Blame - system/libraries/Input.php - code-igniter-v3-giggi

blob: cac05c71d18991246a313a28b07195228befdefc [file] [log] [blame]

Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	1	<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	2	/**
Derek Allard	d2df9bc	2007-04-15 17:41:17 +0000	[diff] [blame]	3	* CodeIgniter
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	4	*
				5	* An open source application development framework for PHP 4.3.2 or newer
				6	*
				7	* @package CodeIgniter
Derek Allard	3d879d5	2008-01-18 19:41:32 +0000	[diff] [blame]	8	* @author ExpressionEngine Dev Team
Derek Allard	d2df9bc	2007-04-15 17:41:17 +0000	[diff] [blame]	9	* @copyright Copyright (c) 2006, EllisLab, Inc.
Derek Jones	7a9193a	2008-01-21 18:39:20 +0000	[diff] [blame]	10	* @license http://codeigniter.com/user_guide/license.html
				11	* @link http://codeigniter.com
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	12	* @since Version 1.0
				13	* @filesource
				14	*/
				15
				16	// ------------------------------------------------------------------------
				17
				18	/**
				19	* Input Class
				20	*
				21	* Pre-processes global input data for security
				22	*
				23	* @package CodeIgniter
				24	* @subpackage Libraries
				25	* @category Input
Derek Allard	3d879d5	2008-01-18 19:41:32 +0000	[diff] [blame]	26	* @author ExpressionEngine Dev Team
Derek Jones	7a9193a	2008-01-21 18:39:20 +0000	[diff] [blame]	27	* @link http://codeigniter.com/user_guide/libraries/input.html
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	28	*/
				29	class CI_Input {
				30	var $use_xss_clean = FALSE;
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	31	var $xss_hash = '';
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	32	var $ip_address = FALSE;
				33	var $user_agent = FALSE;
				34	var $allow_get_array = FALSE;
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	35
				36	/* never allowed, string replacement */
				37	var $never_allowed_str = array(
				38	'document.cookie' => '[removed]',
				39	'document.write' => '[removed]',
				40	'.parentNode' => '[removed]',
				41	'.innerHTML' => '[removed]',
				42	'window.location' => '[removed]',
				43	'-moz-binding' => '[removed]',
				44	'<!--' => '<!--',
				45	'-->' => '-->',
				46	'<![CDATA[' => '<![CDATA['
				47	);
				48	/* never allowed, regex replacement */
				49	var $never_allowed_regex = array(
				50	"javascript\s*:" => '[removed]',
				51	"expression\s*\(" => '[removed]', // CSS and IE
				52	"Redirect\s+302" => '[removed]'
				53	);
				54
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	55	/**
				56	* Constructor
				57	*
				58	* Sets whether to globally enable the XSS processing
				59	* and whether to allow the $_GET array
				60	*
				61	* @access public
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	62	*/
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	63	function CI_Input()
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	64	{
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	65	log_message('debug', "Input Class Initialized");
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	66
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	67	$CFG =& load_class('Config');
				68	$this->use_xss_clean = ($CFG->item('global_xss_filtering') === TRUE) ? TRUE : FALSE;
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	69	$this->allow_get_array = ($CFG->item('enable_query_strings') === TRUE) ? TRUE : FALSE;
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	70	$this->_sanitize_globals();
				71	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	72
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	73	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	74
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	75	/**
				76	* Sanitize Globals
				77	*
				78	* This function does the following:
				79	*
				80	* Unsets $_GET data (if query strings are not enabled)
				81	*
				82	* Unsets all globals if register_globals is enabled
				83	*
				84	* Standardizes newline characters to \n
				85	*
				86	* @access private
				87	* @return void
				88	*/
				89	function _sanitize_globals()
				90	{
Derek Jones	d85a11e	2008-01-24 20:48:07 +0000	[diff] [blame]	91	// Would kind of be "wrong" to unset any of these GLOBALS
				92	$protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA',
				93	'system_folder', 'application_folder', 'BM', 'EXT', 'CFG', 'URI', 'RTR', 'OUT', 'IN');
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	94
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	95	// Unset globals for security.
