diff --git a/webadvisor.php b/webadvisor.php new file mode 100644 --- /dev/null +++ b/webadvisor.php @@ -0,0 +1,237 @@ +. + */ + +require_once('inc/class.page.php'); + +/* + * Handle the scripts/webadvisor_tokenidx.js making a TOKENIDX + * callback, storing that TOKENIDX in our SESSION for later use. + */ +if (!empty($_GET['TOKENIDX'])) + { + page::session_start(); + + $_SESSION['webadvisor_TOKENIDX'] = $_GET['TOKENIDX']; + + $result = 'received ' . $_GET['TOKENIDX']; + + header('Content-Type: text/javascript; charset=utf-8'); + + if ($jsonp = !empty($_GET['callback'])) + echo $_GET['callback'] . '('; + echo json_encode($result); + if ($jsonp) + echo ");\n"; + exit; + } + +$page = page::page_create('WebAdvisor'); +$school = $page->get_school(); + +if (empty($school['webadvisor_url'])) + { + if (!empty($school['registration_url']) && preg_match(',(.*/WebAdvisor),', $school['registration_url'], $matches)) + $school['webadvisor_url'] = $matches[1]; + else + $school['webadvisor_url'] = $school['url'] . 'WebAdvisor'; + } + +/** + * \brief + * Calculate the URI necessary for logging into WebAdvisor. + * + * \param $school + * The school. + * \param $dest + * The URI to visit after the user has logged into WebAdvisor and + * the TOKENIDX has been communicated to $tokenidx_callback. + * \param $tokenidx_callback + * A JSONP-compatible callback which must be passed the TOKENIDX + * parameter the WebAdvisor is using. Treat as if is terminated with + * a `?' -- i.e., just append the querystring without the `?' to + * this URI when constructing the callback. To use, for example, in + * JavaScript you may create a DOMElement 'script' with attributes + * type="text/javascript" and + * src="$tokenidx_callback?callback=jsonp_callback&TOKENIDX=". When jsonp_callback gets called, your script knows + * that $dest may be returned to. Don't forget to allow the user to + * log in first. This is normally done by setting SP_CALLBACK GET + * variable to this value inserting the + * scripts/webadvisor_tokenidx.js script into the WebAdvisor login + * page using cross-site-scripting HTML injection such as through + * the ERROR GET parameter. + * \return + * Just ensure that $tokenidx_callback gets called; do not return + * except by redirecting to $dest. + */ +function webadvisor_login($page, array $school, $dest, $tokenidx_callback) +{ + if (strpos($dest, '?') !== FALSE) + $dest .= '&'; + else + $dest .= '?'; + $dest .= 'from_webadvisor'; + + $webadvisor_login_func = $school['id'] . '_webadvisor_login'; + if (function_exists($webadvisor_login_func)) + $webadvisor_login_func($school, $dest); + + /* + * The hack we are using is that somehow TOKENIDX=&SS=LGRQ&URL= + * will both initialize the user's browser with a token cookie and + * then redirect to URL. Trying to use the proper way of loading the + * LGRQ (using TYPE=P&PID=UT-LGRQ&PROCESS=-XUTAUTH01) doesn't work + * because it drops and ignores our URL parameter, leaving the user + * at the KV site. No other URL I've fiddled with seems to be able + * to do this combination of logging in and returning the user to us + * or a URI of our choosing. Once the user's browser has been + * initialized with a TOKENIDX, loading the page + * SS=LGRQ&URL=&ERROR= will preserve the ERROR= + * necessary for our XSS and insert it into the login page. + * + * HOWEVER, if the browser already has a TOKENIDX-related cookie, + * then visiting TOKENIDX=&SS=LGRQ&URL= will cause WebAdvisor + * to keep redirecting to itself infinitely. Similarly, if the + * browser does not yet have a TOKENIDX-related cookie, + * SS=LGRQ&URL= will redirect the user to URL without giving + * the user a cookie. Thus, our strategy is: + * + * 1. Send the user to + * SS=LGRQ&URL=&SP_CALLBACK=&ERROR=. In + * this case, the URL will be set to have `from_webadvisor' as a + * GET parameter and ERROR will be set to the appropriate XSS for + * the normal login form. Thus, if the user does not have a + * token, he will be directed here and sent to step #2 to get a + * token. Otherwise, the user