Skip to content

Commit

Permalink
Security/API (beta) improvements
Browse files Browse the repository at this point in the history
  • Loading branch information
@nilsteampassnet
nilsteampassnet committed May 3, 2014
1 parent d801608 commit 8820c89
Show file tree
Hide file tree
Showing 17 changed files with 112 additions and 84 deletions.
2 changes: 0 additions & 2 deletions admin.php
View file
Expand Up @@ -42,8 +42,6 @@
<h3>Some instructions</h3>
<span class="ui-icon ui-icon-wrench" style="float: left; margin-right: .3em;">&nbsp;</span>
Access to <a target="_blank" href="http://www.teampass.net" style="font-weight:bold;font-style:italic;">TeamPass website</a><br />
<span class="ui-icon ui-icon-wrench" style="float: left; margin-right: .3em;">&nbsp;</span>
For any kind of Help and Support, please use the <a target="_blank" href="http://www.teampass.net/forum" style="font-weight:bold;font-style:italic;">Forum</a><br />
<span class="ui-icon ui-icon-wrench" style="float: left; margin-right: .3em;">&nbsp;</span>
You discovered a Bug or you have an improvement Proposal, please use the <a target="_blank" href="https://github.com/nilsteampassnet/TeamPass/issues" style="font-weight:bold;font-style:italic;">Github channel</a>. <i>If you are not sure, always use the Forum before to obtain a confirmation. This will prevent having to much open tickets at Github</i>.<br />
<div style="text-align:center;margin-top:10px;">
Expand Down
3 changes: 2 additions & 1 deletion admin.settings_api.php
View file
Expand Up @@ -230,7 +230,7 @@ function newIPDB()
function ip_update(id, value, ip)
{
$("#api_db_type").val("admin_action_api_save_key");
$("#api_db_type").val("admin_action_api_save_ip");
$("#api_db_id").val(id);
$("#api_db_action").val("update");
$("#div_key").show();
Expand Down Expand Up @@ -261,6 +261,7 @@ function ip_update(id, value, ip)
$("#api_db_message").html("'.$txt['error_too_long'].'");
exit;
}
$("#div_loading").show();
var $this = $(this);
// send query
Expand Down
9 changes: 0 additions & 9 deletions api/config.php
View file

This file was deleted.

50 changes: 23 additions & 27 deletions api/functions.php
View file
@@ -1,4 +1,19 @@
<?php
/**
*
* @file configapi.php
* @author Nils Laumaillé
* @version 2.1.20
* @copyright (c) 2009-2014 Nils Laumaillé
* @licensing GNU AFFERO GPL 3.0
* @link http://www.teampass.net
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/

$teampass_config_file = "../includes/settings.php";

function teampass_api_enabled() {
$bdd = teampass_connect();
Expand All @@ -9,7 +24,7 @@ function teampass_api_enabled() {
function teampass_whitelist() {
$bdd = teampass_connect();
$apiip_pool = teampass_get_ips();
if (count($apiip_pool) > 0 && !array_search($_SERVER['REMOTE_ADDR'], $apiip_pool)) {
if (count($apiip_pool) > 0 && array_search($_SERVER['REMOTE_ADDR'], $apiip_pool) === false) {
rest_error('IPWHITELIST');
}
}
Expand Down Expand Up @@ -169,36 +184,19 @@ function rest_get () {

if ($GLOBALS['request'][0] == "read") {
if($GLOBALS['request'][1] == "category") {
$array_category = explode(';',$GLOBALS['request'][2]);

foreach($array_category as $category) {
if(!preg_match_all("/^([\w\:\'\-\sàáâãäåçèéêëìíîïðòóôõöùúûüýÿ]+)$/i", $category,$result)) {
rest_error('CATEGORY_MALFORMED');
}
}

