Commit | Line | Data |
---|---|---|
6a488035 TO |
1 | <?php |
2 | /* | |
3 | +--------------------------------------------------------------------+ | |
bc77d7c0 | 4 | | Copyright CiviCRM LLC. All rights reserved. | |
6a488035 | 5 | | | |
bc77d7c0 TO |
6 | | This work is published under the GNU AGPLv3 license with some | |
7 | | permitted exceptions and without any warranty. For full license | | |
8 | | and copyright information, see https://civicrm.org/licensing | | |
6a488035 | 9 | +--------------------------------------------------------------------+ |
d25dd0ee | 10 | */ |
6a488035 TO |
11 | |
12 | /** | |
13 | * | |
14 | * @package CRM | |
ca5cec67 | 15 | * @copyright CiviCRM LLC https://civicrm.org/licensing |
6a488035 TO |
16 | */ |
17 | class CRM_Core_Key { | |
518fa0ee | 18 | public static $_key = NULL; |
6a488035 | 19 | |
518fa0ee | 20 | public static $_sessionID = NULL; |
6a488035 TO |
21 | |
22 | /** | |
fe482240 | 23 | * Generate a private key per session and store in session. |
6a488035 | 24 | * |
a6c01b45 CW |
25 | * @return string |
26 | * private key for this session | |
6a488035 | 27 | */ |
00be9182 | 28 | public static function privateKey() { |
6a488035 TO |
29 | if (!self::$_key) { |
30 | $session = CRM_Core_Session::singleton(); | |
31 | self::$_key = $session->get('qfPrivateKey'); | |
32 | if (!self::$_key) { | |
33 | self::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE)); | |
34 | $session->set('qfPrivateKey', self::$_key); | |
35 | } | |
36 | } | |
37 | return self::$_key; | |
38 | } | |
39 | ||
a0ee3941 EM |
40 | /** |
41 | * @return mixed|null|string | |
42 | */ | |
00be9182 | 43 | public static function sessionID() { |
6a488035 TO |
44 | if (!self::$_sessionID) { |
45 | $session = CRM_Core_Session::singleton(); | |
46 | self::$_sessionID = $session->get('qfSessionID'); | |
47 | if (!self::$_sessionID) { | |
48 | self::$_sessionID = session_id(); | |
49 | $session->set('qfSessionID', self::$_sessionID); | |
50 | } | |
51 | } | |
52 | return self::$_sessionID; | |
53 | } | |
54 | ||
55 | /** | |
56 | * Generate a form key based on form name, the current user session | |
57 | * and a private key. Modelled after drupal's form API | |
58 | * | |
c490a46a | 59 | * @param string $name |
6a0b768e TO |
60 | * @param bool $addSequence |
61 | * Should we add a unique sequence number to the end of the key. | |
6a488035 | 62 | * |
a6c01b45 CW |
63 | * @return string |
64 | * valid formID | |
6a488035 | 65 | */ |
00be9182 | 66 | public static function get($name, $addSequence = FALSE) { |
6a488035 | 67 | $privateKey = self::privateKey(); |
353ffa53 TO |
68 | $sessionID = self::sessionID(); |
69 | $key = md5($sessionID . $name . $privateKey); | |
6a488035 TO |
70 | |
71 | if ($addSequence) { | |
72 | // now generate a random number between 1 and 100K and add it to the key | |
73 | // so that we can have forms in mutiple tabs etc | |
74 | $key = $key . '_' . mt_rand(1, 10000); | |
75 | } | |
76 | return $key; | |
77 | } | |
78 | ||
79 | /** | |
fe482240 | 80 | * Validate a form key based on the form name. |
6a488035 | 81 | * |
c490a46a | 82 | * @param string $key |
6a488035 | 83 | * @param string $name |
77b97be7 EM |
84 | * @param bool $addSequence |
85 | * | |
a6c01b45 CW |
86 | * @return string |
87 | * if valid, else null | |
6a488035 | 88 | */ |
00be9182 | 89 | public static function validate($key, $name, $addSequence = FALSE) { |
6a488035 TO |
90 | if (!is_string($key)) { |
91 | return NULL; | |
92 | } | |
93 | ||
94 | if ($addSequence) { | |
95 | list($k, $t) = explode('_', $key); | |
96 | if ($t < 1 || $t > 10000) { | |
97 | return NULL; | |
98 | } | |
99 | } | |
100 | else { | |
101 | $k = $key; | |
102 | } | |
103 | ||
104 | $privateKey = self::privateKey(); | |
105 | $sessionID = self::sessionID(); | |
106 | if ($k != md5($sessionID . $name . $privateKey)) { | |
107 | return NULL; | |
108 | } | |
109 | return $key; | |
110 | } | |
111 | ||
a0ee3941 | 112 | /** |
49b215d2 | 113 | * The original version of this function, added circa 2010 and untouched |
114 | * since then, seemed intended to check for a 32-digit hex string followed | |
115 | * optionally by an underscore and 4-digit number. But it had a bug where | |
116 | * the optional part was never checked ever. So have decided to remove that | |
117 | * second check to keep it simple since it seems like pseudo-security. | |
118 | * | |
119 | * @param string $key | |
a0ee3941 EM |
120 | * |
121 | * @return bool | |
122 | */ | |
00be9182 | 123 | public static function valid($key) { |
49b215d2 | 124 | // ensure that key contains a 32 digit hex string |
125 | return (bool) preg_match('#[0-9a-f]{32}#i', $key); | |
6a488035 | 126 | } |
96025800 | 127 | |
6a488035 | 128 | } |