chamilo /
chamilo-lms
| Total Complexity | 80 |
| Total Lines | 569 |
| Duplicated Lines | 0 % |
| Changes | 0 | ||
Complex classes like Security often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use Security, and based on these observations, apply Extract Interface, too.
| 1 | <?php |
||
| 40 | class Security |
||
| 41 | { |
||
| 42 | public static $clean = []; |
||
| 43 | |||
| 44 | /** |
||
| 45 | * Checks if the absolute path (directory) given is really under the |
||
| 46 | * checker path (directory). |
||
| 47 | * |
||
| 48 | * @param string $abs_path Absolute path to be checked (with trailing slash) |
||
| 49 | * @param string $checker_path Checker path under which the path |
||
| 50 | * should be (absolute path, with trailing slash, get it from api_get_path(SYS_COURSE_PATH)) |
||
| 51 | * |
||
| 52 | * @return bool True if the path is under the checker, false otherwise |
||
| 53 | */ |
||
| 54 | public static function check_abs_path(string $abs_path, string $checker_path): bool |
||
| 84 | } |
||
| 85 | |||
| 86 | public static function cleanPath(string $absPath): string |
||
| 87 | { |
||
| 88 | $absPath = str_replace(['//', '../'], ['/', ''], $absPath); |
||
| 89 | |||
| 90 | return str_replace("\\", '/', realpath($absPath)); |
||
| 91 | } |
||
| 92 | |||
| 93 | /** |
||
| 94 | * Checks if the relative path (directory) given is really under the |
||
| 95 | * checker path (directory). |
||
| 96 | * |
||
| 97 | * @param string $rel_path Relative path to be checked (relative to the current directory) (with trailing slash) |
||
| 98 | * @param string $checker_path Checker path under which the path |
||
| 99 | * should be (absolute path, with trailing slash, get it from api_get_path(SYS_COURSE_PATH)) |
||
| 100 | * |
||
| 101 | * @return bool True if the path is under the checker, false otherwise |
||
| 102 | */ |
||
| 103 | public static function check_rel_path(string $rel_path, string $checker_path): bool |
||
| 104 | { |
||
| 105 | // The checker path must be set. |
||
| 106 | if (empty($checker_path)) { |
||
| 107 | return false; |
||
| 108 | } |
||
| 109 | $current_path = getcwd(); // No trailing slash. |
||
| 110 | if ('/' != substr($rel_path, -1, 1)) { |
||
| 111 | $rel_path = '/'.$rel_path; |
||
| 112 | } |
||
| 113 | $abs_path = $current_path.$rel_path; |
||
| 114 | $true_path = str_replace("\\", '/', realpath($abs_path)); |
||
| 115 | $found = strpos($true_path.'/', $checker_path); |
||
| 116 | if (0 === $found) { |
||
| 117 | return true; |
||
| 118 | } |
||
| 119 | |||
| 120 | return false; |
||
| 121 | } |
||
| 122 | |||
| 123 | /** |
||
| 124 | * Filters dangerous filenames (*.php[.]?* and .htaccess) and returns it in |
||
| 125 | * a non-executable form (for PHP and htaccess, this is still vulnerable to |
||
| 126 | * other languages' files extensions). |
||
| 127 | * |
||
| 128 | * @param string $filename Unfiltered filename |
||
| 129 | */ |
||
| 130 | public static function filter_filename(string $filename): string |
||
| 131 | { |
||
| 132 | return disable_dangerous_file($filename); |
||
| 133 | } |
||
| 134 | |||
| 135 | public static function getTokenFromSession(string $prefix = ''): string |
||
| 136 | { |
||
| 137 | $secTokenVariable = self::generateSecTokenVariable($prefix); |
||
| 138 | |||
| 139 | return Session::read($secTokenVariable); |
||
|
Bug
Best Practice
introduced
by
|
|||
| 140 | } |
||
| 141 | |||
| 142 | /** |
||
| 143 | * This function checks that the token generated in get_token() has been kept (prevents |
||
| 144 | * Cross-Site Request Forgeries attacks). |
||
| 145 | * |
||