if(count($array_category) > 1 && count($array_category) < 5) {
for ($i = count($array_category); $i > 0; $i--) {
$slot = $i - 1;
if (!$slot) {
$category_query .= "select id from ".$GLOBALS['pre']."nested_tree where title LIKE '".$array_category[$slot]."' AND parent_id = 0";
} else {
$category_query .= "select id from ".$GLOBALS['pre']."nested_tree where title LIKE '".$array_category[$slot]."' AND parent_id = (";
}
}
for ($i = 1; $i < count($array_category); $i++) { $category_query .= ")"; }
} elseif (count($array_category) == 1) {
$category_query = "select id from ".$GLOBALS['pre']."nested_tree where title LIKE '".$array_category[0]."' AND parent_id = 0";
// get ids
if (strpos($GLOBALS['request'][2],",") > 0) {
$condition = "id_tree IN (".$GLOBALS['request'][2].")";
} else {
rest_error ('NO_CATEGORY');
$condition = "id_tree = '".$GLOBALS['request'][2]."'";
}
$response = $bdd->query("select id,label,login,pw from ".$GLOBALS['pre']."items where id_tree = (".$category_query.")");
$response = $bdd->query("select id,label,login,pw from ".$GLOBALS['pre']."items where ".$condition);
while ($data = $response->fetch())
{
$id = $data['id'];
$json[$id]['label'] = utf8_encode($data['label']);
$json[$id]['login'] = utf8_encode($data['login']);
// $json[$id]['pw'] = teampass_decrypt_pw($data['pw'],SALT,$rand_key);
$json[$id]['pw'] = teampass_decrypt_pw($data['pw'],SALT,$rand_key);
}
} elseif($GLOBALS['request'][1] == "item") {
$array_category = explode(';',$GLOBALS['request'][2]);
Expand Down Expand Up @@ -325,6 +323,4 @@ function teampass_decrypt_pw($encrypted, $salt, $rand_key, $itcount = 2072)
$encrypted = substr($encrypted, 0, -64);
if ($mac !== hash_hmac('sha256', $encrypted, $salt)) return null;
return substr(rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, 'ctr', $iv), "\0\4"), strlen($rand_key));
}

?>
}
15 changes: 14 additions & 1 deletion api/index.php
View file
@@ -1,6 +1,19 @@
<?php
/**
*
* @file indexapi.php
* @author Nils Laumaillé
* @version 2.1.20
* @copyright (c) 2009-2014 Nils Laumaillé
* @licensing GNU AFFERO GPL 3.0
* @link http://www.teampass.net
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/

require_once('config.php');
//require_once('config.php');
require_once('functions.php');

