Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: introduced security fixes (#263)
- dologin.php - validating user input and introduced CSRF token check - logging.php - preventing direct access to this file, which means redirecting to index.php when directly hitting this include file, (repeated for other exten. / include / etc. files), and optimized logging features - actionMessages.php and errorHandling.php same as logging.php - library/exten-* files - preventing direct access to these files, generalized the approach of looking for known file locations, improved user input validation (params such as limit, etc.), improved output (escaping logfile output, etc.) - in library/exten-server_info.php - i also have added new commands for retrieving network information and system distro/version - opendb.php - general code optimization (TODO prevent direct access to this file) - sessions.php - introduced new session handling (TODO prevent direct access to this file) - login.php - removed the default username hardcoded in the form, added the csrf_token - rep-* - user input validation, code optimization
- Loading branch information
1 parent
765fb6a
commit 3d11f37
Showing
21 changed files
with
1,141 additions
and
1,125 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,107 +1,116 @@ | ||
| <?php | ||
| /********************************************************************* | ||
| * Name: logging.php | ||
| * Author: Liran tal <liran.tal@gmail.com> | ||
| * | ||
| * This file is used for controlling the logging actions | ||
| * | ||
| *********************************************************************/ | ||
|
|
||
|
|
||
| /* | ||
| * It is important to understand that when logging.php is included in | ||
| * a page AFTER an include for config_read.php it gains access to all | ||
| * of the variables it's scope including the $configValues[....] because | ||
| * it was included just before it. | ||
| * | ||
| * But it should be noticed that these variables are only accessible | ||
| * in the scope of the general or main block of php code and are | ||
| * not accessible from functions, so we can't just use $configValues[...] | ||
| * variables from within logMessageNotice() or any other function | ||
| * and so we must use them here as references. | ||
| * | ||
| * The relevant variables are: | ||
| * | ||
| * $operator | ||
| * $_SERVER["SCRIPT_NAME"] | ||
| * $configValues['CONFIG_LOG_FILE'] | ||
| * | ||
| */ | ||
| ********************************************************************************************************* | ||
| * daloRADIUS - RADIUS Web Platform | ||
| * Copyright (C) 2007 - Liran Tal <liran@enginx.com> All Rights Reserved. | ||
| * | ||
| * This program is free software; you can redistribute it and/or | ||
| * modify it under the terms of the GNU General Public License | ||
| * as published by the Free Software Foundation; either version 2 | ||
| * of the License, or (at your option) any later version. | ||
| * | ||
| * You should have received a copy of the GNU General Public License | ||
| * along with this program; if not, write to the Free Software | ||
| * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | ||
| * | ||
| ********************************************************************************************************* | ||
| * Description: This file is used for controlling the logging actions | ||
| * | ||
| * Authors: Liran Tal <liran@enginx.com> | ||
| * Filippo Lauria <filippo.lauria@iit.cnr.it> | ||
| * | ||
| ********************************************************************************************************* | ||
| */ | ||
|
|
||
| if ($configValues['CONFIG_LOG_PAGES'] == "yes") { | ||
| if (isset($log)) { | ||
| $msgNotice = $operator . " " . $log; | ||
| logMessage("NOTICE", $msgNotice, $configValues['CONFIG_LOG_FILE'], $_SERVER["SCRIPT_NAME"]); | ||
| } | ||
| // prevent this file to be directly accessed | ||
| if (strpos($_SERVER['PHP_SELF'], '/include/config/logging.php') !== false) { | ||
| header("Location: ../../index.php"); | ||
| exit; | ||
| } | ||
|
|
||
| /* | ||
| * It is important to understand that when logging.php is included in | ||
