Changeset 2249 for sandbox/workflow/branches/609/lib/security/Security.php
- Timestamp:
- 03/15/10 14:41:49 (14 years ago)
- File:
-
- 1 edited
sandbox/workflow/branches/609/lib/security/Security.php
r2222 r2249 16 16 * executing process code. 17 17 * 18 * @package Factory18 * @package Security 19 19 * @license http://www.gnu.org/copyleft/gpl.html GPL 20 20 * @author Pedro Eugênio Rocha - pedro.eugenio.rocha@gmail.com … … 43 43 * Returns the current security mode. 44 44 * @access public 45 * @return boolean 45 * @return boolea 46 * @static 46 47 */ 47 48 public static function isEnabled() { … … 58 59 public static function enable() { 59 60 60 if (self:: _isAllowed())61 if (self::isSafeDir()) 61 62 self::$_protection = true; 62 63 else 63 throw new Exception('You are not allowed to change security mode.');64 throw new Exception('You are not allowed to change the security mode.'); 64 65 return true; 65 66 } … … 73 74 public static function disable() { 74 75 75 if (self:: _isAllowed())76 if (self::isSafeDir()) 76 77 self::$_protection = false; 77 78 else 78 throw new Exception('You are not allowed to change security mode.');79 throw new Exception('You are not allowed to change the security mode.'); 79 80 return true; 81 } 82 83 84 /** 85 * Implements the security validation. 86 * This function tell us if a fileName is on a safe directory. 87 * For safe dir we mean that no process code exists under it. 88 * The 'depth' parameter specifies the deepness of the file that 89 * we are validate. Default value is to validate the imediate 90 * previous function. 91 * 92 * @access public 93 * @return boolean 94 * @static 95 */ 96 public static function isSafeDir($depth = 1) { 97 98 /* our backtrace based policy */ 99 $backtrace = debug_backtrace(); 100 $originFile = $backtrace[$depth]['file']; 101 102 if (empty($originFile)) 103 return false; 104 105 /* if $fileName is a file under our server root, then it's safe. 
*/ 106 if (substr_compare($originFile, EGW_SERVER_ROOT, 0, strlen(EGW_SERVER_ROOT)) == 0) 107 return true; 108 return false; 80 109 } 81 110 … … 93 122 $backtrace = debug_backtrace(); 94 123 95 /* TODO - These are not definitive validations */ 124 96 125 /* $backtrace[1] specifies the imediate antecessor function */ 97 $ basedir = dirname($backtrace[1]['file']);126 $originFile = basename($backtrace[1]['file']); 98 127 99 if ($basedir == dirname(__FILE__)) 128 129 /** 130 * TODO - TODO - TODO - TODO 131 * We all know that compare file names is a awful thing.. 132 * what makes it even worse is the fact that the file name 133 * could contain double slashes (e.g. //) caused by wrong 134 * concatenations. So we cannot compare the whole file path. 135 * Moreover, if the process has a file named $allowedFile, 136 * our security will eventually fail.. 137 * 138 * Anyway, we should think in a better way to validate this... 139 */ 140 if (basename($originFile) == basename($allowedFile)) 100 141 return true; 101 142 return false; 102 143 } 103 144 } 104 105 145 ?>
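Review bot: In the new `isSafeDir()`, the `substr_compare(...) == 0` test is a plain string-prefix match, so a file in a sibling directory whose name merely begins with the value of `EGW_SERVER_ROOT` is accepted as safe, and since `enable()` and `disable()` now depend on this check it is the only gate on changing the protection mode. Compare against the root with a trailing separator instead, e.g. `$root = rtrim(EGW_SERVER_ROOT, '/\\') . DIRECTORY_SEPARATOR;` followed by `return strncmp($originFile, $root, strlen($root)) === 0;`. `$backtrace[$depth]['file']` is also read before any existence check, and frames for internal calls or callbacks carry no `file` key, so guard it with `if (!isset($backtrace[$depth]['file'])) return false;`. The docblock defines a safe directory as one with no process code under it; whether that holds for everything below the server root is not visible here and should be confirmed. Because the method is public with a caller-chosen `$depth`, the docblock should also state which frame depth 1 refers to when it is called directly rather than through `enable()`/`disable()`.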