will have a jump start (already + * having TOKENIDX cookies) and communicate his token to us while + * logging in. + * + * 2. If webadvisor.php is called with from_webadvisor, that means + * one of two things. It might mean that webadvisor_tokenidx.js + * was called successfully and we have the webadvisor TOKENIDX + * stored in our session. In that case, the user's browser + * already had a WebAdvisor TOKENIDX before we did #1; also, this + * function won't be called in that case because this function is + * only called if TOKENIDX is unknown. Thus, we don't know the + * TOKENIDX, meaning that we need to request that the WebAdvisor + * installation allocate a TOKENIDX for the user and _then_ + * proceed directly to the login page to send us TOKENIDX. + */ + + $login_form_uri = $school['webadvisor_url'] . '?SS=LGRQ&URL=' . rawurlencode($dest) + . '&SP_CALLBACK=' . rawurlencode($tokenidx_callback) + . '&ERROR=' . rawurlencode(''); + + if (isset($_GET['from_webadvisor'])) + /* + * Case 2, infer that browser needs TOKENIDX cookies _and_ that + * the following URI won't cause endless looping + * (hopefully). Unfortunately, this process is not reentrant. + */ + redir($school['webadvisor_url'] . '?TOKENIDX=&SS=LGRQ&URL=' . rawurlencode($login_form_uri)); + + /* + * Case 1, assume that the user has a TOKENIDX cookie _but_ make + * provisions ($dest has from_webadvisor in it) for needing to + * allocate that cookie. + */ + redir($login_form_uri); + + return array( + /* 'preload' => $school['webadvisor_url'] . '?TYPE=P&PID=UT-LGRQ&PROCESS=-XUTAUTH01&URL=', */ + 'uri' => $school['webadvisor_url'] . '?SS=LGRQ&URL=' . rawurlencode($login_form_uri), + ); +} + +function redir($dest) +{ + header('HTTP/1.1 302 Found'); + header('Location: ' . $dest); + header('Content-Type: text/plain; charset=utf-8'); + echo 'Location: ' . $dest; + exit; +} + +/* + * If the page load was not a redirection from webadvisor, we must + * clear our local cache of TOKENIDX's value. We need to get a new + * token because we can't guess what SS= value the ST-WERG form will + * take unless if we start with a new TOKENIDX which doesn't have any + * SSes yet. Also, the old token may have (very likely) expired + * because of the short login timeout. + */ +if (!isset($_GET['from_webadvisor'])) + unset($_SESSION['webadvisor_TOKENIDX']); + +if (empty($_SESSION['webadvisor_TOKENIDX'])) + { + /* + * Get a token for the ST-WERG form and have the user perform the + * WebAdmin-specific login. This can only be done after the login form + * has an SS allocated for it. + */ + webadvisor_login($page, $school, page::uri_resolve('webadvisor.php') . '?r=' . rand() + . '§ions=' . rawurlencode(empty($_GET['sections']) ? '' : $_GET['sections']) + . '&school=' . rawurlencode($school['id']), + page::uri_resolve('webadvisor.php?')); + } + +/* + * Use the hopefully-still-valid TOKENIDX to initialize an ST-WERG + * (STudent Web[A]dvisor Express ReGistration) form. When that form is + * iniailized, assume that it has SS=1 and submit the form. &APP=ST + */ +$TOKENIDX = $_SESSION['webadvisor_TOKENIDX']; +$page->head(); +echo '
' . PHP_EOL; +echo '

'; + +$uri = $school['webadvisor_url'] . '?TOKENIDX=' . $TOKENIDX . '&TYPE=P&PID=ST-WERG'; +$onload_html = '="' . htmlentities('javascript:document.getElementById(\'sp-webadvisor-form\').submit()', ENT_QUOTES) . '"'; +echo ' Loading WebAdvisor Express Registration form (ST-WERG)…' . PHP_EOL; +echo ' If you are not redirected after 16 seconds, you may try: ' . PHP_EOL; + +$sections = explode(',', empty($_GET['sections']) ? '' : $_GET['sections']); +echo ' ' . PHP_EOL; +echo ' ' . PHP_EOL; +for ($i = 1; $i <= 5; $i ++) + echo //' ' . PHP_EOL; + ' ' . PHP_EOL; +$course_num = 1; +foreach ($sections as $course) + { + echo ' ' . PHP_EOL; + for ($i = 2; $i <= 5; $i ++) + echo ' ' . PHP_EOL; + $course_num ++; + } +while ($course_num < 10) + { + for ($i = 1; $i <= 5; $i ++) + echo ' ' . PHP_EOL; + $course_num ++; + } +echo ' ' . PHP_EOL; +echo ' ' . PHP_EOL; +echo '

'; +echo '
'; + +$page->foot();