Commit | Line | Data |
---|---|---|
6a488035 TO |
1 | <?php |
2 | /* | |
3 | +--------------------------------------------------------------------+ | |
7e9e8871 | 4 | | CiviCRM version 4.7 | |
6a488035 | 5 | +--------------------------------------------------------------------+ |
0f03f337 | 6 | | Copyright CiviCRM LLC (c) 2004-2017 | |
6a488035 TO |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
d25dd0ee | 26 | */ |
6a488035 TO |
27 | |
28 | /** | |
29 | * | |
30 | * @package CRM | |
0f03f337 | 31 | * @copyright CiviCRM LLC (c) 2004-2017 |
6a488035 TO |
32 | */ |
33 | class CRM_Core_IDS { | |
34 | ||
35 | /** | |
fe482240 | 36 | * Define the threshold for the ids reactions. |
6a488035 TO |
37 | */ |
38 | private $threshold = array( | |
39 | 'log' => 25, | |
40 | 'warn' => 50, | |
41 | 'kick' => 75, | |
42 | ); | |
43 | ||
44 | /** | |
7c877abd | 45 | * @var string |
6a488035 | 46 | */ |
7c877abd | 47 | private $path; |
6a488035 TO |
48 | |
49 | /** | |
ea3ddccf | 50 | * Check function. |
51 | * | |
6a488035 TO |
52 | * This function includes the IDS vendor parts and runs the |
53 | * detection routines on the request array. | |
54 | * | |
76adcecc | 55 | * @param array $route |
6a488035 | 56 | * |
3bdca100 | 57 | * @return bool |
6a488035 | 58 | */ |
76adcecc TO |
59 | public function check($route) { |
60 | if (CRM_Core_Permission::check('skip IDS check')) { | |
61 | return NULL; | |
62 | } | |
63 | ||
6a488035 | 64 | // lets bypass a few civicrm urls from this check |
aa00da9b | 65 | $skip = array('civicrm/admin/setting/updateConfigBackend', 'civicrm/admin/messageTemplates'); |
66 | CRM_Utils_Hook::idsException($skip); | |
76adcecc | 67 | $this->path = $route['path']; |
7c877abd | 68 | if (in_array($this->path, $skip)) { |
3bdca100 | 69 | return NULL; |
6a488035 TO |
70 | } |
71 | ||
36d4fa1b | 72 | $init = self::create(self::createRouteConfig($route)); |
76adcecc | 73 | |
ea3ddccf | 74 | // Add request url and user agent. |
6a488035 TO |
75 | $_REQUEST['IDS_request_uri'] = $_SERVER['REQUEST_URI']; |
76 | if (isset($_SERVER['HTTP_USER_AGENT'])) { | |
77 | $_REQUEST['IDS_user_agent'] = $_SERVER['HTTP_USER_AGENT']; | |
78 | } | |
79 | ||
76adcecc TO |
80 | require_once 'IDS/Monitor.php'; |
81 | $ids = new \IDS_Monitor($_REQUEST, $init); | |
6a488035 TO |
82 | |
83 | $result = $ids->run(); | |
84 | if (!$result->isEmpty()) { | |
85 | $this->react($result); | |
86 | } | |
87 | ||
88 | return TRUE; | |
89 | } | |
90 | ||
91 | /** | |
76adcecc | 92 | * Create a new PHPIDS configuration object. |
6a488035 | 93 | * |
76adcecc TO |
94 | * @param array $config |
95 | * PHPIDS configuration array (per INI format). | |
96 | * @return \IDS_Init | |
6a488035 | 97 | */ |
76adcecc TO |
98 | protected static function create($config) { |
99 | require_once 'IDS/Init.php'; | |
100 | $init = \IDS_Init::init(NULL); | |
101 | $init->setConfig($config, TRUE); | |
6a488035 | 102 | |
76adcecc TO |
103 | // Cleanup |
104 | $reflection = new \ReflectionProperty('IDS_Init', 'instances'); | |
105 | $reflection->setAccessible(TRUE); | |
106 | $value = $reflection->getValue(NULL); | |
107 | unset($value[NULL]); | |
108 | $reflection->setValue(NULL, $value); | |
6a488035 | 109 | |
76adcecc | 110 | return $init; |
6a488035 TO |
111 | } |
112 | ||
