3 * Function to check and/or sanitize things for security such as
4 * directories names, file names, etc.
5 * Also including csrf token management functions.
8 * @link http://www.open-emr.org
9 * @author Brady Miller <brady.g.miller@gmail.com>
10 * @author Roberto Vasquez <robertogagliotta@gmail.com>
11 * @author Shachar Zilbershlag <shaharzi@matrix.co.il>
12 * @copyright Copyright (c) 2012-2018 Brady Miller <brady.g.miller@gmail.com>
13 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
16 // Function to create a random unique token
17 // Length is in bytes that the openssl_random_pseudo_bytes() function will create
18 function createUniqueToken($length = 32)
20 if (!extension_loaded('openssl')) {
21 error_log("OpenEMR Error : OpenEMR is not working because missing openssl extension.");
22 die("OpenEMR Error : OpenEMR is not working because missing openssl extension.");
25 $uniqueToken = base64_encode(openssl_random_pseudo_bytes($length));
27 if (empty($uniqueToken)) {
28 error_log("OpenEMR Error : OpenEMR is not working because a random unique token is not being formed correctly.");
29 die("OpenEMR Error : OpenEMR is not working because a random unique token is not being formed correctly.");
35 // Function to create a csrf_token
36 function createCsrfToken()
38 return createUniqueToken(32);
41 // Function to collect the csrf token
42 function collectCsrfToken()
44 return $_SESSION['csrf_token'];
47 // Function to verify a csrf_token
48 function verifyCsrfToken($token)
50 if (empty(collectCsrfToken())) {
51 error_log("OpenEMR Error : OpenEMR is potentially not secure because CSRF token was not formed correctly.");
53 } elseif (empty($token)) {
55 } elseif (collectCsrfToken() == $token) {
62 // If the label contains any illegal characters, then the script will die.
63 function check_file_dir_name($label)
65 if (empty($label) ||
preg_match('/[^A-Za-z0-9_.-]/', $label)) {
66 error_log("ERROR: The following variable contains invalid characters:" . $label);
67 die(xlt("ERROR: The following variable contains invalid characters").": ". attr($label));
73 // Convert all illegal characters to _
74 function convert_safe_file_dir_name($label)
76 return preg_replace('/[^A-Za-z0-9_.-]/', '_', $label);
79 // Convert all non A-Z a-z 0-9 characters to _
80 function convert_very_strict_label($label)
82 return preg_replace('/[^A-Za-z0-9]/', '_', $label);
85 //Basename functionality for nonenglish languages (without this, basename function omits nonenglish characters).
86 function basename_international($path)
88 $parts = preg_split('~[\\\\/]~', $path);
89 foreach ($parts as $key => $value) {
90 $encoded = urlencode($value);
91 $parts[$key] = $encoded;
94 $encoded_path = implode("/", $parts);
95 $encoded_file_name = basename($encoded_path);
96 $decoded_file_name = urldecode($encoded_file_name);
98 return $decoded_file_name;
103 * This function detects a MIME type for a file and check if it in the white list of the allowed mime types.
104 * @param string $file - file location.
105 * @param array|null $whiteList - array of mime types that allowed to upload.
107 // Regarding the variable below. In the case of multiple file upload the isWhiteList function will run multiple
108 // times, therefore, storing the white list in the variable below to prevent multiple requests from database.
110 function isWhiteFile($file)
113 if (is_null($white_list)) {
114 $white_list = array();
115 $lres = sqlStatement("SELECT option_id FROM list_options WHERE list_id = 'files_white_list' AND activity = 1");
116 while ($lrow = sqlFetchArray($lres)) {
117 $white_list[] = $lrow['option_id'];
121 $mimetype = mime_content_type($file);
122 if (in_array($mimetype, $white_list)) {
125 $splitMimeType = explode('/', $mimetype);
126 $categoryType = $splitMimeType[0];
127 if (in_array($categoryType. '/*', $white_list)) {
135 // Sanitize a value to ensure it is a number.
136 function sanitizeNumber($number)
138 $clean_number = $number +
0 ;
140 if ($clean_number==$number) {
141 return $clean_number;
143 error_log('Custom validation error: Parameter contains non-numeric value (A numeric value expected)');
144 return $clean_number;