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	96	// This is effectively the same as register_globals = off
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	97	foreach (array($_GET, $_POST, $_COOKIE, $_SERVER, $_FILES, $_ENV, (isset($_SESSION) && is_array($_SESSION)) ? $_SESSION : array()) as $global)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	98	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	99	if ( ! is_array($global))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	100	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	101	if ( ! in_array($global, $protected))
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	102	{
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	103	unset($GLOBALS[$global]);
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	104	}
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	105	}
				106	else
				107	{
				108	foreach ($global as $key => $val)
				109	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	110	if ( ! in_array($key, $protected))
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	111	{
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	112	unset($GLOBALS[$key]);
				113	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	114
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	115	if (is_array($val))
				116	{
				117	foreach($val as $k => $v)
				118	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	119	if ( ! in_array($k, $protected))
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	120	{
				121	unset($GLOBALS[$k]);
				122	}
				123	}
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	124	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	125	}
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	126	}
				127	}
				128
				129	// Is $_GET data allowed? If not we'll set the $_GET to an empty array
				130	if ($this->allow_get_array == FALSE)
				131	{
				132	$_GET = array();
				133	}
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	134	else
				135	{
				136	if (is_array($_GET) AND count($_GET) > 0)
				137	{
				138	foreach($_GET as $key => $val)
				139	{
				140	$_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
				141	}
				142	}
				143	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	144
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	145	// Clean $_POST Data
				146	if (is_array($_POST) AND count($_POST) > 0)
				147	{
				148	foreach($_POST as $key => $val)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	149	{
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	150	$_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	151	}
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	152	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	153
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	154	// Clean $_COOKIE Data
				155	if (is_array($_COOKIE) AND count($_COOKIE) > 0)
				156	{
				157	foreach($_COOKIE as $key => $val)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	158	{
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	159	$_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	160	}
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	161	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	162
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	163	log_message('debug', "Global POST and COOKIE data sanitized");
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	164	}
				165
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	166	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	167
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	168	/**
				169	* Clean Input Data
				170	*
				171	* This is a helper function. It escapes data and
				172	* standardizes newline characters to \n
				173	*
				174	* @access private
				175	* @param string
				176	* @return string
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	177	*/
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	178	function _clean_input_data($str)
				179	{
				180	if (is_array($str))
				181	{
				182	$new_array = array();
				183	foreach ($str as $key => $val)
				184	{
				185	$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
				186	}
				187	return $new_array;
				188	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	189
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	190	// We strip slashes if magic quotes is on to keep things consistent
				191	if (get_magic_quotes_gpc())
				192	{
				193	$str = stripslashes($str);
				194	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	195
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	196	// Should we filter the input data?
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	197	if ($this->use_xss_clean === TRUE)
				198	{
				199	$str = $this->xss_clean($str);
				200	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	201
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	202	// Standardize newlines
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	203	if (strpos($str, "\r") !== FALSE)
				204	{
				205	$str = str_replace(array("\r\n", "\r"), "\n", $str);
				206	}
				207
				208	return $str;
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	209	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	210
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	211	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	212
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	213	/**
				214	* Clean Keys
				215	*
				216	* This is a helper function. To prevent malicious users
				217	* from trying to exploit keys we make sure that keys are
				218	* only named with alpha-numeric text and a few other items.
