2013-07-18 07:09:21 +02:00
|
|
|
<?php
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Class ParameterConfirmationToken
|
|
|
|
*
|
|
|
|
* When you need to use a dangerous GET parameter that needs to be set before core/Core.php is
|
|
|
|
* established, this class takes care of allowing some other code of confirming the parameter,
|
|
|
|
* by generating a one-time-use token & redirecting with that token included in the redirected URL
|
|
|
|
*
|
|
|
|
* WARNING: This class is experimental and designed specifically for use pre-startup in main.php
|
|
|
|
* It will likely be heavily refactored before the release of 3.2
|
|
|
|
*/
|
|
|
|
class ParameterConfirmationToken {
|
|
|
|
protected $parameterName = null;
|
|
|
|
protected $parameter = null;
|
|
|
|
protected $token = null;
|
|
|
|
|
|
|
|
protected function pathForToken($token) {
|
|
|
|
if (defined('BASE_PATH')) {
|
|
|
|
$basepath = BASE_PATH;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$basepath = rtrim(dirname(dirname(dirname(dirname(__FILE__)))), DIRECTORY_SEPARATOR);
|
|
|
|
}
|
|
|
|
|
2013-07-19 04:33:56 +02:00
|
|
|
require_once(dirname(dirname(__FILE__)).'/TempPath.php');
|
2013-07-18 07:09:21 +02:00
|
|
|
$tempfolder = getTempFolder($basepath ? $basepath : DIRECTORY_SEPARATOR);
|
|
|
|
|
|
|
|
return $tempfolder.'/token_'.preg_replace('/[^a-z0-9]+/', '', $token);
|
|
|
|
}
|
|
|
|
|
|
|
|
protected function genToken() {
|
|
|
|
// Generate a new random token (as random as possible)
|
2013-07-19 04:33:56 +02:00
|
|
|
require_once(dirname(dirname(dirname(__FILE__))).'/security/RandomGenerator.php');
|
2013-07-18 07:09:21 +02:00
|
|
|
$rg = new RandomGenerator();
|
|
|
|
$token = $rg->randomToken('md5');
|
|
|
|
|
|
|
|
// Store a file in the session save path (safer than /tmp, as open_basedir might limit that)
|
|
|
|
file_put_contents($this->pathForToken($token), $token);
|
|
|
|
|
|
|
|
return $token;
|
|
|
|
}
|
|
|
|
|
|
|
|
protected function checkToken($token) {
|
|
|
|
$file = $this->pathForToken($token);
|
|
|
|
$content = null;
|
|
|
|
|
|
|
|
if (file_exists($file)) {
|
|
|
|
$content = file_get_contents($file);
|
|
|
|
unlink($file);
|
|
|
|
}
|
|
|
|
|
|
|
|
return $content == $token;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function __construct($parameterName) {
|
|
|
|
// Store the parameter name
|
|
|
|
$this->parameterName = $parameterName;
|
|
|
|
// Store the parameter value
|
|
|
|
$this->parameter = isset($_GET[$parameterName]) ? $_GET[$parameterName] : null;
|
|
|
|
// Store the token
|
|
|
|
$this->token = isset($_GET[$parameterName.'token']) ? $_GET[$parameterName.'token'] : null;
|
|
|
|
|
|
|
|
// If a token was provided, but isn't valid, just throw a 403
|
|
|
|
if ($this->token && (!$this->checkToken($this->token))) {
|
|
|
|
header("HTTP/1.0 403 Forbidden", true, 403);
|
|
|
|
die;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public function parameterProvided() {
|
|
|
|
return $this->parameter !== null;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function tokenProvided() {
|
|
|
|
return $this->token !== null;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function params() {
|
|
|
|
return array(
|
|
|
|
$this->parameterName => $this->parameter,
|
|
|
|
$this->parameterName.'token' => $this->genToken()
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
public function reloadWithToken() {
|
|
|
|
global $url;
|
|
|
|
|
|
|
|
// Are we http or https?
|
|
|
|
$proto = 'http';
|
|
|
|
|
|
|
|
if(isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])) {
|
|
|
|
if(strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') $proto = 'https';
|
|
|
|
}
|
|
|
|
|
|
|
|
if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) $proto = 'https';
|
|
|
|
if(isset($_SERVER['SSL'])) $proto = 'https';
|
|
|
|
|
|
|
|
// What's our host
|
|
|
|
$host = $_SERVER['HTTP_HOST'];
|
|
|
|
|
|
|
|
// What's our GET params (ensuring they include the original parameter + a new token)
|
|
|
|
$params = array_merge($_GET, $this->params());
|
|
|
|
unset($params['url']);
|
|
|
|
|
|
|
|
// Join them all together into the original URL
|
|
|
|
$location = "$proto://" . $host . BASE_URL . $url . ($params ? '?'.http_build_query($params) : '');
|
|
|
|
|
|
|
|
// And redirect
|
|
|
|
header('location: '.$location, true, 302);
|
|
|
|
die;
|
|
|
|
}
|
|
|
|
}
|