public static final function DownloadsHandler($encrypted_download_pack, $controller_key) { //-- $encrypted_download_pack = (string) $encrypted_download_pack; $controller_key = (string) $controller_key; //-- $client_signature = SmartUtils::get_visitor_signature(); //-- if ((string) SMART_APP_VISITOR_COOKIE == '') { Smart::log_info('File Download', 'Failed: 400 / Invalid Visitor Cookie' . ' on Client: ' . $client_signature); self::Raise400Error('ERROR: Invalid Visitor UUID. Cookies must be enabled to enable this feature !'); return ''; } //end if //-- $downloaded_file = ''; // init //-- $decoded_download_packet = (string) trim((string) SmartUtils::crypto_decrypt((string) $encrypted_download_pack, 'SmartFramework//DownloadLink' . SMART_FRAMEWORK_SECURITY_KEY)); //-- if ((string) $decoded_download_packet != '') { // if data is corrupted, decrypt checksum does not match, will return an empty string //-- if (SMART_FRAMEWORK_ADMIN_AREA === true) { // {{{SYNC-DWN-CTRL-PREFIX}}} $controller_key = (string) 'AdminArea/' . $controller_key; } else { $controller_key = (string) 'IndexArea/' . $controller_key; } //end if //-- {{{SYNC-DOWNLOAD-ENCRYPT-ARR}}} $arr_metadata = explode("\n", (string) $decoded_download_packet, 6); // only need first 5 parts //print_r($arr_metadata); // #PACKET-STRUCTURE# [we will have an array like below, according with the: SmartUtils::create_download_link()] // [TimedAccess]\n // [FilePath]\n // [AccessKey]\n // [UniqueKey]\n // [SFR.UA]\n // #END# //-- $crrtime = (string) trim((string) $arr_metadata[0]); $filepath = (string) trim((string) $arr_metadata[1]); $access_key = (string) trim((string) $arr_metadata[2]); $unique_key = (string) trim((string) $arr_metadata[3]); //-- unset($arr_metadata); //-- $timed_hours = 1; // default expire in 1 hour if (defined('SMART_FRAMEWORK_DOWNLOAD_EXPIRE')) { if ((int) SMART_FRAMEWORK_DOWNLOAD_EXPIRE > 0) { if ((int) SMART_FRAMEWORK_DOWNLOAD_EXPIRE <= 24) { // max is 24 hours (since download link is bind to unique browser signature + unique cookie ... make non-sense to keep more) $timed_hours = (int) SMART_FRAMEWORK_DOWNLOAD_EXPIRE; } //end if } //end if } //end if //-- if ((int) $timed_hours > 0) { if ((int) $crrtime < (int) (time() - 60 * 60 * $timed_hours)) { Smart::log_info('File Download', 'Failed: 403 / Download expired at: ' . date('Y-m-d H:i:s O', (int) $crrtime) . ' for: ' . $filepath . ' on Client: ' . $client_signature); self::Raise403Error('ERROR: The Access Key for this Download is Expired !'); return ''; } //end if } //end if //-- if ((string) $access_key != (string) sha1('DownloadLink:' . SMART_SOFTWARE_NAMESPACE . '-' . SMART_FRAMEWORK_SECURITY_KEY . '-' . SMART_APP_VISITOR_COOKIE . ':' . $filepath . '^' . $controller_key)) { Smart::log_info('File Download', 'Failed: 403 / Invalid Access Key for: ' . $filepath . ' on Client: ' . $client_signature); self::Raise403Error('ERROR: Invalid Access Key for this Download !'); return ''; } //end if //-- if ((string) $unique_key != (string) SmartHashCrypto::sha1('Time=' . $crrtime . '#' . SMART_SOFTWARE_NAMESPACE . '-' . SMART_FRAMEWORK_SECURITY_KEY . '-' . $access_key . '-' . SmartUtils::unique_auth_client_private_key() . ':' . $filepath . '+' . $controller_key)) { Smart::log_info('File Download', 'Failed: 403 / Invalid Client (Unique) Key for: ' . $filepath . ' on Client: ' . $client_signature); self::Raise403Error('ERROR: Invalid Client Key to Access this Download !'); return ''; } //end if //-- if (SmartFileSysUtils::check_file_or_dir_name($filepath)) { //-- $skip_log = 'no'; // default log if (defined('SMART_FRAMEWORK_DOWNLOAD_SKIP_LOG')) { $skip_log = 'yes'; // do not log if accessed via admin area and user is authenticated } //end if //-- $tmp_file_ext = (string) strtolower(SmartFileSysUtils::get_file_extension_from_path($filepath)); // [OK] $tmp_file_name = (string) strtolower(SmartFileSysUtils::get_file_name_from_path($filepath)); //-- $tmp_eval = SmartFileSysUtils::mime_eval($tmp_file_name); $mime_type = (string) $tmp_eval[0]; $mime_disp = (string) $tmp_eval[1]; //-- the path must not start with / but this is tested below $tmp_arr_paths = (array) explode('/', $filepath, 2); // only need 1st part for testing //-- allow file downloads just from specific folders like wpub/ or wsys/ (this is a very important security fix to dissalow any downloads that are not in the specific folders) if (substr((string) $filepath, 0, 1) != '/' and strpos((string) SMART_FRAMEWORK_DOWNLOAD_FOLDERS, '<' . trim((string) $tmp_arr_paths[0]) . '>') !== false and stripos((string) SMART_FRAMEWORK_DENY_UPLOAD_EXTENSIONS, '<' . $tmp_file_ext . '>') === false) { //-- SmartFileSysUtils::raise_error_if_unsafe_path($filepath); // re-test finally //-- @clearstatcache(); //-- if (is_file($filepath)) { //-- if (!headers_sent()) { //-- $fp = @fopen($filepath, 'rb'); $fsize = @filesize($filepath); //-- if (!$fp || $fsize <= 0) { //-- Smart::log_info('File Download', 'Failed: 404 / The requested File is Empty or Not Readable: ' . $filepath . ' on Client: ' . $client_signature); self::Raise404Error('WARNING: The requested File is Empty or Not Readable !'); return ''; //-- } //end if //-- set max execution time to zero ini_set('max_execution_time', 0); // we can expect a long time if file is big, but this will be anyway overriden by the WebServer Timeout Directive //-- // cache headers are presumed to be sent by runtime before of this step //-- header('Content-Type: ' . $mime_type); header('Content-Disposition: ' . $mime_disp); header('Content-Length: ' . $fsize); //-- @fpassthru($fp); // output without reading all in memory //-- @fclose($fp); //-- } else { //-- Smart::log_info('File Download', 'Failed: 500 / Headers Already Sent: ' . $filepath . ' on Client: ' . $client_signature); self::Raise500Error('ERROR: Download Failed, Headers Already Sent !'); return ''; //-- } //end if else //-- if ((string) $skip_log != 'yes') { //-- $downloaded_file = (string) $filepath; // return the file name to be logged //-- } //end if //-- } else { //-- Smart::log_info('File Download', 'Failed: 404 / The requested File does not Exists: ' . $filepath . ' on Client: ' . $client_signature); self::Raise404Error('WARNING: The requested File for Download does not Exists !'); return ''; //-- } //end if else } else { //-- Smart::log_info('File Download', 'Failed: 403 / Access to this File is Denied: ' . $filepath . ' on Client: ' . $client_signature); self::Raise403Error('ERROR: Download Access to this File is Denied !'); return ''; //-- } //end if else //-- } else { //-- Smart::log_info('File Download', 'Failed: 400 / Unsafe File Path: ' . $filepath . ' on Client: ' . $client_signature); self::Raise400Error('ERROR: Unsafe Download File Path !'); return ''; //-- } //end if else //-- } else { //-- Smart::log_info('File Download', 'Failed: 400 / Invalid Data Packet' . ' on Client: ' . $client_signature); self::Raise400Error('ERROR: Invalid Download Data Packet !'); return ''; //-- } //end if else //-- return (string) $downloaded_file; //-- }