				219	*
				220	* @access private
				221	* @param string
				222	* @return string
				223	*/
				224	function _clean_input_keys($str)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	225	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	226	if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	227	{
				228	exit('Disallowed Key Characters.');
				229	}
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	230
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	231	return $str;
				232	}
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	233
				234	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	235
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	236	/**
				237	* Fetch an item from the GET array
				238	*
				239	* @access public
				240	* @param string
				241	* @param bool
				242	* @return string
				243	*/
Derek Allard	87d1eeb	2007-03-01 13:20:43 +0000	[diff] [blame]	244	function get($index = '', $xss_clean = FALSE)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	245	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	246	if ( ! isset($_GET[$index]))
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	247	{
				248	return FALSE;
				249	}
				250
				251	if ($xss_clean === TRUE)
				252	{
				253	if (is_array($_GET[$index]))
				254	{
				255	foreach($_GET[$index] as $key => $val)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	256	{
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	257	$_GET[$index][$key] = $this->xss_clean($val);
				258	}
				259	}
				260	else
				261	{
				262	return $this->xss_clean($_GET[$index]);
				263	}
				264	}
				265
				266	return $_GET[$index];
				267	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	268
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	269	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	270
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	271	/**
				272	* Fetch an item from the POST array
				273	*
				274	* @access public
				275	* @param string
				276	* @param bool
				277	* @return string
				278	*/
				279	function post($index = '', $xss_clean = FALSE)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	280	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	281	if ( ! isset($_POST[$index]))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	282	{
				283	return FALSE;
				284	}
				285
				286	if ($xss_clean === TRUE)
				287	{
				288	if (is_array($_POST[$index]))
				289	{
				290	foreach($_POST[$index] as $key => $val)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	291	{
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	292	$_POST[$index][$key] = $this->xss_clean($val);
				293	}
				294	}
				295	else
				296	{
				297	return $this->xss_clean($_POST[$index]);
				298	}
				299	}
				300
				301	return $_POST[$index];
				302	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	303
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	304	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	305
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	306	/**
				307	* Fetch an item from the COOKIE array
				308	*
				309	* @access public
				310	* @param string
				311	* @param bool
				312	* @return string
				313	*/
				314	function cookie($index = '', $xss_clean = FALSE)
				315	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	316	if ( ! isset($_COOKIE[$index]))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	317	{
				318	return FALSE;
				319	}
				320
				321	if ($xss_clean === TRUE)
				322	{
				323	if (is_array($_COOKIE[$index]))
				324	{
				325	$cookie = array();
				326	foreach($_COOKIE[$index] as $key => $val)
				327	{
				328	$cookie[$key] = $this->xss_clean($val);
				329	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	330
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	331	return $cookie;
				332	}
				333	else
				334	{
				335	return $this->xss_clean($_COOKIE[$index]);
				336	}
				337	}
				338	else
				339	{
				340	return $_COOKIE[$index];
				341	}
				342	}
				343
				344	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	345
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	346	/**
				347	* Fetch an item from the SERVER array
				348	*
				349	* @access public
				350	* @param string
				351	* @param bool
				352	* @return string
				353	*/
				354	function server($index = '', $xss_clean = FALSE)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	355	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	356	if ( ! isset($_SERVER[$index]))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	357	{
				358	return FALSE;
				359	}
				360
				361	if ($xss_clean === TRUE)
				362	{
				363	return $this->xss_clean($_SERVER[$index]);
				364	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	365
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	366	return $_SERVER[$index];
				367	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	368
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	369	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	370
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	371	/**
				372	* Fetch the IP Address
				373	*
				374	* @access public
				375	* @return string
				376	*/
				377	function ip_address()
				378	{
				379	if ($this->ip_address !== FALSE)
				380	{
				381	return $this->ip_address;
				382	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	383
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	384	if ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
				385	{
				386	$this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
				387	}
				388	elseif ($this->server('REMOTE_ADDR'))
				389	{
				390	$this->ip_address = $_SERVER['REMOTE_ADDR'];
				391	}
				392	elseif ($this->server('HTTP_CLIENT_IP'))
				393	{
				394	$this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
				395	}
				396	elseif ($this->server('HTTP_X_FORWARDED_FOR'))
				397	{
				398	$this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
				399	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	400
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	401	if ($this->ip_address === FALSE)
				402	{
				403	$this->ip_address = '0.0.0.0';
				404	return $this->ip_address;
				405	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	406
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	407	if (strstr($this->ip_address, ','))
				408	{
				409	$x = explode(',', $this->ip_address);
				410	$this->ip_address = end($x);
				411	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	412
