1 <?php
2 /**
 * Functions to check and/or sanitize values used in security-sensitive places,
 * such as directory names, file names, numbers and JSON input.
5 * Also including csrf token management functions.
7 * @package OpenEMR
8 * @link https://www.open-emr.org
9 * @author Brady Miller <brady.g.miller@gmail.com>
10 * @author Roberto Vasquez <robertogagliotta@gmail.com>
11 * @author Shachar Zilbershlag <shaharzi@matrix.co.il>
12 * @copyright Copyright (c) 2012-2018 Brady Miller <brady.g.miller@gmail.com>
13 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
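/**
 * Collect the client IP address(es) for the current request.
 *
 * Returns the socket peer address (REMOTE_ADDR) and, when present, the raw
 * X-Forwarded-For header. X-Forwarded-For is supplied by the client (or an
 * upstream proxy) and is trivially spoofable, so 'forward_ip' must only be
 * trusted when a reverse proxy in front of this server is known to overwrite
 * it; 'ip' is the value to use for any access decision.
 *
 * @return array{ip_string: string|null, ip: string|null, forward_ip: string|null}
 *   'ip'         - REMOTE_ADDR, or null when not set (e.g. CLI)
 *   'forward_ip' - X-Forwarded-For header value, or null when the header is absent/empty
 *   'ip_string'  - "ip" or "ip (forward_ip)", intended for logging/display only
 */
function collectIpAddresses()
{
    // REMOTE_ADDR is absent on the CLI; avoid an undefined-index notice.
    $mainIp = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
    $stringIp = $mainIp;

    // Always define $forwardIp: the original only assigned it inside the
    // if-branch, so every request without the header produced an
    // undefined-variable notice when building the return array.
    $forwardIp = null;
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $forwardIp = $_SERVER['HTTP_X_FORWARDED_FOR'];
        $stringIp .= " (" . $forwardIp . ")";
    }

    return [
        'ip_string' => $stringIp,
        'ip' => $mainIp,
        'forward_ip' => $forwardIp,
    ];
}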
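/**
 * Normalise a JSON-encoded string by decoding and re-encoding it.
 *
 * This does not strip or escape anything inside the values; it only
 * guarantees the result is well-formed JSON as produced by json_encode().
 * Decoded values must still be escaped for whatever output context they
 * end up in.
 *
 * @param string $json JSON text from an untrusted source.
 * @return string|false Re-encoded JSON, or false (after logging) when $json
 *   is not valid JSON.
 */
function json_sanitize($json)
{
    $decoded = json_decode($json, true);
    // Check the parser's error state rather than the decoded value's truthiness:
    // the original `if (json_decode($json))` rejected valid documents whose
    // decoded value is falsy ("0", "false", "null", "[]", '""').
    if (json_last_error() === JSON_ERROR_NONE) {
        return json_encode($decoded);
    }
    error_log("OPENEMR ERROR: " . errorLogEscape($json) . " is not a valid json ");
    return false;
}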
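/**
 * Validate a string intended for use as a single file or directory name.
 *
 * Only the characters [A-Za-z0-9_.-] are permitted; anything else (including
 * "/" and "\") logs an error and terminates the request via die(). Because
 * "." is allowed, the character class alone accepts the special names "."
 * and "..", which are path components rather than names, so those are
 * rejected explicitly as well.
 *
 * Note: empty() is used for the emptiness check, so the string "0" is also
 * rejected (pre-existing behaviour, kept for compatibility).
 *
 * @param string $label Untrusted name.
 * @return string The unchanged $label when it is acceptable.
 */
function check_file_dir_name($label)
{
    if (empty($label) || preg_match('/[^A-Za-z0-9_.-]/', $label) || $label === '.' || $label === '..') {
        error_log("ERROR: The following variable contains invalid characters:" . errorLogEscape($label));
        die(xlt("ERROR: The following variable contains invalid characters").": ". attr($label));
    }
    return $label;
}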
/**
 * Make a string usable as a single file or directory name by replacing every
 * character outside [A-Za-z0-9_.-] with "_".
 *
 * Slashes and backslashes are replaced, but "." is kept, so a value such as
 * ".." passes through unchanged; callers that build paths from the result
 * must still guard against that.
 *
 * @param string $label Untrusted name.
 * @return string Sanitized name.
 */
function convert_safe_file_dir_name($label)
{
    $disallowed = '/[^A-Za-z0-9_.-]/';
    $replacement = '_';
    return preg_replace($disallowed, $replacement, $label);
}
/**
 * Reduce a string to ASCII alphanumerics by replacing every character that is
 * not A-Z, a-z or 0-9 with "_".
 *
 * Stricter than convert_safe_file_dir_name(): "." and "-" are replaced too
 * ("_" maps to itself), so the result can never be "." or ".." or contain a
 * path separator.
 *
 * @param string $label Untrusted label.
 * @return string Label containing only [A-Za-z0-9_].
 */
function convert_very_strict_label($label)
{
    $notAlphanumeric = '/[^A-Za-z0-9]/';
    return preg_replace($notAlphanumeric, '_', $label);
}
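/**
 * Check that a value consists only of the digits 0-9.
 *
 * Quirks preserved from the original for compatibility: the empty string,
 * null and false are accepted (no non-digit character present), and signs
 * or whitespace ("-1", "+1", " 1") are rejected. Non-scalar values (arrays,
 * objects) are now rejected: the original handed them to preg_match(), which
 * warns (PHP 7) or throws TypeError (PHP 8) and, through empty(false),
 * reported them as valid.
 *
 * @param mixed $value Untrusted value.
 * @return bool true when $value contains nothing but digits.
 */
function check_integer($value)
{
    if (!is_scalar($value) && $value !== null) {
        return false;
    }
    // `=== 0` instead of empty(): a preg_match() failure (false) now fails
    // closed instead of being reported as "no non-digit found".
    return preg_match('/[^0-9]/', (string) $value) === 0;
}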
/**
 * Locale-independent basename(): returns the last path component of $path,
 * keeping non-ASCII characters that the native basename() may drop.
 *
 * Each "/"- or "\"-separated component is url-encoded so basename() only
 * ever sees ASCII, and the selected component is decoded again.
 *
 * Like basename(), this does not reject "." or ".." as a result; callers
 * using the value in a filesystem path must validate it separately (e.g.
 * with check_file_dir_name()).
 *
 * @param string $path File path, Unix or Windows style.
 * @return string The last path component.
 */
function basename_international($path)
{
    $components = preg_split('~[\\\\/]~', $path);
    $encodedComponents = array_map('urlencode', $components);
    $asciiPath = implode("/", $encodedComponents);
    return urldecode(basename($asciiPath));
}
/**
 * Cache of the allowed MIME types read by isWhiteFile().
 *
 * Stays null until the first isWhiteFile() call, which loads the active
 * 'files_white_list' option_ids from list_options into it once and reuses
 * them, so a multi-file upload does not query the database once per file.
 *
 * @var array|null
 */
$white_list = null;
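/**
 * Check whether a file's detected MIME type is on the configured allow-list.
 *
 * The list is the set of active 'files_white_list' option_ids in
 * list_options, loaded once into the file-level $white_list cache. An entry
 * may be an exact type ("application/pdf") or a wildcard for a whole
 * top-level type ("image/*"). The type is detected from file content via
 * mime_content_type(); the file name/extension is not consulted, so callers
 * that care about the extension must check it separately.
 *
 * Fails closed: an empty list, or a file whose type cannot be detected,
 * yields false.
 *
 * @param string $file Path of the file to inspect.
 * @return bool
 */
function isWhiteFile($file)
{
    global $white_list;
    if (is_null($white_list)) {
        $white_list = array();
        $lres = sqlStatement("SELECT option_id FROM list_options WHERE list_id = 'files_white_list' AND activity = 1");
        while ($lrow = sqlFetchArray($lres)) {
            $white_list[] = $lrow['option_id'];
        }
    }

    // mime_content_type() returns false when detection fails; treat that as
    // not allowed instead of letting false/'' reach the list comparison.
    $mimetype = mime_content_type($file);
    if (!is_string($mimetype) || $mimetype === '') {
        return false;
    }

    // Strict comparison so list entries are matched as exact strings.
    if (in_array($mimetype, $white_list, true)) {
        return true;
    }

    $categoryType = explode('/', $mimetype, 2)[0];
    return in_array($categoryType . '/*', $white_list, true);
}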
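/**
 * Coerce a value to a number.
 *
 * Numeric input (int, float, or a numeric string such as "12", "3.5", " 7")
 * is returned as the corresponding int/float. Anything else is logged as a
 * validation error and a best-effort value is returned: the leading numeric
 * prefix of a string ("12abc" -> 12), or 0 when there is none.
 *
 * The original applied `$number + 0` unconditionally, which throws a
 * TypeError on PHP 8 for non-numeric strings and for arrays/objects; this
 * version never throws.
 *
 * @param mixed $number Untrusted value.
 * @return int|float
 */
function sanitizeNumber($number)
{
    // null and bool coerced silently to 0/1 under `+ 0` without logging; keep that.
    if ($number === null || is_bool($number) || is_numeric($number)) {
        return $number + 0;
    }

    error_log('Custom validation error: Parameter contains non-numeric value (A numeric value expected)');

    // Mirror PHP's lenient "leading numeric" coercion for the fallback value.
    if (is_string($number) && preg_match('/^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?/', $number, $m)) {
        return $m[0] + 0;
    }
    return 0;
}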