search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #2003 from sjpadgett/bug-fix
[openemr.git] / library / sanitize.inc.php
blob3016b1c1f48d3a8bb596792b0ca7380fd4ac480b
1 <?php
2 /**
3 * Function to check and/or sanitize things for security such as
4 * directories names, file names, etc.
5 * Also including csrf token management functions.
6 *
7 * @package OpenEMR
8 * @link http://www.open-emr.org
9 * @author Brady Miller <brady.g.miller@gmail.com>
10 * @author Roberto Vasquez <robertogagliotta@gmail.com>
11 * @author Shachar Zilbershlag <shaharzi@matrix.co.il>
12 * @copyright Copyright (c) 2012-2018 Brady Miller <brady.g.miller@gmail.com>
13 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
14 */
15
16 // Function to collect ip address(es)
17 function collectIpAddresses()
18 {
19 $mainIp = $_SERVER['REMOTE_ADDR'];
20 $stringIp = $mainIp;
21
22 if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
23 $forwardIp = $_SERVER['HTTP_X_FORWARDED_FOR'];
24 $stringIp .= " (" . $forwardIp . ")";
25 }
26
27 return array(
28 'ip_string' => $stringIp,
29 'ip' => $mainIp,
30 'forward_ip' => $forwardIp
31 );
32 }
33
34 // Function to create a random unique token
35 // Length is in bytes that the openssl_random_pseudo_bytes() function will create
36 function createUniqueToken($length = 32)
37 {
38 if (!extension_loaded('openssl')) {
39 error_log("OpenEMR Error : OpenEMR is not working because missing openssl extension.");
40 die("OpenEMR Error : OpenEMR is not working because missing openssl extension.");
41 }
42
43 $uniqueToken = base64_encode(openssl_random_pseudo_bytes($length));
44
45 if (empty($uniqueToken)) {
46 error_log("OpenEMR Error : OpenEMR is not working because a random unique token is not being formed correctly.");
47 die("OpenEMR Error : OpenEMR is not working because a random unique token is not being formed correctly.");
48 }
49
50 return $uniqueToken;
51 }
52
53 // Function to create a csrf_token
54 function createCsrfToken()
55 {
56 return createUniqueToken(32);
57 }
58
59 // Function to collect the csrf token
60 function collectCsrfToken()
61 {
62 return $_SESSION['csrf_token'];
63 }
64
65 // Function to verify a csrf_token
66 function verifyCsrfToken($token)
67 {
68 if (empty(collectCsrfToken())) {
69 error_log("OpenEMR Error : OpenEMR is potentially not secure because CSRF token was not formed correctly.");
70 return false;
71 } elseif (empty($token)) {
72 return false;
73 } elseif (collectCsrfToken() == $token) {
74 return true;
75 } else {
76 return false;
77 }
78 }
79
80 function csrfNotVerified($toScreen = true, $toLog = true)
81 {
82 if ($toScreen) {
83 echo xlt('Authentication Error');
84 }
85 if ($toLog) {
86 error_log("OpenEMR CSRF token authentication error");
87 }
88 die;
89 }
90
91 // Sanitize a json encoded entry.
92 function json_sanitize($json)
93 {
94 if (json_decode($json)) {
95 return json_encode(json_decode($json, true));
96 } else {
97 error_log("OPENEMR ERROR: " . $json . " is not a valid json ");
98 return false;
99 }
100 }
101
102 // If the label contains any illegal characters, then the script will die.
103 function check_file_dir_name($label)
104 {
105 if (empty($label) || preg_match('/[^A-Za-z0-9_.-]/', $label)) {
106 error_log("ERROR: The following variable contains invalid characters:" . $label);
107 die(xlt("ERROR: The following variable contains invalid characters").": ". attr($label));
108 } else {
109 return $label;
110 }
111 }
112
113 // Convert all illegal characters to _
114 function convert_safe_file_dir_name($label)
115 {
116 return preg_replace('/[^A-Za-z0-9_.-]/', '_', $label);
117 }
118
119 // Convert all non A-Z a-z 0-9 characters to _
120 function convert_very_strict_label($label)
121 {
122 return preg_replace('/[^A-Za-z0-9]/', '_', $label);
123 }
124
125 //Basename functionality for nonenglish languages (without this, basename function omits nonenglish characters).
126 function basename_international($path)
127 {
128 $parts = preg_split('~[\\\\/]~', $path);
129 foreach ($parts as $key => $value) {
130 $encoded = urlencode($value);
131 $parts[$key] = $encoded;
132 }
133
134 $encoded_path = implode("/", $parts);
135 $encoded_file_name = basename($encoded_path);
136 $decoded_file_name = urldecode($encoded_file_name);
137
138 return $decoded_file_name;
139 }
140
141
142 /**
143 * This function detects a MIME type for a file and check if it in the white list of the allowed mime types.
144 * @param string $file - file location.
145 * @param array|null $whiteList - array of mime types that allowed to upload.
146 */
147 // Regarding the variable below. In the case of multiple file upload the isWhiteList function will run multiple
148 // times, therefore, storing the white list in the variable below to prevent multiple requests from database.
149 $white_list = null;
150 function isWhiteFile($file)
151 {
152 global $white_list;
153 if (is_null($white_list)) {
154 $white_list = array();
155 $lres = sqlStatement("SELECT option_id FROM list_options WHERE list_id = 'files_white_list' AND activity = 1");
156 while ($lrow = sqlFetchArray($lres)) {
157 $white_list[] = $lrow['option_id'];
158 }
159 }
160
161 $mimetype = mime_content_type($file);
162 if (in_array($mimetype, $white_list)) {
163 return true;
164 } else {
165 $splitMimeType = explode('/', $mimetype);
166 $categoryType = $splitMimeType[0];
167 if (in_array($categoryType. '/*', $white_list)) {
168 return true;
169 }
170 }
171
172 return false;
173 }
174
175 // Sanitize a value to ensure it is a number.
176 function sanitizeNumber($number)
177 {
178 $clean_number = $number +0 ;
179
180 if ($clean_number==$number) {
181 return $clean_number;
182 } else {
183 error_log('Custom validation error: Parameter contains non-numeric value (A numeric value expected)');
184 return $clean_number;
185 }
186 }
Mirror of official OpenEMR Sourceforge repository