source: sandbox/workflow/branches/609/lib/security/Security.php @ 2249

Revision 2249, 3.7 KB checked in by pedroerp, 14 years ago (diff)

Ticket #609 - Adaptando os processos do workflow para utilizar o nova factory.

  • Property svn:executable set to *
1<?php
2/**************************************************************************\
3* eGroupWare                                                               *
4* http://www.egroupware.org                                                *
5* --------------------------------------------                             *
6*  This program is free software; you can redistribute it and/or modify it *
7*  under the terms of the GNU General Public License as published by the   *
8*  Free Software Foundation; either version 2 of the License, or (at your  *
9*  option) any later version.                                              *
10\**************************************************************************/
11
12/**
13 * Security class for Workflow module.
14 * You should never forget to call 'enable'
15 * public method to enable security before
16 * executing process code.
17 *
18 * @package Security
19 * @license http://www.gnu.org/copyleft/gpl.html GPL
20 * @author Pedro Eugênio Rocha - pedro.eugenio.rocha@gmail.com
21 */
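class Security {

    /**
     * @var boolean $_protection Stores the current security mode (true = secured).
     * @access private
     * @static
     */
    private static $_protection = false;


    /**
     * Disallow the instantiation of this class.
     * @access public
     * @throws Exception always; the class only exposes static members.
     */
    public function __construct() {
        throw new Exception("Oops! Static only class.");
    }


    /**
     * Returns the current security mode.
     * @access public
     * @return boolean true when secured mode is on
     * @static
     */
    public static function isEnabled() {
        return self::$_protection;
    }


    /**
     * Change to secured mode.
     *
     * The request is authorised from the file of the immediate caller only
     * (see isSafeDir); frames further up the stack are not inspected. Trusted
     * code under the server root must therefore not call this on behalf of
     * process code.
     *
     * @access public
     * @return boolean true on success
     * @throws Exception when the calling file is not under EGW_SERVER_ROOT
     * @static
     */
    public static function enable() {

        /* default depth 1 = the file that called enable() */
        if (!self::isSafeDir())
            throw new Exception('You are not allowed to change the security mode.');

        self::$_protection = true;
        return true;
    }

    /**
     * Change to unsecured mode.
     *
     * Same caller check as enable(). This is the sensitive direction: any
     * file under the server root that calls disable() turns protection off.
     *
     * @access public
     * @return boolean true on success
     * @throws Exception when the calling file is not under EGW_SERVER_ROOT
     * @static
     */
    public static function disable() {

        /* default depth 1 = the file that called disable() */
        if (!self::isSafeDir())
            throw new Exception('You are not allowed to change the security mode.');

        self::$_protection = false;
        return true;
    }


    /**
     * Implements the security validation.
     * Tells whether the file at a given backtrace depth lives under
     * EGW_SERVER_ROOT. Depth 0 is the file that called isSafeDir() itself;
     * the default depth 1 is the file that called the function which called
     * isSafeDir() (the "immediate previous function").
     *
     * The check fails closed: a missing frame, a frame without a file, an
     * undefined or empty EGW_SERVER_ROOT, or a path that does not resolve to
     * a real file (for example eval()'d code) all yield false.
     *
     * NOTE(review): "safe" here means "under EGW_SERVER_ROOT". That only
     * matches the intent "no process code exists under it" if process code
     * is stored outside EGW_SERVER_ROOT - confirm against the deployment.
     *
     * @access public
     * @param integer $depth index of the backtrace frame to validate
     * @return boolean
     * @static
     */
    public static function isSafeDir($depth = 1) {

        /* our backtrace based policy */
        $backtrace = debug_backtrace();

        /* frames invoked from internal functions carry no 'file' key */
        if (!isset($backtrace[$depth]['file']))
            return false;

        $originFile = $backtrace[$depth]['file'];
        if (empty($originFile))
            return false;

        return self::_isUnderServerRoot($originFile);
    }


    /**
     * Tells whether $path resolves to a location inside EGW_SERVER_ROOT.
     *
     * Both sides are canonicalised with realpath() so doubled slashes, '..'
     * segments and symlinks cannot change the outcome, and the root is
     * compared with a trailing separator so that a sibling directory sharing
     * the same prefix (e.g. "<root>-other") is not accepted.
     *
     * @access private
     * @param string $path file path taken from a backtrace frame
     * @return boolean
     * @static
     */
    private static function _isUnderServerRoot($path) {

        /* an undefined or empty root must never match everything */
        if (!defined('EGW_SERVER_ROOT'))
            return false;

        $root = EGW_SERVER_ROOT;
        if (!is_string($root) || $root === '')
            return false;

        $root = realpath($root);
        $path = realpath($path);
        if ($root === false || $path === false)
            return false;

        $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        return strncmp($path, $root, strlen($root)) === 0;
    }


    /**
     * Placeholder for a per-file policy on who may change the security mode.
     *
     * TODO: the earlier draft compared the caller's base name against
     * $allowedFile, a variable that was never assigned, so no allow-list has
     * ever existed. Comparing file names is weak by design as well: paths may
     * contain doubled slashes from wrong concatenations, and a process may
     * ship a file with the same base name. Until a real policy is written
     * this method denies unconditionally. Nothing in this class calls it.
     *
     * @access private
     * @return boolean always false
     * @static
     */
    private static function _isAllowed() {
        return false;
    }
}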
145?>