| 146 | * @param string $requestType The array in which to get the token ('get' or 'post') |
||
| 147 | * @param ?FormValidator $form |
||
| 148 | * |
||
| 149 | * @return bool True if it's the right token, false otherwise |
||
| 150 | */ |
||
| 151 | public static function check_token(string $requestType = 'post', FormValidator $form = null, string $prefix = ''): bool |
||
| 152 | { |
||
| 153 | $secTokenVariable = self::generateSecTokenVariable($prefix); |
||
| 154 | $sessionToken = Session::read($secTokenVariable); |
||
| 155 | switch ($requestType) { |
||
| 156 | case 'request': |
||
| 157 | if (!empty($sessionToken) && isset($_REQUEST[$secTokenVariable]) && $sessionToken === $_REQUEST[$secTokenVariable]) { |
||
| 158 | return true; |
||
| 159 | } |
||
| 160 | |||
| 161 | return false; |
||
| 162 | case 'get': |
||
| 163 | if (!empty($sessionToken) && isset($_GET[$secTokenVariable]) && $sessionToken === $_GET[$secTokenVariable]) { |
||
| 164 | return true; |
||
| 165 | } |
||
| 166 | |||
| 167 | return false; |
||
| 168 | case 'post': |
||
| 169 | if (!empty($sessionToken) && isset($_POST[$secTokenVariable]) && $sessionToken === $_POST[$secTokenVariable]) { |
||
| 170 | return true; |
||
| 171 | } |
||
| 172 | |||
| 173 | return false; |
||
| 174 | case 'form': |
||
| 175 | $token = $form->getSubmitValue('protect_token'); |
||
| 176 | |||
| 177 | if (!empty($sessionToken) && !empty($token) && $sessionToken === $token) { |
||
| 178 | return true; |
||
| 179 | } |
||
| 180 | |||
| 181 | return false; |
||
| 182 | default: |
||
| 183 | if (!empty($sessionToken) && isset($requestType) && $sessionToken === $requestType) { |
||
| 184 | return true; |
||
| 185 | } |
||
| 186 | } |
||
| 187 | |||
| 188 | return false; // Just in case, don't let anything slip. |
||
| 189 | } |
||
| 190 | |||
| 191 | /** |
||
| 192 | * Checks the user agent of the client as recorder by get_ua() to prevent |
||
| 193 | * most session hijacking attacks. |
||
| 194 | * |
||
| 195 | * @return bool True if the user agent is the same, false otherwise |
||
| 196 | */ |
||
| 197 | public static function check_ua(): bool |
||
| 198 | { |
||
| 199 | $security = Session::read('sec_ua'); |
||
| 200 | $securitySeed = Session::read('sec_ua_seed'); |
||
| 201 | |||
| 202 | if ($security === $_SERVER['HTTP_USER_AGENT'].$securitySeed) { |
||
| 203 | return true; |
||
| 204 | } |
||
| 205 | |||
| 206 | return false; |
||
| 207 | } |
||
| 208 | |||
| 209 | /** |
||
| 210 | * Clear the security token from the session. |
||
| 211 | */ |
||
| 212 | public static function clear_token(string $prefix = ''): void |
||
| 213 | { |
||
| 214 | $secTokenVariable = self::generateSecTokenVariable($prefix); |
||
| 215 | |||
| 216 | Session::erase($secTokenVariable); |
||
| 217 | } |
||
| 218 | |||
| 219 | /** |
||
| 220 | * This function sets a random token to be included in a form as a hidden field |
||
| 221 | * and saves it into the user's session. Returns an HTML form element |
||
| 222 | * This later prevents Cross-Site Request Forgeries by checking that the user is really |
||
| 223 | * the one that sent this form in knowingly (this form hasn't been generated from |
||
| 224 | * another website visited by the user at the same time). |
||
| 225 | * Check the token with check_token(). |
||
| 226 | * |
||
| 227 | * @return string Hidden-type input ready to insert into a form |
||
| 228 | */ |
||
| 229 | public static function get_HTML_token(string $prefix = ''): string |
||
| 230 | { |
||
| 231 | $secTokenVariable = self::generateSecTokenVariable($prefix); |
||
| 232 | $token = md5(uniqid(rand(), true)); |
||
