library/sanitize.inc.php

   1 <?php
   2
   3 /**
   4  * Function to check and/or sanitize things for security such as
   5  * directories names, file names, etc.
   6  * Also including csrf token management functions.
   7  *
   8  * @package   OpenEMR
   9  * @link      https://www.open-emr.org
  10  * @author    Brady Miller <brady.g.miller@gmail.com>
  11  * @author    Roberto Vasquez <robertogagliotta@gmail.com>
  12  * @author    Shachar Zilbershlag <shaharzi@matrix.co.il>
  13  * @copyright Copyright (c) 2012-2018 Brady Miller <brady.g.miller@gmail.com>
  14  * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  15  */
  16
  17
  18 // Function to collect ip address(es)
  19 function collectIpAddresses()
  20 {
  21     $mainIp = $_SERVER['REMOTE_ADDR'];
  22     $stringIp = $mainIp;
  23
  24     if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
  25         $forwardIp = $_SERVER['HTTP_X_FORWARDED_FOR'];
  26         $stringIp .= " (" . $forwardIp . ")";
  27     }
  28
  29     return array(
  30         'ip_string' => $stringIp,
  31         'ip' => $mainIp,
  32         'forward_ip' => $forwardIp ?? ''
  33     );
  34 }
  35
  36 // Sanitize a json encoded entry.
  37 function json_sanitize($json)
  38 {
  39     if (json_decode($json)) {
  40         return json_encode(json_decode($json, true));
  41     } else {
  42         error_log("OPENEMR ERROR: " . errorLogEscape($json) . " is not a valid json ");
  43         return false;
  44     }
  45 }
  46
  47 // If the label contains any illegal characters, then the script will die.
  48 function check_file_dir_name($label)
  49 {
  50     if (empty($label) || preg_match('/[^A-Za-z0-9_.-]/', $label)) {
  51         error_log("ERROR: The following variable contains invalid characters:" . errorLogEscape($label));
  52         die(xlt("ERROR: The following variable contains invalid characters") . ": " . attr($label));
  53     } else {
  54         return $label;
  55     }
  56 }
  57
  58 // Convert all illegal characters to _
  59 function convert_safe_file_dir_name($label)
  60 {
  61     return preg_replace('/[^A-Za-z0-9_.-]/', '_', $label);
  62 }
  63
  64 // Convert all non A-Z a-z 0-9 characters to _
  65 function convert_very_strict_label($label)
  66 {
  67     return preg_replace('/[^A-Za-z0-9]/', '_', $label);
  68 }
  69
  70 // Check integer
  71 function check_integer($value)
  72 {
  73     return (empty(preg_match('/[^0-9]/', $value)));
  74 }
  75
  76 //Basename functionality for nonenglish languages (without this, basename function omits nonenglish characters).
  77 function basename_international($path)
  78 {
  79     $parts = preg_split('~[\\\\/]~', $path);
  80     foreach ($parts as $key => $value) {
  81         $encoded = urlencode($value);
  82         $parts[$key] = $encoded;
  83     }
  84
  85     $encoded_path = implode("/", $parts);
  86     $encoded_file_name = basename($encoded_path);
  87     $decoded_file_name = urldecode($encoded_file_name);
  88
  89     return $decoded_file_name;
  90 }
  91
  92
  93 /**
  94  * This function detects a MIME type for a file and check if it in the white list of the allowed mime types.
  95  * @param string $file - file location.
  96  * @param array|null $whiteList - array of mime types that allowed to upload.
  97  */
  98 // Regarding the variable below. In the case of multiple file upload the isWhiteList function will run multiple
  99 // times, therefore, storing the white list in the variable below to prevent multiple requests from database.
 100 $white_list = null;
 101 function isWhiteFile($file)
 102 {
 103     global $white_list;
 104     if (is_null($white_list)) {
 105         $white_list = array();
 106         $lres = sqlStatement("SELECT option_id FROM list_options WHERE list_id = 'files_white_list' AND activity = 1");
 107         while ($lrow = sqlFetchArray($lres)) {
 108             $white_list[] = $lrow['option_id'];
 109         }
 110     }
 111
 112     $mimetype  = mime_content_type($file);
 113     if (in_array($mimetype, $white_list)) {
 114         return true;
 115     } else {
 116         $splitMimeType = explode('/', $mimetype);
 117         $categoryType = $splitMimeType[0];
 118         if (in_array($categoryType . '/*', $white_list)) {
 119             return true;
 120         }
 121     }
 122
 123     return false;
 124 }
 125
 126 // Sanitize a value to ensure it is a number.
 127 function sanitizeNumber($number)
 128 {
 129     $clean_number = $number + 0 ;
 130
 131     if ($clean_number == $number) {
 132         return $clean_number;
 133     } else {
 134         error_log('Custom validation error: Parameter contains non-numeric value (A numeric value expected)');
 135         return $clean_number;
 136     }
 137 }
 138
 139 /**
 140  * Function to get sql statement for empty datetime check.
 141  *
 142  * @param  string  $sqlColumn     SQL column/field name
 143  * @param  boolean  $time         flag used to determine if it's a datetime or a date
 144  * @param  boolean  $rev          flag used to reverse the condition
 145  * @return string                 SQL statement checking if passed column is empty
 146  */
 147
 148 function dateEmptySql($sqlColumn, $time = false, $rev = false)
 149 {
 150     if (!$rev) {
 151         if ($time) {
 152             $stat = " (`"  .  $sqlColumn . "` IS NULL OR `" .  $sqlColumn . "`= '0000-00-00 00:00:00') ";
 153         } else {
 154             $stat = " (`"  .  $sqlColumn . "` IS NULL OR `" .  $sqlColumn . "`= '0000-00-00') ";
 155         }
 156     } else {
 157         if ($time) {
 158             $stat = " (`"  .  $sqlColumn . "` IS NOT NULL AND `" .  $sqlColumn . "`!= '0000-00-00 00:00:00') ";
 159         } else {
 160             $stat = " (`"  .  $sqlColumn . "` IS NOT NULL AND `" .  $sqlColumn . "`!= '0000-00-00') ";
 161         }
 162     }
 163
 164     return $stat;
 165 }