b74c8634 TO |
113 | /** |
114 | * Create conservative, minimalist IDS configuration. | |
115 | * | |
116 | * @return array | |
117 | */ | |
118 | public static function createBaseConfig() { | |
119 | $config = \CRM_Core_Config::singleton(); | |
120 | $tmpDir = empty($config->uploadDir) ? CIVICRM_TEMPLATE_COMPILEDIR : $config->uploadDir; | |
121 | global $civicrm_root; | |
122 | ||
123 | return array( | |
124 | 'General' => array( | |
125 | 'filter_type' => 'xml', | |
126 | 'filter_path' => "{$civicrm_root}/packages/IDS/default_filter.xml", | |
127 | 'tmp_path' => $tmpDir, | |
128 | 'HTML_Purifier_Path' => 'IDS/vendors/htmlpurifier/HTMLPurifier.auto.php', | |
129 | 'HTML_Purifier_Cache' => $tmpDir, | |
130 | 'scan_keys' => '', | |
131 | 'exceptions' => array('__utmz', '__utmc'), | |
132 | ), | |
133 | ); | |
134 | } | |
135 | ||
136 | /** | |
137 | * Create the standard, general-purpose IDS configuration used by many pages. | |
138 | * | |
139 | * @return array | |
140 | */ | |
141 | public static function createStandardConfig() { | |
142 | $excs = array( | |
143 | 'widget_code', | |
144 | 'html_message', | |
145 | 'text_message', | |
146 | 'body_html', | |
147 | 'msg_html', | |
148 | 'msg_text', | |
149 | 'msg_subject', | |
150 | 'description', | |
151 | 'intro', | |
152 | 'thankyou_text', | |
153 | 'intro_text', | |
154 | 'body_text', | |
155 | 'footer_text', | |
156 | 'thankyou_text', | |
157 | 'tf_thankyou_text', | |
158 | 'thankyou_footer', | |
159 | 'thankyou_footer_text', | |
160 | 'new_text', | |
161 | 'renewal_text', | |
162 | 'help_pre', | |
163 | 'help_post', | |
164 | 'confirm_title', | |
165 | 'confirm_text', | |
166 | 'confirm_footer_text', | |
167 | 'confirm_email_text', | |
168 | 'report_header', | |
169 | 'report_footer', | |
170 | 'data', | |
171 | 'json', | |
172 | 'instructions', | |
173 | 'suggested_message', | |
174 | 'page_text', | |
175 | 'details', | |
176 | ); | |
177 | ||
178 | $result = self::createBaseConfig(); | |
179 | ||
180 | $result['General']['exceptions'] = array_merge( | |
181 | $result['General']['exceptions'], | |
182 | $excs | |
183 | ); | |
184 | ||
185 | return $result; | |
186 | } | |
187 | ||
36d4fa1b TO |
188 | /** |
189 | * @param array $route | |
190 | * @return array | |
191 | */ | |
192 | public static function createRouteConfig($route) { | |
193 | $config = \CRM_Core_IDS::createStandardConfig(); | |
194 | foreach (array('json', 'html', 'exceptions') as $section) { | |
195 | if (isset($route['ids_arguments'][$section])) { | |
196 | if (!isset($config['General'][$section])) { | |
197 | $config['General'][$section] = array(); | |
198 | } | |
199 | foreach ($route['ids_arguments'][$section] as $v) { | |
200 | $config['General'][$section][] = $v; | |
201 | } | |
202 | $config['General'][$section] = array_unique($config['General'][$section]); | |
203 | } | |
204 | } | |
205 | return $config; | |
206 | } | |
207 | ||
6a488035 | 208 | /** |
ea3ddccf | 209 | * This function reacts on the values in the incoming results array. |
6a488035 TO |
210 | * |
211 | * Depending on the impact value certain actions are | |
212 | * performed. | |
213 | * | |
214 | * @param IDS_Report $result | |
215 | * | |
3bdca100 | 216 | * @return bool |
6a488035 | 217 | */ |
76adcecc | 218 | public function react(IDS_Report $result) { |
