統計
| ブランチ: | リビジョン:

pictcode / lib / Cake / Controller / Component / SecurityComponent.php @ 635eef61

履歴 | 表示 | アノテート | ダウンロード (17.882 KB)

1 635eef61 spyder1211
<?php
2
/**
3
 * Security Component
4
 *
5
 * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
6
 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
7
 *
8
 * Licensed under The MIT License
9
 * For full copyright and license information, please see the LICENSE.txt
10
 * Redistributions of files must retain the above copyright notice.
11
 *
12
 * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
13
 * @link          http://cakephp.org CakePHP(tm) Project
14
 * @package       Cake.Controller.Component
15
 * @since         CakePHP(tm) v 0.10.8.2156
16
 * @license       http://www.opensource.org/licenses/mit-license.php MIT License
17
 */
18
19
App::uses('Component', 'Controller');
20
App::uses('CakeText', 'Utility');
21
App::uses('Hash', 'Utility');
22
App::uses('Security', 'Utility');
23
24
/**
25
 * The Security Component creates an easy way to integrate tighter security in
26
 * your application. It provides methods for various tasks like:
27
 *
28
 * - Restricting which HTTP methods your application accepts.
29
 * - CSRF protection.
30
 * - Form tampering protection
31
 * - Requiring that SSL be used.
32
 * - Limiting cross controller communication.
33
 *
34
 * @package       Cake.Controller.Component
35
 * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html
36
 */
37
class SecurityComponent extends Component {
38
39
/**
40
 * The controller method that will be called if this request is black-hole'd
41
 *
42
 * @var string
43
 */
44
        public $blackHoleCallback = null;
45
46
/**
47
 * List of controller actions for which a POST request is required
48
 *
49
 * @var array
50
 * @deprecated 3.0.0 Use CakeRequest::allowMethod() instead.
51
 * @see SecurityComponent::requirePost()
52
 */
53
        public $requirePost = array();
54
55
/**
56
 * List of controller actions for which a GET request is required
57
 *
58
 * @var array
59
 * @deprecated 3.0.0 Use CakeRequest::allowMethod() instead.
60
 * @see SecurityComponent::requireGet()
61
 */
62
        public $requireGet = array();
63
64
/**
65
 * List of controller actions for which a PUT request is required
66
 *
67
 * @var array
68
 * @deprecated 3.0.0 Use CakeRequest::allowMethod() instead.
69
 * @see SecurityComponent::requirePut()
70
 */
71
        public $requirePut = array();
72
73
/**
74
 * List of controller actions for which a DELETE request is required
75
 *
76
 * @var array
77
 * @deprecated 3.0.0 Use CakeRequest::allowMethod() instead.
78
 * @see SecurityComponent::requireDelete()
79
 */
80
        public $requireDelete = array();
81
82
/**
83
 * List of actions that require an SSL-secured connection
84
 *
85
 * @var array
86
 * @see SecurityComponent::requireSecure()
87
 */
88
        public $requireSecure = array();
89
90
/**
91
 * List of actions that require a valid authentication key
92
 *
93
 * @var array
94
 * @see SecurityComponent::requireAuth()
95
 */
96
        public $requireAuth = array();
97
98
/**
99
 * Controllers from which actions of the current controller are allowed to receive
100
 * requests.
101
 *
102
 * @var array
103
 * @see SecurityComponent::requireAuth()
104
 */
105
        public $allowedControllers = array();
106
107
/**
108
 * Actions from which actions of the current controller are allowed to receive
109
 * requests.
110
 *
111
 * @var array
112
 * @see SecurityComponent::requireAuth()
113
 */
114
        public $allowedActions = array();
115
116
/**
117
 * Deprecated property, superseded by unlockedFields.
118
 *
119
 * @var array
120
 * @deprecated 3.0.0 Superseded by unlockedFields.
121
 * @see SecurityComponent::$unlockedFields
122
 */
123
        public $disabledFields = array();
124
125
/**
126
 * Form fields to exclude from POST validation. Fields can be unlocked
127
 * either in the Component, or with FormHelper::unlockField().
128
 * Fields that have been unlocked are not required to be part of the POST
129
 * and hidden unlocked fields do not have their values checked.
130
 *
131
 * @var array
132
 */
133
        public $unlockedFields = array();
134
135
/**
136
 * Actions to exclude from CSRF and POST validation checks.
137
 * Other checks like requireAuth(), requireSecure(),
138
 * requirePost(), requireGet() etc. will still be applied.
139
 *
140
 * @var array
141
 */
142
        public $unlockedActions = array();
143
144
/**
145
 * Whether to validate POST data. Set to false to disable for data coming from 3rd party
146
 * services, etc.
147
 *
148
 * @var bool
149
 */
150
        public $validatePost = true;
151
152
/**
153
 * Whether to use CSRF protected forms. Set to false to disable CSRF protection on forms.
154
 *
155
 * @var bool
156
 * @see http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
157
 * @see SecurityComponent::$csrfExpires
158
 */
159
        public $csrfCheck = true;
160
161
/**
162
 * The duration from when a CSRF token is created that it will expire on.
163
 * Each form/page request will generate a new token that can only be submitted once unless
164
 * it expires. Can be any value compatible with strtotime()
165
 *
166
 * @var string
167
 */
168
        public $csrfExpires = '+30 minutes';
169
170
/**
171
 * Controls whether or not CSRF tokens are use and burn. Set to false to not generate
172
 * new tokens on each request. One token will be reused until it expires. This reduces
173
 * the chances of users getting invalid requests because of token consumption.
174
 * It has the side effect of making CSRF less secure, as tokens are reusable.
175
 *
176
 * @var bool
177
 */
178
        public $csrfUseOnce = true;
179
180
/**
181
 * Control the number of tokens a user can keep open.
182
 * This is most useful with one-time use tokens. Since new tokens
183
 * are created on each request, having a hard limit on the number of open tokens
184
 * can be useful in controlling the size of the session file.
185
 *
186
 * When tokens are evicted, the oldest ones will be removed, as they are the most likely
187
 * to be dead/expired.
188
 *
189
 * @var int
190
 */
191
        public $csrfLimit = 100;
192
193
/**
194
 * Other components used by the Security component
195
 *
196
 * @var array
197
 */
198
        public $components = array('Session');
199
200
/**
201
 * Holds the current action of the controller
202
 *
203
 * @var string
204
 */
205
        protected $_action = null;
206
207
/**
208
 * Request object
209
 *
210
 * @var CakeRequest
211
 */
212
        public $request;
213
214
/**
215
 * Component startup. All security checking happens here.
216
 *
217
 * @param Controller $controller Instantiating controller
218
 * @return void
219
 */
220
        public function startup(Controller $controller) {
221
                $this->request = $controller->request;
222
                $this->_action = $this->request->params['action'];
223
                $this->_methodsRequired($controller);
224
                $this->_secureRequired($controller);
225
                $this->_authRequired($controller);
226
227
                $hasData = !empty($this->request->data);
228
                $isNotRequestAction = (
229
                        !isset($controller->request->params['requested']) ||
230
                        $controller->request->params['requested'] != 1
231
                );
232
233
                if ($this->_action === $this->blackHoleCallback) {
234
                        return $this->blackHole($controller, 'auth');
235
                }
236
237
                if (!in_array($this->_action, (array)$this->unlockedActions) && $hasData && $isNotRequestAction) {
238
                        if ($this->validatePost && $this->_validatePost($controller) === false) {
239
                                return $this->blackHole($controller, 'auth');
240
                        }
241
                        if ($this->csrfCheck && $this->_validateCsrf($controller) === false) {
242
                                return $this->blackHole($controller, 'csrf');
243
                        }
244
                }
245
                $this->generateToken($controller->request);
246
                if ($hasData && is_array($controller->request->data)) {
247
                        unset($controller->request->data['_Token']);
248
                }
249
        }
250
251
/**
252
 * Sets the actions that require a POST request, or empty for all actions
253
 *
254
 * @return void
255
 * @deprecated 3.0.0 Use CakeRequest::onlyAllow() instead.
256
 * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#SecurityComponent::requirePost
257
 */
258
        public function requirePost() {
259
                $args = func_get_args();
260
                $this->_requireMethod('Post', $args);
261
        }
262
263
/**
264
 * Sets the actions that require a GET request, or empty for all actions
265
 *
266
 * @deprecated 3.0.0 Use CakeRequest::onlyAllow() instead.
267
 * @return void
268
 */
269
        public function requireGet() {
270
                $args = func_get_args();
271
                $this->_requireMethod('Get', $args);
272
        }
273
274
/**
275
 * Sets the actions that require a PUT request, or empty for all actions
276
 *
277
 * @deprecated 3.0.0 Use CakeRequest::onlyAllow() instead.
278
 * @return void
279
 */
280
        public function requirePut() {
281
                $args = func_get_args();
282
                $this->_requireMethod('Put', $args);
283
        }
284
285
/**
286
 * Sets the actions that require a DELETE request, or empty for all actions
287
 *
288
 * @deprecated 3.0.0 Use CakeRequest::onlyAllow() instead.
289
 * @return void
290
 */
291
        public function requireDelete() {
292
                $args = func_get_args();
293
                $this->_requireMethod('Delete', $args);
294
        }
295
296
/**
297
 * Sets the actions that require a request that is SSL-secured, or empty for all actions
298
 *
299
 * @return void
300
 * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#SecurityComponent::requireSecure
301
 */
302
        public function requireSecure() {
303
                $args = func_get_args();
304
                $this->_requireMethod('Secure', $args);
305
        }
306
307
/**
308
 * Sets the actions that require whitelisted form submissions.
309
 *
310
 * Adding actions with this method will enforce the restrictions
311
 * set in SecurityComponent::$allowedControllers and
312
 * SecurityComponent::$allowedActions.
313
 *
314
 * @return void
315
 * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#SecurityComponent::requireAuth
316
 */
317
        public function requireAuth() {
318
                $args = func_get_args();
319
                $this->_requireMethod('Auth', $args);
320
        }
321
322
/**
323
 * Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback
324
 * is specified, it will use this callback by executing the method indicated in $error
325
 *
326
 * @param Controller $controller Instantiating controller
327
 * @param string $error Error method
328
 * @return mixed If specified, controller blackHoleCallback's response, or no return otherwise
329
 * @see SecurityComponent::$blackHoleCallback
330
 * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#handling-blackhole-callbacks
331
 * @throws BadRequestException
332
 */
333
        public function blackHole(Controller $controller, $error = '') {
334
                if (!$this->blackHoleCallback) {
335
                        throw new BadRequestException(__d('cake_dev', 'The request has been black-holed'));
336
                }
337
                return $this->_callback($controller, $this->blackHoleCallback, array($error));
338
        }
339
340
/**
341
 * Sets the actions that require a $method HTTP request, or empty for all actions
342
 *
343
 * @param string $method The HTTP method to assign controller actions to
344
 * @param array $actions Controller actions to set the required HTTP method to.
345
 * @return void
346
 */
347
        protected function _requireMethod($method, $actions = array()) {
348
                if (isset($actions[0]) && is_array($actions[0])) {
349
                        $actions = $actions[0];
350
                }
351
                $this->{'require' . $method} = (empty($actions)) ? array('*') : $actions;
352
        }
353
354
/**
355
 * Check if HTTP methods are required
356
 *
357
 * @param Controller $controller Instantiating controller
358
 * @return bool True if $method is required
359
 */
360
        protected function _methodsRequired(Controller $controller) {
361
                foreach (array('Post', 'Get', 'Put', 'Delete') as $method) {
362
                        $property = 'require' . $method;
363
                        if (is_array($this->$property) && !empty($this->$property)) {
364
                                $require = $this->$property;
365
                                if (in_array($this->_action, $require) || $this->$property === array('*')) {
366
                                        if (!$this->request->is($method)) {
367
                                                if (!$this->blackHole($controller, $method)) {
368
                                                        return false;
369
                                                }
370
                                        }
371
                                }
372
                        }
373
                }
374
                return true;
375
        }
376
377
/**
378
 * Check if access requires secure connection
379
 *
380
 * @param Controller $controller Instantiating controller
381
 * @return bool True if secure connection required
382
 */
383
        protected function _secureRequired(Controller $controller) {
384
                if (is_array($this->requireSecure) && !empty($this->requireSecure)) {
385
                        $requireSecure = $this->requireSecure;
386
387
                        if (in_array($this->_action, $requireSecure) || $this->requireSecure === array('*')) {
388
                                if (!$this->request->is('ssl')) {
389
                                        if (!$this->blackHole($controller, 'secure')) {
390
                                                return false;
391
                                        }
392
                                }
393
                        }
394
                }
395
                return true;
396
        }
397
398
/**
399
 * Check if authentication is required
400
 *
401
 * @param Controller $controller Instantiating controller
402
 * @return bool|null True if authentication required
403
 */
404
        protected function _authRequired(Controller $controller) {
405
