Changeset 2249 for sandbox/workflow/branches/609/lib
- Timestamp:
- 03/15/10 14:41:49 (14 years ago)
- Location:
- sandbox/workflow/branches/609/lib
- Files:
-
- 1 added
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
sandbox/workflow/branches/609/lib/factory/Factory.php
r2233 r2249 58 58 59 59 /** 60 * Just forward this call to the correct class.60 * Just forward this call. 61 61 * 62 62 * @access public 63 * @retu n object63 * @return object 64 64 * @static 65 65 */ 66 66 public static function &getInstance() { 67 67 68 /* oops. we are in the process space. */ 69 if (Security::isEnabled()) { 70 71 /* must instatiate it */ 72 if (is_null(self::$_securedFactory)) 73 self::$_securedFactory = new ProcessFactory(); 74 75 $args = func_get_args(); 76 return call_user_func_array(array(self::$_securedFactory, "getInstance"), $args); 77 78 } 79 /* regular module space */ 80 else { 81 82 /* must instatiate it */ 83 if (is_null(self::$_unsecuredFactory)) 84 self::$_unsecuredFactory = new WorkflowFactory(); 85 86 $args = func_get_args(); 87 return call_user_func_array(array(self::$_unsecuredFactory, "getInstance"), $args); 88 } 68 $args = func_get_args(); 69 return self::_callMethod(__FUNCTION__, $args); 89 70 } 90 71 91 72 92 73 /** 93 * Just forward this call to the correct class.74 * Just forward this call. 94 75 * 95 76 * @access public 96 * @retu n object77 * @return object 97 78 * @static 98 79 */ 99 80 public static function &newInstance() { 100 81 101 /* oops. we are in the process space. */ 102 if (Security::isEnabled()) { 82 $args = func_get_args(); 83 return self::_callMethod(__FUNCTION__, $args); 84 } 103 85 104 /* must instatiate it */ 86 87 /** 88 * Selecting the proper factory to call. This function 89 * should never be called with a random $methodName. Allowed 90 * values are 'getInstance' and 'newInstance'. 91 * 92 * @access private 93 * @return object 94 * @static 95 */ 96 private static function &_callMethod($methodName, $args) { 97 98 /* security off (module space) */ 99 if (!Security::isEnabled()) { 100 101 /* it must be instatiated */ 102 if (is_null(self::$_unsecuredFactory)) 103 self::$_unsecuredFactory = new WorkflowFactory(); 104 105 return call_user_func_array(array(self::$_unsecuredFactory, $methodName), $args); 106 } 107 /* oops. we are in the process space (restricted). */ 108 else { 109 110 /* it must be instatiated */ 105 111 if (is_null(self::$_securedFactory)) 106 112 self::$_securedFactory = new ProcessFactory(); 107 113 108 $args = func_get_args(); 109 return call_user_func_array(array(self::$_securedFactory, "newInstance"), $args); 114 /** 115 * If the class is not allowed, we must check who is trying 116 * to instantiate it. If it's a module guy, let's allow him. 117 * Throw up the exception otherwise. 118 */ 119 try { 120 $obj = call_user_func_array(array(self::$_securedFactory, $methodName), $args); 121 } 110 122 111 } 112 /* regular module space */ 113 else { 123 /** 124 * We are erroneously catching any exceptions. We should catch only the 'class not allowed' 125 * types of exceptions. To do so, a custom exception class must be defined. 126 */ 127 catch(Exception $e) { 114 128 115 /* must instatiate it */ 116 if (is_null(self::$_unsecuredFactory)) 117 self::$_unsecuredFactory = new WorkflowFactory(); 129 /** 130 * Here we are using depth 2 in isSafeDir method, because we are on a private 131 * method. Thus, we need to know if the "caller's caller's" function is on a 132 * safe dir, instead of the direct caller's method. 133 */ 134 if (Security::isSafeDir(2)) 135 $obj = call_user_func_array(array(self::$_unsecuredFactory, $methodName), $args); 118 136 119 $args = func_get_args(); 120 return call_user_func_array(array(self::$_unsecuredFactory, "newInstance"), $args); 137 /* nasty one. take this... */ 138 else 139 throw($e); 140 } 141 142 // finally 143 return $obj; 121 144 } 122 145 } -
sandbox/workflow/branches/609/lib/factory/ProcessFactory.php