6a488035 TO |
219 | |
220 | $impact = $result->getImpact(); | |
221 | if ($impact >= $this->threshold['kick']) { | |
222 | $this->log($result, 3, $impact); | |
7c877abd | 223 | $this->kick(); |
6a488035 TO |
224 | return TRUE; |
225 | } | |
226 | elseif ($impact >= $this->threshold['warn']) { | |
227 | $this->log($result, 2, $impact); | |
228 | $this->warn($result); | |
229 | return TRUE; | |
230 | } | |
231 | elseif ($impact >= $this->threshold['log']) { | |
232 | $this->log($result, 0, $impact); | |
233 | return TRUE; | |
234 | } | |
235 | else { | |
236 | return TRUE; | |
237 | } | |
238 | } | |
239 | ||
240 | /** | |
ea3ddccf | 241 | * This function writes an entry about the intrusion to the database. |
6a488035 | 242 | * |
c490a46a | 243 | * @param array $result |
77b97be7 EM |
244 | * @param int $reaction |
245 | * | |
3bdca100 | 246 | * @return bool |
6a488035 TO |
247 | */ |
248 | private function log($result, $reaction = 0) { | |
249 | $ip = (isset($_SERVER['SERVER_ADDR']) && | |
3bdca100 | 250 | $_SERVER['SERVER_ADDR'] != '127.0.0.1') ? $_SERVER['SERVER_ADDR'] : ( |
251 | isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '127.0.0.1' | |
006389de | 252 | ); |
6a488035 TO |
253 | |
254 | $data = array(); | |
255 | $session = CRM_Core_Session::singleton(); | |
256 | foreach ($result as $event) { | |
257 | $data[] = array( | |
258 | 'name' => $event->getName(), | |
259 | 'value' => stripslashes($event->getValue()), | |
260 | 'page' => $_SERVER['REQUEST_URI'], | |
261 | 'userid' => $session->get('userID'), | |
262 | 'session' => session_id() ? session_id() : '0', | |
263 | 'ip' => $ip, | |
264 | 'reaction' => $reaction, | |
265 | 'impact' => $result->getImpact(), | |
266 | ); | |
267 | } | |
268 | ||
269 | CRM_Core_Error::debug_var('IDS Detector Details', $data); | |
270 | return TRUE; | |
271 | } | |
272 | ||
273 | /** | |
ea3ddccf | 274 | * Warn about IDS. |
275 | * | |
276 | * @param array $result | |
277 | * | |
278 | * @return array | |
6a488035 TO |
279 | */ |
280 | private function warn($result) { | |
281 | return $result; | |
282 | } | |
283 | ||
284 | /** | |
7c877abd | 285 | * Create an error that prevents the user from continuing. |
ea3ddccf | 286 | * |
287 | * @throws \Exception | |
6a488035 | 288 | */ |
7c877abd | 289 | private function kick() { |
6a488035 TO |
290 | $session = CRM_Core_Session::singleton(); |
291 | $session->reset(2); | |
292 | ||
f3a27f08 DL |
293 | $msg = ts('There is a validation error with your HTML input. Your activity is a bit suspicious, hence aborting'); |
294 | ||
f3a27f08 | 295 | if (in_array( |
7c877abd | 296 | $this->path, |
353ffa53 TO |
297 | array("civicrm/ajax/rest", "civicrm/api/json") |
298 | )) { | |
f3a27f08 DL |
299 | require_once "api/v3/utils.php"; |
300 | $error = civicrm_api3_create_error( | |
301 | $msg, | |
6a488035 TO |
302 | array( |
303 | 'IP' => $_SERVER['REMOTE_ADDR'], | |
304 | 'error_code' => 'IDS_KICK', | |
305 | 'level' => 'security', | |
306 | 'referer' => $_SERVER['HTTP_REFERER'], | |
307 | 'reason' => 'XSS suspected', | |
308 | ) | |
309 | ); | |
ecdef330 | 310 | CRM_Utils_JSON::output($error); |
6a488035 | 311 | } |
f3a27f08 | 312 | CRM_Core_Error::fatal($msg); |
6a488035 | 313 | } |
96025800 | 314 | |
6a488035 | 315 | } |