marc
/
CiviProxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

implementing #16

This commit is contained in:
systopia 2017-07-31 16:32:58 +02:00
parent 053c3f5fb9
commit 3c825a8f55
3 changed files with 82 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
proxy/config.php
View File

@ -38,7 +38,7 @@ $mail_subscription_user_key = NULL;
// CAREFUL: only enable temporarily on debug systems. Will log all queries to given PUBLIC file
$debug = NULL; //'debug.log';
// Local network interface or IP to be used for the relayed query
// Local network interface or IP to be used for the relayed query
// This is usefull in some VPN configurations (see CURLOPT_INTERFACE)
$target_interface = NULL;
@ -91,6 +91,10 @@ $rest_allowed_actions = array(
'getsingle' => array(
'first_name' => 'string',
'last_name' => 'string',
// the following means *all* remaining parameters will be
// added and sanitised as 'string'. Better leave it out
// if you know which parameters you expect
'*' => 'string',
),
),
),

128
proxy/proxy.php
View File

@ -14,10 +14,10 @@ $civiproxy_logo = "<img src='{$proxy_base}/static/images/proxy-logo.png' alt=
/**
* this will redirect the request to another URL,
* i.e. will pass the reply on to this request
*
*
* @see losely based on https://code.google.com/p/php-proxy/
*
* @param $url the URL to which the
* @param $url the URL to which the
* where type can be 'int', 'string' (unchecked),
*/
function civiproxy_redirect($url_requested, $parameters) {
@ -58,8 +58,8 @@ function civiproxy_redirect($url_requested, $parameters) {
}
//Send the request and store the result in an array
$response = curl_exec($curlSession);
$response = curl_exec($curlSession);
// Check that a connection was made
if (curl_error($curlSession)){
civiproxy_http_error(curl_error($curlSession), curl_errno($curlSession));
@ -67,7 +67,7 @@ function civiproxy_redirect($url_requested, $parameters) {
} else {
//clean duplicate header that seems to appear on fastcgi with output buffer on some servers!!
$response = str_replace("HTTP/1.1 100 Continue\r\n\r\n","",$response);
// split header / content
$content = explode("\r\n\r\n", $response, 2);
$header = $content[0];
@ -103,25 +103,25 @@ function civiproxy_mend_URLs(&$string) {
$string = preg_replace("#$target_rest#", $proxy_base . '/rest.php', $string);
}
if ($target_url) {
$string = preg_replace("#$target_url#", $proxy_base . '/url.php', $string);
$string = preg_replace("#$target_url#", $proxy_base . '/url.php', $string);
}
if ($target_open) {
$string = preg_replace("#$target_open#", $proxy_base . '/open.php', $string);
$string = preg_replace("#$target_open#", $proxy_base . '/open.php', $string);
}
if ($target_mail) {
$string = preg_replace("#$target_mail#", $proxy_base . '/mail.php', $string);
$string = preg_replace("#$target_mail#", $proxy_base . '/mail.php', $string);
}
if ($target_file) {
$string = preg_replace("#$target_file#", $proxy_base . '/file.php?id=', $string);
$string = preg_replace("#$target_file#", $proxy_base . '/file.php?id=', $string);
}
}
/**
* Will check the incoming connection.
* This hook allowes for (future) checks for flooding, spoofing,
* This hook allowes for (future) checks for flooding, spoofing,
* unauthorized access quantities, etc.
*
* @param $target
*
* @param $target
* @param $quit if TRUE, quit immediately if access denied
*
* @return TRUE if allowed, FALSE if not (or quits if $quit is set)
@ -130,7 +130,7 @@ function civiproxy_security_check($target, $quit=TRUE) {
// verify that we're SSL encrypted
if ($_SERVER['HTTPS'] != "on") {
civiproxy_http_error("This CiviProxy installation requires SSL encryption.", 400);
}
}
global $debug;
if (!empty($debug)) {
@ -138,7 +138,7 @@ function civiproxy_security_check($target, $quit=TRUE) {
fwrite($file, "REQUEST FROM " . $_SERVER['REMOTE_ADDR'] . " ON " . date('Y-m-d H:i:s') . ' -- ' . print_r($_REQUEST,1));
fclose($file);
}
// TODO: implement
return TRUE;
}
@ -146,57 +146,81 @@ function civiproxy_security_check($target, $quit=TRUE) {
/**