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	413	if ( ! $this->valid_ip($this->ip_address))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	414	{
				415	$this->ip_address = '0.0.0.0';
				416	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	417
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	418	return $this->ip_address;
				419	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	420
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	421	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	422
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	423	/**
				424	* Validate IP Address
				425	*
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	426	* Updated version suggested by Geert De Deckere
				427	*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	428	* @access public
				429	* @param string
				430	* @return string
				431	*/
				432	function valid_ip($ip)
				433	{
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	434	$ip_segments = explode('.', $ip);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	435
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	436	// Always 4 segments needed
				437	if (count($ip_segments) != 4)
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	438	{
				439	return FALSE;
				440	}
Rick Ellis	65e8f0e	2007-06-12 03:53:21 +0000	[diff] [blame]	441	// IP can not start with 0
Rick Ellis	3921314	2007-06-12 03:53:12 +0000	[diff] [blame]	442	if (substr($ip_segments[0], 0, 1) == '0')
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	443	{
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	444	return FALSE;
				445	}
				446	// Check each segment
				447	foreach ($ip_segments as $segment)
				448	{
				449	// IP segments must be digits and can not be
				450	// longer than 3 digits or greater then 255
Rick Ellis	ba64893	2007-06-12 03:39:38 +0000	[diff] [blame]	451	if (preg_match("/[^0-9]/", $segment) OR $segment > 255 OR strlen($segment) > 3)
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	452	{
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	453	return FALSE;
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	454	}
				455	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	456
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	457	return TRUE;
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	458	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	459
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	460	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	461
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	462	/**
				463	* User Agent
				464	*
				465	* @access public
				466	* @return string
				467	*/
				468	function user_agent()
				469	{
				470	if ($this->user_agent !== FALSE)
				471	{
				472	return $this->user_agent;
				473	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	474
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	475	$this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT'];
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	476
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	477	return $this->user_agent;
				478	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	479
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	480	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	481
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	482	/**
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	483	* Filename Security
				484	*
				485	* @access public
				486	* @param string
				487	* @return string
				488	*/
				489	function filename_security($str)
				490	{
				491	$bad = array(
				492	"../",
				493	"./",
				494	"<!--",
				495	"-->",
				496	"<",
				497	">",
				498	"'",
				499	'"',
				500	'&',
				501	'$',
				502	'#',
				503	'{',
				504	'}',
				505	'[',
				506	']',
				507	'=',
				508	';',
				509	'?',
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	510	"%20",
				511	"%22",
				512	"%3c", // <
				513	"%253c", // <
				514	"%3e", // >
				515	"%0e", // >
				516	"%28", // (
				517	"%29", // )
				518	"%2528", // (
				519	"%26", // &
				520	"%24", // $
				521	"%3f", // ?
				522	"%3b", // ;
				523	"%3d" // =
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	524	);
				525
				526	return stripslashes(str_replace($bad, '', $str));
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	527	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	528
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	529	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	530
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	531	/**
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	532	* XSS Clean
				533	*
				534	* Sanitizes data so that Cross Site Scripting Hacks can be
				535	* prevented. This function does a fair amount of work but
				536	* it is extremely thorough, designed to prevent even the
				537	* most obscure XSS attempts. Nothing is ever 100% foolproof,
				538	* of course, but I haven't been able to get anything passed
				539	* the filter.
				540	*
				541	* Note: This function should only be used to deal with data
				542	* upon submission. It's not something that should
				543	* be used for general runtime processing.
				544	*
				545	* This function was based in part on some code and ideas I
				546	* got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention
				547	*
				548	* To help develop this script I used this great list of
				549	* vulnerabilities along with a few other hacks I've
				550	* harvested from examining vulnerabilities in other programs:
				551	* http://ha.ckers.org/xss.html
				552	*
				553	* @access public
				554	* @param string
				555	* @return string
				556	*/
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame^]	557	function xss_clean($str, $is_image = FALSE, $loops = 0, $looped_convert = '')
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	558	{
				559	/*
				560	* Is the string an array?
				561	*
				562	*/
				563	if (is_array($str))
				564	{
				565	while (list($key) = each($str))
				566	{
				567	$str[$key] = $this->xss_clean($str[$key]);
				568	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	569
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	570	return $str;
				571	}
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame^]	572
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	573	/*
				574	* Runaway loop prevention. If the text has had to be examined this many times
				575	* I think it's safe to say that it is best to simply ignore it.
