

Move security check into Functions.php and fix it (ChurchCRM#309)
dschwen committed Feb 11, 2016
1 parent 8032006 commit f12f94f
Showing 3 changed files with 75 additions and 90 deletions.
31 changes: 1 addition & 30 deletions churchinfo/Default.php
Expand Up @@ -373,42 +373,13 @@
document.LoginForm.User.focus();
</script><?php

//
// Basic security checks:
//
// Check if https is required:
// Verify that page has an authorized URL in the browser address bar.
// Otherwise redirect to login page.
// An array of authorized URL's is specified in Config.php ... $URL
//
if (isset($bLockURL) && ($bLockURL === TRUE))
{
// get the URL of this page
$currentURL = 'http' . (isset($_SERVER['HTTPS']) ? 's' : '') . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];

// chop off the query string
$currentURL = explode('?', $currentURL)[0];

// check if this matches any one of teh whitelisted login URLS
$validURL = false;
foreach ($URL as $value)
if ($value === $currentURL)
{
$validURL = true;
break;
}

// jump to the first whitelisted url (TODO: maybe pick a ranodm URL?)
if (!$validURL)
{
header('Location: '.$URL[0]);
exit;
}
}
checkAllowedURL();

//
// End of basic security checks
//
?>
<!--<a href="#">I forgot my password</a><br>
<a href="register.html" class="text-center">Register a new membership</a>-->
41 changes: 37 additions & 4 deletions churchinfo/Include/Functions.php
Expand Up @@ -88,6 +88,40 @@
}
// End of basic security checks

// check if bLockURL is set and if so if the current page is accessed via an allowed URL
function checkAllowedURL()
{
global $bLockURL, $URL;

if (isset($bLockURL) && ($bLockURL === TRUE))
{
// get the URL of this page
$currentURL = 'http' . (isset($_SERVER['HTTPS']) ? 's' : '') . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];

// chop off the query string
$currentURL = explode('?', $currentURL)[0];

// check if this matches any one of teh whitelisted login URLS
$validURL = false;
foreach ($URL as $value)
{
$base = substr($value, 0, -strlen('/Default.php'));
if (strpos($currentURL, $base) === 0)
{
$validURL = true;
break;
}
}

// jump to the first whitelisted url (TODO: maybe pick a ranodm URL?)
if (!$validURL)
{
header('Location: '.$URL[0]);
exit;
}
}
}

function deletePhotos($type, $id) {
$validExtensions = array("jpeg", "jpg", "png");
$finalFileName = "Images/".$type."/" . $id;
Expand Down Expand Up @@ -119,10 +153,9 @@ function addslashes_deep($value)
}

// If Magic Quotes is turned off, do the same thing manually..
if (empty($_SESSION['bHasMagicQuotes']))
{
foreach ($_REQUEST as $key=>$value) $value = addslashes_deep($value);
}
if (!isset($_SESSION['bHasMagicQuotes']))
foreach ($_REQUEST as $key=>$value)
$value = addslashes_deep($value);

// Constants
$aPropTypes = array(
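Review bot: The whitelist test `if (strpos($currentURL, $base) === 0)` in checkAllowedURL is a bare string prefix, so a `$URL` entry such as `https://example.org/Default.php` (constructed example) gives `$base = 'https://example.org'`, which also accepts a request whose host is `https://example.org.attacker.example` (constructed) — `$currentURL` is built from the client-supplied `$_SERVER['HTTP_HOST']`, and the exact comparison this function replaces in Default.php did not have that gap. The derivation `substr($value, 0, -strlen('/Default.php'))` further assumes every `$URL` entry ends in `/Default.php`; for any other entry it silently drops twelve arbitrary trailing characters. Anchoring the prefix at a path boundary closes both: `$base = rtrim(dirname($value), '/') . '/';` and `if (strpos($currentURL . '/', $base) === 0)`. Separately, in the second hunk `foreach ($_REQUEST as $key=>$value) $value = addslashes_deep($value);` assigns to a by-value copy and never writes back, so the loop is a no-op however the guard is spelled — `$_REQUEST[$key] = addslashes_deep($value);` is what the comment describes — and switching the guard from `empty` to `!isset` now skips the escaping when `bHasMagicQuotes` is present but false, which may or may not be intended.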
93 changes: 37 additions & 56 deletions churchinfo/Include/Header-function.php
Expand Up @@ -28,49 +28,29 @@
******************************************************************************/

require_once dirname(__FILE__).'/../service/PersonService.php';
require_once 'Functions.php';

function Header_head_metatag() {
global $sLanguage, $bExportCSV, $sMetaRefresh, $bToolTipsOn, $bRegistered, $sHeader, $sGlobalMessage;
global $sPageTitle, $sRootPath;
function Header_head_metatag()
{
global $sLanguage, $bExportCSV, $sMetaRefresh, $bToolTipsOn, $bRegistered, $sHeader, $sGlobalMessage;
global $sPageTitle, $sRootPath;

$sRootPath = $_SESSION['sRootPath'];
?>
<?php if (strlen($sMetaRefresh)) echo $sMetaRefresh; ?>
<title>ChurchCRM: <?php echo $sPageTitle; ?></title>
<?php
if (strlen($sMetaRefresh))
echo $sMetaRefresh;

?><title>ChurchCRM: <?= $sPageTitle; ?></title><?php
}

function Header_body_scripts() {
global $sLanguage, $bExportCSV, $sMetaRefresh, $bToolTipsOn, $bRegistered, $sHeader, $sGlobalMessage,
$bLockURL, $URL, $sRootPath;
function Header_body_scripts()
{
global $sLanguage, $bExportCSV, $sMetaRefresh, $bToolTipsOn, $bRegistered, $sHeader, $sGlobalMessage;
global $bLockURL, $URL, $sRootPath;

$sRootPath = $_SESSION['sRootPath'];
//
// Basic sercurity checks:
//
// Check if https is required:
// Verify that page has an authorized URL in the browser address bar.
// Otherwise redirect to login page.
// An array of authorized URL's is specified in Config.php ... $URL
if (isset($bLockURL) && ($bLockURL === TRUE)) {
echo '
<script language="javascript" type="text/javascript">
v_test="FAIL"'; // Set "FAIL" to assume the URL is not allowed
// Set "PASS" if we learn it is allowed
foreach ($URL as $value) { // Default.php is 11 characters
$value = substr($value, 0, -11);
echo '
if(window.location.href.indexOf("'.$value.'") == 0) v_test="PASS";';
}
echo '
if (v_test == "FAIL") window.location="'.$URL[0].'";
</script>';
}
// End of basic security checks
?>
checkAllowedURL();
?>

<script type="text/javascript" src="<?php echo $sRootPath."/"; ?>Include/jscalendar/calendar.js"></script>
<script type="text/javascript" src="<?php echo $sRootPath."/"; ?>Include/jscalendar/lang/calendar-<?php echo substr($sLanguage,0,2); ?>.js"></script>
<script type="text/javascript" src="<?= $sRootPath."/"; ?>Include/jscalendar/calendar.js"></script>
<script type="text/javascript" src="<?= $sRootPath."/"; ?>Include/jscalendar/lang/calendar-<?= substr($sLanguage,0,2); ?>.js"></script>

<script language="javascript" type="text/javascript">

Expand Down Expand Up @@ -150,7 +130,8 @@ function popUp(URL)

$security_matrix = GetSecuritySettings();

function GetSecuritySettings() {
function GetSecuritySettings()
{
$aSecurityList[] = "bAdmin";
$aSecurityList[] = "bAddRecords";
$aSecurityList[] = "bEditRecords";
Expand All @@ -163,10 +144,10 @@ function GetSecuritySettings() {
$aSecurityList[] = "bCanvasser";
$aSecurityList[] = "bAddEvent";
$aSecurityList[] = "bSeePrivacyData";

$sSQL = "SELECT DISTINCT ucfg_name FROM userconfig_ucfg WHERE ucfg_per_id = 0 AND ucfg_cat = 'SECURITY' ORDER by ucfg_id";
$rsSecGrpList = RunQuery($sSQL);

while ($aRow = mysql_fetch_array($rsSecGrpList))
{
$aSecurityList[] = $aRow['ucfg_name'];
Expand All @@ -186,9 +167,9 @@ function GetSecuritySettings() {

function addMenu($menu) {
global $security_matrix;

$sSQL = "SELECT name, ismenu, parent, content, uri, statustext, session_var, session_var_in_text, session_var_in_uri, url_parm_name, security_grp, icon FROM menuconfig_mcf WHERE parent = '$menu' AND active=1 ".$security_matrix." ORDER BY sortorder";

$rsMenu = RunQuery($sSQL);
$item_cnt = mysql_num_rows($rsMenu);
$idx = 1;
Expand Down Expand Up @@ -216,7 +197,7 @@ function addMenuItem($aMenu,$mIdx) {
if (strstr($link, "?")&&true) {
$cConnector = "&";
} else {
$cConnector = "?";
$cConnector = "?";
}
$link .= $cConnector.$aMenu['url_parm_name']."=".$_SESSION[$aMenu['session_var']];
}
Expand Down Expand Up @@ -320,7 +301,7 @@ function Header_body_menu() {
<div class="navbar-custom-menu">
<ul class="nav navbar-nav">
<li class="dropdown settings-dropdown">
<a href="<?php echo $sRootPath."/"; ?>CartView.php">
<a href="<?= $sRootPath."/"; ?>CartView.php">
<i class="fa fa-shopping-cart"></i>
<span class="label label-success"><?= count($_SESSION['aPeopleCart'])?></span>
</a>
Expand All @@ -330,7 +311,7 @@ function Header_body_menu() {
<li class="dropdown user user-menu">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">
<img src="<?= $loggedInUserPhoto ?>" class="user-image" alt="User Image">
<span class="hidden-xs"><?php echo $_SESSION['UserFirstName'] . " " . $_SESSION['UserLastName']; ?> </span>
<span class="hidden-xs"><?= $_SESSION['UserFirstName'] . " " . $_SESSION['UserLastName']; ?> </span>

</a>
<ul class="dropdown-menu">
Expand All @@ -339,7 +320,7 @@ function Header_body_menu() {
<img src="<?= $loggedInUserPhoto ?>" class="img-circle" alt="User Image">

<p>
<?php echo $_SESSION['UserFirstName'] . " " . $_SESSION['UserLastName']; ?>
<?= $_SESSION['UserFirstName'] . " " . $_SESSION['UserLastName']; ?>
<!--<small>Member since Nov. 2012</small>-->
</p>
</li>
Expand All @@ -361,10 +342,10 @@ function Header_body_menu() {
<!-- Menu Footer-->
<li class="user-footer">
<div class="pull-left">
<a href="<?php echo $sRootPath."/"; ?>UserPasswordChange.php" class="btn btn-default btn-flat">Change Password</a>
<a href="<?= $sRootPath."/"; ?>UserPasswordChange.php" class="btn btn-default btn-flat">Change Password</a>
</div>
<div class="pull-right">
<a href="<?php echo $sRootPath."/"; ?>SettingsIndividual.php" class="btn btn-default btn-flat">My Settings</a>
<a href="<?= $sRootPath."/"; ?>SettingsIndividual.php" class="btn btn-default btn-flat">My Settings</a>
</div>
</li>
</ul>
Expand All @@ -387,7 +368,7 @@ function Header_body_menu() {
</a>
</li>
<li class="hidden-xxs">
<a href="<?php echo $sRootPath."/"; ?>Default.php?Logoff=True">
<a href="<?= $sRootPath."/"; ?>Default.php?Logoff=True">
<i class="fa fa-power-off"></i>
</a>
</li>
Expand All @@ -412,7 +393,7 @@ function Header_body_menu() {
<!-- sidebar menu: : style can be found in sidebar.less -->
<ul class="sidebar-menu">
<li>
<a href="<?php echo $sRootPath."/"; ?>Menu.php">
<a href="<?= $sRootPath."/"; ?>Menu.php">
<i class="fa fa-dashboard"></i> <span>Dashboard</span>
</a>
</li>
Expand All @@ -431,8 +412,8 @@ function Header_body_menu() {
}?>
</h1>
<ol class="breadcrumb">
<li><a href="<?php echo $sRootPath."/Menu.php"; ?>"><i class="fa fa-dashboard"></i> Home</a></li>
<li class="active"><?php echo $sPageTitle; ?></li>
<li><a href="<?= $sRootPath."/Menu.php"; ?>"><i class="fa fa-dashboard"></i> Home</a></li>
<li class="active"><?= $sPageTitle; ?></li>
</ol>
</section>
<!-- Main content -->
Expand All @@ -442,7 +423,7 @@ function Header_body_menu() {
<div class="alert alert-info fade in">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
<i class="fa fa-exclamation-triangle fa-fw fa-lg"></i>
<?php echo $sGlobalMessage; ?>
<?= $sGlobalMessage; ?>
</div>
</div>
<?php }
Expand All @@ -456,7 +437,7 @@ function create_side_nav($menu) {
}
function addSection($menu) {
global $cnInfoCentral;

$security_matrix = " AND (security_grp = 'bALL'";
if ($_SESSION['bAdmin']) {
$security_matrix .= " OR security_grp = 'bAdmin'";
Expand All @@ -475,11 +456,11 @@ function addSection($menu) {
}
$security_matrix .= ")";
$query = "SELECT name, ismenu, content, uri, statustext, session_var, session_var_in_text, session_var_in_uri, url_parm_name, security_grp FROM menuconfig_mcf WHERE parent = '$menu' AND active=1 ".$security_matrix." ORDER BY sortorder";

$rsMenu = mysql_query($query, $cnInfoCentral);
$item_cnt = mysql_num_rows($rsMenu);
$ptr = 1;
while ($aRow = mysql_fetch_array($rsMenu)) {
while ($aRow = mysql_fetch_array($rsMenu)) {
if (isset($aRow['admin_only']) & !$_SESSION['bAdmin']) {
// hide admin menu
} else {
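Review bot: The new `checkAllowedURL();` call in Header_body_scripts relies on `header('Location: …')` plus `exit`, but Header_head_metatag has already echoed `<title>` (and presumably the surrounding `<head>`) by the time body scripts run, so unless output buffering is enabled PHP rejects the header and `exit` just serves a truncated page; the inline JavaScript it replaces did the redirect client-side precisely because output had already started. Calling the check from the start of Header_head_metatag, or from whatever runs before any output, keeps it effective — whether output buffering is on is not visible here, and the same ordering applies to the Default.php call site, which sits directly after a closing `</script>`. Two smaller points in the first hunk: `require_once 'Functions.php';` resolves via include_path and the caller's working directory while the line above anchors with `dirname(__FILE__)`, so `require_once dirname(__FILE__).'/Functions.php';` would be consistent; and `global $bLockURL, $URL, $sRootPath;` still imports `$bLockURL` and `$URL` although Header_body_scripts no longer reads them. The body of Header_body_scripts continues outside the hunk.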