header('Content-Type: application/json');
Expand Down
2 changes: 1 addition & 1 deletion includes/include.php
View file
Expand Up @@ -39,4 +39,4 @@
'manage_views' => 'views.php',
'manage_main' => 'admin.php',
'manage_settings' => 'admin.settings.php'
);
);
1 change: 1 addition & 0 deletions items.load.php
View file
Expand Up @@ -2617,6 +2617,7 @@ function prepareOneTimeView()
function(data) {
//check if format error
if (data[0].error == "") {
$("#div_dialog_message").dialog({minHeight:500,minWidth:750});
$("#div_dialog_message").dialog('open');
$("#div_dialog_message_text").html(data[0].url);
} else {
Expand Down
18 changes: 9 additions & 9 deletions items.php
View file
Expand Up @@ -96,13 +96,13 @@
<input type="hidden" id="pf_selected" />';
// Hidden objects for Item search
if (isset($_GET['group']) && isset($_GET['id'])) {
echo '<input type="hidden" name="open_folder" id="open_folder" value="'.$_GET['group'].'" />';
echo '<input type="hidden" name="open_id" id="open_id" value="'.$_GET['id'].'" />';
echo '<input type="hidden" name="recherche_group_pf" id="recherche_group_pf" value="', in_array($_GET['group'], $_SESSION['personal_visible_groups']) ? '1' : '', '" />';
echo '<input type="hidden" name="open_folder" id="open_folder" value="'.htmlspecialchars($_GET['group']).'" />';
echo '<input type="hidden" name="open_id" id="open_id" value="'.htmlspecialchars($_GET['id']).'" />';
echo '<input type="hidden" name="recherche_group_pf" id="recherche_group_pf" value="', in_array(htmlspecialchars($_GET['group']), $_SESSION['personal_visible_groups']) ? '1' : '', '" />';
} elseif (isset($_GET['group']) && !isset($_GET['id'])) {
echo '<input type="hidden" name="open_folder" id="open_folder" value="'.$_GET['group'].'" />';
echo '<input type="hidden" name="open_folder" id="open_folder" value="'.htmlspecialchars($_GET['group']).'" />';
echo '<input type="hidden" name="open_id" id="open_id" value="" />';
echo '<input type="hidden" name="recherche_group_pf" id="recherche_group_pf" value="', in_array($_GET['group'], $_SESSION['personal_visible_groups']) ? '1' : '', '" />';
echo '<input type="hidden" name="recherche_group_pf" id="recherche_group_pf" value="', in_array(htmlspecialchars($_GET['group']), $_SESSION['personal_visible_groups']) ? '1' : '', '" />';
} else {
echo '<input type="hidden" name="open_folder" id="open_folder" value="" />';
echo '<input type="hidden" name="open_id" id="open_id" value="" />';
Expand Down Expand Up @@ -230,7 +230,7 @@
}
// Prepare folder
$folderTxt = '
<li class="jstreeopen" id="li_'.$folder->id.'">';
<li class="jstreeopen" id="li_'.$folder->id.'" title="ID ['.$folder->id.']">';
if (in_array($folder->id, $_SESSION['groupes_visibles'])) {
$folderTxt .= '
<a id="fld_'.$folder->id.'" class="folder" onclick="ListerItems(\''.$folder->id.'\', \'\', 0);">'.$fldTitle.' (<span class="items_count" id="itcount_'.$folder->id.'">'.$itemsNb.'</span>';
Expand Down Expand Up @@ -358,7 +358,7 @@
<tr>
<td valign="top" class="td_title"><span class="ui-icon ui-icon-carat-1-e" style="float: left; margin-right: .3em;">&nbsp;</span>'.$txt['label'].' :</td>
<td>
<input type="hidden" id="hid_label" value="', isset($dataItem) ? $dataItem['label'] : '', '" />
<input type="hidden" id="hid_label" value="', isset($dataItem) ? htmlspecialchars($dataItem['label']) : '', '" />
<div id="id_label" style="display:inline;"></div>
</td>
</tr>';
Expand All @@ -367,7 +367,7 @@
<tr>
<td valign="top" class="td_title"><span class="ui-icon ui-icon-carat-1-e" style="float: left; margin-right: .3em;">&nbsp;</span>'.$txt['description'].' :</td>
<td>
<div id="id_desc" style="font-style:italic;display:inline;"></div><input type="hidden" id="hid_desc" value="', isset($dataItem) ? $dataItem['description'] : '', '" />
<div id="id_desc" style="font-style:italic;display:inline;"></div><input type="hidden" id="hid_desc" value="', isset($dataItem) ? htmlspecialchars($dataItem['description']) : '', '" />
</td>
</tr>';
// Line for PW
Expand Down Expand Up @@ -455,7 +455,7 @@
<tr class="tr_fields itemCatName_'.$itemCatName.'">
<td valign="top" class="td_title">&nbsp;&nbsp;<span class="ui-icon ui-icon-carat-1-e" style="float: left; margin: 0 .3em 0 15px; font-size:9px;">&nbsp;</span><i>'.$field[1].'</i> :</td>
<td>
<div id="id_field_'.$field[0].'" style="display:inline;" class="fields_div"></div><input type="hidden" id="hid_field_'.$field[0].'" class="fields" />
<div id="id_field_'.$field[0].'" style="display:inline;" class="fields_div"></div><input type="hidden" id="hid_field_'.htmlspecialchars($field[0]).'" class="fields" />
</td>
</tr>';
}
Expand Down
7 changes: 7 additions & 0 deletions otv.php
View file
Expand Up @@ -70,6 +70,13 @@

// get data
$pw = decrypt($dataItem['pw']);

// get key for original pw
$originalKey = $db->queryFirst('SELECT rand_key FROM `'.$pre.'keys` WHERE `table` LIKE "items" AND `id` ='.intval($_GET['item_id']));
// unsalt previous pw
$pw = substr(decrypt($dataItem['pw']), strlen($originalKey['rand_key']));


$label = $dataItem['label'];
$email = $dataItem['email'];
$url = $dataItem['url'];
Expand Down
1 change: 1 addition & 0 deletions sources/admin.queries.php
View file
Expand Up @@ -919,6 +919,7 @@
'api',
array(
'label' => $_POST['label'],
'value' => $_POST['key'],
'timestamp' => time()
),
"id='".intval($_POST['id'])."'"
Expand Down
18 changes: 15 additions & 3 deletions sources/datatable/datatable.item_edition.php
View file
Expand Up @@ -31,6 +31,7 @@

//Columns name
$aColumns = array('e.timestamp', 'u.login', 'i.label', 'u.name', 'u.lastname');
$aSortTypes = array('ASC', 'DESC');