				576	*/
				577	if ($loops > 9)
				578	{
				579	return '';
				580	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	581
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	582	/*
				583	* Remove Null Characters
				584	*
				585	* This prevents sandwiching null characters
				586	* between ascii characters, like Java\0script.
				587	*
				588	*/
				589	$str = preg_replace('/\0+/', '', $str);
				590	$str = preg_replace('/(\\\\0)+/', '', $str);
				591
				592	/*
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	593	* Protect GET variables in URLs
				594	*/
				595
				596	// 901119URL5918AMP18930PROTECT8198
				597
				598	$str = preg_replace('\|\&([a-z\_0-9]+)\=([a-z\_0-9]+)\|i', $this->xss_hash()."\\1=\\2", $str);
				599
				600	/*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	601	* Validate standard character entities
				602	*
				603	* Add a semicolon if missing. We do this to enable
				604	* the conversion of entities to ASCII later.
				605	*
				606	*/
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	607	$str = preg_replace('#(&\#?[0-9a-z]+)[\x00-\x20]*;?#i', "\\1;", $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	608
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	609	/*
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	610	* Validate UTF16 two byte encoding (x00)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	611	*
				612	* Just as above, adds a semicolon if missing.
				613	*
				614	*/
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	615	$str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	616
				617	/*
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	618	* Un-Protect GET variables in URLs
				619	*/
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	620	$str = str_replace($this->xss_hash(), '&', $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	621
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	622	/*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	623	* URL Decode
				624	*
				625	* Just in case stuff like this is submitted:
				626	*
				627	* <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
				628	*
Derek Jones	ab32a42	2008-02-04 22:02:11 +0000	[diff] [blame]	629	* Note: Use rawurldecode() so it does not remove plus signs
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	630	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	631	*/
Derek Jones	ab32a42	2008-02-04 22:02:11 +0000	[diff] [blame]	632	$str = rawurldecode($str);
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	633
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	634	/*
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	635	* Convert character entities to ASCII
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	636	*
				637	* This permits our tests below to work reliably.
				638	* We only convert entities that are within tags since
				639	* these are the ones that will pose security problems.
				640	*
				641	*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	642
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame^]	643	$str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
				644
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	645	$str = preg_replace_callback("/<\w+.*?(?=>\|<\|$)/si", array($this, '_html_entity_decode_callback'), $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	646
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	647	/*
				648	* Convert all tabs to spaces
				649	*
				650	* This prevents strings like this: ja vascript
				651	* NOTE: we deal with spaces between characters later.
				652	* NOTE: preg_replace was found to be amazingly slow here on large blocks of data,
				653	* so we use str_replace.
				654	*
				655	*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	656
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	657	if (strpos($str, "\t") !== FALSE)
				658	{
				659	$str = str_replace("\t", ' ', $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	660	}
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	661
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame^]	662	/*
				663	* Check and set converted string
				664	*/
				665	if ($looped_convert != '' && $looped_convert == $str)
				666	{
				667	// if we are in a loop, and the converted string is the same as the last pass,
				668	// then this is going to repeat until we hit the runaway loop prevention,
				669	// so we might as well stop now.
				670	return '';
				671	}
				672	else
				673	{
				674	$converted_string = $str;
				675	}
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	676
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	677	/*
				678	* Not Allowed Under Any Conditions
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	679	*/
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	680
				681	foreach ($this->never_allowed_str as $key => $val)
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	682	{
				683	$str = str_replace($key, $val, $str);
				684	}
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	685
				686	foreach ($this->never_allowed_regex as $key => $val)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	687	{
				688	$str = preg_replace("#".$key."#i", $val, $str);
				689	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	690
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	691	/*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	692	* Makes PHP tags safe
				693	*
				694	* Note: XML tags are inadvertently replaced too:
				695	*
				696	* <?xml
				697	*
				698	* But it doesn't seem to pose a problem.
				699	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	700	*/
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	701	$str = str_replace(array('<?php', '<?PHP', '<?', '?'.'>'), array('<?php', '<?PHP', '<?', '?>'), $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	702
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	703	/*
				704	* Compact any exploded words
				705	*
				706	* This corrects words like: j a v a s c r i p t
				707	* These words are compacted back to their correct state.
