RanchiMall/php-mpos
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e7bace5550
php-mpos/public/index.php
xisi e7bace5550 basic logging, adds logs folder to root dir 
htaccess to block access to the logs
by default, only log warnings
simple config check to see if that folder is writable

warning if changeNoFee is used
warning if setLocked is used
warning if changeAdmin is used
warning if when logging in that IP is different than saved IP
info if a login fails with bad user or password
warning if a user is locked via failed logins
info if an update/etc fails with bad pin
warning if a user is locked via failed pins
info when a pin request is sent
warning when a pin request email doesn't send
warning when trying to request pin reset and incorrect password
info when a twofactor token sent
warning if twofactor email doesn't send
warning when a user tries to request multiple of the same type of token
info when a twofactor token is deleted
warning if a twofactor token fails to delete
warning when an invalid change password token is used
info on successful account update
warning when reset password is called and IP doesn't match saved IP, info otherwise
warning if isAuthenticated falls through and kills a session
2014-01-31 13:11:38 -05:00

204 lines
8.6 KiB
PHP
Raw Blame History

<?php
/*
Copyright:: 2013, Sebastian Grewe
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Set a decently long SECURITY key with special chars etc
define('SECURITY', '*)WT#&YHfd');
// Whether or not to check SECHASH for validity, still checks if SECURITY defined as before if disabled
define('SECHASH_CHECK', false);
// Nothing below here to configure, move along...
// change SECHASH every second, we allow up to 3 sec back for slow servers
if (SECHASH_CHECK) {
function fip($tr=0) { return md5(SECURITY.(time()-$tr).SECURITY); }
define('SECHASH', fip());
function cfip() { return (fip()==SECHASH||fip(1)==SECHASH||fip(2)==SECHASH) ? 1 : 0; }
} else {
function cfip() { return (@defined('SECURITY')) ? 1 : 0; }
}
// This should be okay
// No but Its now, - Aim
define("BASEPATH", dirname(__FILE__) . "/");
// all our includes and config etc are now in bootstrap
include_once('include/bootstrap.php');
// switch to https if config option is enabled
$hts = ($config['https_only'] && (!empty($_SERVER['QUERY_STRING']))) ? "https://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."?".$_SERVER['QUERY_STRING'] : "https://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME'];
($config['https_only'] && @!$_SERVER['HTTPS']) ? exit(header("Location: ".$hts)):0;
if ($config['memcache']['enabled'] && $config['mc_antidos']['enabled']) {
if (PHP_OS == 'WINNT') {
require_once(CLASS_DIR . 'memcached.class.php');
}
// memcache antidos needs a memcache handle
$memcache = new Memcached();
$memcache->addServer($config['memcache']['host'], $config['memcache']['port']);
}
if ($config['memcache']['enabled'] && $config['mc_antidos']['enabled']) {
require_once(CLASS_DIR . '/memcache_ad.class.php');
}
$session_start = @session_start();
session_set_cookie_params(time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
if (!$session_start) {
if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
$log->LogInfo("Forcing session id regeneration for ".$_SERVER['REMOTE_ADDR']." [hijack attempt?]");
}
session_destroy();
session_regenerate_id(true);
session_start();
}
@setcookie(session_name(), session_id(), time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
// Rate limiting
if ($config['memcache']['enabled'] && $config['mc_antidos']['enabled']) {
$skip_check = false;
// if this is an api call we need to be careful not to time them out for those calls separately
$per_page = '';
$ajax_calls = array(
array('api', 'getuserbalance'),
array('api', 'getnavbardata'),
array('api', 'getdashboarddata'),
array('api', 'getuserworkers')
);
$iac = 0;
foreach ($ajax_calls as $ac) {
$iac = (@$_REQUEST['page'] == $ac[0] && @$_REQUEST['action'] == $ac[1]) ? $iac+=1 : $iac;
}
$is_ajax_call = ($iac > 0) ? true : false;
if ($is_ajax_call && $config['mc_antidos']['protect_ajax']) {
$per_page = 'api';
} else if ($is_ajax_call && !$config['mc_antidos']['protect_ajax']) {
// protect isn't on, we'll ignore it
$skip_check = true;
} else if ($config['mc_antidos']['ignore_admins'] && isset($_SESSION['USERDATA']['is_admin']) && $_SESSION['USERDATA']['is_admin']) {
$skip_check = true;
}
if (!$skip_check) {
$mcad = new MemcacheAntiDos($config, $memcache, $per_page);
if ($config['mc_antidos']['protect_ajax'] && $is_ajax_call && $mcad->rate_limit_api_request) {
