bludit/bl-kernel/security.class.php

<?php defined('BLUDIT') or die('Bludit Badass CMS.');

class Security extends dbJSON
{
	protected $dbFields = array(
		'minutesBlocked'=>5,
		'numberFailuresAllowed'=>10,
		'blackList'=>array()
	);

	function __construct()
	{
		parent::__construct(DB_SECURITY);
	}

	// ====================================================
	// TOKEN FOR CSRF
	// ====================================================

	// Generate and save the token in Session
	public function generateTokenCSRF()
	{
		$token = sha1( uniqid().time() );
		Session::set('tokenCSRF', $token);
		Log::set(__METHOD__.LOG_SEP.'New Token CSRF ['.$token.']');
	}

	// Validate the token
	public function validateTokenCSRF($token)
	{
		$sessionToken = $this->getTokenCSRF();
		return ( !empty($sessionToken) && ($sessionToken===$token) );
	}

	// Returns the token
	public function getTokenCSRF()
	{
		return Session::get('tokenCSRF');
	}

	// ====================================================
	// BRUTE FORCE PROTECTION
	// ====================================================

	public function isBlocked()
	{
		$ip = $this->getUserIp();

		if (!isset($this->db['blackList'][$ip])) {
			return false;
		}

		$currentTime = time();
		$userBlack = $this->db['blackList'][$ip];
		$numberFailures = $userBlack['numberFailures'];
		$lastFailure = $userBlack['lastFailure'];

		// Check if the IP is expired, then is not blocked
		if ($currentTime > $lastFailure + ($this->db['minutesBlocked']*60)) {
			return false;
		}

		// The IP has more failures than number of failures, then the IP is blocked
		if ($numberFailures >= $this->db['numberFailuresAllowed']) {
			Log::set(__METHOD__.LOG_SEP.'IP Blocked:'.$ip);
			return true;
		}

		// Otherwise the IP is not blocked
		return false;
	}

	// Add or update the current client IP on the blacklist
	public function addToBlacklist()
	{
		$ip = $this->getUserIp();
		$currentTime = time();
		$numberFailures = 1;

		if (isset($this->db['blackList'][$ip])) {
			$userBlack = $this->db['blackList'][$ip];
			$lastFailure = $userBlack['lastFailure'];

			// Check if the IP is expired, then renew the number of failures
			if($currentTime <= $lastFailure + ($this->db['minutesBlocked']*60)) {
				$numberFailures = $userBlack['numberFailures'];
				$numberFailures = $numberFailures + 1;
			}
		}

		$this->db['blackList'][$ip] = array('lastFailure'=>$currentTime, 'numberFailures'=>$numberFailures);
		Log::set(__METHOD__.LOG_SEP.'Blacklist, IP:'.$ip.', Number of failures:'.$numberFailures);
		return $this->save();
	}

	public function getNumberFailures($ip=null)
	{
		if(empty($ip)) {
			$ip = $this->getUserIp();
		}

		if(isset($this->db['blackList'][$ip])) {
			$userBlack = $this->db['blackList'][$ip];
			return $userBlack['numberFailures'];
		}
	}

	public function getUserIp()
	{
		return getenv('REMOTE_ADDR');
	}
}
Login and Security improves 2017-07-16 00:42:37 +02:00			`<?php defined('BLUDIT') or die('Bludit Badass CMS.');`
Bug fixes 2015-08-08 02:39:10 +02:00
			`class Security extends dbJSON`
			`{`
Migrate private variables to protected to allow to extend classes 2019-01-26 12:50:48 +01:00			`protected $dbFields = array(`
Bug fixes 2015-08-08 02:39:10 +02:00			`'minutesBlocked'=>5,`
Bug fixes 2015-08-12 22:15:17 +02:00			`'numberFailuresAllowed'=>10,`
Bruteforce protection 2015-08-18 04:02:19 +02:00			`'blackList'=>array()`
Bug fixes 2015-08-08 02:39:10 +02:00			`);`

			`function __construct()`
			`{`
Login and Security improves 2017-07-16 00:42:37 +02:00			`parent::__construct(DB_SECURITY);`
Bug fixes 2015-08-08 02:39:10 +02:00			`}`

Updates 2015-09-08 02:51:48 +02:00			`// ====================================================`
			`// TOKEN FOR CSRF`
			`// ====================================================`

Login and Security improves 2017-07-16 00:42:37 +02:00			`// Generate and save the token in Session`
Opengraph, Admin panel responsive, Improves on Security tokens 2015-11-28 15:47:03 +01:00			`public function generateTokenCSRF()`
Updates 2015-09-08 02:51:48 +02:00			`{`
Login and Security improves 2017-07-16 00:42:37 +02:00			`$token = sha1( uniqid().time() );`
Login access code via email 2015-10-20 05:14:28 +02:00			`Session::set('tokenCSRF', $token);`
Bug fixes 2018-07-28 18:33:37 +02:00			`Log::set(__METHOD__.LOG_SEP.'New Token CSRF ['.$token.']');`
Updates 2015-09-08 02:51:48 +02:00			`}`

