ISPConfig3 devel
blame | history | patch | commit | commitdiff | ignore whitespace
Marius Burkard
2015-12-14 6b15d5f4e18578acb46be3babc46b7a9d3a9299c 
 interface/lib/classes/tform_base.inc.php


@@ -126,6 +126,7 @@


   function loadFormDef($file, $module = '') {


      global $app, $conf;




      $app->plugin->raiseEvent('on_before_formdef', $module);


      include $file;


      $this->formDef = $form;




@@ -150,6 +151,8 @@


         $wb = $app->functions->array_merge($wb_global, $wb);


      }


      if(isset($wb_global)) unset($wb_global);


		


      $app->plugin->raiseEvent('on_after_formdef', $module);




      $this->wordbook = $wb;




@@ -414,6 +417,28 @@


      if(!is_array($this->formDef)) $app->error("No form definition found.");


      if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: $tab).");




      /* CSRF PROTECTION */


      // generate csrf protection id and key


      $csrf_token = $app->auth->csrf_token_get($this->formDef['name']);


      $_csrf_id = $csrf_token['csrf_id'];


      $_csrf_value = $csrf_token['csrf_key'];


		


      $this->formDef['tabs'][$tab]['fields']['_csrf_id'] = array(


         'datatype' => 'VARCHAR',


         'formtype' => 'TEXT',


         'default' => $_csrf_id,


         'value' => $_csrf_id


      );


      $this->formDef['tabs'][$tab]['fields']['_csrf_key'] = array(


         'datatype' => 'VARCHAR',


         'formtype' => 'TEXT',


         'default' => $_csrf_value,


         'value' => $_csrf_value


      );


      $record['_csrf_id'] = $_csrf_id;


      $record['_csrf_key'] = $_csrf_value;


      /* CSRF PROTECTION */


		


      $new_record = array();


      if($action == 'EDIT') {


         $record = $this->decode($record, $tab);


@@ -669,8 +694,46 @@


    */


   protected function _encode($record, $tab, $dbencode = true, $api = false) {


      global $app;


      if($api == true) $fields = &$this->formDef['fields'];


      else $fields = &$this->formDef['tabs'][$tab]['fields'];


      if($api == true) {


         $fields = &$this->formDef['fields'];


      } else {


         $fields = &$this->formDef['tabs'][$tab]['fields'];


         /* CSRF PROTECTION */


         if(isset($_POST) && is_array($_POST)) {


            $_csrf_valid = false;


            if(isset($_POST['_csrf_id']) && isset($_POST['_csrf_key'])) {


               $_csrf_id = trim($_POST['_csrf_id']);


               $_csrf_key = trim($_POST['_csrf_key']);


               if(isset($_SESSION['_csrf']) && isset($_SESSION['_csrf'][$_csrf_id]) && isset($_SESSION['_csrf_timeout']) && isset($_SESSION['_csrf_timeout'][$_csrf_id])) {


                  if($_SESSION['_csrf'][$_csrf_id] === $_csrf_key && $_SESSION['_csrf_timeout'] >= time()) $_csrf_valid = true;


               }


            }


            if($_csrf_valid !== true) {


               $app->log('CSRF attempt blocked. Referer: ' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'unknown'), LOGLEVEL_WARN);


               $errmsg = 'err_csrf_attempt_blocked';


               $this->errorMessage .= ($api == true ? $errmsg : $this->wordbook[$errmsg]."<br />") . "\r\n";


               unset($_POST);


               unset($record);


            }


				


            if(isset($_SESSION['_csrf_timeout']) && is_array($_SESSION['_csrf_timeout'])) {


               $to_unset = array();


               foreach($_SESSION['_csrf_timeout'] as $_csrf_id => $timeout) {


                  if($timeout < time()) $to_unset[] = $_csrf_id;


               }


               foreach($to_unset as $_csrf_id) {


                  $_SESSION['_csrf'][$_csrf_id] = null;


                  $_SESSION['_csrf_timeout'][$_csrf_id] = null;


                  unset($_SESSION['_csrf'][$_csrf_id]);


                  unset($_SESSION['_csrf_timeout'][$_csrf_id]);


               }


               unset($to_unset);


            }


         }


         /* CSRF PROTECTION */


      }


		


      $new_record = array();


      if(is_array($record)) {


         foreach($fields as $key => $field) {




@@ -998,11 +1061,10 @@


            }


            break;








         case 'ISIPV4':


            $vip=1;


            if(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $field_value)){


//            if(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $field_value)){


            if(preg_match("/^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/", $field_value)){


               $groups=explode(".", $field_value);


               foreach($groups as $group){


                  if($group<0 or $group>255)


@@ -1018,6 +1080,7 @@


               }


            }


            break;




         case 'ISIP':


            if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';


            if($validator['allowempty'] == 'y' && $field_value == '') {


@@ -1047,7 +1110,8 @@


                     if(preg_match("/^(\:\:([a-f0-9]{1,4}\:){0,6}?[a-f0-9]{0,4}|[a-f0-9]{1,4}(\:[a-f0-9]{1,4}){0,6}?\:\:|[a-f0-9]{1,4}(\:[a-f0-9]{1,4}){1,6}?\:\:([a-f0-9]{1,4}\:){1,6}?[a-f0-9]{1,4})(\/\d{1,3})?$/i", $field_value)){


                        $ip_ok = 1;


                     }


                     if(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $field_value)){


//                     if(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $field_value)){


                     if(preg_match("/^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/", $field_value)){


                        $ip_ok = 1;


                     }


                     if($ip_ok == 0) {