Commit | Line | Data |
---|---|---|
6a488035 TO |
1 | <?php |
2 | /* | |
3 | +--------------------------------------------------------------------+ | |
06b69b18 | 4 | | CiviCRM version 4.5 | |
6a488035 | 5 | +--------------------------------------------------------------------+ |
06b69b18 | 6 | | Copyright CiviCRM LLC (c) 2004-2014 | |
6a488035 TO |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
26 | */ | |
27 | ||
28 | /** | |
29 | * | |
30 | * @package CRM | |
06b69b18 | 31 | * @copyright CiviCRM LLC (c) 2004-2014 |
6a488035 TO |
32 | * $Id$ |
33 | * | |
34 | */ | |
35 | class CRM_Core_Key { | |
36 | static $_key = NULL; | |
37 | ||
38 | static $_sessionID = NULL; | |
39 | ||
40 | /** | |
41 | * Generate a private key per session and store in session | |
42 | * | |
43 | * @return string private key for this session | |
44 | * @static | |
45 | * @access private | |
46 | */ | |
47 | static function privateKey() { | |
48 | if (!self::$_key) { | |
49 | $session = CRM_Core_Session::singleton(); | |
50 | self::$_key = $session->get('qfPrivateKey'); | |
51 | if (!self::$_key) { | |
52 | self::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE)); | |
53 | $session->set('qfPrivateKey', self::$_key); | |
54 | } | |
55 | } | |
56 | return self::$_key; | |
57 | } | |
58 | ||
a0ee3941 EM |
59 | /** |
60 | * @return mixed|null|string | |
61 | */ | |
6a488035 TO |
62 | static function sessionID() { |
63 | if (!self::$_sessionID) { | |
64 | $session = CRM_Core_Session::singleton(); | |
65 | self::$_sessionID = $session->get('qfSessionID'); | |
66 | if (!self::$_sessionID) { | |
67 | self::$_sessionID = session_id(); | |
68 | $session->set('qfSessionID', self::$_sessionID); | |
69 | } | |
70 | } | |
71 | return self::$_sessionID; | |
72 | } | |
73 | ||
74 | /** | |
75 | * Generate a form key based on form name, the current user session | |
76 | * and a private key. Modelled after drupal's form API | |
77 | * | |
77b97be7 EM |
78 | * @param $name |
79 | * @param bool $addSequence | |
80 | * | |
81 | * @internal param string $value name of the form | |
6a488035 TO |
82 | * @paeam boolean $addSequence should we add a unique sequence number to the end of the key |
83 | * | |
84 | * @return string valid formID | |
85 | * @static | |
86 | * @acess public | |
87 | */ | |
88 | static function get($name, $addSequence = FALSE) { | |
89 | $privateKey = self::privateKey(); | |
90 | $sessionID = self::sessionID(); | |
91 | $key = md5($sessionID . $name . $privateKey); | |
92 | ||
93 | if ($addSequence) { | |
94 | // now generate a random number between 1 and 100K and add it to the key | |
95 | // so that we can have forms in mutiple tabs etc | |
96 | $key = $key . '_' . mt_rand(1, 10000); | |
97 | } | |
98 | return $key; | |
99 | } | |
100 | ||
101 | /** | |
102 | * Validate a form key based on the form name | |
103 | * | |
77b97be7 | 104 | * @param $key |
6a488035 TO |
105 | * @param string $name |
106 | * | |
77b97be7 EM |
107 | * @param bool $addSequence |
108 | * | |
109 | * @internal param string $formKey | |
6a488035 TO |
110 | * @return string $formKey if valid, else null |
111 | * @static | |
112 | * @acess public | |
113 | */ | |
114 | static function validate($key, $name, $addSequence = FALSE) { | |
115 | if (!is_string($key)) { | |
116 | return NULL; | |
117 | } | |
118 | ||
119 | if ($addSequence) { | |
120 | list($k, $t) = explode('_', $key); | |
121 | if ($t < 1 || $t > 10000) { | |
122 | return NULL; | |
123 | } | |
124 | } | |
125 | else { | |
126 | $k = $key; | |
127 | } | |
128 | ||
129 | $privateKey = self::privateKey(); | |
130 | $sessionID = self::sessionID(); | |
131 | if ($k != md5($sessionID . $name . $privateKey)) { | |
132 | return NULL; | |
133 | } | |
134 | return $key; | |
135 | } | |
136 | ||
a0ee3941 EM |
137 | /** |
138 | * @param $key | |
139 | * | |
140 | * @return bool | |
141 | */ | |
6a488035 TO |
142 | static function valid($key) { |
143 | // a valid key is a 32 digit hex number | |
144 | // followed by an optional _ and a number between 1 and 10000 | |
145 | if (strpos('_', $key) !== FALSE) { | |
146 | list($hash, $seq) = explode('_', $key); | |
147 | ||
148 | // ensure seq is between 1 and 10000 | |
149 | if (!is_numeric($seq) || | |
150 | $seq < 1 || | |
151 | $seq > 10000 | |
152 | ) { | |
153 | return FALSE; | |
154 | } | |
155 | } | |
156 | else { | |
157 | $hash = $key; | |
158 | } | |
159 | ||
160 | // ensure that hash is a 32 digit hex number | |
161 | return preg_match('#[0-9a-f]{32}#i', $hash) ? TRUE : FALSE; | |
162 | } | |
163 | } | |
164 |