| * a page AFTER an include for config_read.php it gains access to all | ||
| * of the variables it's scope including the $configValues[....] because | ||
| * it was included just before it. | ||
| * | ||
| * But it should be noticed that these variables are only accessible | ||
| * in the scope of the general or main block of php code and are | ||
| * not accessible from functions, so we can't just use $configValues[...] | ||
| * variables from within logMessageNotice() or any other function | ||
| * and so we must use them here as references. | ||
| * | ||
| * The relevant variables are: | ||
| * | ||
| * $operator | ||
| * $_SERVER["SCRIPT_NAME"] | ||
| * $configValues['CONFIG_LOG_FILE'] | ||
| * | ||
| */ | ||
|
|
||
| /* | ||
| * @param $type The message type, for example, NOTICE, DEBUG, ERROR, ACTION, etc... | ||
| * @param $msg The message string which should be logged to the file | ||
| * @param $logFile The full path for the filename to write logs to | ||
| * @param $currPage The current page that we included from | ||
| * @return $table The table name, either radcheck or radreply | ||
| */ | ||
| function logMessage($type, $msg, $logFile, $currPage) { | ||
| $date = date('M d G:i:s'); | ||
| $msgString = $date . " " . $type . " " . $msg . " " . $currPage; | ||
|
|
||
| if ($configValues['CONFIG_LOG_QUERIES'] == "yes") { | ||
| if (isset($logQuery)) { | ||
| $msgQuery = $operator . " " . $logQuery; | ||
| logMessage("QUERY", $msgQuery, $configValues['CONFIG_LOG_FILE'], $_SERVER["SCRIPT_NAME"]); | ||
| } | ||
| $fp = fopen($logFile, "a"); | ||
| if ($fp) { | ||
| fwrite($fp, $msgString . "\n"); | ||
| fclose($fp); | ||
| return; | ||
| } | ||
|
|
||
| echo "<div>" | ||
| . '<span style="color: red">error: could not open the file for writing: <strong>' | ||
| . $logFile . "</strong></span><br>" | ||
| . "Check file permissions. The file should be writable by the webserver's user/group" | ||
| . "</div>"; | ||
| } | ||
|
|
||
| $logger_work = array(); | ||
|
|
||
| if ($configValues['CONFIG_LOG_PAGES'] == "yes" && isset($log) && !empty($log)) { | ||
| $logger_work['NOTICE'] = "$operator $log"; | ||
| } | ||
|
|
||
| if ($configValues['CONFIG_LOG_ACTIONS'] == "yes") { | ||
| if (isset($logAction)) { | ||
| $msgAction = $operator . " " . $logAction; | ||
| logMessage("ACTION", $msgAction, $configValues['CONFIG_LOG_FILE'], $_SERVER["SCRIPT_NAME"]); | ||
| } | ||
| if ($configValues['CONFIG_LOG_QUERIES'] == "yes" && isset($logQuery) && !empty($logQuery)) { | ||
| $logger_work['QUERIES'] = "$operator $logQuery"; | ||
| } | ||
|
|
||
|
|
||
| /******************************************************************************** | ||
| if ($configValues['CONFIG_LOG_ACTIONS'] == "yes" && isset($logAction) && !empty($logAction)) { | ||
| $logger_work['ACTIONS'] = "$operator $logAction"; | ||
| } | ||
|
|
||
| /* | ||
| ******************************************************************************** | ||
| * evaluating whether we need to debug SQL queries to the database as well. | ||
| * $logDebugSQL is set for each $sql = "query statement..." on the actual page | ||
| * in the following form: $logDebugSQL += $sql . "\n"; | ||
| * | ||
| ********************************************************************************/ | ||
| if ($configValues['CONFIG_DEBUG_SQL'] == "yes") { | ||
| if (isset($logDebugSQL)) { | ||
| $msgDebugSQL = "- SQL -" . " " . $logDebugSQL . " on page: "; | ||
| logMessage("DEBUG", $msgDebugSQL, $configValues['CONFIG_LOG_FILE'], $_SERVER["SCRIPT_NAME"]); | ||
| } | ||
| ******************************************************************************** | ||
| */ | ||
| if ($configValues['CONFIG_DEBUG_SQL'] == "yes" && isset($logDebugSQL) && !empty($logDebugSQL)) { | ||
| $logger_work['DEBUG'] = "- SQL -" . " " . $logDebugSQL . " on page: "; | ||
| } | ||
|
|
||
| /* the continuation of the CONFIG_DEBUG_SQL actually, this prints to the page | ||
| * being viewed */ | ||
| if ($configValues['CONFIG_DEBUG_SQL_ONPAGE'] == "yes") { | ||
| if (isset($logDebugSQL)) { | ||
| echo "<br/><br/>"; | ||
| echo "Debugging SQL Queries: <br/>"; | ||
| echo $logDebugSQL; | ||
