Nigel Williams
2c133de5f3
Re-indent everything according to PEAR standard
2020-03-03 11:07:04 +11:00
James Alseth
d0e4db3245
Enhanced data validation to address YSA-2020-01
...
Co-authored-by: Marissa Nishimoto <marissa.nishimoto@yubico.com>
Co-authored-by: Gabriel Kihlman <g.kihlman@yubico.com>
Co-authored-by: Benno Rice <benno.rice@yubico.com>
Co-authored-by: Nigel Williams <nigel.williams@yubico.com>
2020-03-03 11:07:00 +11:00
Klas Lindfors
aaef07083a
make getHttpVal() take the array to extract from
...
refactor so verify early finds out which of $_GET and $_POST to use and
then stick to using only that for the entire flow.
sync only works with GET anyways so use $_GET directly.
2016-04-29 15:42:37 +02:00
Jean Paul Galea
4433285c33
Refactor.
2015-09-10 20:58:04 +02:00
Jean Paul Galea
ad167cd38a
Modified log messages.
...
- avoid doing what is already handled by the Log class.
- the log name is appended automatically,
so don't append it again in the invocation.
i.e. "ykval-verify"
- the log level name is also appended automatically,
so don't append it manually, especially when it doesn't match the log priority!
i.e. LOG_WARNING -> ":notice:"
- fix whitespace in some messages.
2015-09-10 20:53:56 +02:00
Jean Paul Galea
e6e379762a
Fix bug.
...
- fix fatal error when an empty sync request is sent to the server.
- logging boilerplate must be initiated before we start validating the request.
2015-09-09 15:17:01 +02:00
Jean Paul Galea
b417759932
Update copyright year.
2015-07-20 20:01:16 +00:00
Jean Paul Galea
ed169f49c5
Refactor.
...
- getLocalParams() returns array or bool false on failure.
2015-07-17 23:17:28 +02:00
Jean Paul Galea
d61acc2a71
Remove broken link.
2015-07-17 00:22:38 +02:00
Jean Paul Galea
c09908f111
Cosmetic changes.
...
- brackets, comment blocks.
2015-07-17 00:21:16 +02:00
Jean Paul Galea
cc4eba8a56
Cosmetic changes.
2015-07-17 00:11:07 +02:00
Jean Paul Galea
f4bb4d317e
Refactor.
...
- use variable substitution rather than concatenation.
- use single quotes where possible.
2015-07-17 00:10:28 +02:00
Jean Paul Galea
7d4a2940d6
Refactor.
...
- parse request before opening up a database connection
and init'ing synclib.
2015-07-17 00:03:41 +02:00
Jean Paul Galea
552c3f8939
Cosmetic changes.
...
- more consistency with comment style.
2015-07-16 23:56:12 +02:00
Jean Paul Galea
365636e34a
Cosmetic changes.
...
- spaces -> tabs
2015-07-16 23:53:08 +02:00
Jean Paul Galea
f5099b682d
Cosmetic changes.
2015-07-16 23:49:59 +02:00
Jean Paul Galea
3a344668d0
Refactor.
...
- move further down, easier to read, but no real benefit resource wise.
2015-07-16 23:46:59 +02:00
Jean Paul Galea
d8e5a1324b
Refactor.
...
- check for empty request first,
before opening up syslog.
2015-07-16 23:44:35 +02:00
Jean Paul Galea
ea97dbf73d
Refactor.
...
- before opening up a database connection (and init synclib),
verify request comes from whitelisted address first.
2015-07-16 23:41:22 +02:00
Jean Paul Galea
2196310a0b
Refactor.
...
- $apiKey is always '' and sendResp() $apiKey argument defaults to ''
2015-07-16 23:34:35 +02:00
Jean Paul Galea
dd4cb68b41
Refactor.
...
- $allowed is easier on the eyes.
- enabled in_array(, , TRUE) for strict comparison.
2015-07-16 23:29:11 +02:00
Jean Paul Galea
1d331555c5
Cosmetic changes.
...
- readability at the expense of long lines.
2015-07-16 23:28:20 +02:00
Jean Paul Galea
12e58b1dd0
Refactor.
...
- merge validation into one block.
