<?php
/**
 * This file is part of the Shieldon package.
 *
 * (c) Terry L. <contact@terryl.in>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 * 
 * php version 7.1.0
 * 
 * @category  Web-security
 * @package   Shieldon
 * @author    Terry Lin <contact@terryl.in>
 * @copyright 2019 terrylinooo
 * @license   https://github.com/terrylinooo/shieldon/blob/2.x/LICENSE MIT
 * @link      https://github.com/terrylinooo/shieldon
 * @see       https://shieldon.io
 */

declare(strict_types=1);

namespace Shieldon\Firewall\Panel;

use Psr\Http\Message\ResponseInterface;
use Shieldon\Firewall\Panel\BaseController;
use function Shieldon\Firewall\__;
use function Shieldon\Firewall\get_request;
use function Shieldon\Firewall\unset_superglobal;
use function array_push;
use function array_values;
use function ctype_alnum;
use function str_replace;

/**
 * Security
 */
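class Security extends BaseController
{
    /**
     *   Public methods       | Description
     *  ----------------------|---------------------------------------------
     *   authentication       | The page for managing page authentication.
     *   xssProtection        | The page for managing XSS protection.
     *  ----------------------|---------------------------------------------
     */

    /**
     * Constructor
     */
    public function __construct()
    {
        parent::__construct();
    }

    /**
     * WWW-Authenticate.
     *
     * Manages the `www_authenticate` config list. Each entry is an array of
     * `url`, `user` and `pass`, where `pass` is a bcrypt hash produced by
     * password_hash() — the plaintext password is never persisted. A POST with
     * `action=add` appends an entry; `action=remove` deletes the entry at index
     * `order` and re-indexes the list.
     *
     * @return ResponseInterface
     */
    public function authentication(): ResponseInterface
    {
        $postParams = get_request()->getParsedBody();

        if ($this->checkPostParamsExist('url', 'user', 'pass', 'action')) {
            $url    = (string) $postParams['url'];
            $user   = (string) $postParams['user'];
            $pass   = (string) $postParams['pass'];
            $action = (string) $postParams['action'];

            // `order` is not covered by the required-params check above; see
            // orderIndex() for why a missing/invalid value must not become 0.
            $order = $this->orderIndex($postParams);

            // Refuse to store a credential with an empty user name or password:
            // such an entry would "protect" the URL with a trivially guessable
            // login. (checkPostParamsExist() may already reject empty values —
            // this guard is deliberately independent of that.)
            if ('add' === $action && ('' === $user || '' === $pass)) {
                $action = 'undefined';
            }

            $authenticatedList = (array) $this->getConfig('www_authenticate');

            if ('add' === $action) {
                $authenticatedList[] = [
                    'url'  => $url,
                    'user' => $user,
                    // Only the hash is stored; callers must check it with password_verify().
                    'pass' => password_hash($pass, PASSWORD_BCRYPT),
                ];
            } elseif ('remove' === $action) {
                // Unsetting a non-existent index (including -1) is a harmless no-op.
                unset($authenticatedList[$order]);
                // Keep the list dense (0..n-1) so later `order` values stay valid.
                $authenticatedList = array_values($authenticatedList);
            }

            $this->setConfig('www_authenticate', $authenticatedList);

            // Strip the form fields from $_POST before saveConfig(). saveConfig()
            // presumably merges the remaining POST fields into the config; this
            // keeps the plaintext `pass` (and the other form fields) out of it.
            foreach (['url', 'user', 'pass', 'action', 'order'] as $field) {
                unset_superglobal($field, 'post');
            }

            $this->saveConfig();
        }

        $data = [];

        $data['authentication_list'] = $this->getConfig('www_authenticate');

        $data['title'] = __('panel', 'title_web_authentication', 'Web Page Authentication');

        return $this->renderPage('panel/authentication', $data);
    }

    /**
     * XSS Protection.
     *
     * Two forms post here. `xss_form_1` carries only global toggles and is
     * handled entirely by saveConfig(). `xss_form_2` maintains the
     * `xss_protected_list` config list of `['type' => ..., 'variable' => ...]`
     * entries: `action=add` appends one (after validating the variable name),
     * `action=remove` deletes the entry at index `order`.
     *
     * @return ResponseInterface
     */
    public function xssProtection(): ResponseInterface
    {
        $postParams = get_request()->getParsedBody();

        if ($this->checkPostParamsExist('xss_form_1')) {
            // Nothing is set explicitly for form 1; the remaining POST fields are
            // (presumably) picked up by saveConfig() — see BaseController.
            foreach (['xss_form_1', 'order', 'submit'] as $field) {
                unset_superglobal($field, 'post');
            }

            $this->saveConfig();

        } elseif ($this->checkPostParamsExist('xss_form_2', 'type', 'action')) {
            $type   = (string) $postParams['type'];
            $action = (string) $postParams['action'];

            // `variable` and `order` are not part of the required-params check.
            // A missing `variable` used to reach str_replace() as null (a TypeError
            // under strict_types); defaulting to '' makes it fail validation below.
            $variable = (string) ($postParams['variable'] ?? '');

            // The index number in the $xssProtectedList, see below.
            $order = $this->orderIndex($postParams);

            // The variable name may contain only letters, digits and underscores
            // (ctype_alnum() on the remaining characters). ctype_alnum('') is
            // false, so an empty name is rejected as well.
            if (!ctype_alnum(str_replace('_', '', $variable))) {
                // @codeCoverageIgnoreStart
                // Ignore the `add` process.
                $action = 'undefined';
                // @codeCoverageIgnoreEnd
            }

            // NOTE(review): `type` is stored as posted. This file does not show
            // which values are meaningful (it presumably names a superglobal such
            // as get/post/cookie); the consumer of `xss_protected_list` must treat
            // unknown values safely, or a whitelist belongs here — confirm.
            $xssProtectedList = (array) $this->getConfig('xss_protected_list');

            if ('add' === $action) {
                $xssProtectedList[] = [
                    'type'     => $type,
                    'variable' => $variable,
                ];
            } elseif ('remove' === $action) {
                // Unsetting a non-existent index (including -1) is a harmless no-op.
                unset($xssProtectedList[$order]);
                // Keep the list dense (0..n-1) so later `order` values stay valid.
                $xssProtectedList = array_values($xssProtectedList);
            }

            $this->setConfig('xss_protected_list', $xssProtectedList);

            // Strip the form fields before saveConfig() merges what is left of $_POST.
            foreach (['xss_form_2', 'type', 'variable', 'action', 'order', 'submit'] as $field) {
                unset_superglobal($field, 'post');
            }

            $this->saveConfig();
        }

        $data = [];

        $data['xss_protected_list'] = $this->getConfig('xss_protected_list');

        $data['title'] = __('panel', 'title_xss_protection', 'XSS Protection');

        return $this->renderPage('panel/xss_protection', $data);
    }

    /**
     * Read the `order` field (an index into one of the config lists) from the
     * parsed request body.
     *
     * Returns -1 when the field is absent or is not a plain string of digits, so
     * that `unset($list[$order])` in the callers is a no-op. The previous
     * `(int) $postParams['order']` cast turned a missing or non-numeric value
     * into 0 and silently deleted the first entry of the list.
     *
     * @param array|null $postParams Parsed request body (anything that is not an
     *                               array yields -1).
     *
     * @return int A non-negative list index, or -1 when none was supplied.
     */
    private function orderIndex($postParams): int
    {
        $raw = is_array($postParams) ? ($postParams['order'] ?? null) : null;

        // ctype_digit() accepts only "0".."9" characters; this excludes negative
        // numbers, whitespace, arrays and the empty string.
        if (is_string($raw) && '' !== $raw && ctype_digit($raw)) {
            return (int) $raw;
        }

        return -1;
    }
}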
