1
|
|
|
<?php |
2
|
|
|
namespace Elgg; |
3
|
|
|
|
4
|
|
|
use Elgg\Http\ResponseBuilder; |
5
|
|
|
use ElggCrypto; |
6
|
|
|
use ElggSession; |
7
|
|
|
|
8
|
|
|
/** |
9
|
|
|
* WARNING: API IN FLUX. DO NOT USE DIRECTLY. |
10
|
|
|
* |
11
|
|
|
* Use the elgg_* versions instead. |
12
|
|
|
* |
13
|
|
|
* @access private |
14
|
|
|
* |
15
|
|
|
* @package Elgg.Core |
16
|
|
|
* @subpackage Actions |
17
|
|
|
* @since 1.9.0 |
18
|
|
|
*/ |
19
|
|
|
class ActionsService { |
20
|
|
|
|
21
|
|
|
use \Elgg\TimeUsing; |
22
|
|
|
|
23
|
|
|
/** |
24
|
|
|
* @var Config |
25
|
|
|
*/ |
26
|
|
|
private $config; |
27
|
|
|
|
28
|
|
|
/** |
29
|
|
|
* @var ElggSession |
30
|
|
|
*/ |
31
|
|
|
private $session; |
32
|
|
|
|
33
|
|
|
/** |
34
|
|
|
* @var ElggCrypto |
35
|
|
|
*/ |
36
|
|
|
private $crypto; |
37
|
|
|
|
38
|
|
|
/** |
39
|
|
|
* Registered actions storage |
40
|
|
|
* |
41
|
|
|
* Each element has keys: |
42
|
|
|
* "file" => filename |
43
|
|
|
* "access" => access level |
44
|
|
|
* |
45
|
|
|
* @var array |
46
|
|
|
*/ |
47
|
|
|
private $actions = []; |
48
|
|
|
|
49
|
|
|
/** |
50
|
|
|
* The current action being processed |
51
|
|
|
* @var string |
52
|
|
|
*/ |
53
|
|
|
private $currentAction = null; |
54
|
|
|
|
55
|
|
|
/** |
56
|
|
|
* @var string[] |
57
|
|
|
*/ |
58
|
|
|
private static $access_levels = ['public', 'logged_in', 'admin']; |
59
|
|
|
|
60
|
|
|
/** |
61
|
|
|
* Constructor |
62
|
|
|
* |
63
|
|
|
* @param Config $config Config |
64
|
|
|
* @param ElggSession $session Session |
65
|
|
|
* @param ElggCrypto $crypto Crypto service |
66
|
|
|
*/ |
67
|
75 |
|
public function __construct(Config $config, ElggSession $session, ElggCrypto $crypto) { |
68
|
75 |
|
$this->config = $config; |
69
|
75 |
|
$this->session = $session; |
70
|
75 |
|
$this->crypto = $crypto; |
71
|
75 |
|
} |
72
|
|
|
|
73
|
|
|
/** |
74
|
|
|
* Executes an action |
75
|
|
|
* If called from action() redirect will be issued by the response factory |
76
|
|
|
* If called as /action page handler response will be handled by \Elgg\Router |
77
|
|
|
* |
78
|
|
|
* @param string $action Action name |
79
|
|
|
* @param string $forwarder URL to forward to after completion |
80
|
|
|
* @return ResponseBuilder|null |
81
|
|
|
* @see action() |
82
|
|
|
* @access private |
83
|
|
|
*/ |
84
|
66 |
|
public function execute($action, $forwarder = "") { |
85
|
66 |
|
$action = rtrim($action, '/'); |
86
|
66 |
|
$this->currentAction = $action; |
87
|
|
|
|
88
|
|
|
// Logout is for convenience. |
89
|
|
|
$exceptions = [ |
90
|
66 |
|
'logout', |
91
|
|
|
]; |
92
|
|
|
|
93
|
66 |
|
if (!in_array($action, $exceptions)) { |
94
|
|
|
// All actions require a token. |
95
|
66 |
|
$pass = $this->gatekeeper($action); |
96
|
66 |
|
if (!$pass) { |
97
|
1 |
|
return; |
98
|
|
|
} |
99
|
|
|
} |
100
|
|
|
|
101
|
65 |
|
$forwarder = str_replace($this->config->wwwroot, "", $forwarder); |
102
|
65 |
|
$forwarder = str_replace("http://", "", $forwarder); |
103
|
65 |
|
$forwarder = str_replace("@", "", $forwarder); |
104
|
65 |
|
if (substr($forwarder, 0, 1) == "/") { |