                if (is_array($this->requireAuth) && !empty($this->requireAuth) && !empty($this->request->data)) {
406
                        $requireAuth = $this->requireAuth;
407
408
                        if (in_array($this->request->params['action'], $requireAuth) || $this->requireAuth === array('*')) {
409
                                if (!isset($controller->request->data['_Token'])) {
410
                                        if (!$this->blackHole($controller, 'auth')) {
411
                                                return null;
412
                                        }
413
                                }
414
415
                                if ($this->Session->check('_Token')) {
416
                                        $tData = $this->Session->read('_Token');
417
418
                                        if (!empty($tData['allowedControllers']) &&
419
                                                !in_array($this->request->params['controller'], $tData['allowedControllers']) ||
420
                                                !empty($tData['allowedActions']) &&
421
                                                !in_array($this->request->params['action'], $tData['allowedActions'])
422
                                        ) {
423
                                                if (!$this->blackHole($controller, 'auth')) {
424
                                                        return null;
425
                                                }
426
                                        }
427
                                } else {
428
                                        if (!$this->blackHole($controller, 'auth')) {
429
                                                return null;
430
                                        }
431
                                }
432
                        }
433
                }
434
                return true;
435
        }
436
437
/**
438
 * Validate submitted form
439
 *
440
 * @param Controller $controller Instantiating controller
441
 * @return bool true if submitted form is valid
442
 */
443
        protected function _validatePost(Controller $controller) {
444
                if (empty($controller->request->data)) {
445
                        return true;
446
                }
447
                $data = $controller->request->data;
448
449
                if (!isset($data['_Token']) || !isset($data['_Token']['fields']) || !isset($data['_Token']['unlocked'])) {
450
                        return false;
451
                }
452
453
                $locked = '';
454
                $check = $controller->request->data;
455
                $token = urldecode($check['_Token']['fields']);
456
                $unlocked = urldecode($check['_Token']['unlocked']);
457
458
                if (strpos($token, ':')) {
459
                        list($token, $locked) = explode(':', $token, 2);
460
                }
461
                unset($check['_Token']);
462
463
                $locked = explode('|', $locked);
464
                $unlocked = explode('|', $unlocked);
465
466
                $lockedFields = array();
467
                $fields = Hash::flatten($check);
468
                $fieldList = array_keys($fields);
469
                $multi = array();
470
471
                foreach ($fieldList as $i => $key) {
472
                        if (preg_match('/(\.\d+){1,10}$/', $key)) {
473
                                $multi[$i] = preg_replace('/(\.\d+){1,10}$/', '', $key);
474
                                unset($fieldList[$i]);
475
                        }
476
                }
477
                if (!empty($multi)) {
478
                        $fieldList += array_unique($multi);
479
                }
480
481
                $unlockedFields = array_unique(
482
                        array_merge((array)$this->disabledFields, (array)$this->unlockedFields, $unlocked)
483
                );
484
485
                foreach ($fieldList as $i => $key) {
486
                        $isLocked = (is_array($locked) && in_array($key, $locked));
487
488
                        if (!empty($unlockedFields)) {
489
                                foreach ($unlockedFields as $off) {
490
                                        $off = explode('.', $off);
491
                                        $field = array_values(array_intersect(explode('.', $key), $off));
492
                                        $isUnlocked = ($field === $off);
493
                                        if ($isUnlocked) {
494
                                                break;
495
                                        }
496
                                }
497
                        }
498
499
                        if ($isUnlocked || $isLocked) {
500
                                unset($fieldList[$i]);
501
                                if ($isLocked) {
502
                                        $lockedFields[$key] = $fields[$key];
503
                                }
504
                        }
505
                }
506
                sort($unlocked, SORT_STRING);
507
                sort($fieldList, SORT_STRING);
508
                ksort($lockedFields, SORT_STRING);
509
510
                $fieldList += $lockedFields;
511
                $unlocked = implode('|', $unlocked);
512
                $hashParts = array(
513
                        $this->request->here(),
514
                        serialize($fieldList),
515
                        $unlocked,
516
                        Configure::read('Security.salt')
517
                );
518
                $check = Security::hash(implode('', $hashParts), 'sha1');
519
                return ($token === $check);
520
        }
521
522
/**
523
 * Manually add CSRF token information into the provided request object.