				708	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	709	*/
paulburdick	b614d39	2007-06-26 21:58:56 +0000	[diff] [blame]	710	$words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	711	foreach ($words as $word)
				712	{
				713	$temp = '';
				714	for ($i = 0; $i < strlen($word); $i++)
				715	{
				716	$temp .= substr($word, $i, 1)."\s*";
				717	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	718
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	719	// We only want to do this when it is followed by a non-word character
				720	// That way valid stuff like "dealer to" does not become "dealerto"
				721	$str = preg_replace('#('.substr($temp, 0, -3).')(\W)#ise', "preg_replace('/\s+/s', '', '\\1').'\\2'", $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	722	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	723
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	724	/*
				725	* Remove disallowed Javascript in links or img tags
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	726	* We used to do some version comparisons and use of stripos for PHP5, but it is dog slow compared
				727	* to these simplified non-capturing preg_match(), especially if the pattern exists in the string
paulburdick	391eb03	2007-06-27 22:58:24 +0000	[diff] [blame]	728	*/
				729	do
				730	{
				731	$original = $str;
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	732
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	733	if (preg_match("/<a/i", $str))
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	734	{
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame^]	735	$str = preg_replace_callback("#<a.*(>\|<\|$)#si", array($this, '_js_link_removal'), $str);
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	736	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	737
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	738	if (preg_match("/<img/i", $str))
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	739	{
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame^]	740	$str = preg_replace_callback("#<img.*(>\|<\|$)#si", array($this, '_js_img_removal'), $str);
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	741	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	742
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	743	if (preg_match("/script/i", $str) OR preg_match("/xss/i", $str))
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	744	{
				745	$str = preg_replace("#</(script\|xss).?\>#si", "", $str);
				746	}
paulburdick	391eb03	2007-06-27 22:58:24 +0000	[diff] [blame]	747	}
				748	while($original != $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	749
paulburdick	391eb03	2007-06-27 22:58:24 +0000	[diff] [blame]	750	unset($original);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	751
				752	/*
				753	* Remove JavaScript Event Handlers
				754	*
				755	* Note: This code is a little blunt. It removes
				756	* the event handler and anything up to the closing >,
				757	* but it's unlikely to be a problem.
				758	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	759	*/
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	760	$event_handlers = array('onblur','onchange','onclick','onended','onerror','onfocus','onkeydown','onkeypress','onkeyup','onload','onmousedown','onmouseover','onmouseup','onresize','onselect','onsubmit','onunload','xmlns');
Derek Jones	245038d	2008-05-15 21:58:07 +0000	[diff] [blame]	761
				762	if ($is_image === TRUE)
				763	{
				764	/*
				765	* Adobe Photoshop puts XML metadata into JFIF images, including namespacing,
				766	* so we have to allow this for images. -Paul
				767	*/
				768	unset($event_handlers[array_search('xmlns', $event_handlers)]);
				769	}
				770
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	771	$str = preg_replace("#<([^><]+)(".implode('\|', $event_handlers).")(\s=\s[^><])([><])#i", "<\\1\\4", $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	772
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	773	/*
				774	* Sanitize naughty HTML elements
				775	*
				776	* If a tag containing any of the words in the list
				777	* below is found, the tag gets converted to entities.
				778	*
				779	* So this: <blink>
				780	* Becomes: <blink>
				781	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	782	*/
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	783	$naughty = 'alert\|applet\|audio\|basefont\|base\|behavior\|bgsound\|blink\|body\|embed\|expression\|form\|frameset\|frame\|head\|html\|ilayer\|iframe\|input\|layer\|link\|meta\|object\|plaintext\|style\|script\|textarea\|title\|video\|xml\|xss';
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	784	$str = preg_replace_callback('#<(/\s)('.$naughty.')([^><])([><])#is', array($this, '_sanitize_naughty_html'), $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	785
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	786	/*
				787	* Sanitize naughty scripting elements
				788	*
				789	* Similar to above, only instead of looking for
				790	* tags it looks for PHP and JavaScript commands
				791	* that are disallowed. Rather than removing the
				792	* code, it simply converts the parenthesis to entities
				793	* rendering the code un-executable.
