library/sanitize.inc.php

   1 <?php
   2 /**
   3 * Function to check and/or sanitize things for security such as
   4 * directories names, file names, etc.
   5  *
   6  * @package   OpenEMR
   7  * @link      http://www.open-emr.org
   8  * @author    Brady Miller <brady.g.miller@gmail.com>
   9  * @author    Roberto Vasquez <robertogagliotta@gmail.com>
  10  * @author    Shachar Zilbershlag <shaharzi@matrix.co.il>
  11  * @copyright Copyright (c) 2012-2018 Brady Miller <brady.g.miller@gmail.com>
  12  * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  13  */
  14
  15
  16 // If the label contains any illegal characters, then the script will die.
  17 function check_file_dir_name($label)
  18 {
  19     if (empty($label) || preg_match('/[^A-Za-z0-9_.-]/', $label)) {
  20         error_log("ERROR: The following variable contains invalid characters:" . $label);
  21         die(xlt("ERROR: The following variable contains invalid characters").": ". attr($label));
  22     }
  23 }
  24
  25 // Convert all illegal characters to _
  26 function convert_safe_file_dir_name($label)
  27 {
  28     return preg_replace('/[^A-Za-z0-9_.-]/', '_', $label);
  29 }
  30
  31 // Convert all non A-Z a-z 0-9 characters to _
  32 function convert_very_strict_label($label)
  33 {
  34     return preg_replace('/[^A-Za-z0-9]/', '_', $label);
  35 }
  36
  37 //Basename functionality for nonenglish languages (without this, basename function omits nonenglish characters).
  38 function basename_international($path)
  39 {
  40     $parts = preg_split('~[\\\\/]~', $path);
  41     foreach ($parts as $key => $value) {
  42         $encoded = urlencode($value);
  43         $parts[$key] = $encoded;
  44     }
  45
  46     $encoded_path = implode("/", $parts);
  47     $encoded_file_name = basename($encoded_path);
  48     $decoded_file_name = urldecode($encoded_file_name);
  49
  50     return $decoded_file_name;
  51 }
  52
  53
  54 /**
  55  * This function detects a MIME type for a file and check if it in the white list of the allowed mime types.
  56  * @param string $file - file location.
  57  * @param array|null $whiteList - array of mime types that allowed to upload.
  58  */
  59 // Regarding the variable below. In the case of multiple file upload the isWhiteList function will run multiple
  60 // times, therefore, storing the white list in the variable below to prevent multiple requests from database.
  61 $white_list = null;
  62 function isWhiteFile($file)
  63 {
  64     global $white_list;
  65     if (is_null($white_list)) {
  66         $white_list = array();
  67         $lres = sqlStatement("SELECT option_id FROM list_options WHERE list_id = 'files_white_list' AND activity = 1");
  68         while ($lrow = sqlFetchArray($lres)) {
  69             $white_list[] = $lrow['option_id'];
  70         }
  71     }
  72
  73     $mimetype  = mime_content_type($file);
  74     if (in_array($mimetype, $white_list)) {
  75         return true;
  76     } else {
  77         $splitMimeType = explode('/', $mimetype);
  78         $categoryType = $splitMimeType[0];
  79         if (in_array($categoryType. '/*', $white_list)) {
  80             return true;
  81         }
  82     }
  83
  84     return false;
  85 }
  86
  87 // Sanitize a value to ensure it is a number.
  88 function sanitizeNumber($number)
  89 {
  90     $clean_number = $number +0 ;
  91
  92     if ($clean_number==$number) {
  93         return $clean_number;
  94     } else {
  95         error_log('Custom validation error: Parameter contains non-numeric value (A numeric value expected)');
  96         return $clean_number;
  97     }
  98 }