2019-09-16 16:18:16 +02:00
|
|
|
<?php
|
|
|
|
|
/*
|
|
|
|
|
FusionPBX
|
|
|
|
|
Version: MPL 1.1
|
|
|
|
|
|
|
|
|
|
The contents of this file are subject to the Mozilla Public License Version
|
|
|
|
|
1.1 (the "License"); you may not use this file except in compliance with
|
|
|
|
|
the License. You may obtain a copy of the License at
|
|
|
|
|
http://www.mozilla.org/MPL/
|
|
|
|
|
|
|
|
|
|
Software distributed under the License is distributed on an "AS IS" basis,
|
|
|
|
|
WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
|
|
|
for the specific language governing rights and limitations under the
|
|
|
|
|
License.
|
|
|
|
|
|
|
|
|
|
The Original Code is FusionPBX
|
|
|
|
|
|
|
|
|
|
The Initial Developer of the Original Code is
|
|
|
|
|
Mark J Crane <markjcrane@fusionpbx.com>
|
2020-03-29 05:40:33 +02:00
|
|
|
Portions created by the Initial Developer are Copyright (C) 2019-2020
|
2019-09-16 16:18:16 +02:00
|
|
|
the Initial Developer. All Rights Reserved.
|
|
|
|
|
|
|
|
|
|
Contributor(s):
|
|
|
|
|
Mark J Crane <markjcrane@fusionpbx.com>
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* captcha class
|
|
|
|
|
*
|
|
|
|
|
* @method string get
|
|
|
|
|
*/
|
|
|
|
|
class token {
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Called when the object is created
|
|
|
|
|
*/
|
|
|
|
|
//public $code;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Class constructor
|
|
|
|
|
*/
|
|
|
|
|
public function __construct() {
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Create the token
|
|
|
|
|
* @var string $key
|
|
|
|
|
*/
|
|
|
|
|
public function create($key) {
|
|
|
|
|
|
2020-03-30 19:15:09 +02:00
|
|
|
//clear previously validated tokens
|
|
|
|
|
$this->clear_validated();
|
|
|
|
|
|
2019-09-17 02:23:15 +02:00
|
|
|
//allow only specific characters
|
2020-03-29 05:40:33 +02:00
|
|
|
$key = preg_replace('[^a-zA-Z0-9\-_@.\/]', '', $key);
|
2019-09-17 02:23:15 +02:00
|
|
|
|
2020-03-29 05:40:33 +02:00
|
|
|
//create a token for the key submitted
|
|
|
|
|
$token = [
|
|
|
|
|
'name'=>hash_hmac('sha256', $key, bin2hex(random_bytes(32))),
|
2020-03-30 19:15:09 +02:00
|
|
|
'hash'=>hash_hmac('sha256', $key, bin2hex(random_bytes(32))),
|
|
|
|
|
'validated'=>false
|
2020-03-29 05:40:33 +02:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
//save in the token session array
|
|
|
|
|
$_SESSION['tokens'][$key][] = $token;
|
2019-09-16 16:18:16 +02:00
|
|
|
|
|
|
|
|
//send the hash
|
2020-03-29 05:40:33 +02:00
|
|
|
return $token;
|
2019-09-17 02:23:15 +02:00
|
|
|
|
2019-09-16 16:18:16 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* validate the token
|
|
|
|
|
* @var string $key
|
2020-03-30 19:15:09 +02:00
|
|
|
* @var string $value
|
2019-09-16 16:18:16 +02:00
|
|
|
*/
|
2019-09-17 02:23:15 +02:00
|
|
|
public function validate($key, $value = null) {
|
|
|
|
|
|
|
|
|
|
//allow only specific characters
|