524
 *
525
 * @param CakeRequest $request The request object to add into.
526
 * @return bool
527
 */
528
        public function generateToken(CakeRequest $request) {
529
                if (isset($request->params['requested']) && $request->params['requested'] === 1) {
530
                        if ($this->Session->check('_Token')) {
531
                                $request->params['_Token'] = $this->Session->read('_Token');
532
                        }
533
                        return false;
534
                }
535
                $authKey = Security::generateAuthKey();
536
                $token = array(
537
                        'key' => $authKey,
538
                        'allowedControllers' => $this->allowedControllers,
539
                        'allowedActions' => $this->allowedActions,
540
                        'unlockedFields' => array_merge($this->disabledFields, $this->unlockedFields),
541
                        'csrfTokens' => array()
542
                );
543
544
                $tokenData = array();
545
                if ($this->Session->check('_Token')) {
546
                        $tokenData = $this->Session->read('_Token');
547
                        if (!empty($tokenData['csrfTokens']) && is_array($tokenData['csrfTokens'])) {
548
                                $token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']);
549
                        }
550
                }
551
                if ($this->csrfUseOnce || empty($token['csrfTokens'])) {
552
                        $token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
553
                }
554
                if (!$this->csrfUseOnce) {
555
                        $csrfTokens = array_keys($token['csrfTokens']);
556
                        $authKey = $csrfTokens[0];
557
                        $token['key'] = $authKey;
558
                        $token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
559
                }
560
                $this->Session->write('_Token', $token);
561
                $request->params['_Token'] = array(
562
                        'key' => $token['key'],
563
                        'unlockedFields' => $token['unlockedFields']
564
                );
565
                return true;
566
        }
567
568
/**
569
 * Validate that the controller has a CSRF token in the POST data
570
 * and that the token is legit/not expired. If the token is valid
571
 * it will be removed from the list of valid tokens.
572
 *
573
 * @param Controller $controller A controller to check
574
 * @return bool Valid csrf token.
575
 */
576
        protected function _validateCsrf(Controller $controller) {
577
                $token = $this->Session->read('_Token');
578
                $requestToken = $controller->request->data('_Token.key');
579
                if (isset($token['csrfTokens'][$requestToken]) && $token['csrfTokens'][$requestToken] >= time()) {
580
                        if ($this->csrfUseOnce) {
581
                                $this->Session->delete('_Token.csrfTokens.' . $requestToken);
582
                        }
583
                        return true;
584
                }
585
                return false;
586
        }
587
588
/**
589
 * Expire CSRF nonces and remove them from the valid tokens.
590
 * Uses a simple timeout to expire the tokens.
591
 *
592
 * @param array $tokens An array of nonce => expires.
593
 * @return array An array of nonce => expires.
594
 */
595
        protected function _expireTokens($tokens) {
596
                $now = time();
597
                foreach ($tokens as $nonce => $expires) {
598
                        if ($expires < $now) {
599
                                unset($tokens[$nonce]);
600
                        }
601
                }
602
                $overflow = count($tokens) - $this->csrfLimit;
603
                if ($overflow > 0) {
604
                        $tokens = array_slice($tokens, $overflow + 1, null, true);
605
                }
606
                return $tokens;
607
        }
608
609
/**
610
 * Calls a controller callback method
611
 *
612
 * @param Controller $controller Controller to run callback on
613
 * @param string $method Method to execute
614
 * @param array $params Parameters to send to method
615
 * @return mixed Controller callback method's response
616
 * @throws BadRequestException When a the blackholeCallback is not callable.
617
 */
618
        protected function _callback(Controller $controller, $method, $params = array()) {
619
                if (!is_callable(array($controller, $method))) {
620
                        throw new BadRequestException(__d('cake_dev', 'The request has been black-holed'));
621
                }
622
                return call_user_func_array(array(&$controller, $method), empty($params) ? null : $params);
623
        }
624
625
}