| 233 | $string = '<input type="hidden" name="'.$secTokenVariable.'" value="'.$token.'" />'; |
||
| 234 | Session::write($secTokenVariable, $token); |
||
| 235 | |||
| 236 | return $string; |
||
| 237 | } |
||
| 238 | |||
| 239 | /** |
||
| 240 | * This function sets a random token to be included in a form as a hidden field |
||
| 241 | * and saves it into the user's session. |
||
| 242 | * This later prevents Cross-Site Request Forgeries by checking that the user is really |
||
| 243 | * the one that sent this form in knowingly (this form hasn't been generated from |
||
| 244 | * another website visited by the user at the same time). |
||
| 245 | * Check the token with check_token(). |
||
| 246 | * |
||
| 247 | * @return string Token |
||
| 248 | */ |
||
| 249 | public static function get_token($prefix = ''): string |
||
| 250 | { |
||
| 251 | $secTokenVariable = self::generateSecTokenVariable($prefix); |
||
| 252 | $token = md5(uniqid(rand(), true)); |
||
| 253 | Session::write($secTokenVariable, $token); |
||
| 254 | |||
| 255 | return $token; |
||
| 256 | } |
||
| 257 | |||
| 258 | public static function get_existing_token(string $prefix = ''): string |
||
| 259 | { |
||
| 260 | $secTokenVariable = self::generateSecTokenVariable($prefix); |
||
| 261 | $token = Session::read($secTokenVariable); |
||
| 262 | if (!empty($token)) { |
||
| 263 | return $token; |
||
| 264 | } else { |
||
| 265 | return self::get_token($prefix); |
||
| 266 | } |
||
| 267 | } |
||
| 268 | |||
| 269 | /** |
||
| 270 | * Gets the user agent in the session to later check it with check_ua() to prevent |
||
| 271 | * most cases of session hijacking. |
||
| 272 | */ |
||
| 273 | public static function get_ua() |
||
| 278 | } |
||
| 279 | |||
| 280 | /** |
||
| 281 | * This function returns a variable from the clean array. If the variable doesn't exist, |
||
| 282 | * it returns null. |
||
| 283 | * |
||
| 284 | * @param string $varname Variable name |
||
| 285 | * |
||
| 286 | * @return mixed Variable or NULL on error |
||
| 287 | */ |
||
| 288 | public static function get(string $varname) |
||
| 289 | { |
||
| 290 | if (isset(self::$clean[$varname])) { |
||
| 291 | return self::$clean[$varname]; |
||
| 292 | } |
||
| 293 | |||
| 294 | return null; |
||
| 295 | } |
||
| 296 | |||
| 297 | /** |
||
| 298 | * This function tackles the XSS injections. |
||
| 299 | * Filtering for XSS is very easily done by using the htmlentities() function. |
||
| 300 | * This kind of filtering prevents JavaScript snippets to be understood as such. |
||
| 301 | * |
||
| 302 | * @param string|array $var The variable to filter for XSS, this params can be a string or an array (example : array(x,y)) |
||
| 303 | * @param ?int $user_status The user status,constant allowed (STUDENT, COURSEMANAGER, ANONYMOUS, COURSEMANAGERLOWSECURITY) |
||
| 304 | * |
||
| 305 | * @return mixed Filtered string or array |
||
| 306 | */ |
||
| 307 | public static function remove_XSS($var, int $user_status = null, bool $filter_terms = false) |
||
| 308 | { |
||
| 309 | if ($filter_terms) { |
||
| 310 | $var = self::filter_terms($var); |
||
| 311 | } |
||
| 312 | |||
| 313 | if (empty($user_status)) { |
||
| 314 | if (api_is_anonymous()) { |
||
| 315 | $user_status = ANONYMOUS; |
||
| 316 | } else { |
||
| 317 | if (api_is_allowed_to_edit()) { |
||
| 318 | $user_status = COURSEMANAGER; |
||
| 319 | } else { |
||
| 320 | $user_status = STUDENT; |
||
| 321 | } |
||
| 322 | } |
||
| 323 | } |
||
| 324 | |||
| 325 | if (COURSEMANAGERLOWSECURITY == $user_status) { |
||
| 326 | return $var; // No filtering. |
||
| 327 | } |
||
| 328 | |||
