CRM/Core/Key.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | CiviCRM version 4.5                                                |
   5  +--------------------------------------------------------------------+
   6  | Copyright CiviCRM LLC (c) 2004-2014                                |
   7  +--------------------------------------------------------------------+
   8  | This file is a part of CiviCRM.                                    |
   9  |                                                                    |
  10  | CiviCRM is free software; you can copy, modify, and distribute it  |
  11  | under the terms of the GNU Affero General Public License           |
  12  | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
  13  |                                                                    |
  14  | CiviCRM is distributed in the hope that it will be useful, but     |
  15  | WITHOUT ANY WARRANTY; without even the implied warranty of         |
  16  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
  17  | See the GNU Affero General Public License for more details.        |
  18  |                                                                    |
  19  | You should have received a copy of the GNU Affero General Public   |
  20  | License and the CiviCRM Licensing Exception along                  |
  21  | with this program; if not, contact CiviCRM LLC                     |
  22  | at info[AT]civicrm[DOT]org. If you have questions about the        |
  23  | GNU Affero General Public License or the licensing of CiviCRM,     |
  24  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  25  +--------------------------------------------------------------------+
  26 */
  27
  28 /**
  29  *
  30  * @package CRM
  31  * @copyright CiviCRM LLC (c) 2004-2014
  32  * $Id$
  33  *
  34  */
  35 class CRM_Core_Key {
  36   static $_key = NULL;
  37
  38   static $_sessionID = NULL;
  39
  40   /**
  41    * Generate a private key per session and store in session
  42    *
  43    * @return string private key for this session
  44    * @static
  45    * @access private
  46    */
  47   static function privateKey() {
  48     if (!self::$_key) {
  49       $session = CRM_Core_Session::singleton();
  50       self::$_key = $session->get('qfPrivateKey');
  51       if (!self::$_key) {
  52         self::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE));
  53         $session->set('qfPrivateKey', self::$_key);
  54       }
  55     }
  56     return self::$_key;
  57   }
  58
  59   /**
  60    * @return mixed|null|string
  61    */
  62   static function sessionID() {
  63     if (!self::$_sessionID) {
  64       $session = CRM_Core_Session::singleton();
  65       self::$_sessionID = $session->get('qfSessionID');
  66       if (!self::$_sessionID) {
  67         self::$_sessionID = session_id();
  68         $session->set('qfSessionID', self::$_sessionID);
  69       }
  70     }
  71     return self::$_sessionID;
  72   }
  73
  74   /**
  75    * Generate a form key based on form name, the current user session
  76    * and a private key. Modelled after drupal's form API
  77    *
  78    * @param $name
  79    * @param bool $addSequence
  80    *
  81    * @internal param string $value name of the form
  82    * @paeam boolean $addSequence should we add a unique sequence number to the end of the key
  83    *
  84    * @return string       valid formID
  85    * @static
  86    * @acess public
  87    */
  88   static function get($name, $addSequence = FALSE) {
  89     $privateKey = self::privateKey();
  90     $sessionID  = self::sessionID();
  91     $key        = md5($sessionID . $name . $privateKey);
  92
  93     if ($addSequence) {
  94       // now generate a random number between 1 and 100K and add it to the key
  95       // so that we can have forms in mutiple tabs etc
  96       $key = $key . '_' . mt_rand(1, 10000);
  97     }
  98     return $key;
  99   }
 100
 101   /**
 102    * Validate a form key based on the form name
 103    *
 104    * @param $key
 105    * @param string $name
 106    *
 107    * @param bool $addSequence
 108    *
 109    * @internal param string $formKey
 110    * @return string $formKey if valid, else null
 111    * @static
 112    * @acess public
 113    */
 114   static function validate($key, $name, $addSequence = FALSE) {
 115     if (!is_string($key)) {
 116       return NULL;
 117     }
 118
 119     if ($addSequence) {
 120       list($k, $t) = explode('_', $key);
 121       if ($t < 1 || $t > 10000) {
 122         return NULL;
 123       }
 124     }
 125     else {
 126       $k = $key;
 127     }
 128
 129     $privateKey = self::privateKey();
 130     $sessionID = self::sessionID();
 131     if ($k != md5($sessionID . $name . $privateKey)) {
 132       return NULL;
 133     }
 134     return $key;
 135   }
 136
 137   /**
 138    * @param $key
 139    *
 140    * @return bool
 141    */
 142   static function valid($key) {
 143     // a valid key is a 32 digit hex number
 144     // followed by an optional _ and a number between 1 and 10000
 145     if (strpos('_', $key) !== FALSE) {
 146       list($hash, $seq) = explode('_', $key);
 147
 148       // ensure seq is between 1 and 10000
 149       if (!is_numeric($seq) ||
 150         $seq < 1 ||
 151         $seq > 10000
 152       ) {
 153         return FALSE;
 154       }
 155     }
 156     else {
 157       $hash = $key;
 158     }
 159
 160     // ensure that hash is a 32 digit hex number
 161     return preg_match('#[0-9a-f]{32}#i', $hash) ? TRUE : FALSE;
 162   }
 163 }
 164