Merge pull request #366 from kijin/pr/security-refactor
보안관련 클래스 전반적 정리 및 기능 개선 프로젝트
commit
4f015f7bbc
78 changed files with 3860 additions and 3336 deletions
|
|
@ -556,33 +556,38 @@ class adminAdminController extends admin
|
|||
$vars = Context::getRequestVars();
|
||||
|
||||
// iframe filter
|
||||
$embed_iframe = $vars->embedfilter_iframe;
|
||||
$embed_iframe = array_filter(array_map('trim', preg_split('/[\r\n]/', $embed_iframe)), function($item) {
|
||||
$iframe_whitelist = $vars->mediafilter_iframe;
|
||||
$iframe_whitelist = array_filter(array_map('trim', preg_split('/[\r\n]/', $iframe_whitelist)), function($item) {
|
||||
return $item !== '';
|
||||
});
|
||||
$embed_iframe = array_unique(array_map(function($item) {
|
||||
return preg_match('@^https?://(.*)$@i', $item, $matches) ? $matches[1] : $item;
|
||||
}, $embed_iframe));
|
||||
natcasesort($embed_iframe);
|
||||
Rhymix\Framework\Config::set('embedfilter.iframe', array_values($embed_iframe));
|
||||
$iframe_whitelist = array_unique(array_map(function($item) {
|
||||
return Rhymix\Framework\Filters\MediaFilter::formatPrefix($item);
|
||||
}, $iframe_whitelist));
|
||||
natcasesort($iframe_whitelist);
|
||||
Rhymix\Framework\Config::set('mediafilter.iframe', array_values($iframe_whitelist));
|
||||
|
||||
// object filter
|
||||
$embed_object = $vars->embedfilter_object;
|
||||
$embed_object = array_filter(array_map('trim', preg_split('/[\r\n]/', $embed_object)), function($item) {
|
||||
$object_whitelist = $vars->mediafilter_object;
|
||||
$object_whitelist = array_filter(array_map('trim', preg_split('/[\r\n]/', $object_whitelist)), function($item) {
|
||||
return $item !== '';
|
||||
});
|
||||
$embed_object = array_unique(array_map(function($item) {
|
||||
return preg_match('@^https?://(.*)$@i', $item, $matches) ? $matches[1] : $item;
|
||||
}, $embed_object));
|
||||
natcasesort($embed_object);
|
||||
Rhymix\Framework\Config::set('embedfilter.object', array_values($embed_object));
|
||||
$object_whitelist = array_unique(array_map(function($item) {
|
||||
return Rhymix\Framework\Filters\MediaFilter::formatPrefix($item);
|
||||
}, $object_whitelist));
|
||||
natcasesort($object_whitelist);
|
||||
Rhymix\Framework\Config::set('mediafilter.object', array_values($object_whitelist));
|
||||
|
||||
// Remove old embed filter
|
||||
$config = Rhymix\Framework\Config::getAll();
|
||||
unset($config['embedfilter']);
|
||||
Rhymix\Framework\Config::setAll($config);
|
||||
|
||||
// Admin IP access control
|
||||
$allowed_ip = array_map('trim', preg_split('/[\r\n]/', $vars->admin_allowed_ip));
|
||||
$allowed_ip = array_unique(array_filter($allowed_ip, function($item) {
|
||||
return $item !== '';
|
||||
}));
|
||||
if (!IpFilter::validate($whitelist)) {
|
||||
if (!Rhymix\Framework\Filters\IpFilter::validateRanges($allowed_ip)) {
|
||||
return new Object(-1, 'msg_invalid_ip');
|
||||
}
|
||||
|
||||
|
|
@ -590,7 +595,7 @@ class adminAdminController extends admin
|
|||
$denied_ip = array_unique(array_filter($denied_ip, function($item) {
|
||||
return $item !== '';
|
||||
}));
|
||||
if (!IpFilter::validate($whitelist)) {
|
||||
if (!Rhymix\Framework\Filters\IpFilter::validateRanges($denied_ip)) {
|
||||
return new Object(-1, 'msg_invalid_ip');
|
||||
}
|
||||
|
||||
|
|
@ -740,7 +745,7 @@ class adminAdminController extends admin
|
|||
$allowed_ip = array_unique(array_filter($allowed_ip, function($item) {
|
||||
return $item !== '';
|
||||
}));
|
||||
if (!IpFilter::validate($whitelist)) {
|
||||
if (!Rhymix\Framework\Filters\IpFilter::validate($allowed_ip)) {
|
||||
return new Object(-1, 'msg_invalid_ip');
|
||||
}
|
||||
Rhymix\Framework\Config::set('debug.allow', array_values($allowed_ip));
|
||||
|
|
@ -766,30 +771,17 @@ class adminAdminController extends admin
|
|||
|
||||
if ($vars->sitelock_locked === 'Y')
|
||||
{
|
||||
$allowed_localhost = false;
|
||||
$allowed_current = false;
|
||||
foreach ($allowed_ip as $range)
|
||||
{
|
||||
if (Rhymix\Framework\IpFilter::inRange('127.0.0.1', $range))
|
||||
{
|
||||
$allowed_localhost = true;
|
||||
}
|
||||
if (Rhymix\Framework\IpFilter::inRange(RX_CLIENT_IP, $range))
|
||||
{
|
||||
$allowed_current = true;
|
||||
}
|
||||
}
|
||||
if (!$allowed_localhost)
|
||||
if (!Rhymix\Framework\Filters\IpFilter::inRanges('127.0.0.1', $allowed_ip))
|
||||
{
|
||||
array_unshift($allowed_ip, '127.0.0.1');
|
||||
}
|
||||
if (!$allowed_current)
|
||||
if (!Rhymix\Framework\Filters\IpFilter::inRanges(RX_CLIENT_IP, $allowed_ip))
|
||||
{
|
||||
array_unshift($allowed_ip, RX_CLIENT_IP);
|
||||
}
|
||||
}
|
||||
|
||||
if (!IpFilter::validate($whitelist))
|
||||
if (!Rhymix\Framework\Filters\IpFilter::validateRanges($allowed_ip))
|
||||
{
|
||||
return new Object(-1, 'msg_invalid_ip');
|
||||
}
|
||||
|
|
|
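Review bot: The debug.allow path at `@ -740,7 +745,7` (L214) calls `IpFilter::validate($allowed_ip)` with a list, while the admin allow/deny and sitelock paths in the same file (`@ -556`, `@ -590`, `@ -766`) call `IpFilter::validateRanges(...)` for the same kind of list; unless validate() also accepts an array of ranges, the debug allow-list is the one entry point that is not validated like the others. The line should read `if (!Rhymix\Framework\Filters\IpFilter::validateRanges($allowed_ip)) {`. Separately, the sitelock hunk auto-prepends `'127.0.0.1'` and `RX_CLIENT_IP` before validation; if the host is also reached over IPv6 loopback, `::1` is not covered by that entry, which deserves either a second entry or a comment stating that only IPv4 loopback is guaranteed. All four hunks sit inside methods whose signatures are outside the page.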
|||
|
|
@ -418,9 +418,8 @@ class adminAdminView extends admin
|
|||
function dispAdminConfigSecurity()
|
||||
{
|
||||
// Load embed filter.
|
||||
$oEmbedFilter = EmbedFilter::getInstance();
|
||||
context::set('embedfilter_iframe', implode(PHP_EOL, $oEmbedFilter->whiteIframeUrlList));
|
||||
context::set('embedfilter_object', implode(PHP_EOL, $oEmbedFilter->whiteUrlList));
|
||||
context::set('mediafilter_iframe', implode(PHP_EOL, Rhymix\Framework\Filters\MediaFilter::getIframeWhitelist()));
|
||||
context::set('mediafilter_object', implode(PHP_EOL, Rhymix\Framework\Filters\MediaFilter::getObjectWhitelist()));
|
||||
|
||||
// Admin IP access control
|
||||
$allowed_ip = Rhymix\Framework\Config::get('admin.allow');
|
||||
|
|
@ -519,24 +518,11 @@ class adminAdminView extends admin
|
|||
Context::set('sitelock_message', escape(Rhymix\Framework\Config::get('lock.message')));
|
||||
|
||||
$allowed_ip = Rhymix\Framework\Config::get('lock.allow') ?: array();
|
||||
$allowed_localhost = false;
|
||||
$allowed_current = false;
|
||||
foreach ($allowed_ip as $range)
|
||||
{
|
||||
if (Rhymix\Framework\IpFilter::inRange('127.0.0.1', $range))
|
||||
{
|
||||
$allowed_localhost = true;
|
||||
}
|
||||
if (Rhymix\Framework\IpFilter::inRange(RX_CLIENT_IP, $range))
|
||||
{
|
||||
$allowed_current = true;
|
||||
}
|
||||
}
|
||||
if (!$allowed_localhost)
|
||||
if (!Rhymix\Framework\Filters\IpFilter::inRanges('127.0.0.1', $allowed_ip))
|
||||
{
|
||||
array_unshift($allowed_ip, '127.0.0.1');
|
||||
}
|
||||
if (!$allowed_current)
|
||||
if (!Rhymix\Framework\Filters\IpFilter::inRanges(RX_CLIENT_IP, $allowed_ip))
|
||||
{
|
||||
array_unshift($allowed_ip, RX_CLIENT_IP);
|
||||
}
|
||||
|
|
|
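Review bot: The loopback/current-IP prepending in the sitelock view (`@ -519,24 +518,11`, L424–L448) is a line-for-line copy of the block the controller performs in its `@ -766,30 +771,17` hunk, with the same `inRanges` + `array_unshift` pairs; two copies of an access-control normalization will drift the first time one is edited. A small shared helper, e.g. `private static function ensureLocalAndCurrentAllowed(array $ranges)` returning the adjusted list, called from both the view and the controller, would keep them in lock-step. `Config::get('lock.allow') ?: array()` on L379 tests truthiness, so an empty list and a missing key are treated alike; that is harmless here but worth a short comment so nobody reads it as a null check. The enclosing method begins outside the hunk.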
|||
|
|
@ -8,15 +8,15 @@
|
|||
<input type="hidden" name="act" value="procAdminUpdateSecurity" />
|
||||
<input type="hidden" name="xe_validator_id" value="modules/admin/tpl/config_security/1" />
|
||||
<div class="x_control-group">
|
||||
<label class="x_control-label" for="embedfilter_iframe">iframe</label>
|
||||
<label class="x_control-label" for="mediafilter_iframe">iframe</label>
|
||||
<div class="x_controls" style="margin-right:14px">
|
||||
<textarea name="embedfilter_iframe" id="embedfilter_iframe" rows="8" style="width:100%;">{$embedfilter_iframe}</textarea>
|
||||
<textarea name="mediafilter_iframe" id="mediafilter_iframe" rows="8" style="width:100%;">{$mediafilter_iframe}</textarea>
|
||||
</div>
|
||||
</div>
|
||||
<div class="x_control-group">
|
||||
<label class="x_control-label" for="embedfilter_object">object/embed</label>
|
||||
<label class="x_control-label" for="mediafilter_object">object/embed</label>
|
||||
<div class="x_controls" style="margin-right:14px">
|
||||
<textarea name="embedfilter_object" id="embedfilter_object" rows="8" style="width:100%;">{$embedfilter_object}</textarea>
|
||||
<textarea name="mediafilter_object" id="mediafilter_object" rows="8" style="width:100%;">{$mediafilter_object}</textarea>
|
||||
</div>
|
||||
</div>
|
||||
<div class="x_control-group">
|
||||
|
|
|
|||
|
|
@ -285,8 +285,7 @@ class fileController extends file
|
|||
// Redirect to procFileOutput using file key
|
||||
if(!isset($_SESSION['__XE_FILE_KEY__']) || !is_string($_SESSION['__XE_FILE_KEY__']) || strlen($_SESSION['__XE_FILE_KEY__']) != 32)
|
||||
{
|
||||
$random = new Password();
|
||||
$_SESSION['__XE_FILE_KEY__'] = $random->createSecureSalt(32, 'hex');
|
||||
$_SESSION['__XE_FILE_KEY__'] = Rhymix\Framework\Security::getRandom(32, 'hex');
|
||||
}
|
||||
$file_key_data = $file_obj->file_srl . $file_obj->file_size . $file_obj->uploaded_filename . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'];
|
||||
$file_key = substr(hash_hmac('sha256', $file_key_data, $_SESSION['__XE_FILE_KEY__']), 0, 32);
|
||||
|
|
@ -732,13 +731,8 @@ class fileController extends file
|
|||
}
|
||||
}
|
||||
|
||||
// https://github.com/xpressengine/xe-core/issues/1713
|
||||
$file_info['name'] = preg_replace('/\.(php|phtm|phar|html?|cgi|pl|exe|jsp|asp|inc)/i', '$0-x',$file_info['name']);
|
||||
$file_info['name'] = removeHackTag($file_info['name']);
|
||||
$file_info['name'] = str_replace(array('<','>'),array('%3C','%3E'),$file_info['name']);
|
||||
|
||||
// Get random number generator
|
||||
$random = new Password();
|
||||
// Sanitize filename
|
||||
$file_info['name'] = Rhymix\Framework\Filters\FilenameFilter::clean($file_info['name']);
|
||||
|
||||
// Set upload path by checking if the attachement is an image or other kinds of file
|
||||
if(preg_match("/\.(jpe?g|gif|png|wm[va]|mpe?g|avi|swf|flv|mp[1-4]|as[fx]|wav|midi?|moo?v|qt|r[am]{1,2}|m4v)$/i", $file_info['name']))
|
||||
|
|
@ -749,7 +743,7 @@ class fileController extends file
|
|||
// change to random file name. because window php bug. window php is not recognize unicode character file name - by cherryfilter
|
||||
$ext = substr(strrchr($file_info['name'],'.'),1);
|
||||
//$_filename = preg_replace('/[#$&*?+%"\']/', '_', $file_info['name']);
|
||||
$_filename = $random->createSecureSalt(32, 'hex').'.'.$ext;
|
||||
$_filename = Rhymix\Framework\Security::getRandom(32, 'hex') . '.' . $ext;
|
||||
$filename = $path.$_filename;
|
||||
$idx = 1;
|
||||
while(file_exists($filename))
|
||||
|
|
@ -762,17 +756,12 @@ class fileController extends file
|
|||
else
|
||||
{
|
||||
$path = sprintf("./files/attach/binaries/%s/%s", $module_srl, getNumberingPath($upload_target_srl,3));
|
||||
$filename = $path.$random->createSecureSalt(32, 'hex');
|
||||
$filename = $path . Rhymix\Framework\Security::getRandom(32, 'hex');
|
||||
$direct_download = 'N';
|
||||
}
|
||||
|
||||
// Create a directory
|
||||
if(!FileHandler::makeDir($path)) return new Object(-1,'msg_not_permitted_create');
|
||||
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($file_info['tmp_name'])) return new Object(-1,'msg_file_upload_error');
|
||||
|
||||
// Get random number generator
|
||||
$random = new Password();
|
||||
|
||||
// Move the file
|
||||
if($manual_insert)
|
||||
|
|
@ -780,7 +769,7 @@ class fileController extends file
|
|||
@copy($file_info['tmp_name'], $filename);
|
||||
if(!file_exists($filename))
|
||||
{
|
||||
$filename = $path.$random->createSecureSalt(32, 'hex').'.'.$ext;
|
||||
$filename = $path . Rhymix\Framework\Security::getRandom(32, 'hex') . '.' . $ext;
|
||||
@copy($file_info['tmp_name'], $filename);
|
||||
}
|
||||
}
|
||||
|
|
@ -788,7 +777,7 @@ class fileController extends file
|
|||
{
|
||||
if(!@move_uploaded_file($file_info['tmp_name'], $filename))
|
||||
{
|
||||
$filename = $path.$random->createSecureSalt(32, 'hex').'.'.$ext;
|
||||
$filename = $path . Rhymix\Framework\Security::getRandom(32, 'hex') . '.' . $ext;
|
||||
if(!@move_uploaded_file($file_info['tmp_name'], $filename)) return new Object(-1,'msg_file_upload_error');
|
||||
}
|
||||
}
|
||||
|
|
@ -807,7 +796,7 @@ class fileController extends file
|
|||
$args->file_size = @filesize($filename);
|
||||
$args->comment = NULL;
|
||||
$args->member_srl = $member_srl;
|
||||
$args->sid = $random->createSecureSalt(32, 'hex');
|
||||
$args->sid = Rhymix\Framework\Security::getRandom(32, 'hex');
|
||||
|
||||
$output = executeQuery('file.insertFile', $args);
|
||||
if(!$output->toBool()) return $output;
|
||||
|
|
@ -982,13 +971,12 @@ class fileController extends file
|
|||
if(preg_match("/\.(jpg|jpeg|gif|png|wmv|wma|mpg|mpeg|avi|swf|flv|mp1|mp2|mp3|mp4|asf|wav|asx|mid|midi|asf|mov|moov|qt|rm|ram|ra|rmm|m4v)$/i", $file_info->source_filename))
|
||||
{
|
||||
$path = sprintf("./files/attach/images/%s/%s/", $target_module_srl,$target_srl);
|
||||
$new_file = $path.$file_info->source_filename;
|
||||
$new_file = $path . $file_info->source_filename;
|
||||
}
|
||||
else
|
||||
{
|
||||
$path = sprintf("./files/attach/binaries/%s/%s/", $target_module_srl, $target_srl);
|
||||
$random = new Password();
|
||||
$new_file = $path.$random->createSecureSalt(32, 'hex');
|
||||
$new_file = $path . Rhymix\Framework\Security::getRandom(32, 'hex');
|
||||
}
|
||||
// Pass if a target document to move is same
|
||||
if($old_file == $new_file) continue;
|
||||
|
|
|
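Review bot: `FilenameFilter::clean()` on L589 replaces three visible sanitization steps, including the `preg_replace` that appended `-x` to executable extensions (php, phtml, phar, html, cgi, …) anywhere in the name, and nothing on this page shows that clean() carries that rule over. Please confirm it does and leave a trace at the call site, e.g. `// clean() also neutralizes executable extensions (formerly the '-x' preg_replace here)`, so the behaviour is auditable without opening the framework class. In the file-key hunk (`@ -285`), the guard `strlen($_SESSION['__XE_FILE_KEY__']) != 32` on L529 is kept while the generator becomes `Security::getRandom(32, 'hex')`; if that length is in bytes rather than output characters, the key would be regenerated on every request, so the generator's length contract should be confirmed or the guard written against it. Each of these hunks is inside a method whose signature and end are outside the page.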
|||
|
|
@ -74,7 +74,7 @@ class installView extends install
|
|||
function dispInstallCheckEnv()
|
||||
{
|
||||
// Create a temporary file for mod_rewrite check.
|
||||
self::$rewriteCheckString = Password::createSecureSalt(32);
|
||||
self::$rewriteCheckString = Rhymix\Framework\Security::getRandom(32);
|
||||
FileHandler::writeFile(_XE_PATH_ . self::$rewriteCheckFilePath, self::$rewriteCheckString);;
|
||||
|
||||
// Check if the web server is nginx.
|
||||
|
|
|
|||
|
|
@ -85,7 +85,7 @@ class integration_searchAdminController extends integration_search
|
|||
continue;
|
||||
}
|
||||
// Ignore if the file is not successfully uploaded, and check uploaded file
|
||||
if(!is_uploaded_file($image_obj['tmp_name']) || !checkUploadedFile($image_obj['tmp_name']))
|
||||
if(!is_uploaded_file($image_obj['tmp_name']))
|
||||
{
|
||||
unset($obj->{$vars->name});
|
||||
continue;
|
||||
|
|
|
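Review bot: Dropping `checkUploadedFile()` on L876 removes the only content-level validation of the upload that is visible on this path, and the commit shows no replacement; the same removal appears in layoutAdminController, memberController (insertProfileImage, insertImageName, insertImageMark), menuAdminController, moduleAdminController, moduleController and rssAdminController, while fileController keeps its call. If the check has moved to a central place, a one-line comment at this site, `// Uploaded file content is validated centrally — see <LOCATION-PLACEHOLDER>`, would stop the next reader from re-adding it or wondering where it went. If it has not moved, the sites that build the stored name from a client-supplied extension (moduleController's `$vars->ext` on L2002, menuAdminController's `$ext`) now rely on that extension alone. The enclosing loop and method continue outside the hunk.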
|||
|
|
@ -435,9 +435,6 @@ class layoutAdminController extends layout
|
|||
$ext = substr(strrchr($filename,'.'),1);
|
||||
$filename = sprintf('%s.%s', md5($filename), $ext);
|
||||
}
|
||||
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($source['tmp_name'])) return false;
|
||||
|
||||
if(file_exists($path .'/'. $filename)) @unlink($path . $filename);
|
||||
if(!move_uploaded_file($source['tmp_name'], $path . $filename )) return false;
|
||||
|
|
@ -690,7 +687,7 @@ class layoutAdminController extends layout
|
|||
// check upload
|
||||
if(!Context::isUploaded()) exit();
|
||||
$file = Context::get('file');
|
||||
if(!is_uploaded_file($file['tmp_name']) || !checkUploadedFile($file['tmp_name'])) exit();
|
||||
if(!is_uploaded_file($file['tmp_name'])) exit();
|
||||
|
||||
if(substr_compare($file['name'], '.tar', -4) !== 0) exit();
|
||||
|
||||
|
|
@ -925,7 +922,7 @@ class layoutAdminController extends layout
|
|||
$this->setTemplatePath($this->module_path.'tpl');
|
||||
$this->setTemplateFile("after_upload_config_image.html");
|
||||
|
||||
if(!$img['tmp_name'] || !is_uploaded_file($img['tmp_name']) || !checkUploadedFile($img['tmp_name']))
|
||||
if(!$img['tmp_name'] || !is_uploaded_file($img['tmp_name']))
|
||||
{
|
||||
Context::set('msg', lang('upload failed'));
|
||||
return;
|
||||
|
|
|
|||
|
|
@ -166,8 +166,7 @@ class memberAdminController extends member
|
|||
'update_nickname_log'
|
||||
);
|
||||
|
||||
$oPassword = new Password();
|
||||
if(!array_key_exists($args->password_hashing_algorithm, $oPassword->getSupportedAlgorithms()))
|
||||
if(!array_key_exists($args->password_hashing_algorithm, Rhymix\Framework\Password::getSupportedAlgorithms()))
|
||||
{
|
||||
$args->password_hashing_algorithm = 'md5';
|
||||
}
|
||||
|
|
|
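Review bot: The fallback on L1006 still sets `password_hashing_algorithm` to `'md5'` whenever an unsupported algorithm name is submitted, which silently downgrades every new hash to the weakest option; this same commit introduces `Password::getBestSupportedAlgorithm()` (used in the member class hunk at L1161), which is the natural default here: `$args->password_hashing_algorithm = Rhymix\Framework\Password::getBestSupportedAlgorithm();`. Alternatively, return an error so a typo or stale form value cannot change the hashing policy unnoticed. The surrounding method starts and ends outside the hunk.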
|||
|
|
@ -298,26 +298,12 @@ class memberAdminModel extends member
|
|||
{
|
||||
if ($allow_list = ($allow_list === null) ? config('admin.allow') : $allow_list)
|
||||
{
|
||||
foreach ($allow_list as $range)
|
||||
{
|
||||
if (Rhymix\Framework\IpFilter::inRange(RX_CLIENT_IP, $range))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
return Rhymix\Framework\Filters\IpFilter::inRanges(RX_CLIENT_IP, $allow_list);
|
||||
}
|
||||
|
||||
if ($deny_list = ($deny_list === null) ? config('admin.deny') : $deny_list)
|
||||
{
|
||||
foreach ($deny_list as $range)
|
||||
{
|
||||
if (Rhymix\Framework\IpFilter::inRange(RX_CLIENT_IP, $range))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
return !Rhymix\Framework\Filters\IpFilter::inRanges(RX_CLIENT_IP, $deny_list);
|
||||
}
|
||||
|
||||
return true;
|
||||
|
|
|
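Review bot: The allow-list branch on L1054 returns the `inRanges()` result directly, so once `admin.allow` is non-empty the deny list below is never consulted; that precedence is not stated anywhere in the hunk, and the assignment-inside-condition on L1024 makes it easy to misread. A comment above the first `if`, `// A configured allow list takes precedence; the deny list is only consulted when no allow list exists.`, would document the intent. Note also that the truthiness test treats an empty array like null, so an explicitly empty allow list falls through to the deny list rather than denying everyone. The method's signature is outside the hunk.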
|||
|
|
@ -129,8 +129,7 @@ class memberAdminView extends member
|
|||
*/
|
||||
public function dispMemberAdminConfig()
|
||||
{
|
||||
$oPassword = new Password();
|
||||
Context::set('password_hashing_algos', $oPassword->getSupportedAlgorithms());
|
||||
Context::set('password_hashing_algos', Rhymix\Framework\Password::getSupportedAlgorithms());
|
||||
|
||||
$this->setTemplateFile('default_config');
|
||||
}
|
||||
|
|
|
|||
|
|
@ -73,8 +73,7 @@ class member extends ModuleObject {
|
|||
|
||||
if(!$config->password_hashing_algorithm)
|
||||
{
|
||||
$oPassword = new Password();
|
||||
$config->password_hashing_algorithm = $oPassword->getBestAlgorithm();
|
||||
$config->password_hashing_algorithm = Rhymix\Framework\Password::getBestSupportedAlgorithm();
|
||||
}
|
||||
if(!$config->password_hashing_work_factor)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -748,10 +748,6 @@ class memberController extends member
|
|||
*/
|
||||
function insertProfileImage($member_srl, $target_file)
|
||||
{
|
||||
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($target_file)) return;
|
||||
|
||||
$oMemberModel = getModel('member');
|
||||
$config = $oMemberModel->getMemberConfig();
|
||||
|
||||
|
|
@ -827,9 +823,6 @@ class memberController extends member
|
|||
*/
|
||||
function insertImageName($member_srl, $target_file)
|
||||
{
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($target_file)) return;
|
||||
|
||||
$oModuleModel = getModel('module');
|
||||
$config = $oModuleModel->getModuleConfig('member');
|
||||
// Get an image size
|
||||
|
|
@ -936,9 +929,6 @@ class memberController extends member
|
|||
*/
|
||||
function insertImageMark($member_srl, $target_file)
|
||||
{
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($target_file)) return;
|
||||
|
||||
$oModuleModel = getModel('module');
|
||||
$config = $oModuleModel->getModuleConfig('member');
|
||||
// Get an image size
|
||||
|
|
@ -1013,12 +1003,11 @@ class memberController extends member
|
|||
}
|
||||
|
||||
// Insert data into the authentication DB
|
||||
$oPassword = new Password();
|
||||
$args = new stdClass();
|
||||
$args->user_id = $member_info->user_id;
|
||||
$args->member_srl = $member_info->member_srl;
|
||||
$args->new_password = $oPassword->createTemporaryPassword(8);
|
||||
$args->auth_key = $oPassword->createSecureSalt(40);
|
||||
$args->new_password = Rhymix\Framework\Password::getRandomPassword(8);
|
||||
$args->auth_key = Rhymix\Framework\Security::getRandom(40, 'hex');
|
||||
$args->is_register = 'N';
|
||||
|
||||
$output = executeQuery('member.insertAuthMail', $args);
|
||||
|
|
@ -1122,8 +1111,7 @@ class memberController extends member
|
|||
}
|
||||
|
||||
// Update to a temporary password and set change_password_date to 1
|
||||
$oPassword = new Password();
|
||||
$temp_password = $oPassword->createTemporaryPassword(8);
|
||||
$temp_password = Rhymix\Framework\Password::getRandomPassword(8);
|
||||
|
||||
$args = new stdClass();
|
||||
$args->member_srl = $member_srl;
|
||||
|
|
@ -1352,12 +1340,11 @@ class memberController extends member
|
|||
$this->_clearMemberCache($args->member_srl);
|
||||
|
||||
// generate new auth key
|
||||
$oPassword = new Password();
|
||||
$auth_args = new stdClass();
|
||||
$auth_args->user_id = $memberInfo->user_id;
|
||||
$auth_args->member_srl = $memberInfo->member_srl;
|
||||
$auth_args->new_password = $memberInfo->password;
|
||||
$auth_args->auth_key = $oPassword->createSecureSalt(40);
|
||||
$auth_args->auth_key = Rhymix\Framework\Security::getRandom(40, 'hex');
|
||||
$auth_args->is_register = 'Y';
|
||||
|
||||
$output = executeQuery('member.insertAuthMail', $auth_args);
|
||||
|
|
@ -1842,8 +1829,7 @@ class memberController extends member
|
|||
if($keep_signed)
|
||||
{
|
||||
// Key generate for auto login
|
||||
$oPassword = new Password();
|
||||
$random_key = $oPassword->createSecureSalt(32, 'hex');
|
||||
$random_key = Rhymix\Framework\Security::getRandom(32, 'hex');
|
||||
$extra_key = strtolower($user_id).$this->memberInfo->password.$_SERVER['HTTP_USER_AGENT'];
|
||||
$extra_key = substr(hash_hmac('sha256', $extra_key, $random_key), 0, 32);
|
||||
$autologin_args = new stdClass;
|
||||
|
|
@ -2175,12 +2161,11 @@ class memberController extends member
|
|||
if($args->denied == 'Y')
|
||||
{
|
||||
// Insert data into the authentication DB
|
||||
$oPassword = new Password();
|
||||
$auth_args = new stdClass();
|
||||
$auth_args->user_id = $args->user_id;
|
||||
$auth_args->member_srl = $args->member_srl;
|
||||
$auth_args->new_password = $args->password;
|
||||
$auth_args->auth_key = $oPassword->createSecureSalt(40);
|
||||
$auth_args->auth_key = Rhymix\Framework\Security::getRandom(40, 'hex');
|
||||
$auth_args->is_register = 'Y';
|
||||
|
||||
$output = executeQuery('member.insertAuthMail', $auth_args);
|
||||
|
|
@ -2692,11 +2677,10 @@ class memberController extends member
|
|||
}
|
||||
unset($_SESSION['rechecked_password_step']);
|
||||
|
||||
$oPassword = new Password();
|
||||
$auth_args = new stdClass();
|
||||
$auth_args->user_id = $newEmail;
|
||||
$auth_args->member_srl = $member_info->member_srl;
|
||||
$auth_args->auth_key = $oPassword->createSecureSalt(40);
|
||||
$auth_args->auth_key = Rhymix\Framework\Security::getRandom(40, 'hex');
|
||||
$auth_args->new_password = 'XE_change_emaill_address';
|
||||
|
||||
$oDB = &DB::getInstance();
|
||||
|
|
|
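Review bot: The auth-mail argument block (user_id, member_srl, password, `auth_key = Security::getRandom(40, 'hex')`, is_register) is now spelled out four times in this file (`@ -1013`, `@ -1352`, `@ -2175`, `@ -2692`) with only the inputs differing, so the key length and format live in four places. A private helper that builds the stdClass would keep them in one place and make a future change to the key format a one-line edit. The format itself changes from `createSecureSalt(40)` to `getRandom(40, 'hex')`; if the auth_key column or any comparison elsewhere assumed the old alphabet, that is not visible here and should be checked. All of these hunks are inside methods whose signatures are outside the page.
```php
/**
 * Build the argument object for member.insertAuthMail.
 * The auth key is always a fresh 40-character hex random string.
 */
private function _buildAuthMailArgs($user_id, $member_srl, $new_password, $is_register)
{
    $auth_args = new stdClass();
    $auth_args->user_id = $user_id;
    $auth_args->member_srl = $member_srl;
    $auth_args->new_password = $new_password;
    $auth_args->auth_key = Rhymix\Framework\Security::getRandom(40, 'hex');
    $auth_args->is_register = $is_register;
    return $auth_args;
}

// … unchanged: caller at @ -1352, replacing the inline block …
$auth_args = $this->_buildAuthMailArgs($memberInfo->user_id, $memberInfo->member_srl, $memberInfo->password, 'Y');
```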
|||
|
|
@ -1107,10 +1107,19 @@ class memberModel extends member
|
|||
}
|
||||
|
||||
// Check the password
|
||||
$oPassword = new Password();
|
||||
$current_algorithm = $oPassword->checkAlgorithm($hashed_password);
|
||||
$match = $oPassword->checkPassword($password_text, $hashed_password, $current_algorithm);
|
||||
if(!$match)
|
||||
$password_match = false;
|
||||
$current_algorithm = false;
|
||||
$possible_algorithms = Rhymix\Framework\Password::checkAlgorithm($hashed_password);
|
||||
foreach ($possible_algorithms as $algorithm)
|
||||
{
|
||||
if (Rhymix\Framework\Password::checkPassword($password_text, $hashed_password, $algorithm))
|
||||
{
|
||||
$password_match = true;
|
||||
$current_algorithm = $algorithm;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!$password_match)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
|
@ -1119,22 +1128,26 @@ class memberModel extends member
|
|||
$config = $this->getMemberConfig();
|
||||
if($member_srl > 0 && $config->password_hashing_auto_upgrade != 'N')
|
||||
{
|
||||
$need_upgrade = false;
|
||||
|
||||
if(!$need_upgrade)
|
||||
$required_algorithm = Rhymix\Framework\Password::getDefaultAlgorithm();
|
||||
if ($required_algorithm !== $current_algorithm)
|
||||
{
|
||||
$required_algorithm = $oPassword->getCurrentlySelectedAlgorithm();
|
||||
if($required_algorithm !== $current_algorithm) $need_upgrade = true;
|
||||
$need_upgrade = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
$required_work_factor = Rhymix\Framework\Password::getWorkFactor();
|
||||
$current_work_factor = Rhymix\Framework\Password::checkWorkFactor($hashed_password);
|
||||
if ($current_work_factor !== false && $required_work_factor > $current_work_factor)
|
||||
{
|
||||
$need_upgrade = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
$need_upgrade = false;
|
||||
}
|
||||
}
|
||||
|
||||
if(!$need_upgrade)
|
||||
{
|
||||
$required_work_factor = $oPassword->getWorkFactor();
|
||||
$current_work_factor = $oPassword->checkWorkFactor($hashed_password);
|
||||
if($current_work_factor !== false && $required_work_factor > $current_work_factor) $need_upgrade = true;
|
||||
}
|
||||
|
||||
if($need_upgrade === true)
|
||||
if ($need_upgrade)
|
||||
{
|
||||
$args = new stdClass();
|
||||
$args->member_srl = $member_srl;
|
||||
|
|
@ -1155,8 +1168,7 @@ class memberModel extends member
|
|||
*/
|
||||
function hashPassword($password_text, $algorithm = null)
|
||||
{
|
||||
$oPassword = new Password();
|
||||
return $oPassword->createHash($password_text, $algorithm);
|
||||
return Rhymix\Framework\Password::hashPassword($password_text, $algorithm);
|
||||
}
|
||||
|
||||
function checkPasswordStrength($password, $strength)
|
||||
|
|
|
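Review bot: The loop on L1540 tries every algorithm `checkAlgorithm()` returns before declaring a mismatch, but nothing says why one hash can have several candidate algorithms, so a later reader may collapse it back to a single check; a comment such as `// checkAlgorithm() may return several candidates when hash formats cannot be told apart; try each one.` would preserve the intent — wording to be confirmed against the framework's checkAlgorithm(). In the upgrade hunk, the `else` branch on L1646 sets `$need_upgrade = false` when `checkWorkFactor()` returns false, which is right for hashes that carry no work factor but also deserves a one-line comment. Both hunks sit inside a method whose signature is outside the page.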
|||
|
|
@ -1520,7 +1520,7 @@ class menuAdminController extends menu
|
|||
Context::set('error_messge', lang('msg_invalid_request'));
|
||||
|
||||
}
|
||||
else if(!$target_file || !is_uploaded_file($target_file['tmp_name']) || !preg_match('/\.(gif|jpeg|jpg|png)$/i',$target_file['name']) || !checkUploadedFile($target_file['tmp_name']))
|
||||
else if(!$target_file || !is_uploaded_file($target_file['tmp_name']) || !preg_match('/\.(gif|jpeg|jpg|png)$/i',$target_file['name']))
|
||||
{
|
||||
Context::set('error_messge', lang('msg_invalid_request'));
|
||||
}
|
||||
|
|
@ -2132,19 +2132,15 @@ class menuAdminController extends menu
|
|||
|
||||
$returnArray = array();
|
||||
$date = date('YmdHis');
|
||||
|
||||
// normal button
|
||||
if($args->menu_normal_btn)
|
||||
{
|
||||
$tmp_arr = explode('.',$args->menu_normal_btn['name']);
|
||||
$ext = $tmp_arr[count($tmp_arr)-1];
|
||||
|
||||
$filename = sprintf('%s%d.%s.%s.%s', $path, $args->menu_item_srl, $date, 'menu_normal_btn', $ext);
|
||||
|
||||
if(checkUploadedFile($args->menu_normal_btn['tmp_name']))
|
||||
{
|
||||
move_uploaded_file ( $args->menu_normal_btn ['tmp_name'], $filename );
|
||||
$returnArray ['normal_btn'] = $filename;
|
||||
}
|
||||
move_uploaded_file($args->menu_normal_btn['tmp_name'], $filename);
|
||||
$returnArray['normal_btn'] = $filename;
|
||||
}
|
||||
|
||||
// hover button
|
||||
|
|
@ -2152,14 +2148,9 @@ class menuAdminController extends menu
|
|||
{
|
||||
$tmp_arr = explode('.',$args->menu_hover_btn['name']);
|
||||
$ext = $tmp_arr[count($tmp_arr)-1];
|
||||
|
||||
$filename = sprintf('%s%d.%s.%s.%s', $path, $args->menu_item_srl, $date, 'menu_hover_btn', $ext);
|
||||
|
||||
if(checkUploadedFile($args->menu_hover_btn['tmp_name']))
|
||||
{
|
||||
move_uploaded_file($args->menu_hover_btn['tmp_name'], $filename);
|
||||
$returnArray['hover_btn'] = $filename;
|
||||
}
|
||||
move_uploaded_file($args->menu_hover_btn['tmp_name'], $filename);
|
||||
$returnArray['hover_btn'] = $filename;
|
||||
}
|
||||
|
||||
// active button
|
||||
|
|
@ -2167,15 +2158,9 @@ class menuAdminController extends menu
|
|||
{
|
||||
$tmp_arr = explode('.',$args->menu_active_btn['name']);
|
||||
$ext = $tmp_arr[count($tmp_arr)-1];
|
||||
|
||||
$filename = sprintf('%s%d.%s.%s.%s', $path, $args->menu_item_srl, $date, 'menu_active_btn', $ext);
|
||||
|
||||
if(checkUploadedFile($args->menu_active_btn['tmp_name']))
|
||||
{
|
||||
move_uploaded_file($args->menu_active_btn['tmp_name'], $filename);
|
||||
$returnArray['active_btn'] = $filename;
|
||||
}
|
||||
|
||||
move_uploaded_file($args->menu_active_btn['tmp_name'], $filename);
|
||||
$returnArray['active_btn'] = $filename;
|
||||
}
|
||||
return $returnArray;
|
||||
}
|
||||
|
|
|
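Review bot: With the `checkUploadedFile` guard gone, the three button branches (L1813, L1863, L1915) call `move_uploaded_file()` without using its return value and then record `$filename` in `$returnArray` unconditionally, so a failed move still yields a path that the caller will persist as the button image. Each branch should read `if (move_uploaded_file($args->menu_normal_btn['tmp_name'], $filename)) { $returnArray['normal_btn'] = $filename; }` (and likewise for hover/active). `$ext` on L1788 is taken verbatim from the client-supplied name and becomes the stored file's extension; with the content check removed, an extension allow-list before the `sprintf` is the remaining control on this path unless one exists earlier in the method, which is outside the hunk.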
|||
|
|
@ -439,7 +439,7 @@ class moduleAdminController extends module
|
|||
continue;
|
||||
}
|
||||
// Ignore if the file is not successfully uploaded
|
||||
if(!is_uploaded_file($image_obj['tmp_name']) || !checkUploadedFile($image_obj['tmp_name']))
|
||||
if(!is_uploaded_file($image_obj['tmp_name']))
|
||||
{
|
||||
unset($obj->{$vars->name});
|
||||
continue;
|
||||
|
|
|
|||
|
|
@ -1303,9 +1303,6 @@ class moduleController extends module
|
|||
$save_filename = sprintf('%s%s.%s',$path, $vars->module_filebox_srl, $ext);
|
||||
$tmp = $vars->addfile['tmp_name'];
|
||||
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($tmp)) return false;
|
||||
|
||||
if(!@move_uploaded_file($tmp, $save_filename))
|
||||
{
|
||||
return false;
|
||||
|
|
@ -1340,9 +1337,6 @@ class moduleController extends module
|
|||
$save_filename = sprintf('%s%s.%s',$path, $vars->module_filebox_srl, $vars->ext);
|
||||
$tmp = $vars->addfile['tmp_name'];
|
||||
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($tmp)) return false;
|
||||
|
||||
// upload
|
||||
if(!@move_uploaded_file($tmp, $save_filename))
|
||||
{
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ class rssAdminController extends rss
|
|||
$total_config->image = '';
|
||||
}
|
||||
// Ignore if the file is not the one which has been successfully uploaded
|
||||
if($image_obj['tmp_name'] && is_uploaded_file($image_obj['tmp_name']) && checkUploadedFile($image_obj['tmp_name']))
|
||||
if($image_obj['tmp_name'] && is_uploaded_file($image_obj['tmp_name']))
|
||||
{
|
||||
// Ignore if the file is not an image (swf is accepted ~)
|
||||
$image_obj['name'] = Context::convertEncodingStr($image_obj['name']);
|
||||
|
|
|
|||