library/sanitize.inc.php

   1 <?php
   2 /**
   3  * Function to check and/or sanitize things for security such as
   4  * directories names, file names, etc.
   5  * Also including csrf token management functions.
   6  *
   7  * @package   OpenEMR
   8  * @link      http://www.open-emr.org
   9  * @author    Brady Miller <brady.g.miller@gmail.com>
  10  * @author    Roberto Vasquez <robertogagliotta@gmail.com>
  11  * @author    Shachar Zilbershlag <shaharzi@matrix.co.il>
  12  * @copyright Copyright (c) 2012-2018 Brady Miller <brady.g.miller@gmail.com>
  13  * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  14  */
  15
  16 // Function to create a random unique token
  17 // Length is in bytes that the openssl_random_pseudo_bytes() function will create
  18 function createUniqueToken($length = 32)
  19 {
  20     if (!extension_loaded('openssl')) {
  21         error_log("OpenEMR Error : OpenEMR is not working because missing openssl extension.");
  22         die("OpenEMR Error : OpenEMR is not working because missing openssl extension.");
  23     }
  24
  25     $uniqueToken = base64_encode(openssl_random_pseudo_bytes($length));
  26
  27     if (empty($uniqueToken)) {
  28         error_log("OpenEMR Error : OpenEMR is not working because a random unique token is not being formed correctly.");
  29         die("OpenEMR Error : OpenEMR is not working because a random unique token is not being formed correctly.");
  30     }
  31
  32     return $uniqueToken;
  33 }
  34
  35 // Function to create a csrf_token
  36 function createCsrfToken()
  37 {
  38     return createUniqueToken(32);
  39 }
  40
  41 // Function to collect the csrf token
  42 function collectCsrfToken()
  43 {
  44     return $_SESSION['csrf_token'];
  45 }
  46
  47 // Function to verify a csrf_token
  48 function verifyCsrfToken($token)
  49 {
  50     if (empty(collectCsrfToken())) {
  51         error_log("OpenEMR Error : OpenEMR is potentially not secure because CSRF token was not formed correctly.");
  52         return false;
  53     } elseif (empty($token)) {
  54         return false;
  55     } elseif (collectCsrfToken() == $token) {
  56         return true;
  57     } else {
  58         return false;
  59     }
  60 }
  61
  62 // If the label contains any illegal characters, then the script will die.
  63 function check_file_dir_name($label)
  64 {
  65     if (empty($label) || preg_match('/[^A-Za-z0-9_.-]/', $label)) {
  66         error_log("ERROR: The following variable contains invalid characters:" . $label);
  67         die(xlt("ERROR: The following variable contains invalid characters").": ". attr($label));
  68     } else {
  69         return $label;
  70     }
  71 }
  72
  73 // Convert all illegal characters to _
  74 function convert_safe_file_dir_name($label)
  75 {
  76     return preg_replace('/[^A-Za-z0-9_.-]/', '_', $label);
  77 }
  78
  79 // Convert all non A-Z a-z 0-9 characters to _
  80 function convert_very_strict_label($label)
  81 {
  82     return preg_replace('/[^A-Za-z0-9]/', '_', $label);
  83 }
  84
  85 //Basename functionality for nonenglish languages (without this, basename function omits nonenglish characters).
  86 function basename_international($path)
  87 {
  88     $parts = preg_split('~[\\\\/]~', $path);
  89     foreach ($parts as $key => $value) {
  90         $encoded = urlencode($value);
  91         $parts[$key] = $encoded;
  92     }
  93
  94     $encoded_path = implode("/", $parts);
  95     $encoded_file_name = basename($encoded_path);
  96     $decoded_file_name = urldecode($encoded_file_name);
  97
  98     return $decoded_file_name;
  99 }
 100
 101
 102 /**
 103  * This function detects a MIME type for a file and check if it in the white list of the allowed mime types.
 104  * @param string $file - file location.
 105  * @param array|null $whiteList - array of mime types that allowed to upload.
 106  */
 107 // Regarding the variable below. In the case of multiple file upload the isWhiteList function will run multiple
 108 // times, therefore, storing the white list in the variable below to prevent multiple requests from database.
 109 $white_list = null;
 110 function isWhiteFile($file)
 111 {
 112     global $white_list;
 113     if (is_null($white_list)) {
 114         $white_list = array();
 115         $lres = sqlStatement("SELECT option_id FROM list_options WHERE list_id = 'files_white_list' AND activity = 1");
 116         while ($lrow = sqlFetchArray($lres)) {
 117             $white_list[] = $lrow['option_id'];
 118         }
 119     }
 120
 121     $mimetype  = mime_content_type($file);
 122     if (in_array($mimetype, $white_list)) {
 123         return true;
 124     } else {
 125         $splitMimeType = explode('/', $mimetype);
 126         $categoryType = $splitMimeType[0];
 127         if (in_array($categoryType. '/*', $white_list)) {
 128             return true;
 129         }
 130     }
 131
 132     return false;
 133 }
 134
 135 // Sanitize a value to ensure it is a number.
 136 function sanitizeNumber($number)
 137 {
 138     $clean_number = $number +0 ;
 139
 140     if ($clean_number==$number) {
 141         return $clean_number;
 142     } else {
 143         error_log('Custom validation error: Parameter contains non-numeric value (A numeric value expected)');
 144         return $clean_number;
 145     }
 146 }