2020-03-29 05:40:33 +02:00
|
|
|
$key = preg_replace('[^a-zA-Z0-9]', '', $key);
|
2019-09-17 02:23:15 +02:00
|
|
|
|
|
|
|
|
//get the token name
|
2023-05-16 20:54:45 +02:00
|
|
|
if (!empty($_SESSION['tokens']) && is_array($_SESSION['tokens'][$key]) && @sizeof($_SESSION['tokens'][$key]) != 0) {
|
2020-03-29 05:40:33 +02:00
|
|
|
foreach ($_SESSION['tokens'][$key] as $t => $token) {
|
|
|
|
|
$token_name = $token['name'];
|
|
|
|
|
if (isset($_REQUEST[$token_name])) {
|
|
|
|
|
$value = $_REQUEST[$token_name];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-09-17 02:23:15 +02:00
|
|
|
|
|
|
|
|
//limit the value to specific characters
|
2020-03-29 05:40:33 +02:00
|
|
|
$value = preg_replace('[^a-zA-Z0-9]', '', $value);
|
2019-09-16 16:18:16 +02:00
|
|
|
|
|
|
|
|
//compare the hashed tokens
|
2023-05-16 20:54:45 +02:00
|
|
|
if (!empty($_SESSION['tokens']) && is_array($_SESSION['tokens'][$key]) && @sizeof($_SESSION['tokens'][$key]) != 0) {
|
2020-03-29 05:40:33 +02:00
|
|
|
foreach ($_SESSION['tokens'][$key] as $t => $token) {
|
|
|
|
|
if (hash_equals($token['hash'], $value)) {
|
2020-03-30 19:15:09 +02:00
|
|
|
$_SESSION['tokens'][$key][$t]['validated'] = true;
|
2020-03-29 05:40:33 +02:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-09-16 16:18:16 +02:00
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-30 19:15:09 +02:00
|
|
|
/**
|
|
|
|
|
* clear previously validated tokens
|
|
|
|
|
*/
|
|
|
|
|
private function clear_validated() {
|
2023-05-16 20:54:45 +02:00
|
|
|
if (!empty($_SESSION['tokens']) && is_array($_SESSION['tokens']) && @sizeof($_SESSION['tokens']) != 0) {
|
2020-03-30 19:15:09 +02:00
|
|
|
foreach ($_SESSION['tokens'] as $key => $tokens) {
|
|
|
|
|
if (is_array($tokens) && @sizeof($tokens) != 0) {
|
|
|
|
|
foreach ($tokens as $t => $token) {
|
|
|
|
|
if ($token['validated']) {
|
|
|
|
|
unset($_SESSION['tokens'][$key][$t]);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-16 16:18:16 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
|
|
|
|
|
//create token
|
2019-09-17 02:23:15 +02:00
|
|
|
$object = new token;
|
|
|
|
|
$token = $object->create('/app/bridges/bridge_edit.php');
|
2019-09-16 16:18:16 +02:00
|
|
|
|
2019-09-17 02:23:15 +02:00
|
|
|
echo " <input type='hidden' name='".$token['name']."' value='".$token['hash']."'>\n";
|
2019-09-16 16:18:16 +02:00
|
|
|
|
|
|
|
|
//------------------------
|
|
|
|
|
|
|
|
|
|
//validate the token
|
2019-09-17 02:23:15 +02:00
|
|
|
$token = new token;
|
|
|
|
|
if (!$token->validate('/app/bridges/bridge_edit.php')) {
|
|
|
|
|
$_SESSION["message"] = $text['message-invalid_token'];
|
|
|
|
|
header('Location: bridges.php');
|
|
|
|
|
exit;
|
|
|
|
|
}
|
2019-09-16 16:18:16 +02:00
|
|
|
|
2020-03-30 19:15:09 +02:00
|
|
|
//note: can use $_SERVER['PHP_SELF'] instead of actual file path
|
|
|
|
|
|
2019-09-16 16:18:16 +02:00
|
|
|
*/
|
|
|
|
|
|
2020-03-30 19:15:09 +02:00
|
|
|
?>
|