Login and Security improves 2017-07-16 00:42:37 +02:00			`// Validate the token`
Opengraph, Admin panel responsive, Improves on Security tokens 2015-11-28 15:47:03 +01:00			`public function validateTokenCSRF($token)`
Updates 2015-09-08 02:51:48 +02:00			`{`
Login and Security improves 2017-07-16 00:42:37 +02:00			`$sessionToken = $this->getTokenCSRF();`
Updates 2015-09-08 02:51:48 +02:00			`return ( !empty($sessionToken) && ($sessionToken===$token) );`
			`}`

Login and Security improves 2017-07-16 00:42:37 +02:00			`// Returns the token`
Opengraph, Admin panel responsive, Improves on Security tokens 2015-11-28 15:47:03 +01:00			`public function getTokenCSRF()`
Updates 2015-09-08 02:51:48 +02:00			`{`
Login access code via email 2015-10-20 05:14:28 +02:00			`return Session::get('tokenCSRF');`
Updates 2015-09-08 02:51:48 +02:00			`}`

			`// ====================================================`
			`// BRUTE FORCE PROTECTION`
			`// ====================================================`

Bug fixes 2015-08-12 22:15:17 +02:00			`public function isBlocked()`
			`{`
			`$ip = $this->getUserIp();`

Login and Security improves 2017-07-16 00:42:37 +02:00			`if (!isset($this->db['blackList'][$ip])) {`
Bug fixes 2015-08-12 22:15:17 +02:00			`return false;`
			`}`

			`$currentTime = time();`
			`$userBlack = $this->db['blackList'][$ip];`
			`$numberFailures = $userBlack['numberFailures'];`
			`$lastFailure = $userBlack['lastFailure'];`
Bug fixes 2015-08-08 02:39:10 +02:00
Login and Security improves 2017-07-16 00:42:37 +02:00			`// Check if the IP is expired, then is not blocked`
			`if ($currentTime > $lastFailure + ($this->db['minutesBlocked']*60)) {`
Bug fixes 2015-08-12 22:15:17 +02:00			`return false;`
			`}`

Login and Security improves 2017-07-16 00:42:37 +02:00			`// The IP has more failures than number of failures, then the IP is blocked`
			`if ($numberFailures >= $this->db['numberFailuresAllowed']) {`
Bruteforce protection 2015-08-18 04:02:19 +02:00			`Log::set(__METHOD__.LOG_SEP.'IP Blocked:'.$ip);`
Bug fixes 2015-08-12 22:15:17 +02:00			`return true;`
			`}`

Login and Security improves 2017-07-16 00:42:37 +02:00			`// Otherwise the IP is not blocked`
Bug fixes 2015-08-12 22:15:17 +02:00			`return false;`
			`}`
Bug fixes 2015-08-08 02:39:10 +02:00
Login and Security improves 2017-07-16 00:42:37 +02:00			`// Add or update the current client IP on the blacklist`
			`public function addToBlacklist()`
Bug fixes 2015-08-08 02:39:10 +02:00			`{`
			`$ip = $this->getUserIp();`
Bug fixes 2015-08-12 22:15:17 +02:00			`$currentTime = time();`
			`$numberFailures = 1;`

Login and Security improves 2017-07-16 00:42:37 +02:00			`if (isset($this->db['blackList'][$ip])) {`
Bruteforce protection 2015-08-18 04:02:19 +02:00			`$userBlack = $this->db['blackList'][$ip];`
			`$lastFailure = $userBlack['lastFailure'];`

Login and Security improves 2017-07-16 00:42:37 +02:00			`// Check if the IP is expired, then renew the number of failures`
			`if($currentTime <= $lastFailure + ($this->db['minutesBlocked']*60)) {`
Bruteforce protection 2015-08-18 04:02:19 +02:00			`$numberFailures = $userBlack['numberFailures'];`
			`$numberFailures = $numberFailures + 1;`
			`}`
Bug fixes 2015-08-12 22:15:17 +02:00			`}`

			`$this->db['blackList'][$ip] = array('lastFailure'=>$currentTime, 'numberFailures'=>$numberFailures);`
Bruteforce protection 2015-08-18 04:02:19 +02:00			`Log::set(__METHOD__.LOG_SEP.'Blacklist, IP:'.$ip.', Number of failures:'.$numberFailures);`
Login and Security improves 2017-07-16 00:42:37 +02:00			`return $this->save();`
Bug fixes 2015-08-08 02:39:10 +02:00			`}`

Bruteforce protection 2015-08-18 04:18:57 +02:00			`public function getNumberFailures($ip=null)`
			`{`
			`if(empty($ip)) {`
			`$ip = $this->getUserIp();`
			`}`

			`if(isset($this->db['blackList'][$ip])) {`
			`$userBlack = $this->db['blackList'][$ip];`
			`return $userBlack['numberFailures'];`
			`}`
			`}`

Bug fixes 2015-08-08 02:39:10 +02:00			`public function getUserIp()`
			`{`
Remove use of headers that can be used to bypass anti-brute force controls 2019-10-05 19:21:28 +02:00			`return getenv('REMOTE_ADDR');`
Bug fixes 2015-08-08 02:39:10 +02:00			`}`
Opengraph, Admin panel responsive, Improves on Security tokens 2015-11-28 15:47:03 +01:00			`}`