[civicrm-core.git] / CRM / Core / Key.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 5                                                  |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2019                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
 */

/**
 *
 * @package CRM
 * @copyright CiviCRM LLC (c) 2004-2019
 * $Id$
 *
 */
class CRM_Core_Key {
  static $_key = NULL;

  static $_sessionID = NULL;

  /**
   * Generate a private key per session and store in session.
   *
   * @return string
   *   private key for this session
   */
  public static function privateKey() {
    if (!self::$_key) {
      $session = CRM_Core_Session::singleton();
      self::$_key = $session->get('qfPrivateKey');
      if (!self::$_key) {
        self::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE));
        $session->set('qfPrivateKey', self::$_key);
      }
    }
    return self::$_key;
  }

  /**
   * @return mixed|null|string
   */
  public static function sessionID() {
    if (!self::$_sessionID) {
      $session = CRM_Core_Session::singleton();
      self::$_sessionID = $session->get('qfSessionID');
      if (!self::$_sessionID) {
        self::$_sessionID = session_id();
        $session->set('qfSessionID', self::$_sessionID);
      }
    }
    return self::$_sessionID;
  }

  /**
   * Generate a form key based on form name, the current user session
   * and a private key. Modelled after drupal's form API
   *
   * @param string $name
   * @param bool $addSequence
   *   Should we add a unique sequence number to the end of the key.
   *
   * @return string
   *   valid formID
   */
  public static function get($name, $addSequence = FALSE) {
    $privateKey = self::privateKey();
    $sessionID = self::sessionID();
    $key = md5($sessionID . $name . $privateKey);

    if ($addSequence) {
      // now generate a random number between 1 and 100K and add it to the key
      // so that we can have forms in mutiple tabs etc
      $key = $key . '_' . mt_rand(1, 10000);
    }
    return $key;
  }

  /**
   * Validate a form key based on the form name.
   *
   * @param string $key
   * @param string $name
   * @param bool $addSequence
   *
   * @return string
   *   if valid, else null
   */
  public static function validate($key, $name, $addSequence = FALSE) {
    if (!is_string($key)) {
      return NULL;
    }

    if ($addSequence) {
      list($k, $t) = explode('_', $key);
      if ($t < 1 || $t > 10000) {
        return NULL;
      }
    }
    else {
      $k = $key;
    }

    $privateKey = self::privateKey();
    $sessionID = self::sessionID();
    if ($k != md5($sessionID . $name . $privateKey)) {
      return NULL;
    }
    return $key;
  }

  /**
   * @param $key
   *
   * @return bool
   */
  public static function valid($key) {
    // a valid key is a 32 digit hex number
    // followed by an optional _ and a number between 1 and 10000
    if (strpos('_', $key) !== FALSE) {
      list($hash, $seq) = explode('_', $key);

      // ensure seq is between 1 and 10000
      if (!is_numeric($seq) ||
        $seq < 1 ||
        $seq > 10000
      ) {
        return FALSE;
      }
    }
    else {
      $hash = $key;
    }

    // ensure that hash is a 32 digit hex number
    return preg_match('#[0-9a-f]{32}#i', $hash) ? TRUE : FALSE;
  }

