1
|
|
|
<?php |
2
|
|
|
|
3
|
|
|
namespace Elgg\Security; |
4
|
|
|
|
5
|
|
|
/** |
6
|
|
|
* Component for creating signed URLs |
7
|
|
|
* |
8
|
|
|
* @access private |
9
|
|
|
*/ |
10
|
|
|
class UrlSigner { |
11
|
|
|
|
12
|
|
|
const KEY_MAC = '__elgg_mac'; |
13
|
|
|
const KEY_EXPIRES = '__elgg_exp'; |
14
|
|
|
|
15
|
|
|
/** |
16
|
|
|
* Normalizes and signs the URL with SHA256 HMAC key |
17
|
|
|
* |
18
|
|
|
* @note Signed URLs do not offer CSRF protection and should not be used instead of action tokens. |
19
|
|
|
* |
20
|
|
|
* @param string $url URL to sign |
21
|
|
|
* @param string $expires Expiration time |
22
|
|
|
* Accepts a string suitable for strtotime() |
23
|
|
|
* Falsey values indicate non-expiring URL |
24
|
|
|
* @return string |
25
|
|
|
* @throws \InvalidArgumentException |
26
|
|
|
*/ |
27
|
5 |
|
public function sign($url, $expires = false) { |
28
|
5 |
|
$url = elgg_normalize_url($url); |
29
|
|
|
|
30
|
5 |
|
$parts = parse_url($url); |
31
|
|
|
|
32
|
5 |
|
if (isset($parts['query'])) { |
33
|
5 |
|
$query = elgg_parse_str($parts['query']); |
34
|
|
|
} else { |
35
|
|
|
$query = []; |
36
|
|
|
} |
37
|
|
|
|
38
|
5 |
|
if (isset($query[self::KEY_MAC])) { |
39
|
1 |
|
throw new \InvalidArgumentException('URL has already been signed'); |
40
|
|
|
} |
41
|
|
|
|
42
|
5 |
|
if ($expires) { |
|
|
|
|
43
|
3 |
|
$query[self::KEY_EXPIRES] = strtotime($expires); |
44
|
|
|
} |
45
|
|
|
|
46
|
5 |
|
ksort($query); |
47
|
|
|
|
48
|
5 |
|
$parts['query'] = http_build_query($query); |
49
|
|
|
|
50
|
5 |
|
$url = elgg_http_build_url($parts, false); |
51
|
|
|
|
52
|
5 |
|
$token = elgg_build_hmac($url)->getToken(); |
53
|
|
|
|
54
|
5 |
|
return elgg_http_add_url_query_elements($url, [ |
55
|
5 |
|
self::KEY_MAC => $token, |
56
|
|
|
]); |
57
|
|
|
} |
58
|
|
|
|
59
|
|
|
/** |
60
|
|
|
* Validates HMAC signature |
61
|
|
|
* |
62
|
|
|
* @param string $url URL to vlaidate |
63
|
|
|
* @return bool |
64
|
|
|
*/ |
65
|
4 |
|
public function isValid($url) { |
66
|
|
|
|
67
|
4 |
|
$parts = parse_url($url); |
68
|
|
|
|
69
|
4 |
|
if (isset($parts['query'])) { |
70
|
4 |
|
$query = elgg_parse_str($parts['query']); |
71
|
|
|
} else { |
72
|
|
|
$query = []; |
73
|
|
|
} |
74
|
|
|
|
75
|
4 |
|
if (!isset($query[self::KEY_MAC])) { |
76
|
|
|
// No signature found |
77
|
|
|
return false; |
78
|
|
|
} |
79
|
|
|
|
80
|
4 |
|
$token = $query[self::KEY_MAC]; |
81
|
4 |
|
unset($query[self::KEY_MAC]); |
82
|
|
|
|
83
|
4 |
|
if (isset($query[self::KEY_EXPIRES]) && $query[self::KEY_EXPIRES] < time()) { |
84
|
|
|
// Signature has expired |
85
|
1 |
|
return false; |
86
|
|
|
} |
87
|
|
|
|
88
|
4 |
|
ksort($query); |
89
|
|
|
|
90
|
4 |
|
$parts['query'] = http_build_query($query); |
91
|
|
|
|
92
|
4 |
|
$url = elgg_http_build_url($parts, false); |
93
|
|
|
|
94
|
4 |
|
return elgg_build_hmac($url)->matchesToken($token); |
95
|
|
|
|
96
|
|
|
} |
97
|
|
|
} |
98
|
|
|
|
In PHP, under loose comparison (like
==
, or!=
, orswitch
conditions), values of different types might be equal.For
string
values, the empty string''
is a special case, in particular the following results might be unexpected: