Add Portal Two Features
[openemr.git] / library / sanitize.inc.php
1 <?php
2 /**
3 * Functions to check and/or sanitize security-sensitive values such as
4 * directory names, file names, etc.
5 * Also includes CSRF token management functions.
7 * @package OpenEMR
8 * @link http://www.open-emr.org
9 * @author Brady Miller <brady.g.miller@gmail.com>
10 * @author Roberto Vasquez <robertogagliotta@gmail.com>
11 * @author Shachar Zilbershlag <shaharzi@matrix.co.il>
12 * @copyright Copyright (c) 2012-2018 Brady Miller <brady.g.miller@gmail.com>
13 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
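/**
 * Create a new CSRF token.
 *
 * Requests 32 bytes from OpenSSL's random generator and returns them
 * base64-encoded. The script is terminated with die() when the openssl
 * extension is not loaded, when OpenSSL does not report the bytes as
 * cryptographically strong, or when the encoded token comes out empty.
 *
 * @return string base64-encoded token
 */
function createCsrfToken()
{
    if (!extension_loaded('openssl')) {
        error_log("OpenEMR Error : OpenEMR is not working because missing openssl extension.");
        die("OpenEMR Error : OpenEMR is not working because missing openssl extension.");
    }

    // openssl_random_pseudo_bytes() reports through its second argument whether a
    // cryptographically strong algorithm was used. A token built from weak bytes is
    // treated the same as no token at all.
    $cryptoStrong = false;
    $randomBytes = openssl_random_pseudo_bytes(32, $cryptoStrong);

    $csrfToken = '';
    if ($randomBytes !== false && $cryptoStrong === true) {
        $csrfToken = base64_encode($randomBytes);
    }

    if (empty($csrfToken)) {
        error_log("OpenEMR Error : OpenEMR is not working because CSRF token is not being formed correctly.");
        die("OpenEMR Error : OpenEMR is not working because CSRF token is not being formed correctly.");
    }

    return $csrfToken;
}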
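/**
 * Collect the CSRF token stored in the current session.
 *
 * @return mixed the value of $_SESSION['csrf_token'], or null when the
 *               session holds no such entry
 */
function collectCsrfToken()
{
    // Reading a missing key directly raises an "undefined index" notice; a session
    // without a token is an expected state, which verifyCsrfToken() reports itself.
    return isset($_SESSION['csrf_token']) ? $_SESSION['csrf_token'] : null;
}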
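/**
 * Verify a submitted CSRF token against the token held in the session.
 *
 * @param mixed $token token received with the request
 * @return bool true only when both values are non-empty strings and identical
 */
function verifyCsrfToken($token)
{
    $sessionToken = collectCsrfToken();

    if (empty($sessionToken)) {
        error_log("OpenEMR Error : OpenEMR is potentially not secure because CSRF token was not formed correctly.");
        return false;
    }

    // Only strings can match. A loose == comparison would let a non-string value
    // (for example a boolean taken from decoded request data) compare equal to the
    // stored token through PHP's type juggling.
    if (empty($token) || !is_string($token) || !is_string($sessionToken)) {
        return false;
    }

    // hash_equals() compares in constant time, so the time taken does not depend
    // on how many leading characters of the submitted token are correct.
    return hash_equals($sessionToken, $token);
}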
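/**
 * Terminate the script unless the label is an acceptable file or directory name.
 *
 * A label is accepted only when it is a non-empty scalar made up of
 * A-Z, a-z, 0-9, underscore, dot and hyphen, and is not one of the
 * directory entries "." or "..". Those two consist solely of allowed
 * characters but refer to the current and the parent directory.
 *
 * @param mixed $label name to check
 * @return void returns normally only for an accepted label
 */
function check_file_dir_name($label)
{
    $invalid = empty($label)
        || !is_scalar($label)
        || $label === '.'
        || $label === '..'
        || preg_match('/[^A-Za-z0-9_.-]/', $label);

    if ($invalid) {
        // Arrays and objects cannot be printed; show their type instead.
        $shown = is_scalar($label) ? (string) $label : gettype($label);

        // Control characters are replaced in the logged copy so that a crafted label
        // cannot break the entry into additional, forged log lines.
        $loggable = preg_replace('/[\x00-\x1F\x7F]/', '?', $shown);

        error_log("ERROR: The following variable contains invalid characters:" . $loggable);
        die(xlt("ERROR: The following variable contains invalid characters").": ". attr($shown));
    }
}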
/**
 * Replace every character outside A-Z, a-z, 0-9, underscore, dot and hyphen with "_".
 *
 * NOTE(review): dots are kept, so a label of "." or ".." comes back unchanged;
 * callers that build a path from the result should confirm that is acceptable.
 *
 * @param string $label name to convert
 * @return string|null converted name (preg_replace() returns null on error)
 */
function convert_safe_file_dir_name($label)
{
    $disallowedCharacters = '/[^A-Za-z0-9_.-]/';
    $safeLabel = preg_replace($disallowedCharacters, '_', $label);

    return $safeLabel;
}
/**
 * Replace every character that is not A-Z, a-z or 0-9 with "_".
 *
 * @param string $label label to convert
 * @return string|null converted label (preg_replace() returns null on error)
 */
function convert_very_strict_label($label)
{
    $nonAlphanumeric = '/[^A-Za-z0-9]/';
    $strictLabel = preg_replace($nonAlphanumeric, '_', $label);

    return $strictLabel;
}
/**
 * basename() replacement for non-English file names (without this, the
 * basename function omits non-English characters).
 *
 * The path is split on both "/" and "\", each segment is URL-encoded so that
 * basename() only sees ASCII, and the resulting file name is URL-decoded again.
 *
 * NOTE(review): urlencode() leaves dots untouched, so a path that ends in "."
 * or ".." yields that segment as the "file name"; callers should still validate
 * the result before using it in a path.
 *
 * @param string $path path to take the file name from
 * @return string the trailing name component
 */
function basename_international($path)
{
    $segments = preg_split('~[\\\\/]~', $path);

    // array_map() keeps the keys, matching an in-place per-key rewrite.
    $encodedSegments = array_map('urlencode', $segments);

    $encodedName = basename(implode("/", $encodedSegments));

    return urldecode($encodedName);
}
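// In the case of a multiple file upload, isWhiteFile() runs once per file, so the
// white list is stored in the variable below to avoid repeated database requests.
$white_list = null;

/**
 * Detect the MIME type of a file and check whether it is in the white list
 * of allowed MIME types.
 *
 * The white list is read once from list_options (list_id 'files_white_list',
 * active entries only) and cached in the global $white_list. An entry matches
 * either the full detected type or, in the form "category/*", every type of
 * that category.
 *
 * The type is detected from the file's content by mime_content_type(). A match
 * says what the content looks like, not that the file is harmless, so callers
 * should still control the stored file name and storage location of an upload.
 *
 * @param string $file - file location.
 * @return bool true when the detected MIME type is allowed
 */
function isWhiteFile($file)
{
    global $white_list;
    if (is_null($white_list)) {
        $white_list = array();
        $lres = sqlStatement("SELECT option_id FROM list_options WHERE list_id = 'files_white_list' AND activity = 1");
        while ($lrow = sqlFetchArray($lres)) {
            $white_list[] = $lrow['option_id'];
        }
    }

    // mime_content_type() returns false when detection fails; an undetectable
    // file is rejected outright instead of being compared loosely with the list.
    $mimetype = mime_content_type($file);
    if (!is_string($mimetype) || $mimetype === '') {
        return false;
    }

    // Strict comparison: only an identical string in the list counts as a match.
    if (in_array($mimetype, $white_list, true)) {
        return true;
    }

    // Fall back to a wildcard entry for the whole category, e.g. "image/*".
    $splitMimeType = explode('/', $mimetype);
    $categoryType = $splitMimeType[0];

    return in_array($categoryType . '/*', $white_list, true);
}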
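/**
 * Sanitize a value to ensure it is a number.
 *
 * Numeric input is returned as an int or float. Non-numeric input is logged
 * and still converted: a string yields its leading numeric part, or 0 when it
 * has none. The function therefore never rejects input; callers that must
 * refuse bad values need their own check (for example is_numeric()).
 *
 * @param mixed $number value to sanitize
 * @return int|float the numeric value
 */
function sanitizeNumber($number)
{
    // Real numbers, and strings PHP itself treats as numeric, convert cleanly.
    if (is_int($number) || is_float($number) || (is_string($number) && is_numeric($number))) {
        return $number + 0;
    }

    // null and booleans convert without ambiguity (null -> 0, true -> 1).
    if ($number === null || is_bool($number)) {
        return (int) $number;
    }

    error_log('Custom validation error: Parameter contains non-numeric value (A numeric value expected)');

    // Arithmetic on a non-numeric string raises a warning or, on PHP 8, a TypeError,
    // so the leading numeric part is extracted explicitly before converting it.
    if (is_string($number)
        && preg_match('/^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?/', $number, $prefix)
    ) {
        return $prefix[0] + 0;
    }

    return 0;
}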