2015-07-16 23:17:29 +02:00
Jean Paul Galea
742a0d73c2
Refactor.
...
- use simple comparisons and ctype for validation,
less resource intensive than regex.
2015-07-16 23:10:48 +02:00
Jean Paul Galea
dedfa0a149
Refactor.
...
- $ipaddr is easier on the eyes.
2015-07-16 23:00:29 +02:00
Jean Paul Galea
43e3585a49
Cosmetic changes.
2015-07-16 22:54:31 +02:00
Jean Paul Galea
291bd32bae
Refactor.
...
- after each sendResp() we had an exit;
- move exit; inside sendResp() function instead.
2015-07-16 22:47:16 +02:00
Jean Paul Galea
2ff2a7e42f
Cosmetic changes.
...
- remove tabs/space mix.
- use single quotes where possible.
2015-07-15 15:38:22 +02:00
Jean Paul Galea
e76c5002f2
Drop php closing tags.
2015-07-15 15:14:25 +02:00
Simon Josefsson
92297d3c4d
Drop log level of useless messages.
2014-09-24 13:05:09 +02:00
Klas Lindfors
ecd49aca59
change wiki links
2014-09-23 10:36:39 +02:00
Simon Josefsson
276616d871
Use LF as EOL consistently.
2013-04-17 17:24:50 +02:00
Dain Nilsson
807cab0f6d
Nitpicking
2013-02-13 12:50:18 +01:00
Dain Nilsson
ee1f040b00
Updated copyright headers.
2013-02-04 17:39:36 +01:00
Dain Nilsson
ad88ccdb1f
Updated references to old Google Code project.
2013-02-04 17:06:32 +01:00
Fredrik Thulin
54d7110036
Less verbose logging when verifying remote IP.
2012-06-18 12:42:39 +02:00
Fredrik Thulin
38185be07d
Fix errors with our new logging code :(
2012-06-15 11:59:42 +02:00
Klas Lindfors
0f0a23694a
Merge branch 'master' of github.com:Yubico/yubikey-val-server-php
2012-06-14 16:44:54 +02:00
Klas Lindfors
9ac5741e6c
only warn about replays if the delta is more than 1 (or less than -1)
2012-06-14 16:44:19 +02:00
Fredrik Thulin
765620f17b
Merge branch 'master' of github.com:Yubico/yubikey-val-server-php into devel/refactor_retrieveURLasync
2012-06-14 15:19:19 +02:00
Klas Lindfors
6c9edb0db2
instead of passing context to sendResp, give it a logger.
2012-06-14 15:15:47 +02:00
Fredrik Thulin
46180c9de9
Merge branch 'master' of github.com:Yubico/yubikey-val-server-php into devel/refactor_retrieveURLasync
2012-06-14 15:00:47 +02:00
Klas Lindfors
01969a279e
let sendResp take one more parameter $context
...
use for logging if it's a response to sync or verify.
2012-06-14 14:55:50 +02:00
Fredrik Thulin
0fe0be9980
Restore responding BAD_OTP if YubiKey is disabled.
...
It seems that we might get into problems if responding OK - the other
sync client validation server would think we approved of the OTP.
2012-06-14 13:30:04 +02:00
Fredrik Thulin
a852e860db
Don't refuse sync for disabled YubiKeys.
...
It is better to consume any OTPs produced by a YubiKey, so if -
for some reason - another validation server has accepted an OTP
we'd better bump our counter values accordingly.
2012-06-14 12:56:05 +02:00
Fredrik Thulin
283c34b0e4
Downgrade 'Sync request unnecessarily sent' to INFO.
...
Also add comment explaining that this is not an error (and why).
2012-06-13 10:10:04 +02:00
Klas Lindfors
d2bceb62b1
if the sync request is empty, drop it as early as possible.
2012-06-13 09:32:38 +02:00
Fredrik Thulin
af292fbcd6
Spelling, and more informational logging.
2012-06-12 14:50:31 +02:00
Fredrik Thulin
57866dc829
More explanatory logging.
2012-06-12 14:21:56 +02:00
Fredrik Thulin
22841cce43
Slightly less verbose log for remote IP check.
2012-05-29 15:36:02 +02:00