* extract and type check the parameters from the call params
*
*
* @param $valid_parameters array '<parameter name> => '<expected type>'
* where type can be 'int', 'string' (unchecked),
*/
function civiproxy_get_parameters($valid_parameters) {
$result = array();
$default_sanitation = NULL;
foreach ($valid_parameters as $name => $type) {
if ($name == '*') {
// this sets default_sanitation
$default_sanitation = $type;
continue;
}
if (isset($_REQUEST[$name])) {
$value = $_REQUEST[$name];
if ($type=='int') {
$value = (int) $value;
} elseif ($type == 'string') {
// TODO: sanitize? SQL?
$value = $value;
} elseif ($type == 'float2') {
// TODO: check if safe wrt l10n. rather use sprintf
$value = number_format($value, 2, '.', '');
} elseif ($type == 'hex') {
// hex code
if (!preg_match("#^[0-9a-f]*$#i", $value)) {
error_log("CiviProxy: removed invalid hex parameter: " . $value);
$value = '';
}
} elseif ($type == 'email') {
// valid email
if (!preg_match("#^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$#i", $value)) {
error_log("CiviProxy: removed invalid email parameter: " . $value);
$value = '';
}
} elseif (is_array($type)) {
// this is a list of valid options
$requested_value = $value;
$value = '';
foreach ($type as $allowed_value) {
if ($requested_value === $allowed_value) {
$value = $requested_value;
break;
}
}
} else {
error_log("CiviProxy: unknown type '$type'. Ignored.");
$value = '';
$result[$name] = civiproxy_sanitise($_REQUEST[$name], $type);
}
}
// process wildcard elements
if ($default_sanitation !== NULL) {
// i.e. we want the others too
$remove_parameters = array('key', 'api_key', 'version', 'entity', 'action');
foreach ($_REQUEST as $name => $value) {
if (!in_array($name, $remove_parameters) && !isset($valid_parameters[$name])) {
$result[$name] = civiproxy_sanitise($value, $default_sanitation);
}
$result[$name] = $value;
}
}
return $result;
}
/**
* sanitise the given value with the given sanitiation type
*/
function civiproxy_sanitise($value, $type) {
if ($type=='int') {
$value = (int) $value;
} elseif ($type == 'string') {
// TODO: sanitize? SQL?
$value = $value;
} elseif ($type == 'float2') {
// TODO: check if safe wrt l10n. rather use sprintf
$value = number_format($value, 2, '.', '');
} elseif ($type == 'hex') {
// hex code
if (!preg_match("#^[0-9a-f]*$#i", $value)) {
error_log("CiviProxy: removed invalid hex parameter: " . $value);
$value = '';
}
} elseif ($type == 'email') {
// valid email
if (!preg_match("#^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$#i", $value)) {
error_log("CiviProxy: removed invalid email parameter: " . $value);
$value = '';
}
} elseif (is_array($type)) {
// this is a list of valid options
$requested_value = $value;
$value = '';
foreach ($type as $allowed_value) {
if ($requested_value === $allowed_value) {
$value = $requested_value;
break;
}
}
} else {
error_log("CiviProxy: unknown type '$type'. Ignored.");
$value = '';
}
}
/**
* generates a CiviCRM REST API compliant error
* and ends processing
@ -224,7 +248,7 @@ function civicrm_api3($entity, $action, $data) {
// extract site key
$site_keys = array_values($sys_key_map);
if (empty($site_keys)) civiproxy_http_error('No site key set.');
$query = $data; // array copy(!)
$query['key'] = $site_keys[0];
$query['json'] = 1;
@ -247,7 +271,7 @@ function civicrm_api3($entity, $action, $data) {
}
$response = curl_exec($curlSession);
if (curl_error($curlSession)){
civiproxy_http_error(curl_error($curlSession));
} else {

2
proxy/rest.php
View File

@ -44,7 +44,7 @@ if (empty($credentials['api_key'])) {
// check if the call itself is allowed
$action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'string', 'version' => 'int', 'json' => 'int', 'sequential' => 'int'));
if (!isset($action['version']) || $action['version'] != 3) {
civiproxy_rest_error("Invalid entity/action.");
civiproxy_rest_error("API 'version' information missing.");
}
// in release 0.4, allowed entity/actions per IP were introduced. To introduce backward compatibility,