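/**
 * Handles the submitted login form.
 *
 * Authenticates the user; on success the browser is redirected to the `go`
 * parameter when one is present, otherwise to the configured start page.
 * On failure the login form is re-rendered with error code 2002.
 *
 * `go` is untrusted request input and was previously passed straight to
 * owa_lib::redirectBrowser(), which made this an open redirect. It is now
 * only used when it is a relative URL or an http(s) URL whose host[:port]
 * equals the HTTP_HOST this request came in on. Other schemes (including
 * `javascript:`), foreign hosts, embedded credentials, control characters
 * and backslash-prefixed forms (`/\evil`, which browsers read as `//evil`)
 * fall back to the start page.
 */
function action() {
    $auth = owa_auth::get_instance();
    $status = $auth->authenticateUser();
    $go = owa_sanitize::cleanUrl($this->getParam('go'));

    if ($status['auth_status'] == true) {
        $redirect_url = '';

        if (!empty($go)) {
            $url = urldecode($go);
            $parts = parse_url($url);

            $scheme = '';
            $authority = '';
            $has_credentials = false;
            if (is_array($parts)) {
                $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
                $authority = isset($parts['host']) ? strtolower($parts['host']) : '';
                if (isset($parts['port'])) {
                    $authority .= ':' . $parts['port'];
                }
                $has_credentials = isset($parts['user']) || isset($parts['pass']);
            }
            $own_authority = isset($_SERVER['HTTP_HOST']) ? strtolower($_SERVER['HTTP_HOST']) : '';

            $is_relative = ($scheme === '' && $authority === '');
            $is_same_host = ($scheme === 'http' || $scheme === 'https')
                && $authority !== ''
                && $authority === $own_authority;
            // leading whitespace/control chars anywhere: browsers strip them, parse_url does not
            $has_control_chars = preg_match('/^[\x00-\x20]|[\x00-\x1f\x7f]/', $url) === 1;
            // a backslash in the leading slash run is treated as '/' by browsers
            $has_backslash_prefix = preg_match('#^[\\\\/]*\\\\#', $url) === 1;

            if (is_array($parts)
                && !$has_credentials
                && !$has_control_chars
                && !$has_backslash_prefix
                && ($is_relative || $is_same_host)) {
                $redirect_url = $url;
            } else {
                $this->e->debug("ignoring unsafe redirect target...:" . $url);
            }
        }

        if ($redirect_url !== '') {
            // redirect to url if present and local
            $this->e->debug("redirecting browser to...:" . $redirect_url);
            owa_lib::redirectBrowser($redirect_url);
        } else {
            // else redirect to home page.
            // these need to be unset as they were set previously by the doAction method.
            // need to refactor this out.
            $this->set('auth_status', '');
            $this->set('params', '');
            $this->set('site_id', '');
            $this->setRedirectAction($this->config['start_page']);
        }
    } else {
        // return login form with error msg
        $this->setView('base.loginForm');
        $this->set('go', $go);
        $this->set('error_code', 2002);
        $this->set('user_id', $this->getParam('user_id'));
    }
}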
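/**
 * Builds the public login page.
 *
 * Renders the login form inside the public wrapper template and passes the
 * previously submitted user id and the `go` return URL to the body template.
 * `go` is run through owa_sanitize::cleanUrl again because it is echoed into
 * the form and may be attacker-controlled.
 *
 * @param mixed $data View data; values are read via $this->get() instead.
 */
function construct($data) {
    $this->setTitle("Login");
    $this->t->set_template('wrapper_public.tpl');
    $this->body->set_template('login_form.tpl');
    // user-visible text; previously misspelled "from"
    $this->body->set('headline', 'Please login using the form below');
    $this->body->set('user_id', $this->get('user_id'));
    $this->body->set('go', owa_sanitize::cleanUrl($this->get('go')));
    $this->setJs("owa", "base/js/owa.js");
}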
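/**
 * Coerces a value to the requested data type.
 *
 * - "integer": cast to int. The previous `$var + 0` returned a float for
 *   "1.5"/"1e3" and, on PHP 8, throws a TypeError for non-numeric strings
 *   such as "abc"; `(int)` always yields an int (0 for non-numeric input).
 * - "string": run through owa_sanitize::cleanInput with HTML removed.
 * - any other $type: returned unchanged.
 *
 * @param mixed  $var  Value to coerce.
 * @param string $type "integer" or "string".
 * @return mixed
 */
static function setDataType($var, $type = 'string') {
    switch ($type) {
        case "integer":
            $var = (int) $var;
            break;
        case "string":
            $var = owa_sanitize::cleanInput($var, array('remove_html' => true));
            break;
    }
    return $var;
}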
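/**
 * Outputs data into the template.
 *
 * With $sanitize the value is HTML-escaped via owa_sanitize::escapeForDisplay.
 * With $decode_special_entities the escaped `&amp;` is turned back into `&`
 * afterwards; the previous mapping was `'&' => '&'`, a no-op, so the flag
 * had no effect.
 *
 * @param string $output The string to be output into the template
 * @param bool   $sanitize Escape the output for HTML display
 * @param bool   $decode_special_entities Restore `&` after escaping (only when $sanitize)
 */
function out($output, $sanitize = true, $decode_special_entities = false) {
    if ($sanitize) {
        $output = owa_sanitize::escapeForDisplay($output);
        if ($decode_special_entities) {
            $output = strtr($output, array('&amp;' => '&'));
        }
    }
    echo $output;
}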
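/**
 * Strips the configured illegal characters from a user id, then runs the
 * general input cleaner over the result.
 *
 * The previous version tested `strpos($user_id, $char)` before replacing,
 * which is falsy when the character sits at offset 0, so an illegal
 * *leading* character was never removed. str_replace is a no-op when the
 * character is absent, so the guard is dropped and all characters are
 * replaced in one pass (same left-to-right order as the old loop).
 *
 * @param string $user_id Raw user id from the request.
 * @return mixed Cleaned id (owa_sanitize::cleanInput returns null for empty input).
 */
public static function cleanUserId($user_id) {
    $illegals = owa_coreAPI::getSetting('base', 'user_id_illegal_chars');
    if (is_array($illegals) && !empty($illegals)) {
        $user_id = str_replace(array_values($illegals), '', $user_id);
    }
    return owa_sanitize::cleanInput($user_id, array());
}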
/**
 * Public entry point for input sanitizing; delegates to owa_sanitize::cleanInput.
 *
 * @param mixed $input   Scalar or array to clean.
 * @param array $options Option overrides forwarded unchanged.
 * @return mixed Whatever cleanInput returns.
 */
public static function inputFilter($input, $options = array()) {
    $cleaned = owa_sanitize::cleanInput($input, $options);
    return $cleaned;
}
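/**
 * Constructor: captures the raw HTTP (or CLI) request into the object.
 *
 * Copies $_SERVER, $_FILES, cookies, $_SESSION and the GET/POST (or argv)
 * parameters, runs the parameters through owa_sanitize::cleanInput, filters
 * the two routing params through owa_lib::fileInclusionFilter, and builds
 * the namespaced owa_params array plus the state container.
 *
 * Fixes relative to the previous version:
 *  - the $_COOKIE fallback wrote into a local `$cookies` array instead of
 *    `$this->cookies`, so with a single cookie (no ';' in HTTP_COOKIE) no
 *    cookie was ever recorded;
 *  - cookie and CLI `name=value` pairs are split on the first '=' only, so
 *    values containing '=' are kept intact, and a bare name without '=' no
 *    longer produces an undefined-index notice;
 *  - the '>' delimiter repair looks for the HTML entity `&gt;`, which is what
 *    an upstream sanitizer turns the delimiter into (the old search string
 *    was '>' itself, a no-op);
 *  - array_key_exists() is only called when $this->request is an array;
 *  - is_https is not set for `HTTPS=off` (sent by IIS on plain HTTP), which
 *    would otherwise mark the request as secure when it is not.
 */
function __construct() {
    $this->timestamp = time();
    $this->guid = owa_lib::generateRandomUid();

    // php's server variables
    $this->server = $_SERVER;

    // files
    if (!empty($_FILES)) {
        $this->files = $_FILES;
    }

    // cookies: OWA may set same-named cookies under different subdomains, and
    // $_COOKIE keeps only one of them, so the raw header is parsed into
    // name => array of values.
    $this->cookies = array();
    if (isset($_SERVER['HTTP_COOKIE']) && strpos($_SERVER['HTTP_COOKIE'], ';') !== false) {
        foreach (explode(';', $_SERVER['HTTP_COOKIE']) as $raw_cookie) {
            $raw_cookie = trim($raw_cookie);
            if ($raw_cookie === '') {
                continue;
            }
            $nvp = explode('=', $raw_cookie, 2);
            $this->cookies[$nvp[0]][] = isset($nvp[1]) ? urldecode($nvp[1]) : '';
        }
    } elseif (!empty($_COOKIE) && is_array($_COOKIE)) {
        foreach ($_COOKIE as $n => $v) {
            // hack against other frameworks sanitizing cookie data and blowing away
            // our '>' delimiter. Remove once all cookies use the json format.
            if (is_string($v) && strpos($v, '&gt;') !== false) {
                $v = str_replace('&gt;', '>', $v);
            }
            $this->cookies[$n][] = $v;
        }
    }

    // keep just the cookies that have the owa namespace
    $ns = owa_coreAPI::getSetting('base', 'ns');
    $this->owa_cookies = owa_lib::stripParams($this->cookies, $ns);

    // session
    if (!empty($_SESSION)) {
        $this->session = $_SESSION;
    }

    /* STATE CONTAINER */
    $this->state = owa_coreAPI::supportClassFactory('base', 'state');
    // merge session
    if (!empty($this->session)) {
        $this->state->addStores(owa_lib::stripParams($this->session, $ns));
    }
    // merge cookies
    foreach ($this->owa_cookies as $k => $owa_cookie) {
        $this->state->setInitialState($k, $owa_cookie);
    }

    // request params: GET is the base, POST is merged over it (both can occur
    // on one request), CLI args are the fallback when neither is present.
    $params = array();
    if (!empty($_GET)) {
        $params = $_GET;
        $this->request_type = 'get';
    }
    if (!empty($_POST)) {
        $params = array_merge($params, $_POST);
        $this->request_type = 'post';
    }
    if (!$this->request_type && isset($_SERVER['argv'])) {
        $this->cli_args = $_SERVER['argv'];
        $arg_count = count($this->cli_args);
        // parse "key=value" arguments; a bare key gets an empty value
        for ($i = 1; $i < $arg_count; $i++) {
            $it = explode('=', $this->cli_args[$i], 2);
            $params[$it[0]] = isset($it[1]) ? $it[1] : '';
        }
        $this->request_type = 'cli';
    }

    if ($this->request_type === 'get' || $this->request_type === 'post') {
        $this->current_url = owa_lib::get_current_url();
    }

    // clean input arrays
    if ($params) {
        $params = owa_sanitize::cleanInput($params, array('remove_html' => true));
        if (is_array($params) && !empty($params)) {
            $this->request = $params;
        }
    }

    // strip the params that select code to run of nasty include exploits
    if (is_array($this->request)) {
        foreach (array($ns . 'action', $ns . 'do') as $routing_key) {
            if (array_key_exists($routing_key, $this->request)) {
                $this->request[$routing_key] = owa_lib::fileInclusionFilter($this->request[$routing_key]);
            }
        }
    }

    // strip owa namespace
    $this->owa_params = owa_lib::stripParams($this->request, $ns);

    // translate certain request variables that are reserved in javascript
    $this->owa_params = owa_lib::rekeyArray(
        $this->owa_params,
        array_flip(owa_coreAPI::getSetting('base', 'reserved_words'))
    );

    // https flag; some servers send HTTPS=off (or empty) on plain connections
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        $this->is_https = true;
    }
}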
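/**
 * Sanitizes a value (or, recursively, every leaf of an array) for safe input.
 *
 * Options (all default to true except `remove_html`):
 *
 * - hidden_spaces - owa_sanitize::removeHiddenSpaces
 * - remove_html   - owa_sanitize::stripAllTags
 * - dollar        - owa_sanitize::escapeDollarSigns
 * - carriage      - owa_sanitize::stripCarriageReturns
 * - unicode       - owa_sanitize::escapeUnicode
 * - escape_html   - owa_sanitize::escapeForDisplay
 * - backslash     - owa_sanitize::escapeBackslash
 * - encode        - accepted for backwards compatibility; nothing in this
 *                   method reads it (the old docblock claimed otherwise)
 *
 * Fixes: the previous "nothing to clean" test was `empty($input)`, which also
 * swallowed the legitimate values "0", 0 and 0.0 and returned null for them.
 * Only null, '', false and an empty array are treated as empty now. It also
 * left `$output` undefined when `hidden_spaces` was disabled; the pipeline
 * now starts from `$input`.
 *
 * @param mixed $input   Scalar or (nested) array to sanitize
 * @param array $options Option overrides, see above
 * @return mixed Sanitized data, or null when $input is empty
 * @access public
 * @static
 */
function cleanInput($input, $options = array()) {
    if ($input === null || $input === '' || $input === false || $input === array()) {
        return;
    }

    $options = array_merge(array(
        'hidden_spaces' => true,
        'remove_html'   => false,
        'encode'        => true,
        'dollar'        => true,
        'carriage'      => true,
        'unicode'       => true,
        'escape_html'   => true,
        'backslash'     => true
    ), $options);

    if (is_array($input)) {
        $output = array();
        foreach ($input as $k => $v) {
            $output[$k] = owa_sanitize::cleanInput($v, $options);
        }
        return $output;
    }

    // each step consumes the previous result; start from the raw value so a
    // disabled first step does not leave $output undefined
    $output = $input;
    if ($options['hidden_spaces']) {
        $output = owa_sanitize::removeHiddenSpaces($output);
    }
    if ($options['remove_html']) {
        $output = owa_sanitize::stripAllTags($output);
    }
    if ($options['dollar']) {
        $output = owa_sanitize::escapeDollarSigns($output);
    }
    if ($options['carriage']) {
        $output = owa_sanitize::stripCarriageReturns($output);
    }
    if ($options['unicode']) {
        $output = owa_sanitize::escapeUnicode($output);
    }
    if ($options['escape_html']) {
        $output = owa_sanitize::escapeForDisplay($output);
    }
    if ($options['backslash']) {
        $output = owa_sanitize::escapeBackslash($output);
    }
    return $output;
}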
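/**
 * Authenticates a user by the passkey carried in a URL.
 *
 * The supplied key is normalised with owa_sanitize::cleanMd5, the user is
 * loaded via $this->getUser(), and a fresh passkey is derived from the
 * stored user_id and password with generateUrlPasskey(); authentication
 * succeeds only when that key is identical to the one on the URL.
 *
 * Fix: the comparison was `$key == $passkey`. Loose comparison of two digest
 * strings is unsafe in PHP (numeric-looking strings such as "0e123..." and
 * "0e456..." compare equal), and an ordinary string compare leaks the length
 * of the matching prefix through timing. hash_equals() is strict and
 * constant-time. The method also fails closed when no user object was loaded
 * or no key could be derived.
 *
 * @param string $user_id User id from the URL
 * @param string $passkey Passkey from the URL
 * @return bool True when the key matches the one derived from stored credentials
 */
function authenticateUserByUrlPasskey($user_id, $passkey) {
    $passkey = owa_sanitize::cleanMd5($passkey);
    if (!$passkey) {
        return false;
    }

    // set credentials
    $this->credentials['user_id'] = $user_id;
    $this->credentials['passkey'] = $passkey;

    // fetch user obj
    $this->getUser();
    if (!is_object($this->u)) {
        return false;
    }

    // generate a new passkey from its components in the db
    $key = $this->generateUrlPasskey($this->u->get('user_id'), $this->u->get('password'));
    if (!is_string($key) || $key === '') {
        return false;
    }

    // strict, constant-time comparison with the key on the url
    return hash_equals($key, (string) $passkey);
}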