105
|
1 |
|
$forwarder = substr($forwarder, 1); |
106
|
|
|
} |
107
|
|
|
|
108
|
65 |
|
$ob_started = false; |
109
|
|
|
|
110
|
|
|
/** |
111
|
|
|
* Prepare action response |
112
|
|
|
* |
113
|
|
|
* @param string $error_key Error message key |
114
|
|
|
* @param int $status_code HTTP status code |
115
|
|
|
* @return ResponseBuilder |
116
|
|
|
*/ |
117
|
65 |
|
$forward = function ($error_key = '', $status_code = ELGG_HTTP_OK) use ($action, $forwarder, &$ob_started) { |
118
|
23 |
|
if ($error_key) { |
119
|
9 |
|
if ($ob_started) { |
120
|
|
|
ob_end_clean(); |
121
|
|
|
} |
122
|
9 |
|
$msg = _elgg_services()->translator->translate($error_key, [$action]); |
123
|
9 |
|
_elgg_services()->systemMessages->addErrorMessage($msg); |
124
|
9 |
|
$response = new \Elgg\Http\ErrorResponse($msg, $status_code); |
125
|
|
|
} else { |
126
|
14 |
|
$content = ob_get_clean(); |
127
|
14 |
|
$response = new \Elgg\Http\OkResponse($content, $status_code); |
128
|
|
|
} |
129
|
|
|
|
130
|
23 |
|
$forwarder = empty($forwarder) ? REFERER : $forwarder; |
131
|
23 |
|
$response->setForwardURL($forwarder); |
132
|
23 |
|
return $response; |
133
|
65 |
|
}; |
134
|
|
|
|
135
|
65 |
|
if (!isset($this->actions[$action])) { |
136
|
5 |
|
return $forward('actionundefined', ELGG_HTTP_NOT_IMPLEMENTED); |
137
|
|
|
} |
138
|
|
|
|
139
|
60 |
|
$user = $this->session->getLoggedInUser(); |
140
|
|
|
|
141
|
|
|
// access checks |
142
|
60 |
|
switch ($this->actions[$action]['access']) { |
143
|
|
|
case 'public': |
144
|
35 |
|
break; |
145
|
|
|
case 'logged_in': |
146
|
21 |
|
if (!$user) { |
147
|
1 |
|
return $forward('actionloggedout', ELGG_HTTP_FORBIDDEN); |
148
|
|
|
} |
149
|
20 |
|
break; |
150
|
|
|
default: |
151
|
|
|
// admin or misspelling |
152
|
4 |
|
if (!$user || !$user->isAdmin()) { |
153
|
1 |
|
return $forward('actionunauthorized', ELGG_HTTP_FORBIDDEN); |
154
|
|
|
} |
155
|
|
|
} |
156
|
|
|
|
157
|
58 |
|
ob_start(); |
158
|
|
|
|
159
|
|
|
// To quietly cancel the file, return a falsey value in the "action" hook. |
160
|
58 |
|
if (!_elgg_services()->hooks->trigger('action', $action, null, true)) { |
161
|
1 |
|
return $forward('', ELGG_HTTP_OK); |
162
|
|
|
} |
163
|
|
|
|
164
|
57 |
|
$file = $this->actions[$action]['file']; |
165
|
|
|
|
166
|
57 |
|
if (!is_file($file) || !is_readable($file)) { |
167
|
2 |
|
ob_end_clean(); |
168
|
2 |
|
return $forward('actionnotfound', ELGG_HTTP_NOT_IMPLEMENTED); |
169
|
|
|
} |
170
|
|
|
|
171
|
|
|
// set the maximum execution time for actions |
172
|
55 |
|
$action_timeout = $this->config->action_time_limit; |
173
|
55 |
|
if (isset($action_timeout)) { |
174
|
|
|
set_time_limit($action_timeout); |
175
|
|
|
} |
176
|
|
|
|
177
|
55 |
|
$result = Includer::includeFile($file); |
178
|
55 |
|
if ($result instanceof ResponseBuilder) { |
179
|
42 |
|
ob_end_clean(); |
180
|
42 |
|
return $result; |
181
|
|
|
} |
182
|
|
|
|
183
|
13 |
|
return $forward('', ELGG_HTTP_OK); |
184
|
|
|
} |
185
|
|
|
|
186
|
|
|
/** |
187
|
|
|
* Registers an action |
188
|
|
|
* |
189