| 329 | static $purifier = []; |
||
| 330 | if (!isset($purifier[$user_status])) { |
||
| 331 | $cache_dir = api_get_path(SYS_ARCHIVE_PATH).'Serializer'; |
||
| 332 | if (!file_exists($cache_dir)) { |
||
| 333 | $mode = api_get_permissions_for_new_directories(); |
||
| 334 | mkdir($cache_dir, $mode); |
||
| 335 | } |
||
| 336 | $config = HTMLPurifier_Config::createDefault(); |
||
| 337 | $config->set('Cache.SerializerPath', $cache_dir); |
||
| 338 | $config->set('Core.Encoding', api_get_system_encoding()); |
||
| 339 | $config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); |
||
| 340 | $config->set('HTML.MaxImgLength', '2560'); |
||
| 341 | $config->set('HTML.TidyLevel', 'light'); |
||
| 342 | $config->set('Core.ConvertDocumentToFragment', false); |
||
| 343 | $config->set('Core.RemoveProcessingInstructions', true); |
||
| 344 | |||
| 345 | if ('true' == api_get_setting('enable_iframe_inclusion')) { |
||
| 346 | $config->set('Filter.Custom', [new AllowIframes()]); |
||
| 347 | } |
||
| 348 | |||
| 349 | // Shows _target attribute in anchors |
||
| 350 | $config->set('Attr.AllowedFrameTargets', ['_blank', '_top', '_self', '_parent']); |
||
| 351 | |||
| 352 | if (STUDENT == $user_status) { |
||
| 353 | global $allowed_html_student; |
||
| 354 | $config->set('HTML.SafeEmbed', true); |
||
| 355 | $config->set('HTML.SafeObject', true); |
||
| 356 | $config->set('Filter.YouTube', true); |
||
| 357 | $config->set('HTML.FlashAllowFullScreen', true); |
||
| 358 | $config->set('HTML.Allowed', $allowed_html_student); |
||
| 359 | } elseif (COURSEMANAGER == $user_status) { |
||
| 360 | global $allowed_html_teacher; |
||
| 361 | $config->set('HTML.SafeEmbed', true); |
||
| 362 | $config->set('HTML.SafeObject', true); |
||
| 363 | $config->set('Filter.YouTube', true); |
||
| 364 | $config->set('HTML.FlashAllowFullScreen', true); |
||
| 365 | $config->set('HTML.Allowed', $allowed_html_teacher); |
||
| 366 | } else { |
||
| 367 | global $allowed_html_anonymous; |
||
| 368 | $config->set('HTML.Allowed', $allowed_html_anonymous); |
||
| 369 | } |
||
| 370 | |||
| 371 | // We need it for example for the flv player (ids of surrounding div-tags have to be preserved). |
||
| 372 | $config->set('Attr.EnableID', true); |
||
| 373 | $config->set('CSS.AllowImportant', true); |
||
| 374 | // We need for the flv player the css definition display: none; |
||
| 375 | $config->set('CSS.AllowTricky', true); |
||
| 376 | $config->set('CSS.Proprietary', true); |
||
| 377 | |||
| 378 | // Allow uri scheme. |
||
| 379 | $config->set('URI.AllowedSchemes', [ |
||
| 380 | 'http' => true, |
||
| 381 | 'https' => true, |
||
| 382 | 'mailto' => true, |
||
| 383 | 'ftp' => true, |
||
| 384 | 'nntp' => true, |
||
| 385 | 'news' => true, |
||
| 386 | 'data' => true, |
||
| 387 | ]); |
||
| 388 | |||
| 389 | // Allow <video> tag |
||
| 390 | //$config->set('HTML.Doctype', 'HTML 4.01 Transitional'); |
||
| 391 | $config->set('HTML.SafeIframe', true); |
||
| 392 | |||
| 393 | // Set some HTML5 properties |
||
| 394 | $config->set('HTML.DefinitionID', 'html5-definitions'); // unqiue id |
||
| 395 | $config->set('HTML.DefinitionRev', 1); |
||
| 396 | if ($def = $config->maybeGetRawHTMLDefinition()) { |
||
| 397 | // https://html.spec.whatwg.org/dev/media.html#the-video-element |
||
| 398 | $def->addElement( |
||
| 399 | 'video', |
||
| 400 | 'Block', |
||
| 401 | 'Optional: (source, Flow) | (Flow, source) | Flow', |
||
| 402 | 'Common', |
||
| 403 | [ |
||
| 404 | 'src' => 'URI', |
||
| 405 | 'type' => 'Text', |
||
| 406 | 'width' => 'Length', |
||
| 407 | 'height' => 'Length', |
||
