2017-07-16 00:42:37 +02:00
|
|
|
<?php defined('BLUDIT') or die('Bludit Badass CMS.');
|
2015-08-08 02:39:10 +02:00
|
|
|
|
|
|
|
class Security extends dbJSON
|
|
|
|
{
|
|
|
|
private $dbFields = array(
|
|
|
|
'minutesBlocked'=>5,
|
2015-08-12 22:15:17 +02:00
|
|
|
'numberFailuresAllowed'=>10,
|
2015-08-18 04:02:19 +02:00
|
|
|
'blackList'=>array()
|
2015-08-08 02:39:10 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
function __construct()
|
|
|
|
{
|
2017-07-16 00:42:37 +02:00
|
|
|
parent::__construct(DB_SECURITY);
|
2015-08-08 02:39:10 +02:00
|
|
|
}
|
|
|
|
|
2015-09-08 02:51:48 +02:00
|
|
|
// ====================================================
|
|
|
|
// TOKEN FOR CSRF
|
|
|
|
// ====================================================
|
|
|
|
|
2017-07-16 00:42:37 +02:00
|
|
|
// Generate and save the token in Session
|
2015-11-28 15:47:03 +01:00
|
|
|
public function generateTokenCSRF()
|
2015-09-08 02:51:48 +02:00
|
|
|
{
|
2017-07-16 00:42:37 +02:00
|
|
|
$token = sha1( uniqid().time() );
|
2015-10-20 05:14:28 +02:00
|
|
|
Session::set('tokenCSRF', $token);
|
2015-09-08 02:51:48 +02:00
|
|
|
}
|
|
|
|
|
2017-07-16 00:42:37 +02:00
|
|
|
// Validate the token
|
2015-11-28 15:47:03 +01:00
|
|
|
public function validateTokenCSRF($token)
|
2015-09-08 02:51:48 +02:00
|
|
|
{
|
2017-07-16 00:42:37 +02:00
|
|
|
$sessionToken = $this->getTokenCSRF();
|
2015-09-08 02:51:48 +02:00
|
|
|
return ( !empty($sessionToken) && ($sessionToken===$token) );
|
|
|
|
}
|
|
|
|
|
2017-07-16 00:42:37 +02:00
|
|
|
// Returns the token
|
2015-11-28 15:47:03 +01:00
|
|
|
public function getTokenCSRF()
|
2015-09-08 02:51:48 +02:00
|
|
|
{
|
2015-10-20 05:14:28 +02:00
|
|
|
return Session::get('tokenCSRF');
|
2015-09-08 02:51:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// ====================================================
|
|
|
|
// BRUTE FORCE PROTECTION
|
|
|
|
// ====================================================
|
|
|
|
|
2015-08-12 22:15:17 +02:00
|
|
|
public function isBlocked()
|
|
|
|
{
|
|
|
|
$ip = $this->getUserIp();
|
|
|
|
|
2017-07-16 00:42:37 +02:00
|
|
|
if (!isset($this->db['blackList'][$ip])) {
|
2015-08-12 22:15:17 +02:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
$currentTime = time();
|
|
|
|
$userBlack = $this->db['blackList'][$ip];
|
|
|
|
$numberFailures = $userBlack['numberFailures'];
|
|
|
|
$lastFailure = $userBlack['lastFailure'];
|
2015-08-08 02:39:10 +02:00
|
|
|
|
2017-07-16 00:42:37 +02:00
|
|
|
// Check if the IP is expired, then is not blocked
|
|
|
|
if ($currentTime > $lastFailure + ($this->db['minutesBlocked']*60)) {
|
2015-08-12 22:15:17 +02:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2017-07-16 00:42:37 +02:00
|
|
|
// The IP has more failures than number of failures, then the IP is blocked
|
|
|
|
if ($numberFailures >= $this->db['numberFailuresAllowed']) {
|
2015-08-18 04:02:19 +02:00
|
|
|
Log::set(__METHOD__.LOG_SEP.'IP Blocked:'.$ip);
|
2015-08-12 22:15:17 +02:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2017-07-16 00:42:37 +02:00
|
|
|
// Otherwise the IP is not blocked
|
2015-08-12 22:15:17 +02:00
|
|
|
return false;
|
|
|
|
}
|
2015-08-08 02:39:10 +02:00
|
|
|
|
2017-07-16 00:42:37 +02:00
|
|
|
// Add or update the current client IP on the blacklist
|
|
|
|
public function addToBlacklist()
|
2015-08-08 02:39:10 +02:00
|
|
|
{
|
|
|
|
$ip = $this->getUserIp();
|
2015-08-12 22:15:17 +02:00
|
|
|
$currentTime = time();
|
|
|
|
$numberFailures = 1;
|
|
|
|
|
2017-07-16 00:42:37 +02:00
|
|
|
if (isset($this->db['blackList'][$ip])) {
|
2015-08-18 04:02:19 +02:00
|
|
|
$userBlack = $this->db['blackList'][$ip];
|
|
|
|
$lastFailure = $userBlack['lastFailure'];
|
|
|
|
|
2017-07-16 00:42:37 +02:00
|
|
|
// Check if the IP is expired, then renew the number of failures
|
|
|
|
if($currentTime <= $lastFailure + ($this->db['minutesBlocked']*60)) {
|
2015-08-18 04:02:19 +02:00
|
|
|
$numberFailures = $userBlack['numberFailures'];
|
|
|
|
$numberFailures = $numberFailures + 1;
|
|
|
|
}
|
2015-08-12 22:15:17 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$this->db['blackList'][$ip] = array('lastFailure'=>$currentTime, 'numberFailures'=>$numberFailures);
|
2015-08-18 04:02:19 +02:00
|
|
|
Log::set(__METHOD__.LOG_SEP.'Blacklist, IP:'.$ip.', Number of failures:'.$numberFailures);
|
2017-07-16 00:42:37 +02:00
|
|
|
return $this->save();
|
2015-08-08 02:39:10 +02:00
|
|
|
}
|
|
|
|
|
2015-08-18 04:18:57 +02:00
|
|
|
public function getNumberFailures($ip=null)
|
|
|
|
{
|
|
|
|
if(empty($ip)) {
|
|
|
|
$ip = $this->getUserIp();
|
|
|
|
}
|
|
|
|
|
|
|
|
if(isset($this->db['blackList'][$ip])) {
|
|
|
|
$userBlack = $this->db['blackList'][$ip];
|
|
|
|
return $userBlack['numberFailures'];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-08-08 02:39:10 +02:00
|
|
|
public function getUserIp()
|
|
|
|
{
|
2017-07-16 00:42:37 +02:00
|
|
|
if (getenv('HTTP_X_FORWARDED_FOR')) {
|
2015-08-08 02:39:10 +02:00
|
|
|
$ip = getenv('HTTP_X_FORWARDED_FOR');
|
2017-07-16 00:42:37 +02:00
|
|
|
} elseif (getenv('HTTP_CLIENT_IP')) {
|
2015-08-08 02:39:10 +02:00
|
|
|
$ip = getenv('HTTP_CLIENT_IP');
|
2017-07-16 00:42:37 +02:00
|
|
|
} else {
|
2015-08-08 02:39:10 +02:00
|
|
|
$ip = getenv('REMOTE_ADDR');
|
2017-07-16 00:42:37 +02:00
|
|
|
}
|
2015-08-08 02:39:10 +02:00
|
|
|
return $ip;
|
|
|
|
}
|
2015-11-28 15:47:03 +01:00
|
|
|
}
|