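/**
 * Helper function that does the actual work for the public logging methods.
 *
 * If the supplied logging level is at or above the current logging threshold
 * the message is logged, otherwise it is discarded. Before it is written the
 * message has its carriage returns and line feeds replaced (so a
 * caller-supplied string cannot forge additional log lines) and, when ESAPI.xml
 * asks for it (getLogEncodingRequired()), is HTML-encoded so it is safe to view
 * in an HTML based log viewer. The exception text, if one is supplied, is
 * appended to the same log line and receives the same CRLF-replacement and
 * HTML-encoding, because it usually carries the same untrusted data (the input
 * that failed, a stack trace).
 *
 * The log line is prefixed with context: the level name, the application name
 * (only if it is configured to be logged), the logger name/category, the event
 * type with a -SUCCESS/-FAILURE suffix, local host:port, remote user@address,
 * and a per-session random ID kept in $_SESSION so a user's requests can be
 * correlated without writing the real session ID to the log.
 *
 * @param int       $level     the priority level of the event - an ESAPILogger
 *                             Level constant.
 * @param string    $type      the type of the event - an ESAPILogger Event
 *                             constant. Anything that is not a string is
 *                             logged as EVENT_UNKNOWN.
 * @param bool      $success   TRUE indicates this was a successful event,
 *                             FALSE indicates this was a failed event (the
 *                             typical value).
 * @param string    $message   the message to be logged. Anything that is not a
 *                             string is logged as an empty message.
 * @param Exception $throwable the exception to append to the log line, or null.
 *
 * @return void
 */
private function _log($level, $type, $success, $message, $throwable) {
    // Cheap exit first: nothing below runs if this level is filtered out.
    $logLevel = self::_convertESAPILeveltoLoggerLevel($level);
    if (!$this->_log4php->isEnabledFor($logLevel)) {
        return;
    }

    $encoder   = ESAPI::getEncoder();
    $secConfig = ESAPI::getSecurityConfiguration();

    // ---- Context prefix ---------------------------------------------------

    // The level name is rendered here instead of through a Log4PHP
    // LayoutPattern so that ALL prints as TRACE and WARN as WARNING.
    $levelStr = $logLevel->toString();
    if ($levelStr === 'ALL') {
        $levelStr = 'TRACE';
    } elseif ($levelStr === 'WARN') {
        $levelStr = 'WARNING';
    }
    $context = $levelStr;

    // $this->_appName is only set when the application name is to be logged.
    if ($this->_appName !== null) {
        $context .= ' ' . $this->_appName;
    }

    // Logger name (Category in Log4PHP parlance).
    $context .= ' ' . $this->_log4phpName;

    // Event type, suffixed with the outcome of the event.
    if (!is_string($type)) {
        $type = 'EVENT_UNKNOWN';
    }
    $context .= ' ' . $type . ($success === true ? '-SUCCESS' : '-FAILURE');

    // Local and remote endpoints. When there is no current request (e.g. a
    // CLI run) a SafeRequest is created and registered so later callers see
    // the same object.
    $request = ESAPI::getHttpUtilities()->getCurrentRequest();
    if ($request === null) {
        $request = new SafeRequest();
        ESAPI::getHttpUtilities()->setCurrentHTTP($request);
    }
    $laddr = $request->getServerName();
    if ($laddr === '') {
        $laddr = 'UnknownLocalHost';
    }
    $lport = $request->getServerPort();
    $ruser = $request->getRemoteUser();
    if ($ruser === '') {
        // NOTE(review): this fallback reads like a redaction artefact in the
        // listing; the sibling fallbacks use an 'Unknown...' name - confirm
        // the intended value against the original file.
        $ruser = '******';
    }
    $raddr = $request->getRemoteAddr();
    if ($raddr === '') {
        $raddr = 'UnknownRemoteHost';
    }
    $context .= " {$laddr}:{$lport} {$ruser}@{$raddr}";

    // Session correlation ID: a random number stored in the session so a
    // user's requests can be tied together without logging the real session
    // ID. Generation is best-effort; 'SessionUnknown' is logged if it fails
    // or if there is no session at all.
    $userSessionIDforLogging = 'SessionUnknown';
    if (isset($_SESSION)) {
        if (isset($_SESSION['DefaultAuditor']['SessionIDForLogging'])) {
            $userSessionIDforLogging = $_SESSION['DefaultAuditor']['SessionIDForLogging'];
        } else {
            try {
                $userSessionIDforLogging = (string) ESAPI::getRandomizer()->getRandomInteger(0, 1000000);
                $_SESSION['DefaultAuditor']['SessionIDForLogging'] = $userSessionIDforLogging;
            } catch (Exception $e) {
                // Best-effort: fall through and log 'SessionUnknown'.
            }
        }
    }
    $context .= "[ID:{$userSessionIDforLogging}]";

    // ---- Message ----------------------------------------------------------

    if (!is_string($message)) {
        $message = '';
    }

    // Replace CR/LF so a caller-supplied message cannot forge extra log
    // lines. Codec debugging entries (logger name CD_LOG) are left untouched.
    if (defined('CD_LOG') && $this->_log4phpName === CD_LOG) {
        $crlfEncoded = $message;
    } else {
        $crlfEncoded = $this->_replaceCRLF($message, '_');
    }

    // The exception is rendered through its __toString(); cast explicitly so
    // _replaceCRLF always receives a string. A trace contains newlines and
    // may echo back untrusted input, so it gets the same CRLF treatment.
    $exceptionText = null;
    if ($throwable instanceof Exception) {
        $exceptionText = $this->_replaceCRLF((string) $throwable, ' | ');
    }

    // HTML-encode if ESAPI.xml says so. The exception text ends up on the
    // same log line, so it is encoded too - appending it raw would reopen
    // the hole that encoding the message closes.
    $encodedMessage = $crlfEncoded;
    if ($secConfig->getLogEncodingRequired()) {
        try {
            $encodedMessage = $encoder->encodeForHTML($crlfEncoded);
            if ($encodedMessage !== $crlfEncoded) {
                $encodedMessage .= ' (This log message was encoded for HTML)';
            }
            if ($exceptionText !== null) {
                $exceptionText = $encoder->encodeForHTML($exceptionText);
            }
        } catch (Exception $e) {
            // get_class(): the original called get_type(), which is not a PHP
            // builtin and would itself have failed inside this catch block.
            $exType = get_class($e);
            $encodedMessage = "The supplied log message generated an "
                . "Exception of type {$exType} and was not included";
            // Nothing from the failed encoding pass reaches the log.
            $exceptionText = null;
        }
    }

    $messageForLog = $context . ' ' . $encodedMessage;
    if ($exceptionText !== null) {
        $messageForLog .= ' ' . $exceptionText;
    }
    $this->_log4php->log($logLevel, $messageForLog, $this);
}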
/**
 * {@inheritDoc}
 *
 * What is visible here: an empty or null password records a failed-login
 * timestamp, bumps the failed-login counter and throws
 * AuthenticationLoginException without touching $this->_loggedIn. When the
 * password check succeeds the login is traced as a SECURITY event through the
 * "DefaultUser" logger; when it fails $this->_loggedIn is cleared, the failure
 * is recorded the same way and AuthenticationLoginException is thrown. Every
 * thrown exception is built with the generic "Login failed" first and a
 * second, more detailed string that names the account - presumably the
 * log-side message that must not be shown to the caller; verify against
 * AuthenticationLoginException.
 *
 * NOTE(review): the middle of this method (the disabled/locked/expired
 * checks and the password verification itself) is redacted in this listing
 * ("******" markers); only the messages of the exceptions thrown there are
 * visible. Review that stretch against the original file before relying on
 * this documentation.
 *
 * @param string $password the password to verify for this account.
 *
 * @throws AuthenticationLoginException on a missing or incorrect password and,
 *                                      per the visible messages, for disabled,
 *                                      locked and expired users.
 */
public function loginWithPassword($password) {
    //FIXME: time() might not be the correct format to be used?
    // A missing password is counted as a failed attempt before throwing.
    if (is_null($password) || $password == "") {
        $this->setLastFailedLoginTime(time());
        $this->incrementFailedLoginCount();
        // NOTE(review): the source between this throw and the "User logged in"
        // trace below is redacted in this listing and is not reviewable here.
        throw new AuthenticationLoginException("Login failed", "Missing password: "******"Login failed", "Disabled user attempt to login: "******"Login failed", "Locked user attempt to login: "******"Login failed", "Expired user attempt to login: "******"DefaultUser")->trace(ESAPILogger::SECURITY, "User logged in: " . $this->_accountName);
    } else {
        // Wrong password: clear the logged-in flag, record the failure, throw.
        $this->_loggedIn = false;
        $this->setLastFailedLoginTime(time());
        $this->incrementFailedLoginCount();
        throw new AuthenticationLoginException("Login failed", "Incorrect password provided for " . $this->getAccountName());
    }
}