[civicrm-core.git] / CRM / Core / Key.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 4.6                                                |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2014                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
*/

/**
 *
 * @package CRM
 * @copyright CiviCRM LLC (c) 2004-2014
 * $Id$
 *
 */
class CRM_Core_Key {
  static $_key = NULL;

  static $_sessionID = NULL;

  /**
   * Generate a private key per session and store in session
   *
   * @return string private key for this session
   * @static
   * @access private
   */
  static function privateKey() {
    if (!self::$_key) {
      $session = CRM_Core_Session::singleton();
      self::$_key = $session->get('qfPrivateKey');
      if (!self::$_key) {
        self::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE));
        $session->set('qfPrivateKey', self::$_key);
      }
    }
    return self::$_key;
  }

  /**
   * @return mixed|null|string
   */
  static function sessionID() {
    if (!self::$_sessionID) {
      $session = CRM_Core_Session::singleton();
      self::$_sessionID = $session->get('qfSessionID');
      if (!self::$_sessionID) {
        self::$_sessionID = session_id();
        $session->set('qfSessionID', self::$_sessionID);
      }
    }
    return self::$_sessionID;
  }

  /**
   * Generate a form key based on form name, the current user session
   * and a private key. Modelled after drupal's form API
   *
   * @param string $name
   * @param bool $addSequence should we add a unique sequence number to the end of the key
   *
   * @return string       valid formID
   * @static
   * @access public
   */
  static function get($name, $addSequence = FALSE) {
    $privateKey = self::privateKey();
    $sessionID  = self::sessionID();
    $key        = md5($sessionID . $name . $privateKey);

    if ($addSequence) {
      // now generate a random number between 1 and 100K and add it to the key
      // so that we can have forms in mutiple tabs etc
      $key = $key . '_' . mt_rand(1, 10000);
    }
    return $key;
  }

  /**
   * Validate a form key based on the form name
   *
   * @param string $key
   * @param string $name
   * @param bool $addSequence
   *
   * @return string $formKey if valid, else null
   * @static
   * @access public
   */
  static function validate($key, $name, $addSequence = FALSE) {
    if (!is_string($key)) {
      return NULL;
    }

    if ($addSequence) {
      list($k, $t) = explode('_', $key);
      if ($t < 1 || $t > 10000) {
        return NULL;
      }
    }
    else {
      $k = $key;
    }

    $privateKey = self::privateKey();
    $sessionID = self::sessionID();
    if ($k != md5($sessionID . $name . $privateKey)) {
      return NULL;
    }
    return $key;
  }

  /**
   * @param $key
   *
   * @return bool
   */
  static function valid($key) {
    // a valid key is a 32 digit hex number
    // followed by an optional _ and a number between 1 and 10000
    if (strpos('_', $key) !== FALSE) {
      list($hash, $seq) = explode('_', $key);

      // ensure seq is between 1 and 10000
      if (!is_numeric($seq) ||
        $seq < 1 ||
        $seq > 10000
      ) {
        return FALSE;
      }
    }
    else {
      $hash = $key;
    }

    // ensure that hash is a 32 digit hex number
    return preg_match('#[0-9a-f]{32}#i', $hash) ? TRUE : FALSE;
  }
}
Commit	Line	Data
6a488035 TO	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
39de6fd5	4	\| CiviCRM version 4.6 \|
6a488035	5	+--------------------------------------------------------------------+
06b69b18	6	\| Copyright CiviCRM LLC (c) 2004-2014 \|
6a488035 TO	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
	26	*/
	27
	28	/**
	29	*
	30	* @package CRM
06b69b18	31	* @copyright CiviCRM LLC (c) 2004-2014
6a488035 TO	32	* $Id$
	33	*
	34	*/
	35	class CRM_Core_Key {
	36	static $_key = NULL;
	37
	38	static $_sessionID = NULL;
	39
	40	/**
	41	* Generate a private key per session and store in session
	42	*
	43	* @return string private key for this session
	44	* @static
	45	* @access private
	46	*/
	47	static function privateKey() {
	48	if (!self::$_key) {
	49	$session = CRM_Core_Session::singleton();
	50	self::$_key = $session->get('qfPrivateKey');
	51	if (!self::$_key) {
	52	self::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE));
	53	$session->set('qfPrivateKey', self::$_key);
	54	}
	55	}
	56	return self::$_key;
	57	}
	58
a0ee3941 EM	59	/**
	60	* @return mixed\|null\|string
	61	*/
6a488035 TO	62	static function sessionID() {
	63	if (!self::$_sessionID) {
	64	$session = CRM_Core_Session::singleton();
	65	self::$_sessionID = $session->get('qfSessionID');
	66	if (!self::$_sessionID) {
	67	self::$_sessionID = session_id();
	68	$session->set('qfSessionID', self::$_sessionID);
	69	}
	70	}
	71	return self::$_sessionID;
	72	}
	73
	74	/**
	75	* Generate a form key based on form name, the current user session
	76	* and a private key. Modelled after drupal's form API
	77	*
c490a46a CW	78	* @param string $name
c490a46a CW	79	* @param bool $addSequence should we add a unique sequence number to the end of the key
6a488035 TO	80	*
	81	* @return string valid formID
	82	* @static
c490a46a	83	* @access public
6a488035 TO	84	*/
	85	static function get($name, $addSequence = FALSE) {
	86	$privateKey = self::privateKey();
	87	$sessionID = self::sessionID();
	88	$key = md5($sessionID . $name . $privateKey);
	89
	90	if ($addSequence) {
	91	// now generate a random number between 1 and 100K and add it to the key
	92	// so that we can have forms in mutiple tabs etc
	93	$key = $key . '_' . mt_rand(1, 10000);
	94	}
	95	return $key;
	96	}
	97
	98	/**
	99	* Validate a form key based on the form name
	100	*
c490a46a	101	* @param string $key
6a488035	102	* @param string $name
77b97be7 EM	103	* @param bool $addSequence
77b97be7 EM	104	*
6a488035 TO	105	* @return string $formKey if valid, else null
6a488035 TO	106	* @static
c490a46a	107	* @access public
6a488035 TO	108	*/
	109	static function validate($key, $name, $addSequence = FALSE) {
	110	if (!is_string($key)) {
	111	return NULL;
	112	}
	113
	114	if ($addSequence) {
	115	list($k, $t) = explode('_', $key);
	116	if ($t < 1 \|\| $t > 10000) {
	117	return NULL;
	118	}
	119	}
	120	else {
	121	$k = $key;
	122	}
	123
	124	$privateKey = self::privateKey();
	125	$sessionID = self::sessionID();
	126	if ($k != md5($sessionID . $name . $privateKey)) {
	127	return NULL;
	128	}
	129	return $key;
	130	}
	131
a0ee3941 EM	132	/**
	133	* @param $key
	134	*
	135	* @return bool
	136	*/
6a488035 TO	137	static function valid($key) {
	138	// a valid key is a 32 digit hex number
	139	// followed by an optional _ and a number between 1 and 10000
	140	if (strpos('_', $key) !== FALSE) {
	141	list($hash, $seq) = explode('_', $key);
	142
	143	// ensure seq is between 1 and 10000
	144	if (!is_numeric($seq) \|\|
	145	$seq < 1 \|\|
	146	$seq > 10000
	147	) {
	148	return FALSE;
	149	}
	150	}
	151	else {
	152	$hash = $key;
	153	}
	154
	155	// ensure that hash is a 32 digit hex number
	156	return preg_match('#[0-9a-f]{32}#i', $hash) ? TRUE : FALSE;
	157	}
	158	}
	159