search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
log ip improve (#1928)
[openemr.git] / library / sanitize.inc.php
blobad41a94f31bf154b92de194aea895dfddfeaef6e
1 <?php
2 /**
3 * Function to check and/or sanitize things for security such as
4 * directories names, file names, etc.
5 * Also including csrf token management functions.
6 *
7 * @package OpenEMR
8 * @link http://www.open-emr.org
9 * @author Brady Miller <brady.g.miller@gmail.com>
10 * @author Roberto Vasquez <robertogagliotta@gmail.com>
11 * @author Shachar Zilbershlag <shaharzi@matrix.co.il>
12 * @copyright Copyright (c) 2012-2018 Brady Miller <brady.g.miller@gmail.com>
13 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
14 */
15
16 // Function to collect ip address(es)
17 function collectIpAddresses()
18 {
19 $mainIp = $_SERVER['REMOTE_ADDR'];
20 $stringIp = $mainIp;
21
22 if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
23 $forwardIp = $_SERVER['HTTP_X_FORWARDED_FOR'];
24 $stringIp .= " (" . $forwardIp . ")";
25 }
26
27 return array(
28 'ip_string' => $stringIp,
29 'ip' => $mainIp,
30 'forward_ip' => $forwardIp
31 );
32 }
33
34 // Function to create a random unique token
35 // Length is in bytes that the openssl_random_pseudo_bytes() function will create
36 function createUniqueToken($length = 32)
37 {
38 if (!extension_loaded('openssl')) {
39 error_log("OpenEMR Error : OpenEMR is not working because missing openssl extension.");
40 die("OpenEMR Error : OpenEMR is not working because missing openssl extension.");
41 }
42
43 $uniqueToken = base64_encode(openssl_random_pseudo_bytes($length));
44
45 if (empty($uniqueToken)) {
46 error_log("OpenEMR Error : OpenEMR is not working because a random unique token is not being formed correctly.");
47 die("OpenEMR Error : OpenEMR is not working because a random unique token is not being formed correctly.");
48 }
49
50 return $uniqueToken;
51 }
52
53 // Function to create a csrf_token
54 function createCsrfToken()
55 {
56 return createUniqueToken(32);
57 }
58
59 // Function to collect the csrf token
60 function collectCsrfToken()
61 {
62 return $_SESSION['csrf_token'];
63 }
64
65 // Function to verify a csrf_token
66 function verifyCsrfToken($token)
67 {
68 if (empty(collectCsrfToken())) {
69 error_log("OpenEMR Error : OpenEMR is potentially not secure because CSRF token was not formed correctly.");
70 return false;
71 } elseif (empty($token)) {
72 return false;
73 } elseif (collectCsrfToken() == $token) {
74 return true;
75 } else {
76 return false;
77 }
78 }
79
80 function csrfNotVerified($toScreen = true, $toLog = true)
81 {
82 if ($toScreen) {
83 echo xlt('Authentication Error');
84 }
85 if ($toLog) {
86 error_log("OpenEMR CSRF token authentication error");
87 }
88 die;
89 }
90
91 // If the label contains any illegal characters, then the script will die.
92 function check_file_dir_name($label)
93 {
94 if (empty($label) || preg_match('/[^A-Za-z0-9_.-]/', $label)) {
95 error_log("ERROR: The following variable contains invalid characters:" . $label);
96 die(xlt("ERROR: The following variable contains invalid characters").": ". attr($label));
97 } else {
98 return $label;
99 }
100 }
101
102 // Convert all illegal characters to _
103 function convert_safe_file_dir_name($label)
104 {
105 return preg_replace('/[^A-Za-z0-9_.-]/', '_', $label);
106 }
107
108 // Convert all non A-Z a-z 0-9 characters to _
109 function convert_very_strict_label($label)
110 {
111 return preg_replace('/[^A-Za-z0-9]/', '_', $label);
112 }
113
114 //Basename functionality for nonenglish languages (without this, basename function omits nonenglish characters).
115 function basename_international($path)
116 {
117 $parts = preg_split('~[\\\\/]~', $path);
118 foreach ($parts as $key => $value) {
119 $encoded = urlencode($value);
120 $parts[$key] = $encoded;
121 }
122
123 $encoded_path = implode("/", $parts);
124 $encoded_file_name = basename($encoded_path);
125 $decoded_file_name = urldecode($encoded_file_name);
126
127 return $decoded_file_name;
128 }
129
130
131 /**
132 * This function detects a MIME type for a file and check if it in the white list of the allowed mime types.
133 * @param string $file - file location.
134 * @param array|null $whiteList - array of mime types that allowed to upload.
135 */
136 // Regarding the variable below. In the case of multiple file upload the isWhiteList function will run multiple
137 // times, therefore, storing the white list in the variable below to prevent multiple requests from database.
138 $white_list = null;
139 function isWhiteFile($file)
140 {
141 global $white_list;
142 if (is_null($white_list)) {
143 $white_list = array();
144 $lres = sqlStatement("SELECT option_id FROM list_options WHERE list_id = 'files_white_list' AND activity = 1");
145 while ($lrow = sqlFetchArray($lres)) {
146 $white_list[] = $lrow['option_id'];
147 }
148 }
149
150 $mimetype = mime_content_type($file);
151 if (in_array($mimetype, $white_list)) {
152 return true;
153 } else {
154 $splitMimeType = explode('/', $mimetype);
155 $categoryType = $splitMimeType[0];
156 if (in_array($categoryType. '/*', $white_list)) {
157 return true;
158 }
159 }
160
161 return false;
162 }
163
164 // Sanitize a value to ensure it is a number.
165 function sanitizeNumber($number)
166 {
167 $clean_number = $number +0 ;
168
169 if ($clean_number==$number) {
170 return $clean_number;
171 } else {
172 error_log('Custom validation error: Parameter contains non-numeric value (A numeric value expected)');
173 return $clean_number;
174 }
175 }
Mirror of official OpenEMR Sourceforge repository