public static function test_crypto() { //-- $time = microtime(true); //-- //-- $unicode_text = "Unicode String [ " . time() . " ]: @ Smart スマート // Cloud Application Platform クラウドアプリケーションプラットフォーム '" . implode('', array_keys(SmartUnicode::accented_chars())) . " \" <p></p>\n\t? & * ^ \$ @ ! ` ~ % () [] {} | \\ / + - _ : ; , . #'" . microtime() . '#'; //-- //-- $b64enc = base64_encode($unicode_text); $b64dec = base64_decode($b64enc); //-- //-- $bin2hex = strtoupper(bin2hex((string) $unicode_text)); $hex2bin = hex2bin(strtolower(trim((string) $bin2hex))); //-- //-- $hkey = 'TestUnit // This is a test key for Crypto Cipher ...' . time() . $unicode_text; //-- $he_enc = SmartUtils::crypto_encrypt($unicode_text, $hkey); $he_dec = SmartUtils::crypto_decrypt($he_enc, $hkey); //-- if ((string) $he_dec != (string) $unicode_text or sha1($he_dec) != sha1($unicode_text)) { Smart::raise_error('TestUnit FAILED in ' . __FUNCTION__ . '() :: Crypto Cipher test', 'TestUnit: Crypto Cipher test failed ...'); return; } //end if //-- //-- $bf_key = SmartHashCrypto::sha512('TestUnit // This is a test key for Blowfish ...' . time() . $unicode_text); $bf_enc = SmartUtils::crypto_blowfish_encrypt($unicode_text, $bf_key); $bf_dec = SmartUtils::crypto_blowfish_decrypt($bf_enc, $bf_key); if ((string) $bf_dec != (string) $unicode_text or sha1($bf_dec) != sha1($unicode_text)) { Smart::raise_error('TestUnit FAILED in ' . __FUNCTION__ . '() :: Crypto Blowfish test', 'TestUnit: Blowfish test failed ...'); return; } //end if //-- //-- $arch_lzs = SmartArchiverLZS::compressToBase64($unicode_text); $unarch_lzs = SmartArchiverLZS::decompressFromBase64($arch_lzs); if ((string) $unarch_lzs != (string) $unicode_text or sha1($unarch_lzs) != sha1($unicode_text)) { Smart::raise_error('TestUnit FAILED in ' . __FUNCTION__ . '() :: Crypto Arch-LZS test', 'TestUnit: Arch-LZS test failed ...'); return; } //end if //-- //-- $arch_bf_lzs = SmartArchiverLZS::compressToBase64($bf_enc); $unarch_bf_lzs = SmartArchiverLZS::decompressFromBase64($arch_bf_lzs); if ((string) $unarch_bf_lzs != (string) $bf_enc or sha1($unarch_bf_lzs) != sha1($bf_enc)) { Smart::raise_error('TestUnit FAILED in ' . __FUNCTION__ . '() :: Crypto Blowfish-Arch-LZS test', 'TestUnit: Blowfish-Arch-LZS test failed ...'); return; } //end if //-- //-- $time = 'TOTAL TIME was: ' . (microtime(true) - $time); //-- //-- return SmartMarkersTemplating::render_file_template('lib/core/templates/testunit/crypto-test.inc.htm', array('EXE-TIME' => Smart::escape_html($time), 'UNICODE-TEXT' => Smart::escape_html($unicode_text), 'JS-ESCAPED' => $unicode_text, 'HASH-SHA512' => Smart::escape_html(SmartHashCrypto::sha512($unicode_text)), 'HASH-SHA1' => Smart::escape_html(sha1($unicode_text)), 'HASH-MD5' => Smart::escape_html(md5($unicode_text)), 'BASE64-ENCODED' => Smart::escape_html($b64enc), 'BASE64-DECODED' => Smart::escape_html($b64dec), 'BIN2HEX-ENCODED' => Smart::escape_html($bin2hex), 'HEX2BIN-DECODED' => Smart::escape_html($hex2bin), 'LZS-ARCHIVED' => Smart::escape_html($arch_lzs), 'LZS-UNARCHIVED' => Smart::escape_html($unarch_lzs), 'BLOWFISH-ENCRYPTED' => Smart::escape_html($bf_enc), 'BLOWFISH-LZS-ENCRYPTED' => Smart::escape_html($arch_bf_lzs), 'BLOWFISH-DECRYPTED' => Smart::escape_html($bf_dec), 'BLOWFISH-KEY' => Smart::escape_html($bf_key), 'BLOWFISH-OPTIONS' => Smart::escape_html(SmartCipherCrypto::crypto_options('blowfish')), 'HASHCRYPT-ENC' => Smart::escape_html($he_enc), 'HASHCRYPT-DEC' => Smart::escape_html($he_dec), 'HASHCRYPT-OPTIONS' => Smart::escape_html(SmartCipherCrypto::crypto_options('custom')))); //-- }
public static function decode_mime_fileurl($y_enc_msg_file, $y_ctrl_key) { //-- $y_enc_msg_file = (string) trim((string) $y_enc_msg_file); if ((string) $y_enc_msg_file == '') { Smart::log_warning('Mail-Utils / Decode Mime File URL: Empty Message File Path has been provided. This means the URL link will be unavaliable (empty) to assure security protection.'); return ''; } //end if if (!SmartFileSysUtils::check_file_or_dir_name($y_enc_msg_file)) { Smart::log_warning('Mail-Utils / Decode Mime File URL: Invalid Message File Path has been provided. This means the URL link will be unavaliable (empty) to assure security protection. Message File: ' . $y_enc_msg_file); return ''; } //end if //-- $y_ctrl_key = (string) trim((string) $y_ctrl_key); if ((string) $y_ctrl_key == '') { Smart::log_warning('Mail-Utils / Decode Mime File URL: Empty Controller Key has been provided. This means the URL link will be unavaliable (empty) to assure security protection.'); return ''; } //end if if (SMART_FRAMEWORK_ADMIN_AREA === true) { // {{{SYNC-ENCMIMEURL-CTRL-PREFIX}}} $y_ctrl_key = (string) 'AdminMailUtilArea/' . $y_ctrl_key; } else { $y_ctrl_key = (string) 'IndexMailUtilArea/' . $y_ctrl_key; } //end if //-- $the_sep_arr = (array) self::mime_separe_part_link($y_enc_msg_file); $y_enc_msg_file = (string) $the_sep_arr['msg']; $the_msg_part = (string) $the_sep_arr['part']; unset($the_sep_arr); //-- $arr = array(); // {{{SYNC-MIME-ENCRYPT-ARR}}} $arr['error'] = ''; // by default, no error //-- if ((string) SMART_APP_VISITOR_COOKIE == '') { $arr['error'] = 'WARNING: Access Forbidden ... No Visitor ID set ...!'; return (array) $arr; } //end if //-- if ((string) $the_msg_part != '') { $the_msg_part = strtolower(trim((string) SmartUtils::url_hex_decode((string) $the_msg_part))); } //end if //-- $decoded_link = trim((string) SmartUtils::crypto_decrypt((string) $y_enc_msg_file, 'SmartFramework//MimeLink' . SMART_FRAMEWORK_SECURITY_KEY)); $dec_arr = (array) explode("\n", trim((string) $decoded_link)); //print_r($dec_arr); //-- $arr['creation-time'] = trim((string) $dec_arr[0]); $arr['message-file'] = trim((string) $dec_arr[1]); $arr['message-part'] = trim((string) $the_msg_part); $arr['access-key'] = trim((string) $dec_arr[2]); $arr['bw-unique-key'] = trim((string) $dec_arr[3]); $arr['sf-robot-key'] = trim((string) $dec_arr[4]); //-- check if file path is valid if ((string) $arr['message-file'] == '') { $arr = array(); $arr['error'] = 'ERROR: Empty Message Path ...'; return (array) $arr; } //end if if (!SmartFileSysUtils::check_file_or_dir_name($arr['message-file'])) { $arr = array(); $arr['error'] = 'ERROR: Unsafe Message Path Access ...'; return (array) $arr; } //end if //-- $browser_os_ip_identification = SmartUtils::get_os_browser_ip(); // get browser and os identification //-- re-compose the access key $crrtime = (int) $arr['creation-time']; $access_key = sha1('MimeLink:' . SMART_SOFTWARE_NAMESPACE . '-' . SMART_FRAMEWORK_SECURITY_KEY . '-' . SMART_APP_VISITOR_COOKIE . ':' . $arr['message-file'] . '>' . $y_ctrl_key); $uniq_key = sha1('Time=' . $crrtime . '#' . SMART_SOFTWARE_NAMESPACE . '-' . SMART_FRAMEWORK_SECURITY_KEY . '-' . $access_key . '-' . SmartUtils::unique_auth_client_private_key() . ':' . $arr['message-file'] . '>' . $y_ctrl_key); $self_robot_key = sha1('Time=' . $crrtime . '#' . SmartAuth::get_login_id() . '*' . SMART_SOFTWARE_NAMESPACE . '-' . SMART_FRAMEWORK_SECURITY_KEY . '-' . trim($browser_os_ip_identification['signature']) . '$' . $access_key . ':' . $arr['message-file'] . '>' . $y_ctrl_key); //-- check access key if ((string) $arr['error'] == '') { if ((string) $access_key != (string) $arr['access-key']) { $arr = array(); $arr['error'] = 'ERROR: Access Forbidden ... Invalid ACCESS KEY ...'; } //end if } //end if //-- check the client key if ((string) $arr['error'] == '') { //-- $ok_client_key = false; //-- if ((string) $the_msg_part == '' and (string) $arr['bw-unique-key'] == (string) $uniq_key) { // no message part, allow only client browser $ok_client_key = true; } elseif ((string) $the_msg_part != '' and ((string) $arr['bw-unique-key'] == (string) $uniq_key or (string) $browser_os_ip_identification['bw'] == '@s#' and (string) $arr['sf-robot-key'] == (string) $self_robot_key)) { $ok_client_key = true; } else { $ok_client_key = false; } //end if else //-- if ($ok_client_key != true) { $arr = array(); $arr['error'] = 'ERROR: Access Forbidden ... Invalid CLIENT KEY ...'; } //end if //-- } //end if //-- return (array) $arr; //-- }