1 <?php
/*
# Copyright (C) 2012 Alexander Weidinger <aw@sz9i.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
*/
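/**
 * Check one raw request value against a named constraint.
 *
 * Supported constraints:
 *   'empty_or_numeric' - empty() or is_numeric()
 *   'filepath'         - only letters, digits, space, '.', '_', '/', '-',
 *                        and no '..' sequence (directory traversal);
 *                        a leading '/' (absolute path) is still accepted
 *   'numeric'          - is_numeric()
 *   'regex'            - $regex must match the value
 *   'inverse_regex'    - $regex must not match the value
 * Any other constraint name is rejected.
 *
 * @param mixed  $value      Raw value from $_GET/$_POST/$_SERVER (normally a string).
 * @param string $constraint One of the constraint names above.
 * @param string $regex      PCRE pattern used by 'regex' and 'inverse_regex'.
 * @return bool true only when the value satisfies the constraint.
 */
function validate($value, $constraint, $regex='') {
    if ($value === null) {
        // A missing value behaves like the empty string it would be coerced to.
        $value = '';
    } elseif (!is_scalar($value)) {
        // Arrays (key[]=...) and objects cannot be pattern-matched; reject them
        // here instead of letting preg_match() error out and be read as "no match".
        return false;
    }
    switch ($constraint) {
        case 'empty_or_numeric':
            return empty($value) || validate($value, 'numeric');
        case 'filepath':
            return validate($value, 'regex', '/^[a-z0-9 ._\/-]+$/i')
                && validate($value, 'inverse_regex', '/\.\./');
        case 'numeric':
            return is_numeric($value);
        case 'regex':
            // preg_match() returns false on a bad pattern or PCRE error;
            // only a real match (1) counts as valid.
            return preg_match($regex, (string) $value) === 1;
        case 'inverse_regex':
            // Fail closed: a PCRE error (false) must not pass as "did not match".
            return preg_match($regex, (string) $value) === 0;
        default:
            return false;
    }
}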
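/**
 * Validate a request parameter wherever it appears, or terminate the request.
 *
 * The key is looked up in $_GET, $_POST and $_SERVER; every occurrence is
 * checked with validate(), so one source cannot shadow another. On the first
 * failure the script ends with a short HTML message and a 400 status.
 *
 * @param string $key        Parameter name to look up.
 * @param string $constraint Constraint name understood by validate().
 * @param string $regex      PCRE pattern for 'regex' / 'inverse_regex'.
 * @return void
 */
function valid_or_dead($key, $constraint, $regex='') {
    foreach (array($_GET, $_POST, $_SERVER) as $source) {
        if (!array_key_exists($key, $source)) {
            continue;
        }
        $value = $source[$key];
        if (validate($value, $constraint, $regex)) {
            continue;
        }
        // A non-scalar value (key[]=...) would make htmlspecialchars() itself
        // fail; report its type instead of echoing it.
        $shown = is_scalar($value)
            ? strip_tags(htmlspecialchars((string) $value))
            : gettype($value);
        // A rejected request is a client error, not a successful page.
        if (!headers_sent()) {
            http_response_code(400);
        }
        die('Input validation of '.$key.' failed! <br/>'
            .'Constraint: "'.$constraint.'" <br/>'
            .'Value: "'.$shown.'"');
    }
}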
// Request parameters are checked up front, in this order; the first value that
// fails its constraint terminates the request inside valid_or_dead().
// NOTE(review): '/[a-z0-9]*/i' is unanchored and '*' allows an empty match, so
// every string satisfies it; the other patterns below are anchored with '^...$'.
valid_or_dead('action',         'regex',            '/[a-z0-9]*/i');
valid_or_dead('brightness',     'empty_or_numeric');
valid_or_dead('contrast',       'empty_or_numeric');
valid_or_dead('depth',          'numeric');
valid_or_dead('first',          'regex',            '/^[01]$/i');      // 0/1 flag
valid_or_dead('format',         'regex',            '/^[a-z]+$/i');
valid_or_dead('pos_x',          'numeric');
valid_or_dead('pos_y',          'numeric');
valid_or_dead('geometry_x',     'numeric');
valid_or_dead('geometry_y',     'numeric');
valid_or_dead('lang_id',        'numeric');
valid_or_dead('mode',           'regex',            '/^[a-z]+$/i');
// NOTE(review): 'filepath' rejects '..' but still accepts a leading '/', so the
// code that opens these names should additionally confine them to the
// application's own directory.
valid_or_dead('file_name',      'filepath');
valid_or_dead('preview_images', 'filepath');
valid_or_dead('resolution',     'regex',            '/^(|auto|[0-9]+)$/i'); // empty, 'auto' or a number
valid_or_dead('sid',            'filepath');
// NOTE(review): a deny-list of shell operators is not a complete defence on
// its own; the value must also go through escapeshellarg() at the point where
// it reaches the shell.
valid_or_dead('usr_opt',        'inverse_regex',    '(;|&&|\|\||<|>|<<|>>)');
valid_or_dead('file_save',      'filepath');
// NOTE(review): this line re-checks 'first' a second time; the parameter the
// original comment names, 'file_save_image', is never validated here.
valid_or_dead('first',          'regex',            '/^[01]$/i');
// Client address as reported by the web server.
valid_or_dead('REMOTE_ADDR',    'regex',            '/^[0-9.:]+$/i');