r2222 r2249 48 48 49 49 /* registering allowed classes */ 50 //$this->registerFileInfo('WorkflowObjects', 'class.WorkflowObjects.inc.php', 'inc'); 50 $this->registerFileInfo('wf_orgchart', 'class.wf_orgchart.php', 'inc/local/classes'); 51 $this->registerFileInfo('wf_ldap', 'class.wf_ldap.php', 'inc/local/classes'); 52 $this->registerFileInfo('wf_engine', 'class.wf_engine.php', 'inc/local/classes'); 53 $this->registerFileInfo('wf_role', 'class.wf_role.php', 'inc/local/classes'); 54 $this->registerFileInfo('wf_instance', 'class.wf_instance.php', 'inc/local/classes'); 55 $this->registerFileInfo('wf_location', 'class.wf_location.php', 'inc/local/classes'); 56 $this->registerFileInfo('wf_db', 'class.wf_db.php', 'inc/local/classes'); 57 $this->registerFileInfo('wf_fpdf', 'class.wf_fpdf.php', 'inc/local/classes'); 58 $this->registerFileInfo('wf_paging', 'class.wf_paging.php', 'inc/local/classes'); 51 59 52 60 /* ok. no more instances of this class.. */ -
sandbox/workflow/branches/609/lib/factory/WorkflowFactory.php
r2233 r2249 68 68 $this->registerFileInfo('accounts', 'class.accounts.inc.php', '', EGW_INC_ROOT); 69 69 70 71 /** 72 * TODO - This is a veeery big workaround to maintain compatibility with 73 * processes that uses the old not-static factory. So, we made this wrapper 74 * (adapter) that just calls the new and cute static factory class in the 75 * right way. It should be removed as soon as possible. 76 */ 77 $this->registerFileInfo('ProcessWrapperFactory', 'ProcessWrapperFactory.php', 'lib/factory/'); 78 79 70 80 /* ok. no more instances of this class.. */ 71 81 self::$_instantiated = true; -
sandbox/workflow/branches/609/lib/security/Security.php
r2222 r2249 16 16 * executing process code. 17 17 * 18 * @package Factory18 * @package Security 19 19 * @license http://www.gnu.org/copyleft/gpl.html GPL 20 20 * @author Pedro Eugênio Rocha - pedro.eugenio.rocha@gmail.com … … 43 43 * Returns the current security mode. 44 44 * @access public 45 * @return boolean 45 * @return boolea 46 * @static 46 47 */ 47 48 public static function isEnabled() { … … 58 59 public static function enable() { 59 60 60 if (self:: _isAllowed())61 if (self::isSafeDir()) 61 62 self::$_protection = true; 62 63 else 63 throw new Exception('You are not allowed to change security mode.');64 throw new Exception('You are not allowed to change the security mode.'); 64 65 return true; 65 66 } … … 73 74 public static function disable() { 74 75 75 if (self:: _isAllowed())76 if (self::isSafeDir()) 76 77 self::$_protection = false; 77 78 else 78 throw new Exception('You are not allowed to change security mode.');79 throw new Exception('You are not allowed to change the security mode.'); 79 80 return true; 81 } 82 83 84 /** 85 * Implements the security validation. 86 * This function tell us if a fileName is on a safe directory. 87 * For safe dir we mean that no process code exists under it. 88 * The 'depth' parameter specifies the deepness of the file that 89 * we are validate. Default value is to validate the imediate 90 * previous function. 91 * 92 * @access public 93 * @return boolean 94 * @static 95 */ 96 public static function isSafeDir($depth = 1) { 97 98 /* our backtrace based policy */ 99 $backtrace = debug_backtrace(); 100 $originFile = $backtrace[$depth]['file']; 101 102 if (empty($originFile)) 103 return false; 104 105 /* if $fileName is a file under our server root, then it's safe. */ 106 if (substr_compare($originFile, EGW_SERVER_ROOT, 0, strlen(EGW_SERVER_ROOT)) == 0) 107 return true; 108 return false; 80 109 } 81 110 … … 93 122 $backtrace = debug_backtrace(); 94 123 95 /* TODO - These are not definitive validations */ 124 96 125 /* $backtrace[1] specifies the imediate antecessor function */ 97 $ basedir = dirname($backtrace[1]['file']);126 $originFile = basename($backtrace[1]['file']); 98 127 99 if ($basedir == dirname(__FILE__)) 128 129 /** 130 * TODO - TODO - TODO - TODO 131 * We all know that compare file names is a awful thing.. 132 * what makes it even worse is the fact that the file name 133 * could contain double slashes (e.g. //) caused by wrong 134 * concatenations. So we cannot compare the whole file path. 135 * Moreover, if the process has a file named $allowedFile, 136 * our security will eventually fail.. 137 * 138 * Anyway, we should think in a better way to validate this... 139 */ 140 if (basename($originFile) == basename($allowedFile)) 100 141 return true; 101 142 return false; 102 143 } 103 144 } 104 105 145 ?>
Note: See TracChangeset
for help on using the changeset viewer.