exit(header('HTTP/1.1 401 Unauthorized'));
}
$error_page = $config['mc_antidos']['error_push_page'];
if ($mcad->rate_limit_site_request) {
if (!is_array($error_page) || count($error_page) < 1 || (empty($error_page['page']) && empty($error_page['action']))) {
die("You are sending too many requests too fast!");
} else {
$_REQUEST['page'] = $error_page['page'];
$_REQUEST['action'] = (isset($error_page['action']) && !empty($error_page['action'])) ? $error_page['action'] : $_REQUEST['action'];
}
}
}
}
// Got past rate limiter and session manager
// show last logged in popup if it's still set
if (@$_GET['clp'] == 1 && @$_SESSION['last_ip_pop']) unset($_SESSION['last_ip_pop']);
if (count(@$_SESSION['last_ip_pop']) == 2) {
$data = $_SESSION['last_ip_pop'];
$ip = filter_var($data[0], FILTER_VALIDATE_IP);
$time = date("l, F jS \a\\t g:i a", $data[1]);
$closelink = "<a href='index.php?page=dashboard&clp=1' style='float:right;padding-right:14px;'>Close</a>";
if (@$_SESSION['AUTHENTICATED'] && $_SESSION['last_ip_pop'][0] !== $_SERVER['REMOTE_ADDR']) {
$_SESSION['POPUP'][] = array('CONTENT' => "You last logged in from <b>$ip</b> on $time $closelink", 'TYPE' => 'warning');
} else {
$_SESSION['POPUP'][] = array('CONTENT' => "You last logged in from <b>$ip</b> on $time $closelink", 'TYPE' => 'info');
}
}
// version check and config check if not disabled
if (@$_SESSION['USERDATA']['is_admin'] && $user->isAdmin(@$_SESSION['USERDATA']['id'])) {
require_once(INCLUDE_DIR . '/version.inc.php');
if (!@$config['skip_config_tests']) {
require_once(INCLUDE_DIR . '/admin_checks.php');
}
}
// Create our pages array from existing files
if (is_dir(INCLUDE_DIR . '/pages/')) {
foreach (glob(INCLUDE_DIR . '/pages/*.inc.php') as $filepath) {
$filename = basename($filepath);
$pagename = substr($filename, 0, strlen($filename) - 8);
$arrPages[$pagename] = $filename;
$debug->append("Adding $pagename as " . $filename . " to accessible pages", 4);
}
}
// Set a default action here if no page has been requested
@$_REQUEST['page'] = (is_array($_REQUEST['page']) || !isset($_REQUEST['page'])) ? 'home' : $_REQUEST['page'];
if (isset($_REQUEST['page']) && isset($arrPages[$_REQUEST['page']])) {
$page = $_REQUEST['page'];
} else if (isset($_REQUEST['page']) && ! isset($arrPages[$_REQUEST['page']])) {
$page = 'error';
} else {
$page = 'home';
}
// Create our pages array from existing files
if (is_dir(INCLUDE_DIR . '/pages/' . $page)) {
foreach (glob(INCLUDE_DIR . '/pages/' . $page . '/*.inc.php') as $filepath) {
$filename = basename($filepath);
$pagename = substr($filename, 0, strlen($filename) - 8);
$arrActions[$pagename] = $filename;
$debug->append("Adding $pagename as " . $filename . ".inc.php to accessible actions", 4);
}
}
// Default to empty (nothing) if nothing set or not known
$action = (isset($_REQUEST['action']) && !is_array($_REQUEST['action'])) && isset($arrActions[$_REQUEST['action']]) ? $_REQUEST['action'] : "";
// Check csrf token validity if necessary
if ($config['csrf']['enabled'] && isset($_POST['ctoken']) && !empty($_POST['ctoken']) && !is_array($_POST['ctoken'])) {
$csrftoken->valid = ($csrftoken->checkBasic($user->getCurrentIP(), $arrPages[$page], $_POST['ctoken'])) ? 1 : 0;
} else if ($config['csrf']['enabled'] && (!@$_POST['ctoken'] || empty($_POST['ctoken']))) {
$csrftoken->valid = 0;
}
if ($config['csrf']['enabled']) $smarty->assign('CTOKEN', $csrftoken->getBasic($user->getCurrentIP(), $arrPages[$page]));
// Load the page code setting the content for the page OR the page action instead if set
if (!empty($action)) {
$debug->append('Loading Action: ' . $action . ' -> ' . $arrActions[$action], 1);
require_once(PAGES_DIR . '/' . $page . '/' . $arrActions[$action]);
} else {
$debug->append('Loading Page: ' . $page . ' -> ' . $arrPages[$page], 1);
require_once(PAGES_DIR . '/' . $arrPages[$page]);
}
define('PAGE', $page);
define('ACTION', $action);
// For our content inclusion
$smarty->assign("PAGE", $page);
$smarty->assign("ACTION", $action);
// Now with all loaded and processed, setup some globals we need for smarty templates
if ($page != 'api') require_once(INCLUDE_DIR . '/smarty_globals.inc.php');
// Load debug information into template
$debug->append("Loading debug information into template", 4);
$smarty->assign('DebuggerInfo', $debug->getDebugInfo());
$smarty->assign('RUNTIME', (microtime(true) - $dStartTime) * 1000);
// Display our page
if (!@$supress_master) $smarty->display($master_template, $smarty_cache_key);
// Unset any temporary values here
unset($_SESSION['POPUP']);
?>
Reference in New Issue View Git Blame Copy Permalink