aboutsummaryrefslogtreecommitdiff
path: root/engine/lib
diff options
context:
space:
mode:
authoricewing <icewing@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-05-29 14:20:10 +0000
committericewing <icewing@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-05-29 14:20:10 +0000
commitd7bbb8c41ebdc3341237c1ca5fe7b39700f5fa6d (patch)
tree3434538780beeae4621125bf0f333a2587839421 /engine/lib
parentad54e40e2b2aede586f27efb94c9a29516c7f00f (diff)
downloadelgg-d7bbb8c41ebdc3341237c1ca5fe7b39700f5fa6d.tar.gz
elgg-d7bbb8c41ebdc3341237c1ca5fe7b39700f5fa6d.tar.bz2
Marcus Povey <marcus@dushka.co.uk>
* Introducing call_gatekeeper() git-svn-id: https://code.elgg.org/elgg/trunk@755 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib')
-rw-r--r--engine/lib/elgglib.php113
1 files changed, 112 insertions, 1 deletions
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index ada252dba..de723bd0d 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -954,5 +954,116 @@
return false;
}
}
-
+
+
+
+ /**
+ * Privilege elevation
+ */
+
+
+ /**
+ * Gatekeeper function which ensures that a we are being executed from
+ * a specified location.
+ *
+ * To use, call this function with the function name (and optional file location) that it has to be called
+ * from, it will either return true or false.
+ *
+ * e.g.
+ *
+ * function my_secure_function()
+ * {
+ * if (!call_gatekeeper("my_call_function"))
+ * return false;
+ *
+ * ... do secure stuff ...
+ * }
+ *
+ * function my_call_function()
+ * {
+ * // will work
+ * my_secure_function();
+ * }
+ *
+ * function bad_function()
+ * {
+ * // Will not work
+ * my_secure_function();
+ * }
+ *
+ * @param mixed $function The function that this function must have in its call stack,
+ * to test against a method pass an array containing a class and method name.
+ * @param string $file Optional file that the function must reside in.
+ */
+ function call_gatekeeper($function, $file = "")
+ {
+ // Sanity check
+ if (!$function)
+ return false;
+
+ // Check against call stack to see if this is being called from the correct location
+ $callstack = debug_backtrace();
+ $stack_element = false;
+
+ foreach ($callstack as $call)
+ {
+ if (is_array($function))
+ {
+ if (
+ (strcmp($call['class'], $function[0]) == 0) &&
+ (strcmp($call['function'], $function[1]) == 0)
+ )
+ $stack_element = $call;
+ }
+ else
+ {
+ if (strcmp($call['function'], $function) == 0)
+ $stack_element = $call;
+ }
+ }
+
+ if (!$stack_element)
+ return false;
+
+
+ // If file then check using regression that this it is being called from this function
+ if ($file)
+ {
+ $mirror = false;
+
+ if (is_array($function))
+ $mirror = new ReflectionMethod($stack_element['class'], $stack_element['function']);
+ else
+ $mirror = new ReflectionFunction($stack_element['function']);
+
+ // Sanity check
+ if (!$mirror) return false;
+
+ // Check file against function
+ if (!strcmp($file, $mirror->getFileName())==0)
+ return false;
+ }
+
+
+ return true;
+ }
+
+
+
+
+
+ // register privileged code block
+
+
+ // check for plugin function - use reflection to make sure that function is permitted to execute code as privileged
+ // Ensure that function can only be called from same dir tree -- compare where i'm called from to where function is.
+ // check for user function
+
+ // execute privileged code block
+ // trigger check event
+ // if ok then
+ // swap user
+ // execute
+ // swap user
+
?> \ No newline at end of file