library/sanitize.inc.php

   1 <?php
   2 /**
   3 * Function to check and/or sanitize things for security such as
   4 * directories names, file names, etc.
   5  *
   6  * @package OpenEMR
   7  * @link    http://www.open-emr.org
   8  * @author  Brady Miller <brady.g.miller@gmail.com>
   9  * @author  Roberto Vasquez <robertogagliotta@gmail.com>
  10  * @author  Shachar Zilbershlag <shaharzi@matrix.co.il>
  11  * @copyright Copyright (c) 2012-2017 Brady Miller <brady.g.miller@gmail.com>
  12  * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  13  */
  14
  15
  16 // If the label contains any illegal characters, then the script will die.
  17 function check_file_dir_name($label)
  18 {
  19     if (empty($label) || preg_match('/[^A-Za-z0-9_.-]/', $label)) {
  20         error_log("ERROR: The following variable contains invalid characters:" . $label);
  21         die(xlt("ERROR: The following variable contains invalid characters").": ". attr($label));
  22     }
  23 }
  24
  25 // Convert all illegal characters to _
  26 function convert_safe_file_dir_name($label)
  27 {
  28     return preg_replace('/[^A-Za-z0-9_.-]/', '_', $label);
  29 }
  30
  31 //Basename functionality for nonenglish languages (without this, basename function ommits nonenglish characters).
  32 function basename_international($path)
  33 {
  34     $parts = preg_split('~[\\\\/]~', $path);
  35     foreach ($parts as $key => $value) {
  36         $encoded = urlencode($value);
  37         $parts[$key] = $encoded;
  38     }
  39
  40     $encoded_path = implode("/", $parts);
  41     $encoded_file_name = basename($encoded_path);
  42     $decoded_file_name = urldecode($encoded_file_name);
  43
  44     return $decoded_file_name;
  45 }
  46
  47
  48 /**
  49  * This function detects a MIME type for a file and check if it in the white list of the allowed mime types.
  50  * @param string $file - file location.
  51  * @param array|null $whiteList - array of mime types that allowed to upload.
  52  */
  53 // Regarding the variable below. In the case of multiple file upload the isWhiteList function will run multiple
  54 // times, therefore, storing the white list in the variable below to prevent multiple requests from database.
  55 $white_list = null;
  56 function isWhiteFile($file)
  57 {
  58     global $white_list;
  59     if (is_null($white_list)) {
  60         $white_list = array();
  61         $lres = sqlStatement("SELECT option_id FROM list_options WHERE list_id = 'files_white_list' AND activity = 1");
  62         while ($lrow = sqlFetchArray($lres)) {
  63             $white_list[] = $lrow['option_id'];
  64         }
  65     }
  66
  67     $mimetype  = mime_content_type($file);
  68     if (in_array($mimetype, $white_list)) {
  69         return true;
  70     } else {
  71         $splitMimeType = explode('/', $mimetype);
  72         $categoryType = $splitMimeType[0];
  73         if (in_array($categoryType. '/*', $white_list)) {
  74             return true;
  75         }
  76     }
  77
  78     return false;
  79 }
  80
  81 // Sanitize a value to ensure it is a number.
  82 function sanitizeNumber($number)
  83 {
  84     $clean_number = $number +0 ;
  85
  86     if ($clean_number==$number) {
  87         return $clean_number;
  88     } else {
  89         error_log('Custom validation error: Parameter contains non-numeric value (A numeric value expected)');
  90         return $clean_number;
  91     }
  92 }