|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
/** |
|
4
|
|
|
* Copyright 2015 François Kooman <[email protected]>. |
|
5
|
|
|
* |
|
6
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
7
|
|
|
* you may not use this file except in compliance with the License. |
|
8
|
|
|
* You may obtain a copy of the License at |
|
9
|
|
|
* |
|
10
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0 |
|
11
|
|
|
* |
|
12
|
|
|
* Unless required by applicable law or agreed to in writing, software |
|
13
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, |
|
14
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
15
|
|
|
* See the License for the specific language governing permissions and |
|
16
|
|
|
* limitations under the License. |
|
17
|
|
|
*/ |
|
18
|
|
|
|
|
19
|
|
|
namespace fkooman\RemoteStorage\OAuth; |
|
20
|
|
|
|
|
21
|
|
|
class InputValidation |
|
22
|
|
|
{ |
|
23
|
|
|
const VSCHAR = '/^(?:[\x20-\x7E])*$/'; |
|
24
|
|
|
const NQCHAR = '/^(?:\x21|[\x23-\x5B]|[\x5D-\x7E])*$/'; |
|
25
|
|
|
|
|
26
|
|
|
public static function clientId($clientId) |
|
27
|
|
|
{ |
|
28
|
|
|
// The "client_id" element is defined in Section 2.3.1: |
|
29
|
|
|
// client-id = *VSCHAR |
|
30
|
|
|
|
|
31
|
|
|
// XXX: I do not understand why this is not 1*VSCHAR. So the client_id |
|
32
|
|
|
// parameter is allowed to be the empty string? |
|
33
|
|
|
return self::requireNonEmptyVsChar($clientId); |
|
34
|
|
|
} |
|
35
|
|
|
|
|
36
|
|
|
public static function responseType($responseType) |
|
37
|
|
|
{ |
|
38
|
|
|
$supportedResponseTypes = [ |
|
39
|
|
|
'code', |
|
40
|
|
|
'token', |
|
41
|
|
|
]; |
|
42
|
|
|
if (!in_array($responseType, $supportedResponseTypes)) { |
|
43
|
|
|
return false; |
|
44
|
|
|
} |
|
45
|
|
|
|
|
46
|
|
|
return $responseType; |
|
47
|
|
|
} |
|
48
|
|
|
|
|
49
|
|
|
public static function grantType($grantType) |
|
50
|
|
|
{ |
|
51
|
|
|
// we only support 'authorization_code' for now |
|
52
|
|
|
if ('authorization_code' !== $grantType) { |
|
53
|
|
|
return false; |
|
54
|
|
|
} |
|
55
|
|
|
|
|
56
|
|
|
return $grantType; |
|
57
|
|
|
} |
|
58
|
|
|
|
|
59
|
|
|
public static function redirectUri($redirectUri) |
|
60
|
|
|
{ |
|
61
|
|
|
// The "redirect_uri" element is defined in Sections 4.1.1, 4.1.3, |
|
62
|
|
|
// and 4.2.1: |
|
|
|
|
|
|
63
|
|
|
// redirect-uri = URI-reference |
|
64
|
|
|
|
|
65
|
|
|
// The redirection endpoint URI MUST be an absolute URI as defined by |
|
66
|
|
|
// [RFC3986] Section 4.3. The endpoint URI MAY include an |
|
67
|
|
|
// "application/x-www-form-urlencoded" formatted (per Appendix B) query |
|
68
|
|
|
// component ([RFC3986] Section 3.4), which MUST be retained when adding |
|
69
|
|
|
// additional query parameters. The endpoint URI MUST NOT include a |
|
70
|
|
|
// fragment component. |
|
71