| 408 | 'poster' => 'URI', |
||
| 409 | 'preload' => 'Enum#auto,metadata,none', |
||
| 410 | 'controls' => 'Bool', |
||
| 411 | ] |
||
| 412 | ); |
||
| 413 | // https://html.spec.whatwg.org/dev/media.html#the-audio-element |
||
| 414 | $def->addElement( |
||
| 415 | 'audio', |
||
| 416 | 'Block', |
||
| 417 | 'Optional: (source, Flow) | (Flow, source) | Flow', |
||
| 418 | 'Common', |
||
| 419 | [ |
||
| 420 | 'autoplay' => 'Bool', |
||
| 421 | 'src' => 'URI', |
||
| 422 | 'loop' => 'Bool', |
||
| 423 | 'preload' => 'Enum#auto,metadata,none', |
||
| 424 | 'controls' => 'Bool', |
||
| 425 | 'muted' => 'Bool', |
||
| 426 | ] |
||
| 427 | ); |
||
| 428 | $def->addElement( |
||
| 429 | 'source', |
||
| 430 | 'Block', |
||
| 431 | 'Flow', |
||
| 432 | 'Common', |
||
| 433 | ['src' => 'URI', 'type' => 'Text'] |
||
| 434 | ); |
||
| 435 | } |
||
| 436 | |||
| 437 | $purifier[$user_status] = new HTMLPurifier($config); |
||
| 438 | } |
||
| 439 | |||
| 440 | if (is_array($var)) { |
||
| 441 | return $purifier[$user_status]->purifyArray($var); |
||
| 442 | } else { |
||
| 443 | return $purifier[$user_status]->purify($var); |
||
| 444 | } |
||
| 445 | } |
||
| 446 | |||
| 447 | /** |
||
| 448 | * Filter content. |
||
| 449 | * |
||
| 450 | * @param string $text to be filtered |
||
| 451 | */ |
||
| 452 | public static function filter_terms(string $text): string |
||
| 453 | { |
||
| 454 | static $bad_terms = []; |
||
| 455 | |||
| 456 | if (empty($bad_terms)) { |
||
| 457 | $list = api_get_setting('filter_terms'); |
||
| 458 | if (!empty($list)) { |
||
| 459 | $list = explode("\n", $list); |
||
| 460 | $list = array_filter($list); |
||
| 461 | if (!empty($list)) { |
||
| 462 | foreach ($list as $term) { |
||
| 463 | $term = str_replace(["\r\n", "\r", "\n", "\t"], '', $term); |
||
| 464 | $html_entities_value = api_htmlentities($term, ENT_QUOTES, api_get_system_encoding()); |
||
| 465 | $bad_terms[] = $term; |
||
| 466 | if ($term != $html_entities_value) { |
||
| 467 | $bad_terms[] = $html_entities_value; |
||
| 468 | } |
||
| 469 | } |
||
| 470 | } |
||
| 471 | $bad_terms = array_filter($bad_terms); |
||
| 472 | } |
||
| 473 | } |
||
| 474 | |||
| 475 | $replace = '***'; |
||
| 476 | if (!empty($bad_terms)) { |
||
| 477 | // Fast way |
||
| 478 | $new_text = str_ireplace($bad_terms, $replace, $text); |
||
| 479 | $text = $new_text; |
||
| 480 | } |
||
| 481 | |||
| 482 | return $text; |
||
| 483 | } |
||
| 484 | |||
| 485 | /** |
||
| 486 | * This method provides specific protection (against XSS and other kinds of attacks) |
||
| 487 | * for static images (icons) used by the system. |
||
| 488 | * Image paths are supposed to be given by programmers - people who know what they do, anyway, |
||
| 489 | * this method encourages a safe practice for generating icon paths, without using heavy solutions |
||
| 490 | * based on HTMLPurifier for example. |
||
| 491 | * |
||
| 492 | * @param string $image_path the input path of the image, it could be relative or absolute URL |
||
| 493 | * |
||
| 494 | * @return string returns sanitized image path or an empty string when the image path is not secure |
||
| 495 | * |
||
| 496 | * @author Ivan Tcholakov, March 2011 |
||
| 497 | */ |
||
| 498 | public static function filter_img_path(string $image_path): string |
||
| 499 | { |
||
| 500 | static $allowed_extensions = ['png', 'gif', 'jpg', 'jpeg', 'svg', 'webp']; |
||
| 501 | $image_path = htmlspecialchars(trim($image_path)); // No html code is allowed. |
||
| 502 | // We allow static images only, query strings are forbidden. |
||
| 503 | if (false !== strpos($image_path, '?')) { |