//init SQL variables
$sOrder = $sLimit = $sWhere = "";
Expand All @@ -39,19 +40,30 @@
//Paging
$sLimit = "";
if (isset($_GET['iDisplayStart']) && $_GET['iDisplayLength'] != '-1') {
$sLimit = "LIMIT ". $_GET['iDisplayStart'] .", ". $_GET['iDisplayLength'] ;
$sLimit = "LIMIT ". filter_var($_GET['iDisplayStart'], FILTER_SANITIZE_NUMBER_INT) .", ". filter_var($_GET['iDisplayLength'], FILTER_SANITIZE_NUMBER_INT)."";
}

//Ordering

if (isset($_GET['iSortCol_0'])) {
if (isset($_GET['iSortCol_0']) && in_array($_GET['iSortCol_0'], $aSortTypes)) {
$sOrder = "ORDER BY ";
for ($i=0; $i<intval($_GET['iSortingCols']); $i++) {
/*
for ($i=0; $i<intval($_GET['iSortingCols']); $i++) {
if ($_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true") {
$sOrder .= $aColumns[ intval(mysql_real_escape_string($_GET['iSortCol_'.$i])) ]."
".mysql_real_escape_string($_GET['sSortDir_'.$i]) .", ";
}
}
*/
for ($i=0; $i<intval($_GET['iSortingCols']); $i++) {
if (
$_GET[ 'bSortable_'.filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT)] == "true" &&
preg_match("#^(asc|desc)\$#i", $_GET['sSortDir_'.$i])
) {
$sOrder .= "".$aColumns[ filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT) ]." "
.mysql_real_escape_string($_GET['sSortDir_'.$i]) .", ";
}
}

$sOrder = substr_replace($sOrder, "", -2);
if ($sOrder == "ORDER BY") {
Expand Down
21 changes: 12 additions & 9 deletions sources/datatable/datatable.kb.php
View file
Expand Up @@ -31,6 +31,7 @@

//Columns name
$aColumns = array('id', 'category_id', 'label', 'description', 'author_id');
$aSortTypes = array('ASC', 'DESC');

//init SQL variables
$sWhere = $sOrder = $sLimit = "";
Expand All @@ -39,20 +40,22 @@
//Paging
$sLimit = "";
if (isset($_GET['iDisplayStart']) && $_GET['iDisplayLength'] != '-1') {
$sLimit = "LIMIT ". mysql_real_escape_string($_GET['iDisplayStart']) .", "
. mysql_real_escape_string($_GET['iDisplayLength']) ;
$sLimit = "LIMIT ". filter_var($_GET['iDisplayStart'], FILTER_SANITIZE_NUMBER_INT) .", ". filter_var($_GET['iDisplayLength'], FILTER_SANITIZE_NUMBER_INT)."";
}

//Ordering

if (isset($_GET['iSortCol_0'])) {
if (isset($_GET['iSortCol_0']) && in_array($_GET['iSortCol_0'], $aSortTypes)) {
$sOrder = "ORDER BY ";
for ($i=0; $i<intval($_GET['iSortingCols']); $i++) {
if ($_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true") {
$sOrder .= $aColumns[ intval(mysql_real_escape_string($_GET['iSortCol_'.$i])) ]."
".mysql_real_escape_string($_GET['sSortDir_'.$i]) .", ";
}
}
for ($i=0; $i<intval($_GET['iSortingCols']); $i++) {
if (
$_GET[ 'bSortable_'.filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT)] == "true" &&
preg_match("#^(asc|desc)\$#i", $_GET['sSortDir_'.$i])
) {
$sOrder .= "".$aColumns[ filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT) ]." "
.mysql_real_escape_string($_GET['sSortDir_'.$i]) .", ";
}
}

$sOrder = substr_replace($sOrder, "", -2);
if ($sOrder == "ORDER BY") {
Expand Down
21 changes: 12 additions & 9 deletions sources/datatable/datatable.logs.php
View file
Expand Up @@ -33,6 +33,7 @@
if (isset($_GET['action']) && $_GET['action'] == "connections") {
//Columns name
$aColumns = array('l.date', 'l.label', 'l.qui', 'u.login');
$aSortTypes = array('ASC', 'DESC');

