raspap-webgui-mirror/includes/functions.php
glaszig 0967a53152 validate token value from csrf token header
if supplied and not overridden by post request param
2019-08-06 20:55:16 +02:00

567 lines
21 KiB
PHP
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?php
/* Functions for Networking */
function mask2cidr($mask)
{
$long = ip2long($mask);
$base = ip2long('255.255.255.255');
return 32-log(($long ^ $base)+1, 2);
}
/* Functions to write ini files */
function write_php_ini($array, $file)
{
$res = array();
foreach ($array as $key => $val) {
if (is_array($val)) {
$res[] = "[$key]";
foreach ($val as $skey => $sval) {
$res[] = "$skey = $sval";
}
} else {
$res[] = "$key = $val";
}
}
if (safefilerewrite($file, implode(PHP_EOL, $res))) {
return true;
} else {
return false;
}
}
function safefilerewrite($fileName, $dataToSave)
{
if ($fp = fopen($fileName, 'w')) {
$startTime = microtime(true);
do {
$canWrite = flock($fp, LOCK_EX);
// If lock not obtained sleep for 0 - 100 milliseconds, to avoid collision and CPU load
if (!$canWrite) {
usleep(round(rand(0, 100)*1000));
}
} while ((!$canWrite)and((microtime(true)-$startTime) < 5));
//file was locked so now we can store information
if ($canWrite) {
fwrite($fp, $dataToSave.PHP_EOL);
flock($fp, LOCK_UN);
}
fclose($fp);
return true;
} else {
return false;
}
}
/**
*
* Add CSRF Token to form
*
*/
function CSRFToken()
{
?>
<input id="csrf_token" type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES);
; ?>" />
<?php
}
/**
* Retuns a CSRF meta tag (for use with xhr, for example)
*/
function CSRFMetaTag()
{
$token = htmlspecialchars($_SESSION['csrf_token']);
return '<meta name="csrf_token" content="' . $token . '">';
}
/**
*
* Validate CSRF Token
*
*/
function CSRFValidate()
{
$post_token = $_POST['csrf_token'];
$header_token = $_SERVER['HTTP_X_CSRF_TOKEN'];
if (empty($post_token) && empty($header_token)) {
return false;
}
$request_token = $post_token;
if (empty($post_token)) {
$request_token = $header_token;
}
if (hash_equals($_SESSION['csrf_token'], $request_token)) {
return true;
} else {
error_log('CSRF violation');
return false;
}
}
/**
* Should the request be CSRF-validated?
*/
function csrfValidateRequest()
{
$request_method = strtolower($_SERVER['REQUEST_METHOD']);
return in_array($request_method, [ "post", "put", "patch", "delete" ]);
}
/**
* Handle invalid CSRF
*/
function handleInvalidCSRFToken()
{
header('HTTP/1.1 500 Internal Server Error');
header('Content-Type: text/plain');
echo 'Invalid CSRF token';
exit;
}
/**
* Test whether array is associative
*/
function isAssoc($arr)
{
return array_keys($arr) !== range(0, count($arr) - 1);
}
/**
*
* Display a selector field for a form. Arguments are:
* $name: Field name
* $options: Array of options
* $selected: Selected option (optional)
* If $options is an associative array this should be the key
*
*/
function SelectorOptions($name, $options, $selected = null, $id = null)
{
echo '<select class="form-control" name="'.htmlspecialchars($name, ENT_QUOTES).'"';
if (isset($id)) {
echo ' id="' . htmlspecialchars($id, ENT_QUOTES) .'"';
}
echo '>' , PHP_EOL;
foreach ($options as $opt => $label) {
$select = '';
$key = isAssoc($options) ? $opt : $label;
if ($key == $selected) {
$select = ' selected="selected"';
}
echo '<option value="'.htmlspecialchars($key, ENT_QUOTES).'"'.$select.'>'.