| echo "<br/><br/>"; | ||
| } | ||
| foreach ($logger_work as $type => $message) { | ||
| logMessage($type, $message, $configValues['CONFIG_LOG_FILE'], $_SERVER["SCRIPT_NAME"]); | ||
| } | ||
|
|
||
|
|
||
|
|
||
| function logMessage($type, $msg, $logFile, $currPage) { | ||
| /* | ||
| * @param $type The message type, for example, NOTICE, DEBUG, ERROR, ACTION, etc... | ||
| * @param $msg The message string which should be logged to the file | ||
| * @param $logFile The full path for the filename to write logs to | ||
| * @param $currPage The current page that we included from | ||
| * @return $table The table name, either radcheck or radreply | ||
| */ | ||
|
|
||
| $date = date('M d G:i:s'); | ||
| $msgString = $date . " " . $type . " " . $msg . " " . $currPage; | ||
|
|
||
| $fp = fopen($logFile, "a"); | ||
| if ($fp) { | ||
| fwrite($fp, $msgString . "\n"); | ||
| fclose($fp); | ||
| } else { | ||
|
|
||
| echo "<font color='#FF0000'>error: could not open the file for writing:<b> $logFile </b><br/></font>"; | ||
| echo "Check file permissions. The file should be writable by the webserver's user/group<br/>"; | ||
| } | ||
|
|
||
| /* the continuation of the CONFIG_DEBUG_SQL actually, this prints to the page | ||
| * being viewed */ | ||
| if ($configValues['CONFIG_DEBUG_SQL_ONPAGE'] == "yes" && isset($logDebugSQL) && !empty($logDebugSQL)) { | ||
| echo "<br><br>" | ||
| . "Debugging SQL Queries: <br>" | ||
| . "<pre>$logDebugSQL</pre>" | ||
| . "<br><br>"; | ||
| } | ||
|
|
||
| ?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,27 +1,41 @@ | ||
| <?php | ||
| /********************************************************************* | ||
| * Name: actionMessages.php | ||
| * Author: Liran tal <liran.tal@gmail.com> | ||
| * | ||
| * This file provides control for messages that are printed to the | ||
| * screen in reply to actions such as applying forms, saving data, | ||
| * removing data and such. | ||
| * | ||
| *********************************************************************/ | ||
| /* | ||
| ********************************************************************************************************* | ||
| * daloRADIUS - RADIUS Web Platform | ||
| * Copyright (C) 2007 - Liran Tal <liran@enginx.com> All Rights Reserved. | ||
| * | ||
| * This program is free software; you can redistribute it and/or | ||
| * modify it under the terms of the GNU General Public License | ||
| * as published by the Free Software Foundation; either version 2 | ||
| * of the License, or (at your option) any later version. | ||
| * | ||
| * You should have received a copy of the GNU General Public License | ||
| * along with this program; if not, write to the Free Software | ||
| * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | ||
| * | ||
| ********************************************************************************************************* | ||
| * | ||
| * Description: | ||
| * This file provides control for messages that are printed to the | ||
| * screen in reply to actions such as applying forms, saving data, | ||
| * removing data and such. | ||
| * | ||
| * Authors: Liran Tal <liran@enginx.com> | ||
| * Filippo Lauria <filippo.lauria@iit.cnr.it> | ||
| * | ||
| ********************************************************************************************************* | ||
| */ | ||
|
|
||
|
|
||
| if ((isset($failureMsg)) && ($failureMsg != "")) { | ||
| echo "<div class='failure'> | ||
| $failureMsg | ||
| </div> | ||
| "; | ||
| // prevent this file to be directly accessed | ||
| if (strpos($_SERVER['PHP_SELF'], '/include/management/actionMessages.php') !== false) { | ||
| header("Location: ../../index.php"); | ||
| exit; | ||
| } | ||
|
|
||
|
|
||
| if ((isset($successMsg)) && ($successMsg != "")) { | ||
| echo "<div class='success'> | ||
| $successMsg | ||
| </div> | ||
| "; | ||
| if (isset($failureMsg) && !empty($failureMsg)) { | ||
| printf('<div class="failure">%s</div>', $failureMsg); | ||
| } | ||
|
|
||
| if (isset($successMsg) && !empty($successMsg)) { | ||
| printf('<div class="success">%s</div>', $successMsg); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.