}
Commit	Line	Data
6a488035 TO	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
fee14197	4	\| CiviCRM version 5 \|
6a488035	5	+--------------------------------------------------------------------+
6b83d5bd	6	\| Copyright CiviCRM LLC (c) 2004-2019 \|
6a488035 TO	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
d25dd0ee	26	*/
6a488035 TO	27
	28	/**
	29	*
	30	* @package CRM
6b83d5bd	31	* @copyright CiviCRM LLC (c) 2004-2019
6a488035 TO	32	* $Id$
	33	*
	34	*/
	35	class CRM_Core_Key {
	36	static $_key = NULL;
	37
	38	static $_sessionID = NULL;
	39
	40	/**
fe482240	41	* Generate a private key per session and store in session.
6a488035	42	*
a6c01b45 CW	43	* @return string
a6c01b45 CW	44	* private key for this session
6a488035	45	*/
00be9182	46	public static function privateKey() {
6a488035 TO	47	if (!self::$_key) {
	48	$session = CRM_Core_Session::singleton();
	49	self::$_key = $session->get('qfPrivateKey');
	50	if (!self::$_key) {
	51	self::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE));
	52	$session->set('qfPrivateKey', self::$_key);
	53	}
	54	}
	55	return self::$_key;
	56	}
	57
a0ee3941 EM	58	/**
	59	* @return mixed\|null\|string
	60	*/
00be9182	61	public static function sessionID() {
6a488035 TO	62	if (!self::$_sessionID) {
	63	$session = CRM_Core_Session::singleton();
	64	self::$_sessionID = $session->get('qfSessionID');
	65	if (!self::$_sessionID) {
	66	self::$_sessionID = session_id();
	67	$session->set('qfSessionID', self::$_sessionID);
	68	}
	69	}
	70	return self::$_sessionID;
	71	}
	72
	73	/**
	74	* Generate a form key based on form name, the current user session
	75	* and a private key. Modelled after drupal's form API
	76	*
c490a46a	77	* @param string $name
6a0b768e TO	78	* @param bool $addSequence
6a0b768e TO	79	* Should we add a unique sequence number to the end of the key.
6a488035	80	*
a6c01b45 CW	81	* @return string
a6c01b45 CW	82	* valid formID
6a488035	83	*/
00be9182	84	public static function get($name, $addSequence = FALSE) {
6a488035	85	$privateKey = self::privateKey();
353ffa53 TO	86	$sessionID = self::sessionID();
353ffa53 TO	87	$key = md5($sessionID . $name . $privateKey);
6a488035 TO	88
	89	if ($addSequence) {
	90	// now generate a random number between 1 and 100K and add it to the key
	91	// so that we can have forms in mutiple tabs etc
	92	$key = $key . '_' . mt_rand(1, 10000);
	93	}
	94	return $key;
	95	}
	96
	97	/**
fe482240	98	* Validate a form key based on the form name.
6a488035	99	*
c490a46a	100	* @param string $key
6a488035	101	* @param string $name
77b97be7 EM	102	* @param bool $addSequence
77b97be7 EM	103	*
a6c01b45 CW	104	* @return string
a6c01b45 CW	105	* if valid, else null
6a488035	106	*/
00be9182	107	public static function validate($key, $name, $addSequence = FALSE) {
6a488035 TO	108	if (!is_string($key)) {
	109	return NULL;
	110	}
	111
	112	if ($addSequence) {
	113	list($k, $t) = explode('_', $key);
	114	if ($t < 1 \|\| $t > 10000) {
	115	return NULL;
	116	}
	117	}
	118	else {
	119	$k = $key;
	120	}
	121
	122	$privateKey = self::privateKey();
	123	$sessionID = self::sessionID();
	124	if ($k != md5($sessionID . $name . $privateKey)) {
	125	return NULL;
	126	}
	127	return $key;
	128	}
	129
a0ee3941 EM	130	/**
	131	* @param $key
	132	*
	133	* @return bool
	134	*/
00be9182	135	public static function valid($key) {
6a488035 TO	136	// a valid key is a 32 digit hex number
	137	// followed by an optional _ and a number between 1 and 10000
	138	if (strpos('_', $key) !== FALSE) {
	139	list($hash, $seq) = explode('_', $key);
	140
	141	// ensure seq is between 1 and 10000
	142	if (!is_numeric($seq) \|\|
	143	$seq < 1 \|\|
	144	$seq > 10000
	145	) {
	146	return FALSE;
	147	}
	148	}
	149	else {
	150	$hash = $key;
	151	}
	152
	153	// ensure that hash is a 32 digit hex number
	154	return preg_match('#[0-9a-f]{32}#i', $hash) ? TRUE : FALSE;
	155	}
96025800	156
6a488035	157	}