htmlspecialchars($label, ENT_QUOTES).'</option>' , PHP_EOL;
}
echo '</select>' , PHP_EOL;
}
/**
*
* @param string $input
* @param string $string
* @param int $offset
* @param string $separator
* @return $string
*/
function GetDistString($input, $string, $offset, $separator)
{
$string = substr($input, strpos($input, $string)+$offset, strpos(substr($input, strpos($input, $string)+$offset), $separator));
return $string;
}
/**
*
* @param array $arrConfig
* @return $config
*/
function ParseConfig($arrConfig)
{
$config = array();
foreach ($arrConfig as $line) {
$line = trim($line);
if ($line == "" || $line[0] == "#") { continue; }
list($option, $value) = array_map("trim", explode("=", $line, 2));
if (empty($config[$option])) {
$config[$option] = $value ?: true;
} else {
if (!is_array($config[$option])) {
$config[$option] = [ $config[$option] ];
}
$config[$option][] = $value;
}
}
return $config;
}
/**
*
* @param string $freq
* @return $channel
*/
function ConvertToChannel($freq)
{
if ($freq >= 2412 && $freq <= 2484) {
$channel = ($freq - 2407)/5;
} elseif ($freq >= 4915 && $freq <= 4980) {
$channel = ($freq - 4910)/5 + 182;
} elseif ($freq >= 5035 && $freq <= 5865) {
$channel = ($freq - 5030)/5 + 6;
} else {
$channel = -1;
}
if ($channel >= 1 && $channel <= 196) {
return $channel;
} else {
return 'Invalid Channel';
}
}
/**
* Converts WPA security string to readable format
* @param string $security
* @return string
*/
function ConvertToSecurity($security)
{
$options = array();
preg_match_all('/\[([^\]]+)\]/s', $security, $matches);
foreach ($matches[1] as $match) {
if (preg_match('/^(WPA\d?)/', $match, $protocol_match)) {
$protocol = $protocol_match[1];
$matchArr = explode('-', $match);
if (count($matchArr) > 2) {
$options[] = htmlspecialchars($protocol . ' ('. $matchArr[2] .')', ENT_QUOTES);
} else {
$options[] = htmlspecialchars($protocol, ENT_QUOTES);
}
}
}
if (count($options) === 0) {
// This could also be WEP but wpa_supplicant doesn't have a way to determine
// this.
// And you shouldn't be using WEP these days anyway.
return 'Open';
} else {
return implode('<br />', $options);
}
}
/**
*
*
*/
function DisplayOpenVPNConfig()
{
exec('cat '. RASPI_OPENVPN_CLIENT_CONFIG, $returnClient);
exec('cat '. RASPI_OPENVPN_SERVER_CONFIG, $returnServer);
exec('pidof openvpn | wc -l', $openvpnstatus);
if ($openvpnstatus[0] == 0) {
$status = '<div class="alert alert-warning alert-dismissable">OpenVPN is not running
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button></div>';
} else {
$status = '<div class="alert alert-success alert-dismissable">OpenVPN is running
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button></div>';
}
// parse client settings
foreach ($returnClient as $a) {
if ($a[0] != "#") {
$arrLine = explode(" ", $a) ;
$arrClientConfig[$arrLine[0]]=$arrLine[1];
}
}
// parse server settings
foreach ($returnServer as $a) {
if ($a[0] != "#") {
$arrLine = explode(" ", $a) ;
$arrServerConfig[$arrLine[0]]=$arrLine[1];
}
}
?>
<div class="row">
<div class="col-lg-12">
<div class="panel panel-primary">
<div class="panel-heading"><i class="fa fa-lock fa-fw"></i> Configure OpenVPN </div>
<!-- /.panel-heading -->
<div class="panel-body">
<!-- Nav tabs -->
<ul class="nav nav-tabs">
<li class="active"><a href="#openvpnclient" data-toggle="tab">Client settings</a></li>
<li><a href="#openvpnserver" data-toggle="tab">Server settings</a></li>
</ul>
<!-- Tab panes -->
<div class="tab-content">
<p><?php echo $status; ?></p>
<div class="tab-pane fade in active" id="openvpnclient">
<h4>Client settings</h4>
<form role="form" action="?page=save_hostapd_conf" method="POST">
<div class="row">
<div class="form-group col-md-4">
<label>Select OpenVPN configuration file (.ovpn)</label>
<input type="file" name="openvpn-config">
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Client Log</label>