|
|
|
* @param string $action The name of the action (eg "register", "account/settings/save") |
190
|
|
|
* @param string $filename Optionally, the filename where this action is located. If not specified, |
191
|
|
|
* will assume the action is in elgg/actions/<action>.php |
192
|
|
|
* @param string $access Who is allowed to execute this action: public, logged_in, admin. |
193
|
|
|
* (default: logged_in) |
194
|
|
|
* |
195
|
|
|
* @return bool |
196
|
|
|
* |
197
|
|
|
* @see elgg_register_action() |
198
|
|
|
* @access private |
199
|
|
|
*/ |
200
|
87 |
|
public function register($action, $filename = "", $access = 'logged_in') { |
201
|
|
|
// plugins are encouraged to call actions with a trailing / to prevent 301 |
202
|
|
|
// redirects but we store the actions without it |
203
|
87 |
|
$action = rtrim($action, '/'); |
204
|
|
|
|
205
|
87 |
|
if (empty($filename)) { |
206
|
32 |
|
$path = __DIR__ . '/../../../actions'; |
207
|
32 |
|
$filename = realpath("$path/$action.php"); |
208
|
|
|
} |
209
|
|
|
|
210
|
87 |
|
if (!in_array($access, self::$access_levels)) { |
211
|
1 |
|
_elgg_services()->logger->error("Unrecognized value '$access' for \$access in " . __METHOD__); |
212
|
1 |
|
$access = 'admin'; |
213
|
|
|
} |
214
|
|
|
|
215
|
87 |
|
$this->actions[$action] = [ |
216
|
87 |
|
'file' => $filename, |
217
|
87 |
|
'access' => $access, |
218
|
|
|
]; |
219
|
87 |
|
return true; |
220
|
|
|
} |
221
|
|
|
|
222
|
|
|
/** |
223
|
|
|
* Unregisters an action |
224
|
|
|
* |
225
|
|
|
* @param string $action Action name |
226
|
|
|
* |
227
|
|
|
* @return bool |
228
|
|
|
* |
229
|
|
|
* @see elgg_unregister_action() |
230
|
|
|
* @access private |
231
|
|
|
*/ |
232
|
1 |
|
public function unregister($action) { |
233
|
1 |
|
if (isset($this->actions[$action])) { |
234
|
1 |
|
unset($this->actions[$action]); |
235
|
1 |
|
return true; |
236
|
|
|
} else { |
237
|
1 |
|
return false; |
238
|
|
|
} |
239
|
|
|
} |
240
|
|
|
|
241
|
|
|
/** |
242
|
|
|
* Validate an action token. |
243
|
|
|
* |
244
|
|
|
* Calls to actions will automatically validate tokens. If tokens are not |
245
|
|
|
* present or invalid, the action will be denied and the user will be redirected. |
246
|
|
|
* |
247
|
|
|
* Plugin authors should never have to manually validate action tokens. |
248
|
|
|
* |
249
|
|
|
* @param bool $visible_errors Emit {@link register_error()} errors on failure? |
250
|
|
|
* @param mixed $token The token to test against. Default: $_REQUEST['__elgg_token'] |
251
|
|
|
* @param mixed $ts The time stamp to test against. Default: $_REQUEST['__elgg_ts'] |
252
|
|
|
* |
253
|
|
|
* @return bool |
254
|
|
|
* |
255
|
|
|
* @see validate_action_token() |
256
|
|
|
* @access private |
257
|
|
|
*/ |
258
|
70 |
|
public function validateActionToken($visible_errors = true, $token = null, $ts = null) { |
259
|
70 |
|
if (!$token) { |
260
|
67 |
|
$token = get_input('__elgg_token'); |
261
|
|
|
} |
262
|
|
|
|
263
|
70 |
|
if (!$ts) { |
264
|
67 |
|
$ts = get_input('__elgg_ts'); |
265
|
|
|
} |
266
|
|
|
|
267
|
70 |
|