				794	*
				795	* For example: eval('some code')
				796	* Becomes: eval('some code')
				797	*
				798	*/
paulburdick	033ef02	2007-06-26 21:52:52 +0000	[diff] [blame]	799	$str = preg_replace('#(alert\|cmd\|passthru\|eval\|exec\|expression\|system\|fopen\|fsockopen\|file\|file_get_contents\|readfile\|unlink)(\s)$(.?)$#si', "\\1\\2(\\3)", $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	800
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	801	/*
				802	* Final clean up
				803	*
				804	* This adds a bit of extra precaution in case
				805	* something got through the above filters
				806	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	807	*/
Derek Jones	000ab69	2008-05-13 14:46:38 +0000	[diff] [blame]	808	foreach ($this->never_allowed_str as $key => $val)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	809	{
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	810	$str = str_replace($key, $val, $str);
				811	}
Derek Jones	000ab69	2008-05-13 14:46:38 +0000	[diff] [blame]	812
				813	foreach ($this->never_allowed_regex as $key => $val)
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	814	{
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	815	$str = preg_replace("#".$key."#i", $val, $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	816	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	817
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	818	/*
				819	* Images are Handled in a Special Way
				820	* - Essentially, we want to know that after all of the character conversion is done whether
				821	* any unwanted, likely XSS, code was found. If not, we return TRUE, as the image is clean.
				822	* However, if the string post-conversion does not matched the string post-removal of XSS,
				823	* then it fails, as there was unwanted XSS code found and removed/changed during processing.
				824	*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	825
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	826	if ($is_image === TRUE)
				827	{
				828	if ($str == $converted_string)
				829	{
				830	return TRUE;
				831	}
				832	else
				833	{
				834	return FALSE;
				835	}
				836	}
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame^]	837
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	838	/*
				839	* If something changed after character conversion, we can be fairly confident that something
				840	* malicious was removed, so let's take no chances that the attacker is counting on specific
				841	* mutations taking place to allow a new attack to reveal itself. So say we all.
				842	*/
				843	if ($converted_string != $str)
				844	{
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame^]	845	$str = $this->xss_clean($str, $is_image, ++$loops, $converted_string);
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	846	}
				847
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	848	log_message('debug', "XSS Filtering completed");
				849	return $str;
				850	}
				851
				852	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	853
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	854	/**
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	855	* Random Hash for protecting URLs
				856	*
				857	* @access public
				858	* @return string
				859	*/
				860	function xss_hash()
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	861	{
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	862	if ($this->xss_hash == '')
				863	{
				864	if (phpversion() >= 4.2)
				865	mt_srand();
				866	else
				867	mt_srand(hexdec(substr(md5(microtime()), -8)) & 0x7fffffff);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	868
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	869	$this->xss_hash = md5(time() + mt_rand(0, 1999999999));
				870	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	871
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	872	return $this->xss_hash;
				873	}
				874
				875	// --------------------------------------------------------------------
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	876
				877	/**
				878	* Sanitize Naughty HTML
				879	*
				880	* Callback function for xss_clean() to remove naughty HTML elements
				881	*
				882	* @access private
				883	* @param array
				884	* @return string
				885	*/
				886	function _sanitize_naughty_html($matches)
				887	{
				888	// encode opening brace
				889	$str = '<'.$matches[1].$matches[2].$matches[3];
				890
				891	// encode captured opening or closing brace to prevent recursive vectors
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame^]	892	$str .= str_replace(array('>', '<'), array('>', '<'), $matches[4]);
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	893
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	894	return $str;
				895	}
				896
				897	// --------------------------------------------------------------------
				898
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	899	/**
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	900	* JS Link Removal
				901	*
				902	* Callback function for xss_clean() to sanitize links
				903	* This limits the PCRE backtracks, making it more performance friendly
				904	* and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
				905	* PHP 5.2+ on link-heavy strings
				906	*
				907	* @access private
				908	* @param array
				909	* @return string
				910	*/
				911	function _js_link_removal($match)
				912	{
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	913	return preg_replace("#href=.?(alert\(\|alert&\#40;\|javascript\:\|charset\=\|window\.\|document\.\|\.cookie\|<script\|<xss\|base64\s,)#si", "", $match[0]);
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	914	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	915
