PHP Classes

File: vendor/jackbooted/security/TamperGuard.php

Recommend this page to a friend!
  Classes of Brett Dutton   JackBooted PHP Framework   vendor/jackbooted/security/TamperGuard.php   Download  
File: vendor/jackbooted/security/TamperGuard.php
Role: Class source
Content type: text/plain
Description: Class source
Class: JackBooted PHP Framework
Web application framework using simplified MVC
Author: By
Last change:
Date: 8 years ago
Size: 4,726 bytes
 

Contents

Class file image Download
<?php
namespace Jackbooted\Security;

use \
Jackbooted\Config\Cfg;
use \
Jackbooted\Forms\Request;
use \
Jackbooted\Forms\Response;
use \
Jackbooted\Util\Log4PHP;
/**
 * @copyright Confidential and copyright (c) 2016 Jackbooted Software. All rights reserved.
 *
 * Written by Brett Dutton of Jackbooted Software
 * brett at brettdutton dot com
 *
 * This software is written and distributed under the GNU General Public
 * License which means that its source code is freely-distributed and
 * available to the general public.
 */

class TamperGuard extends \Jackbooted\Util\JB {
    const
CHECKSUM = '_CS';

    private static
$log;
    public static
$knownFields;

    public static function
init () {
       
self::$log = Log4PHP::logFactory ( __CLASS__ );
       
self::$knownFields = [ 'XDEBUG_SESSION_START', 'XDEBUG_PROFILE' ];
    }

    public function
__construct () {
       
parent::__construct();
    }

    public static function
known ( $key ) {
       
self::$knownFields[] = $key;
    }

    public static function
del ( Response $response ) {
       
$response->del ( self::CHECKSUM );
    }

    public static function
add ( Response $response ) {
       
$keyList = [];
       
$valList = [];

        foreach (
$response as $key => $val ) {
            if (
is_array ( $val ) ) {
                foreach (
$val as $key1 => $val1 ) {
                    if (
is_array ( $val1 ) ) continue;
                   
$keyList[] = '[' . $key . '][' . $key1 . ']';
                   
$valList[] = $val1;
                }
            }
            else {
                if ( (
$loc = strpos ( $key, '[' ) ) !== false ) {
                   
$keyList[] = '[' . substr ( $key, 0, $loc ) . ']' . substr ( $key, $loc );
                }
                else {
                   
$keyList[] = '[' . $key . ']';
                }
               
$valList[] = $val;
            }
        }

       
$flatKeyList = join ( ',', $keyList );
       
$hash = md5 ( $flatKeyList . join ( '', $valList ) );
       
$response->set ( self::CHECKSUM, [ $flatKeyList, $hash ] );
    }


    public static function
check ( Request $request ) {
        if ( (
$formVarLen = $request->count() ) == 0 ) return true;
        foreach (
$request as $key => $val ) {
            if (
in_array ( $key, self::$knownFields ) ) {
               
$formVarLen --;
            }
        }
        if (
$formVarLen <= 0 ) return true;

        if ( (
$checksum = $request->getVar ( self::CHECKSUM ) ) == '' ) {
           
$request->clear ();
            if (
Cfg::get( 'jb_tamper_detail', false ) ) {
                return
'Checksum Variable Missing from the request.';
            }
            else {
               
self::$log->error ( 'Checksum Variable Missing from the request: ' . $_SERVER['SCRIPT_NAME'] );
                return
false;
            }
        }
        else if ( !
is_array ( $checksum ) ) {
           
$request->clear ();
            if (
Cfg::get( 'jb_tamper_detail', false ) ) {
                return
'Checksum Variable not an array.';
            }
            else {
               
self::$log->error ( 'Checksum Variable not an array: ' . $_SERVER['SCRIPT_NAME'] );
                return
false;
            }
        }
        else if (
count ( $checksum ) != 2 ) {
           
$request->clear ();
            if (
Cfg::get( 'jb_tamper_detail', false ) ) {
                return
'Checksum Variable not 2 elements.';
            }
            else {
               
self::$log->error ( 'Checksum Variable not 2 elements: ' . $_SERVER['SCRIPT_NAME'] );
                return
false;
            }
        }
        else {
            if ( ! empty (
$checksum[0] ) ) {
               
$keys = explode ( ',', $checksum[0] );
               
$allVariablesJoined = $checksum[0];
                foreach (
$keys as $key ) {
                   
$allVariablesJoined .= $request->getRaw ( $key );
                }
            }
            else {
               
$allVariablesJoined = '';
            }

            if (
md5 ( $allVariablesJoined ) != $checksum[1] ) {
               
$request->clear ();
                if (
Cfg::get( 'jb_tamper_detail', false ) ) {
                    return
'Checksum failed md5('.$allVariablesJoined.')<>'. $checksum[1];
                }
                else {
                   
self::$log->error ( 'The checksum has failed. The request variables have been tampered: ' . $_SERVER['SCRIPT_NAME'] );
                    return
false;
                }
               
self::$log->error ( 'The checksum has failed. The request variables have been tampered. ' . $_SERVER['SCRIPT_NAME'] );
            }
            else {
                return
true;
            }
        }
    }
}