Update Nonce.php
This commit is contained in:
parent
bdd07d6cb2
commit
9e79d225fa
1 changed files with 50 additions and 43 deletions
|
@ -4,88 +4,95 @@ namespace gp\tool;
|
|||
|
||||
defined('is_running') or die('Not an entry point...');
|
||||
|
||||
/**
|
||||
* A class for creating and verifying nonces (numbers used once) , self-contained and uses the secure HMAC method for hashing
|
||||
*/
|
||||
class Nonce{
|
||||
|
||||
/**
|
||||
* Hashing algorithm for the nonce.
|
||||
*/
|
||||
private const NONCE_ALGO = 'sha512';
|
||||
|
||||
|
||||
/**
|
||||
* Generate a nerw nonce
|
||||
* @param string $action Should be the same $action that is passed to Verify()
|
||||
* @param bool $anon True if the nonce is being used for anonymous users
|
||||
* @param int $factor Determines the length of time the generated nonce will be valid. The default 43200 will result in a 24hr period of time.
|
||||
* @return string
|
||||
*
|
||||
* Generate a new nonce.
|
||||
* @param string $action A string identifying the action.
|
||||
* @param bool $anon True if the nonce is for an anonymous user.
|
||||
* @param int $factor Determines the nonce's validity period.
|
||||
* @return string The generated nonce.
|
||||
*/
|
||||
public static function Create($action='none', $anon=false, $factor=43200){
|
||||
public static function Create($action = 'none', $anon = false, $factor = 43200){
|
||||
global $gpAdmin;
|
||||
|
||||
$nonce = $action;
|
||||
if( !$anon && !empty($gpAdmin['username']) ){
|
||||
$nonce .= $gpAdmin['username'];
|
||||
$nonce_base = $action;
|
||||
if (!$anon && !empty($gpAdmin['username'])) {
|
||||
$nonce_base .= $gpAdmin['username'];
|
||||
}
|
||||
|
||||
return self::Hash($nonce, 0, $factor);
|
||||
return self::Hash($nonce_base, 0, $factor);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Verify a nonce ($check_nonce)
|
||||
*
|
||||
* @param string $action Should be the same $action that is passed to new_nonce()
|
||||
* @param mixed $check_nonce The user submitted nonce or false if $_REQUEST['_gpnonce'] can be used
|
||||
* @param bool $anon True if the nonce is being used for anonymous users
|
||||
* @param int $factor Determines the length of time the generated nonce will be valid. The default 43200 will result in a 24hr period of time.
|
||||
* @return bool Return false if the $check_nonce did not pass. true if passed
|
||||
* Verify a submitted nonce using a timing-attack-safe comparison.
|
||||
*
|
||||
* @param string $action A string identifying the action.
|
||||
* @param mixed $check_nonce The user-submitted nonce. If false, checks $_REQUEST['_gpnonce'].
|
||||
* @param bool $anon True if the nonce is for an anonymous user.
|
||||
* @param int $factor Determines the nonce's validity period.
|
||||
* @return bool Returns true if the nonce is valid, false otherwise.
|
||||
*/
|
||||
public static function Verify($action='none', $check_nonce=false, $anon=false, $factor=43200 ){
|
||||
public static function Verify($action = 'none', $check_nonce = false, $anon = false, $factor = 43200){
|
||||
global $gpAdmin;
|
||||
|
||||
if( $check_nonce === false ){
|
||||
$check_nonce =& $_REQUEST['_gpnonce'];
|
||||
if ($check_nonce === false) {
|
||||
$check_nonce = $_REQUEST['_gpnonce'] ?? '';
|
||||
}
|
||||
|
||||
if( empty($check_nonce) ){
|
||||
if (empty($check_nonce) || !is_string($check_nonce)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$nonce = $action;
|
||||
if( !$anon ){
|
||||
if( empty($gpAdmin['username']) ){
|
||||
$nonce_base = $action;
|
||||
if (!$anon) {
|
||||
if (empty($gpAdmin['username'])) {
|
||||
return false;
|
||||
}
|
||||
$nonce .= $gpAdmin['username'];
|
||||
$nonce_base .= $gpAdmin['username'];
|
||||
}
|
||||
|
||||
// Nonce generated 0-12 hours ago
|
||||
if( self::Hash( $nonce, 0, $factor ) === $check_nonce ){
|
||||
|
||||
$expected_current = self::Hash($nonce_base, 0, $factor);
|
||||
if (hash_equals($expected_current, $check_nonce)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Nonce generated 12-24 hours ago
|
||||
if( self::Hash( $nonce, 1, $factor ) === $check_nonce ){
|
||||
$expected_previous = self::Hash($nonce_base, 1, $factor);
|
||||
if (hash_equals($expected_previous, $check_nonce)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Invalid nonce
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Generate a nonce hash
|
||||
*
|
||||
* @param string $nonce
|
||||
* @param int $tick_offset
|
||||
* @param int $factor Determines the length of time the generated nonce will be valid. The default 43200 will result in a 24hr period of time.
|
||||
* Generates a nonce hash now using the secure HMAC method instead of the global \gp\tool::hash().
|
||||
*
|
||||
* @param string $nonce_base The base string for the nonce.
|
||||
* @param int $tick_offset An offset for the time tick.
|
||||
* @param int $factor Determines the nonce's validity period.
|
||||
* @return string The calculated HMAC hash.
|
||||
*/
|
||||
public static function Hash($nonce, $tick_offset=0, $factor=43200){
|
||||
public static function Hash($nonce_base, $tick_offset = 0, $factor = 43200){
|
||||
global $config;
|
||||
|
||||
$nonce_tick = ceil(time() / $factor) - $tick_offset;
|
||||
$nonce = $nonce . $config['gpuniq'] . $nonce_tick;
|
||||
$nonce_tick = ceil(time() / $factor) - $tick_offset;
|
||||
|
||||
return \gp\tool::hash($nonce,gp_nonce_algo, 2);
|
||||
$key = $config['gpuniq'];
|
||||
|
||||
$data = $nonce_base . $nonce_tick;
|
||||
|
||||
return hash_hmac(self::NONCE_ALGO, $data, $key);
|
||||
}
|
||||
}
|
||||
}
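Review bot: In the new `Hash()`, `$key = $config['gpuniq'];` is used as the HMAC key without checking that it is set and non-empty, so a missing or blank `gpuniq` silently yields an HMAC keyed with an empty string (and a null-to-string deprecation on PHP 8.1+) rather than failing closed; since `Create()` and `Verify()` both go through this method, one guard covers both, e.g. `$key = (string) ($config['gpuniq'] ?? '');` followed by `if ($key === '') { throw new \RuntimeException('gpuniq is not configured'); }` — assuming `$config` is always loaded before this class is used, which this hunk cannot show. A second, smaller point is that the HMAC input `$nonce_base . $nonce_tick` is built by plain concatenation of action, username and tick, so distinct (action, username) pairs can produce the same base string; a fixed delimiter between the fields (for example `"\0"`) removes that ambiguity at no cost beyond invalidating nonces issued before the change. Finally, the `Hash()` docblock describes the change history ("now using ... instead of ...") rather than the contract; a line such as `* Returns an HMAC over the nonce base and the current time tick, keyed with $config['gpuniq'].` would serve future readers better.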
|