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	916	/**
				917	* JS Image Removal
				918	*
				919	* Callback function for xss_clean() to sanitize image tags
				920	* This limits the PCRE backtracks, making it more performance friendly
				921	* and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
				922	* PHP 5.2+ on image tag heavy strings
				923	*
				924	* @access private
				925	* @param array
				926	* @return string
				927	*/
				928	function _js_img_removal($match)
				929	{
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	930	return preg_replace("#src=.?(alert\(\|alert&\#40;\|javascript\:\|charset\=\|window\.\|document\.\|\.cookie\|<script\|<xss\|base64\s,)#si", "", $match[0]);
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	931	}
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	932
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	933	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	934
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	935	/**
				936	* Attribute Conversion
				937	*
				938	* Used as a callback for XSS Clean
				939	*
				940	* @access public
				941	* @param array
				942	* @return string
				943	*/
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame^]	944	function _convert_attribute($match)
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	945	{
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame^]	946	return str_replace(array('>', '<'), array('>', '<'), $match[0]);
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	947	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	948
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	949	// --------------------------------------------------------------------
				950
				951	/**
				952	* HTML Entity Decode Callback
				953	*
				954	* Used as a callback for XSS Clean
				955	*
				956	* @access public
				957	* @param array
				958	* @return string
				959	*/
				960	function _html_entity_decode_callback($match)
				961	{
Derek Jones	6159d1d	2007-07-16 13:04:46 +0000	[diff] [blame]	962	global $CFG;
				963	$charset = $CFG->item('charset');
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	964
				965	return $this->_html_entity_decode($match[0], strtoupper($charset));
				966	}
				967
				968	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	969
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	970	/**
				971	* HTML Entities Decode
				972	*
				973	* This function is a replacement for html_entity_decode()
				974	*
				975	* In some versions of PHP the native function does not work
				976	* when UTF-8 is the specified character set, so this gives us
				977	* a work-around. More info here:
				978	* http://bugs.php.net/bug.php?id=25670
				979	*
				980	* @access private
				981	* @param string
				982	* @param string
				983	* @return string
				984	*/
				985	/* -------------------------------------------------
				986	/* Replacement for html_entity_decode()
				987	/* -------------------------------------------------*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	988
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	989	/*
				990	NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the
				991	character set, and the PHP developers said they were not back porting the
				992	fix to versions other than PHP 5.x.
				993	*/
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	994	function _html_entity_decode($str, $charset='UTF-8')
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	995	{
				996	if (stristr($str, '&') === FALSE) return $str;
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	997
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	998	// The reason we are not using html_entity_decode() by itself is because
				999	// while it is not technically correct to leave out the semicolon
				1000	// at the end of an entity most browsers will still interpret the entity
				1001	// correctly. html_entity_decode() does not convert entities without
				1002	// semicolons, so we are left with our own little solution here. Bummer.
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	1003
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1004	if (function_exists('html_entity_decode') && (strtolower($charset) != 'utf-8' OR version_compare(phpversion(), '5.0.0', '>=')))
				1005	{
				1006	$str = html_entity_decode($str, ENT_COMPAT, $charset);
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	1007	$str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1008	return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
				1009	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	1010
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1011	// Numeric Entities
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	1012	$str = preg_replace('~&#x(0*[0-9a-f]{2,5});{0,1}~ei', 'chr(hexdec("\\1"))', $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1013	$str = preg_replace('~&#([0-9]{2,4});{0,1}~e', 'chr(\\1)', $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	1014
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1015	// Literal Entities - Slightly slow so we do another check
				1016	if (stristr($str, '&') === FALSE)
				1017	{
				1018	$str = strtr($str, array_flip(get_html_translation_table(HTML_ENTITIES)));
				1019	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	1020
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1021	return $str;
				1022	}
				1023
				1024	}
				1025	// END Input class
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	1026
				1027	/* End of file Input.php */
Derek Jones	a3ffbbb	2008-05-11 18:18:29 +0000	[diff] [blame]	1028	/* Location: ./system/libraries/Input.php */