|
|
|
|
|
72
|
|
|
// MUST be valid absolute URL |
|
73
|
|
|
if (false === filter_var($redirectUri, FILTER_VALIDATE_URL)) { |
|
74
|
|
|
return false; |
|
75
|
|
|
} |
|
76
|
|
|
|
|
77
|
|
|
// MUST not have fragment |
|
78
|
|
|
if (null !== parse_url($redirectUri, PHP_URL_FRAGMENT)) { |
|
79
|
|
|
return false; |
|
80
|
|
|
} |
|
81
|
|
|
|
|
82
|
|
|
return $redirectUri; |
|
83
|
|
|
} |
|
84
|
|
|
|
|
85
|
|
|
public static function scope($scope) |
|
86
|
|
|
{ |
|
87
|
|
|
// The "scope" element is defined in Section 3.3: |
|
88
|
|
|
// scope = scope-token *( SP scope-token ) |
|
89
|
|
|
// scope-token = 1*NQCHAR |
|
90
|
|
|
if (1 > strlen($scope)) { |
|
91
|
|
|
return false; |
|
92
|
|
|
} |
|
93
|
|
|
$scopeTokens = explode(' ', $scope); |
|
94
|
|
|
foreach ($scopeTokens as $scopeToken) { |
|
95
|
|
|
if (1 > strlen($scopeToken)) { |
|
96
|
|
|
return false; |
|
97
|
|
|
} |
|
98
|
|
|
if (1 !== preg_match(self::NQCHAR, $scopeToken)) { |
|
99
|
|
|
return false; |
|
100
|
|
|
} |
|
101
|
|
|
} |
|
102
|
|
|
|
|
103
|
|
|
return $scope; |
|
104
|
|
|
} |
|
105
|
|
|
|
|
106
|
|
|
public static function state($state) |
|
107
|
|
|
{ |
|
108
|
|
|
// The "state" element is defined in Sections 4.1.1, 4.1.2, 4.1.2.1, |
|
|
|
|
|
|
109
|
|
|
// 4.2.1, 4.2.2, and 4.2.2.1: |
|
|
|
|
|
|
110
|
|
|
// state = 1*VSCHAR |
|
111
|
|
|
return self::requireNonEmptyVsChar($state); |
|
112
|
|
|
} |
|
113
|
|
|
|
|
114
|
|
|
public static function code($code) |
|
115
|
|
|
{ |
|
116
|
|
|
// The "code" element is defined in Section 4.1.3: |
|
117
|
|
|
// code = 1*VSCHAR |
|
118
|
|
|
return self::requireNonEmptyVsChar($code); |
|
119
|
|
|
} |
|
120
|
|
|
|
|
121
|
|
|
public static function token($token) |
|
122
|
|
|
{ |
|
123
|
|
|
// The "access_token" element is defined in Sections 4.2.2 and 5.1: |
|
124
|
|
|
// access-token = 1*VSCHAR |
|
125
|
|
|
return self::requireNonEmptyVsChar($token); |
|
126
|
|
|
} |
|
127
|
|
|
|
|
128
|
|
|
public static function approval($approval) |
|
129
|
|
|
{ |
|
130
|
|
|
if ('yes' !== $approval && 'no' !== $approval) { |
|
131
|
|
|
return false; |
|
132
|
|
|
} |
|
133
|
|
|
|
|
134
|
|
|
return $approval; |
|
135
|
|
|
} |
|
136
|
|
|
|
|
137
|
|
|
public static function requireNonEmptyVsChar($str) |
|
138
|
|
|
{ |
|
139
|
|
|
if (1 > strlen($str)) { |
|
140
|
|
|
return false; |
|
141
|
|
|
} |
|
142
|
|
|
if (1 !== preg_match(self::VSCHAR, $str)) { |
|
143
|
|
|
return false; |
|
144
|
|
|
} |
|
145
|
|
|
|
|
146
|
|
|
return $str; |
|
147
|
|
|
} |
|
148
|
|
|
} |
|
149
|
|
|
|
fkooman /
php-remote-storage
Loading history...
Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it.
The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production.
This check looks for comments that seem to be mostly valid code and reports them.