//init SQL variables
$sWhere = $sOrder = $sLimit = "";
Expand All @@ -41,20 +42,22 @@
//Paging
$sLimit = "";
if (isset($_GET['iDisplayStart']) && $_GET['iDisplayLength'] != '-1') {
$sLimit = "LIMIT ". mysql_real_escape_string($_GET['iDisplayStart']) .", "
. mysql_real_escape_string($_GET['iDisplayLength']) ;
$sLimit = "LIMIT ". filter_var($_GET['iDisplayStart'], FILTER_SANITIZE_NUMBER_INT) .", ". filter_var($_GET['iDisplayLength'], FILTER_SANITIZE_NUMBER_INT)."";
}

//Ordering

if (isset($_GET['iSortCol_0'])) {
if (isset($_GET['iSortCol_0']) && in_array($_GET['iSortCol_0'], $aSortTypes)) {
$sOrder = "ORDER BY ";
for ($i=0; $i<intval($_GET['iSortingCols']); $i++) {
if ($_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true") {
$sOrder .= $aColumns[ intval(mysql_real_escape_string($_GET['iSortCol_'.$i])) ]."
".mysql_real_escape_string($_GET['sSortDir_'.$i]) .", ";
}
}
for ($i=0; $i<intval($_GET['iSortingCols']); $i++) {
if (
$_GET[ 'bSortable_'.filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT)] == "true" &&
preg_match("#^(asc|desc)\$#i", $_GET['sSortDir_'.$i])
) {
$sOrder .= "".$aColumns[ filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT) ]." "
.mysql_real_escape_string($_GET['sSortDir_'.$i]) .", ";
}
}

$sOrder = substr_replace($sOrder, "", -2);
if ($sOrder == "ORDER BY") {
Expand Down
21 changes: 12 additions & 9 deletions sources/datatable/datatable.users_logged.php
View file
Expand Up @@ -33,6 +33,7 @@

//Columns name
$aColumns = array('login', 'name', 'lastname', 'timestamp', 'last_connexion');
$aSortTypes = array('ASC', 'DESC');

//init SQL variables
$sOrder = $sLimit = "";
Expand All @@ -41,20 +42,22 @@
//Paging
$sLimit = "";
if (isset($_GET['iDisplayStart']) && $_GET['iDisplayLength'] != '-1') {
$sLimit = "LIMIT ". mysql_real_escape_string($_GET['iDisplayStart']) .", "
. mysql_real_escape_string($_GET['iDisplayLength']);
$sLimit = "LIMIT ". filter_var($_GET['iDisplayStart'], FILTER_SANITIZE_NUMBER_INT) .", ". filter_var($_GET['iDisplayLength'], FILTER_SANITIZE_NUMBER_INT)."";
}

//Ordering

if (isset($_GET['iSortCol_0'])) {
if (isset($_GET['iSortCol_0']) && in_array($_GET['iSortCol_0'], $aSortTypes)) {
$sOrder = "ORDER BY ";
for ($i=0; $i<intval($_GET['iSortingCols']); $i++) {
if ($_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true") {
$sOrder .= $aColumns[ intval(mysql_real_escape_string($_GET['iSortCol_'.$i])) ]."
".mysql_real_escape_string($_GET['sSortDir_'.$i]) .", ";
}
}
for ($i=0; $i<intval($_GET['iSortingCols']); $i++) {
if (
$_GET[ 'bSortable_'.filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT)] == "true" &&
preg_match("#^(asc|desc)\$#i", $_GET['sSortDir_'.$i])
) {
$sOrder .= "".$aColumns[ filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT) ]." "
.mysql_real_escape_string($_GET['sSortDir_'.$i]) .", ";
}
}

$sOrder = substr_replace($sOrder, "", -2);
if ($sOrder == "ORDER BY") {
Expand Down
1 change: 0 additions & 1 deletion sources/find.queries.php
View file
Expand Up @@ -84,7 +84,6 @@
if (isset($_GET['iSortCol_0']) && in_array($_GET['iSortCol_0'], $aSortTypes)) {
$sOrder = "ORDER BY ";
for ($i=0; $i<intval($_GET['iSortingCols']); $i++) {

if (
$_GET[ 'bSortable_'.filter_var($_GET['iSortCol_'.$i], FILTER_SANITIZE_NUMBER_INT)] == "true" &&
preg_match("#^(asc|desc)\$#i", $_GET['sSortDir_'.$i])
Expand Down

0 comments on commit 8820c89

Please sign in to comment.