<input type="text" class="form-control" id="disabledInput" name="log-append" type="text" placeholder="<?php echo htmlspecialchars($arrClientConfig['log-append'], ENT_QUOTES); ?>" disabled="disabled" />
</div>
</div>
</div>
<div class="tab-pane fade" id="openvpnserver">
<h4>Server settings</h4>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Port</label>
<input type="text" class="form-control" name="openvpn_port" value="<?php echo htmlspecialchars($arrServerConfig['port'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Protocol</label>
<input type="text" class="form-control" name="openvpn_proto" value="<?php echo htmlspecialchars($arrServerConfig['proto'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Root CA certificate</label>
<input type="text" class="form-control" name="openvpn_rootca" placeholder="<?php echo htmlspecialchars($arrServerConfig['ca'], ENT_QUOTES); ?>" disabled="disabled" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Server certificate</label>
<input type="text" class="form-control" name="openvpn_cert" placeholder="<?php echo htmlspecialchars($arrServerConfig['cert'], ENT_QUOTES); ?>" disabled="disabled" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Diffie Hellman parameters</label>
<input type="text" class="form-control" name="openvpn_dh" placeholder="<?php echo htmlspecialchars($arrServerConfig['dh'], ENT_QUOTES); ?>" disabled="disabled" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">KeepAlive</label>
<input type="text" class="form-control" name="openvpn_keepalive" value="<?php echo htmlspecialchars($arrServerConfig['keepalive'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Server log</label>
<input type="text" class="form-control" name="openvpn_status" placeholder="<?php echo htmlspecialchars($arrServerConfig['status'], ENT_QUOTES); ?>" disabled="disabled" />
</div>
</div>
</div>
<input type="submit" class="btn btn-outline btn-primary" name="SaveOpenVPNSettings" value="Save settings" />
<?php
if ($hostapdstatus[0] == 0) {
echo '<input type="submit" class="btn btn-success" name="StartOpenVPN" value="Start OpenVPN" />' , PHP_EOL;
} else {
echo '<input type="submit" class="btn btn-warning" name="StopOpenVPN" value="Stop OpenVPN" />' , PHP_EOL;
}
?>
</form>
</div><!-- /.panel-body -->
</div><!-- /.panel-primary -->
<div class="panel-footer"> Information provided by openvpn</div>
</div><!-- /.col-lg-12 -->
</div><!-- /.row -->
<?php
}
/**
*
*
*/
function DisplayTorProxyConfig()
{
exec('cat '. RASPI_TORPROXY_CONFIG, $return);
exec('pidof tor | wc -l', $torproxystatus);
if ($torproxystatus[0] == 0) {
$status = '<div class="alert alert-warning alert-dismissable">TOR is not running
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button></div>';
} else {
$status = '<div class="alert alert-success alert-dismissable">TOR is running
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button></div>';
}
$arrConfig = array();
foreach ($return as $a) {
if ($a[0] != "#") {
$arrLine = explode(" ", $a) ;
$arrConfig[$arrLine[0]]=$arrLine[1];
}
}
?>
<div class="row">
<div class="col-lg-12">
<div class="panel panel-primary">
<div class="panel-heading"><i class="fa fa-eye-slash fa-fw"></i> Configure TOR proxy</div>
<!-- /.panel-heading -->
<div class="panel-body">
<!-- Nav tabs -->
<ul class="nav nav-tabs">
<li class="active"><a href="#basic" data-toggle="tab">Basic</a>
</li>
<li><a href="#relay" data-toggle="tab">Relay</a>
</li>
</ul>
<!-- Tab panes -->
<div class="tab-content">
<p><?php echo $status; ?></p>
<div class="tab-pane fade in active" id="basic">
<h4>Basic settings</h4>
<form role="form" action="?page=save_hostapd_conf" method="POST">
<div class="row">
<div class="form-group col-md-4">
<label for="code">VirtualAddrNetwork</label>
<input type="text" class="form-control" name="virtualaddrnetwork" value="<?php echo htmlspecialchars($arrConfig['VirtualAddrNetwork'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">AutomapHostsSuffixes</label>