||
| 504 | return ''; |
||
| 505 | } |
||
| 506 | if (false !== ($pos = strpos($image_path, ':'))) { |
||
| 507 | // Protocol has been specified, let's check it. |
||
| 508 | if (false !== stripos($image_path, 'javascript:')) { |
||
| 509 | // Javascript everywhere in the path is not allowed. |
||
| 510 | return ''; |
||
| 511 | } |
||
| 512 | // We allow only http: and https: protocols for now. |
||
| 513 | //if (!preg_match('/^https?:\/\//i', $image_path)) { |
||
| 514 | // return ''; |
||
| 515 | //} |
||
| 516 | if (0 !== stripos($image_path, 'http://') && 0 !== stripos($image_path, 'https://')) { |
||
| 517 | return ''; |
||
| 518 | } |
||
| 519 | } |
||
| 520 | // We allow file extensions for images only. |
||
| 521 | //if (!preg_match('/.+\.(png|gif|jpg|jpeg)$/i', $image_path)) { |
||
| 522 | // return ''; |
||
| 523 | //} |
||
| 524 | if (false !== ($pos = strrpos($image_path, '.'))) { |
||
| 525 | if (!in_array(strtolower(substr($image_path, $pos + 1)), $allowed_extensions)) { |
||
| 526 | return ''; |
||
| 527 | } |
||
| 528 | } else { |
||
| 529 | return ''; |
||
| 530 | } |
||
| 531 | |||
| 532 | return $image_path; |
||
| 533 | } |
||
| 534 | |||
| 535 | /** |
||
| 536 | * Get password requirements |
||
| 537 | * It checks config value 'password_requirements' or uses the "classic" |
||
| 538 | * Chamilo password requirements. |
||
| 539 | */ |
||
| 540 | public static function getPasswordRequirements(): array |
||
| 541 | { |
||
| 542 | // Default |
||
| 543 | $requirements = [ |
||
| 544 | 'min' => [ |
||
| 545 | 'lowercase' => 0, |
||
| 546 | 'uppercase' => 0, |
||
| 547 | 'numeric' => 2, |
||
| 548 | 'length' => 5, |
||
| 549 | 'specials' => 1, |
||
| 550 | ], |
||
| 551 | ]; |
||
| 552 | |||
| 553 | $passwordRequirements = api_get_setting('security.password_requirements', true); |
||
| 554 | if (is_array($passwordRequirements)) { |
||
| 555 | $requirements = $passwordRequirements; |
||
| 556 | } |
||
| 557 | |||
| 558 | return ['min' => $requirements['min']]; |
||
| 559 | } |
||
| 560 | |||
| 561 | /** |
||
| 562 | * Gets password requirements in the platform language using get_lang |
||
| 563 | * based in platform settings. See function 'self::getPasswordRequirements'. |
||
| 564 | * |
||
| 565 | * @return string |
||
| 566 | */ |
||
| 567 | public static function getPasswordRequirementsToString($passedConditions = []) |
||
| 568 | { |
||
| 569 | $output = ''; |
||
| 570 | $setting = self::getPasswordRequirements(); |
||
| 571 | foreach ($setting as $type => $rules) { |
||
| 572 | foreach ($rules as $rule => $parameter) { |
||
| 573 | if (empty($parameter)) { |
||
| 574 | continue; |
||
| 575 | } |
||
| 576 | $output .= sprintf( |
||
| 577 | get_lang( |
||
| 578 | 'NewPasswordRequirement'.ucfirst($type).'X'.ucfirst($rule) |
||
| 579 | ), |
||
| 580 | $parameter |
||
| 581 | ); |
||
| 582 | $output .= '<br />'; |
||
| 583 | } |
||
| 584 | } |
||
| 585 | |||
| 586 | return $output; |
||
| 587 | } |
||
| 588 | |||
| 589 | /** |
||
| 590 | * Sanitize a string, so it can be used in the exec() command without |
||
| 591 | * "jail-breaking" to execute other commands. |
||
| 592 | * |
||
| 593 | * @param string $param The string to filter |
||
| 594 | */ |
||
| 595 | public static function sanitizeExecParam(string $param): string |
||
| 596 | { |
||
| 597 | $param = preg_replace('/[`;&|]/', '', $param); |
||
| 598 | |||
| 599 | return escapeshellarg($param); |
||
| 600 | } |
||
| 601 | |||
| 602 | private static function generateSecTokenVariable(string $prefix = ''): string |
||
| 609 | } |
||
| 610 | } |
||
| 611 |
Loading history...