$session_id = $this->session->getId(); |
268
|
|
|
|
269
|
70 |
|
if (($token) && ($ts) && ($session_id)) { |
270
|
70 |
|
if ($this->validateTokenOwnership($token, $ts)) { |
|
|
|
|
271
|
68 |
|
if ($this->validateTokenTimestamp($ts)) { |
|
|
|
|
272
|
|
|
// We have already got this far, so unless anything |
273
|
|
|
// else says something to the contrary we assume we're ok |
274
|
67 |
|
$returnval = _elgg_services()->hooks->trigger('action_gatekeeper:permissions:check', 'all', [ |
275
|
67 |
|
'token' => $token, |
276
|
67 |
|
'time' => $ts |
277
|
67 |
|
], true); |
278
|
|
|
|
279
|
67 |
|
if ($returnval) { |
280
|
67 |
|
return true; |
281
|
|
|
} else if ($visible_errors) { |
282
|
|
|
register_error(_elgg_services()->translator->translate('actiongatekeeper:pluginprevents')); |
283
|
|
|
} |
284
|
1 |
|
} else if ($visible_errors) { |
285
|
|
|
// this is necessary because of #5133 |
286
|
|
|
if (elgg_is_xhr()) { |
287
|
|
|
register_error(_elgg_services()->translator->translate( |
288
|
|
|
'js:security:token_refresh_failed', |
289
|
|
|
[$this->config->wwwroot] |
290
|
|
|
)); |
291
|
|
|
} else { |
292
|
1 |
|
register_error(_elgg_services()->translator->translate('actiongatekeeper:timeerror')); |
293
|
|
|
} |
294
|
|
|
} |
295
|
3 |
|
} else if ($visible_errors) { |
296
|
|
|
// this is necessary because of #5133 |
297
|
1 |
|
if (elgg_is_xhr()) { |
298
|
|
|
register_error(_elgg_services()->translator->translate('js:security:token_refresh_failed', [$this->config->wwwroot])); |
299
|
|
|
} else { |
300
|
4 |
|
register_error(_elgg_services()->translator->translate('actiongatekeeper:tokeninvalid')); |
301
|
|
|
} |
302
|
|
|
} |
303
|
|
|
} else { |
304
|
1 |
|
$req = _elgg_services()->request; |
305
|
1 |
|
$length = $req->server->get('CONTENT_LENGTH'); |
306
|
1 |
|
$post_count = count($req->request); |
307
|
1 |
|
if ($length && $post_count < 1) { |
308
|
|
|
// The size of $_POST or uploaded file has exceed the size limit |
309
|
|
|
$error_msg = _elgg_services()->hooks->trigger('action_gatekeeper:upload_exceeded_msg', 'all', [ |
310
|
|
|
'post_size' => $length, |
311
|
|
|
'visible_errors' => $visible_errors, |
312
|
|
|
], _elgg_services()->translator->translate('actiongatekeeper:uploadexceeded')); |
313
|
|
|
} else { |
314
|
1 |
|
$error_msg = _elgg_services()->translator->translate('actiongatekeeper:missingfields'); |
315
|
|
|
} |
316
|
1 |
|
if ($visible_errors) { |
317
|
1 |
|
register_error($error_msg); |
318
|
|
|
} |
319
|
|
|
} |
320
|
|
|
|
321
|
5 |
|
return false; |
322
|
|
|
} |
323
|
|
|
|
324
|
|
|
/** |
325
|
|
|
* Is the token timestamp within acceptable range? |
326
|
|
|
* |
327
|
|
|
* @param int $ts timestamp from the CSRF token |
328
|
|
|
* |
329
|
|
|
* @return bool |
330
|
|
|
*/ |
331
|
68 |
|
protected function validateTokenTimestamp($ts) { |
332
|
68 |
|
$timeout = $this->getActionTokenTimeout(); |
333
|
68 |
|
$now = $this->getCurrentTime()->getTimestamp(); |
334
|
68 |
|
return ($timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout)); |
335
|
|
|
} |
336
|
|
|
|
337
|
|
|
/** |
338
|
|
|
* Returns the action token timeout in seconds |
339
|
|
|
* |
340
|
|
|
* @return int number of seconds that action token is valid |
341
|
|
|
* |
342
|
|
|
* @see ActionsService::validateActionToken |
343
|
|
|
* @access private |
344
|
|
|
* @since 1.9.0 |
345
|
|
|
*/ |
346
|
69 |
|
public function getActionTokenTimeout() { |
347
|
69 |
|
if (($timeout = $this->config->action_token_timeout) === null) { |
348
|
|
|
// default to 2 hours |
349
|
69 |
|
$timeout = 2; |
350
|
|
|
} |
351
|
69 |
|
$hour = 60 * 60; |
352
|
69 |
|
return (int) ((float) $timeout * $hour); |
353
|
|
|
} |
354
|
|
|
|
355
|
|
|
/** |
356
|
|
|
* Validates the presence of action tokens. |
357
|
|
|
* |
358
|
|
|
* This function is called for all actions. If action tokens are missing, |
359
|
|
|
* the user will be forwarded to the site front page and an error emitted. |
360
|
|
|
* |
361
|
|
|
* This function verifies form input for security features (like a generated token), |
362
|
|
|
* and forwards if they are invalid. |
363
|
|
|
* |
364
|
|
|
* @param string $action The action being performed |
365
|
|
|
* |
366
|
|
|
* @return bool |
367
|
|
|
* |
368
|
|
|
* @see action_gatekeeper() |
369
|
|
|
* @access private |
370
|
|
|
*/ |
371
|
67 |
|
public function gatekeeper($action) { |
372
|
67 |
|
if ($action === 'login') { |
373
|
8 |
|
if ($this->validateActionToken(false)) { |
374
|
8 |
|
return true; |
375
|
|
|
} |
376
|
|
|
|
377
|
|
|
$token = get_input('__elgg_token'); |
378
|
|
|
$ts = (int) get_input('__elgg_ts'); |
379
|
|
|
if ($token && $this->validateTokenTimestamp($ts)) { |
380
|
|
|
// The tokens are present and the time looks valid: this is probably a mismatch due to the |
381
|
|
|
// login form being on a different domain. |
382
|
|
|
register_error(_elgg_services()->translator->translate('actiongatekeeper:crosssitelogin')); |
383
|
|
|
_elgg_services()->responseFactory->redirect('login', 'csrf'); |
384
|
|
|
return false; |
385
|
|
|
} |
386
|
|
|
} |
387
|
|
|
|
388
|
59 |
|
if ($this->validateActionToken()) { |
389
|
58 |
|
return true; |
390
|
|
|
} |
391
|
|
|
|
392
|
2 |
|
_elgg_services()->responseFactory->redirect(REFERER, 'csrf'); |
393
|
2 |
|
return false; |
394
|
|
|
} |
395
|
|
|
|
396
|
|
|
/** |
397
|
|
|
* Was the given token generated for the session defined by session_token? |
398
|
|
|
* |
399
|
|
|
* @param string $token CSRF token |
400
|
|
|
* @param int $timestamp Unix time |
401
|
|
|
* @param string $session_token Session-specific token |
402
|
|
|
* |
403
|
|
|
* @return bool |
404
|
|
|
* @access private |
405
|
|
|
*/ |
406
|
71 |
|
public function validateTokenOwnership($token, $timestamp, $session_token = '') { |
407
|
71 |
|
$required_token = $this->generateActionToken($timestamp, $session_token); |
408
|
|
|
|
409
|
71 |
|
return _elgg_services()->crypto->areEqual($token, $required_token); |
410
|
|
|
} |
411
|
|
|
|
412
|
|
|
/** |
413
|
|
|
* Generate a token from a session token (specifying the user), the timestamp, and the site key. |
414
|
|
|
* |
415
|
|
|