<input type="text" class="form-control" name="automaphostssuffixes" value="<?php echo htmlspecialchars($arrConfig['AutomapHostsSuffixes'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">AutomapHostsOnResolve</label>
<input type="text" class="form-control" name="automaphostsonresolve" value="<?php echo htmlspecialchars($arrConfig['AutomapHostsOnResolve'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">TransListenAddress</label>
<input type="text" class="form-control" name="translistenaddress" value="<?php echo htmlspecialchars($arrConfig['TransListenAddress'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">DNSPort</label>
<input type="text" class="form-control" name="dnsport" value="<?php echo htmlspecialchars($arrConfig['DNSPort'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">DNSListenAddress</label>
<input type="text" class="form-control" name="dnslistenaddress" value="<?php echo htmlspecialchars($arrConfig['DNSListenAddress'], ENT_QUOTES); ?>" />
</div>
</div>
</div>
<div class="tab-pane fade" id="relay">
<h4>Relay settings</h4>
<div class="row">
<div class="form-group col-md-4">
<label for="code">ORPort</label>
<input type="text" class="form-control" name="orport" value="<?php echo htmlspecialchars($arrConfig['ORPort'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">ORListenAddress</label>
<input type="text" class="form-control" name="orlistenaddress" value="<?php echo htmlspecialchars($arrConfig['ORListenAddress'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Nickname</label>
<input type="text" class="form-control" name="nickname" value="<?php echo htmlspecialchars($arrConfig['Nickname'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Address</label>
<input type="text" class="form-control" name="address" value="<?php echo htmlspecialchars($arrConfig['Address'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">RelayBandwidthRate</label>
<input type="text" class="form-control" name="relaybandwidthrate" value="<?php echo htmlspecialchars($arrConfig['RelayBandwidthRate'], ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">RelayBandwidthBurst</label>
<input type="text" class="form-control" name="relaybandwidthburst" value="<?php echo htmlspecialchars($arrConfig['RelayBandwidthBurst'], ENT_QUOTES); ?>" />
</div>
</div>
</div>
<input type="submit" class="btn btn-outline btn-primary" name="SaveTORProxySettings" value="Save settings" />
<?php
if ($torproxystatus[0] == 0) {
echo '<input type="submit" class="btn btn-success" name="StartTOR" value="Start TOR" />' , PHP_EOL;
} else {
echo '<input type="submit" class="btn btn-warning" name="StopTOR" value="Stop TOR" />' , PHP_EOL;
};
?>
</form>
</div><!-- /.tab-content -->
</div><!-- /.panel-body -->
<div class="panel-footer"> Information provided by tor</div>
</div><!-- /.panel-primary -->
</div><!-- /.col-lg-12 -->
</div><!-- /.row -->
<?php
}
/**
*
*
*/
function SaveTORAndVPNConfig()
{
if (isset($_POST['SaveOpenVPNSettings'])) {
// TODO
} elseif (isset($_POST['SaveTORProxySettings'])) {
// TODO
} elseif (isset($_POST['StartOpenVPN'])) {
echo "Attempting to start openvpn";
exec('sudo /etc/init.d/openvpn start', $return);
foreach ($return as $line) {
echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
}
} elseif (isset($_POST['StopOpenVPN'])) {
echo "Attempting to stop openvpn";
exec('sudo /etc/init.d/openvpn stop', $return);
foreach ($return as $line) {
echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
}
} elseif (isset($_POST['StartTOR'])) {
echo "Attempting to start TOR";
exec('sudo /etc/init.d/tor start', $return);
foreach ($return as $line) {
echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
}
} elseif (isset($_POST['StopTOR'])) {
echo "Attempting to stop TOR";
exec('sudo /etc/init.d/tor stop', $return);
foreach ($return as $line) {
echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
}
}
}