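/**
 * Generate hash on user info and password
 *
 * The password is split in two halves and the application salt is placed between
 * them before the whole string is hashed; callers compare the result against the
 * stored value.
 *
 * @param string $userInfo User name, email, etc
 * @param string $password
 * @return string
 */
private function generateHash($userInfo, $password)
{
    // mitigate rainbow table attack: interleave the salt with the password halves.
    // Cast to int: strlen()/2 is a float for odd lengths and substr() expects an int
    // (silently truncated on old PHP, deprecated since 8.1, TypeError under strict_types)
    $passwordLen = (int) (strlen($password) / 2);
    $firstHalf = substr($password, 0, $passwordLen);
    $secondHalf = substr($password, $passwordLen);

    // NOTE(review): the salt is the installation-wide Piwik_Common::getSalt(); no per-user
    // random salt is visible here, and the strength of the result depends entirely on
    // Piwik_Common::hash(), which is defined elsewhere — confirm it is suitable for
    // stored credentials.
    return Piwik_Common::hash($userInfo . $firstHalf . Piwik_Common::getSalt() . $secondHalf);
}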
/**
 * Set up the view: remember the template file, build the Smarty instance and
 * expose the values every template can read (Piwik version, cache buster, base URL).
 *
 * @param string $templateFile Template rendered by this view
 * @param array  $smConf       Smarty configuration handed to Piwik_Smarty
 * @param bool   $filter       Passed through to Piwik_Smarty
 */
public function __construct($templateFile, $smConf = array(), $filter = true)
{
    $this->template = $templateFile;
    $this->smarty = new Piwik_Smarty($smConf, $filter);

    // values accessible to all templates
    $version = Piwik_Version::VERSION;
    $this->piwik_version = $version;

    // cache buster for static assets: changes whenever PHP or Piwik is upgraded and
    // differs per installation because the salt is part of the digest
    $this->cacheBuster = md5(Piwik_Common::getSalt() . PHP_VERSION . $version);

    // the piwik base URL for the current request, run through sanitizeInputValue()
    $currentUrl = Piwik_Url::getCurrentUrlWithoutFileName();
    $this->piwikUrl = Piwik_Common::sanitizeInputValue($currentUrl);
}
/**
 * Smarty cachebuster outputfilter plugin
 *
 * File: outputfilter.cachebuster.php<br>
 * Type: outputfilter<br>
 * Name: cachebuster<br>
 * Date: May 27, 2009<br>
 * Purpose: append a cache busting query string to the URLs of external CSS
 * stylesheets and JavaScript scripts found in the rendered output<br>
 * Install: Drop into the plugin directory, call
 * <code>$smarty->assign('tag', 'some_unique_tag');</code>
 * <code>$smarty->load_filter('output','cachebuster');</code>
 * from application.
 *
 * The buster value is computed once per process and reused by later calls.
 *
 * NOTE(review): the value written into every page is md5(salt . PHP_VERSION . VERSION).
 * Both version strings are public, so this publishes a digest derived from the secret
 * salt; if the same salt also acts as a signing key elsewhere, a short or guessable salt
 * becomes an offline guessing target. Deriving the buster from a non-secret release
 * identifier would avoid that — confirm how much the rest of the code relies on the salt
 * staying secret before changing it.
 *
 * @param string
 * @param Smarty
 */
function smarty_outputfilter_cachebuster($source, &$smarty)
{
    static $buster = null;
    if ($buster === null) {
        $buster = md5(Piwik_Common::getSalt() . PHP_VERSION . Piwik_Version::VERSION);
    }
    $tag = 'cb=' . $buster;

    // pattern => replacement, applied in this order
    $rewrites = array(
        '~<script type=[\'"]text/javascript[\'"] src=[\'"]([^\'"]+)[\'"]>~'
            => '<script type="text/javascript" src="$1?' . $tag . '">',
        '~<script src=[\'"]([^\'"]+)[\'"] type=[\'"]text/javascript[\'"]>~'
            => '<script type="text/javascript" src="$1?' . $tag . '">',
        '~<link rel=[\'"]stylesheet[\'"] type=[\'"]text/css[\'"] href=[\'"]([^\'"]+)[\'"] ?/?>~'
            => '<link rel="stylesheet" type="text/css" href="$1?' . $tag . '" />',
        // module/action URLs already carrying "?cb=" get the buster as an extra parameter
        '~(src|href)=\\"index.php\\?module=([A-Za-z0-9_]+)&action=([A-Za-z0-9_]+)\\?cb=~'
            => '$1="index.php?module=$2&action=$3&cb=',
    );

    return preg_replace(array_keys($rewrites), array_values($rewrites), $source);
}
/**
 * Generate nonce
 *
 * The nonce lives in a session namespace keyed by $id. A nonce still present in that
 * namespace is handed out again instead of a fresh one (a small deviation from the
 * "used only once" principle, as long as the expiration is not reset) so that browser
 * pre-fetch or a double fetch triggered by some add-ons/extensions does not invalidate
 * the form.
 *
 * NOTE(review): time() is public, so unpredictability rests on the salt staying secret
 * and on Piwik_Common::generateUniqId() — confirm the latter draws on a CSPRNG.
 *
 * @param string $id Unique id to avoid namespace conflicts, e.g., ModuleName.ActionName
 * @param int $ttl Optional time-to-live in seconds; default is 5 minutes
 * @return string Nonce
 */
public static function getNonce($id, $ttl = 300)
{
    $namespace = new Piwik_Session_Namespace($id);
    $existing = $namespace->nonce;
    if (!empty($existing)) {
        // re-use the stored nonce without touching its expiration
        return $existing;
    }

    // nothing usable stored: derive a fresh value from the private salt, the clock and
    // a unique id, then keep it for $ttl seconds
    $fresh = md5(Piwik_Common::getSalt() . time() . Piwik_Common::generateUniqId());
    $namespace->nonce = $fresh;
    $namespace->setExpirationSeconds($ttl, 'nonce');
    return $fresh;
}
/**
 * Returns the string to save in the cookie from the $this->value array of values.
 * Every entry becomes "name=value" followed by self::VALUE_SEPARATOR; non-numeric
 * values are serialized and base64-encoded first. A trailing "_=" marker plus a
 * signature over the content and the application salt closes the string.
 *
 * @return string Cookie content, or '' when there are no values
 */
protected function generateContentString()
{
    $content = '';
    foreach ($this->value as $name => $value) {
        // numbers travel as-is; anything else is serialized then base64-encoded
        $encoded = is_numeric($value) ? $value : base64_encode(safe_serialize($value));
        $content .= "$name=$encoded" . self::VALUE_SEPARATOR;
    }

    if (empty($content)) {
        return '';
    }

    // sign cookie: the signature covers everything up to and including the '_=' marker.
    // NOTE(review): sha1(data . salt) is a secret-suffix construction rather than an HMAC;
    // moving to hash_hmac() would require the verifying side to change in lockstep — confirm.
    $signed = $content . '_=';
    return $signed . sha1($signed . Piwik_Common::getSalt());
}
/**
 * Generate nonce -- a cryptographic "number used only once", often recommended as part of
 * a robust defense against cross-site request forgery (CSRF/XSRF).
 * Characteristics: limited lifetime, uniqueness, unpredictability (pseudo-randomness).
 *
 * A fresh value is generated on every call and replaces whatever the session namespace
 * for $id held before.
 *
 * @param string $id Unique id to avoid namespace conflicts, e.g., ModuleName.ActionName
 * @param int $ttl Optional time-to-live in seconds; default is 5 minutes
 * @return string Nonce
 */
public static function getNonce($id, $ttl = 300)
{
    // digest of the private salt, the current time and a unique id. time() is public,
    // so unpredictability rests on the salt staying secret and on generateUniqId()
    // NOTE(review): confirm Piwik_Common::generateUniqId() draws on a CSPRNG
    $salt = Piwik_Common::getSalt();
    $nonce = md5($salt . time() . Piwik_Common::generateUniqId());

    // persist under the caller's namespace with a limited lifetime
    $session = new Zend_Session_Namespace($id);
    $session->nonce = $nonce;
    $session->setExpirationSeconds($ttl, 'nonce');

    return $nonce;
}
/**
 * Generate advisory lock name
 *
 * The readable part encodes database name, table prefix, site id, the segment hash
 * (when a segment is set), the period id and the period's date range; a salted
 * digest of that readable part is appended as the final path component.
 *
 * @param int $idsite
 * @param Piwik_Period $period
 * @param Piwik_Segment $segment
 * @return string
 */
public static function getArchiveProcessingLockName($idsite, $period, Piwik_Segment $segment)
{
    $db = Piwik_Config::getInstance()->database;

    // an empty segment contributes nothing; otherwise its hash gets its own path component
    $segmentPart = $segment->isEmpty() ? '' : $segment->getHash() . '/';
    $periodId = $period->getId();
    $dateRange = $period->getDateStart()->toString('Y-m-d')
        . ',' . $period->getDateEnd()->toString('Y-m-d');

    $lockName = 'piwik.' . $db['dbname'] . '.' . $db['tables_prefix']
        . '/' . $idsite . '/' . $segmentPart . $periodId . '/' . $dateRange;

    return $lockName . '/' . md5($lockName . Piwik_Common::getSalt());
}