* @see generate_action_token() |
416
|
|
|
* |
417
|
|
|
* @param int $timestamp Unix timestamp |
418
|
|
|
* @param string $session_token Session-specific token |
419
|
|
|
* |
420
|
|
|
* @return string |
421
|
|
|
* @access private |
422
|
|
|
*/ |
423
|
71 |
|
public function generateActionToken($timestamp, $session_token = '') { |
424
|
71 |
|
if (!$session_token) { |
425
|
71 |
|
$session_token = elgg_get_session()->get('__elgg_session'); |
426
|
71 |
|
if (!$session_token) { |
427
|
|
|
return false; |
|
|
|
|
428
|
|
|
} |
429
|
|
|
} |
430
|
|
|
|
431
|
71 |
|
return _elgg_services()->hmac->getHmac([(int) $timestamp, $session_token], 'md5') |
432
|
71 |
|
->getToken(); |
433
|
|
|
} |
434
|
|
|
|
435
|
|
|
/** |
436
|
|
|
* Check if an action is registered and its script exists. |
437
|
|
|
* |
438
|
|
|
* @param string $action Action name |
439
|
|
|
* |
440
|
|
|
* @return bool |
441
|
|
|
* |
442
|
|
|
* @see elgg_action_exists() |
443
|
|
|
* @access private |
444
|
|
|
*/ |
445
|
4 |
|
public function exists($action) { |
446
|
4 |
|
return (isset($this->actions[$action]) && file_exists($this->actions[$action]['file'])); |
447
|
|
|
} |
448
|
|
|
|
449
|
|
|
/** |
450
|
|
|
* Get all actions |
451
|
|
|
* |
452
|
|
|
* @return array |
453
|
|
|
*/ |
454
|
4 |
|
public function getAllActions() { |
455
|
4 |
|
return $this->actions; |
456
|
|
|
} |
457
|
|
|
|
458
|
|
|
/** |
459
|
|
|
* Send an updated CSRF token, provided the page's current tokens were not fake. |
460
|
|
|
* |
461
|
|
|
* @return ResponseBuilder |
462
|
|
|
* @access private |
463
|
|
|
*/ |
464
|
1 |
|
public function handleTokenRefreshRequest() { |
465
|
1 |
|
if (!elgg_is_xhr()) { |
466
|
|
|
return false; |
|
|
|
|
467
|
|
|
} |
468
|
|
|
|
469
|
|
|
// the page's session_token might have expired (not matching __elgg_session in the session), but |
470
|
|
|
// we still allow it to be given to validate the tokens in the page. |
471
|
1 |
|
$session_token = get_input('session_token', null, false); |
472
|
1 |
|
$pairs = (array) get_input('pairs', [], false); |
473
|
1 |
|
$valid_tokens = (object) []; |
474
|
1 |
|
foreach ($pairs as $pair) { |
475
|
1 |
|
list($ts, $token) = explode(',', $pair, 2); |
476
|
1 |
|
if ($this->validateTokenOwnership($token, $ts, $session_token)) { |
477
|
1 |
|
$valid_tokens->{$token} = true; |
478
|
|
|
} |
479
|
|
|
} |
480
|
|
|
|
481
|
1 |
|
$ts = $this->getCurrentTime()->getTimestamp(); |
482
|
1 |
|
$token = $this->generateActionToken($ts); |
483
|
|
|
$data = [ |
484
|
|
|
'token' => [ |
485
|
1 |
|
'__elgg_ts' => $ts, |
486
|
1 |
|
'__elgg_token' => $token, |
487
|
1 |
|
'logged_in' => $this->session->isLoggedIn(), |
488
|
|
|
], |
489
|
1 |
|
'valid_tokens' => $valid_tokens, |
490
|
1 |
|
'session_token' => $this->session->get('__elgg_session'), |
491
|
1 |
|
'user_guid' => $this->session->getLoggedInUserGuid(), |
492
|
|
|
]; |
493
|
|
|
|
494
|
1 |
|
elgg_set_http_header("Content-Type: application/json;charset=utf-8"); |
495
|
1 |
|
return elgg_ok_response($data); |
496
|
|
|
} |
497
|
|
|
} |
498
|
|
|
|
499
|
|
|
|