Blame - system/libraries/Input.php - code-igniter-v3-giggi

blob: ff1dd9b159bc804211b3af540a4d7b0ba31fbee9 [file] [log] [blame]

Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	1	<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	2	/**
Derek Allard	d2df9bc	2007-04-15 17:41:17 +0000	[diff] [blame]	3	* CodeIgniter
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	4	*
				5	* An open source application development framework for PHP 4.3.2 or newer
				6	*
				7	* @package CodeIgniter
Derek Allard	3d879d5	2008-01-18 19:41:32 +0000	[diff] [blame]	8	* @author ExpressionEngine Dev Team
Derek Allard	d2df9bc	2007-04-15 17:41:17 +0000	[diff] [blame]	9	* @copyright Copyright (c) 2006, EllisLab, Inc.
Derek Jones	7a9193a	2008-01-21 18:39:20 +0000	[diff] [blame]	10	* @license http://codeigniter.com/user_guide/license.html
				11	* @link http://codeigniter.com
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	12	* @since Version 1.0
				13	* @filesource
				14	*/
				15
				16	// ------------------------------------------------------------------------
				17
				18	/**
				19	* Input Class
				20	*
				21	* Pre-processes global input data for security
				22	*
				23	* @package CodeIgniter
				24	* @subpackage Libraries
				25	* @category Input
Derek Allard	3d879d5	2008-01-18 19:41:32 +0000	[diff] [blame]	26	* @author ExpressionEngine Dev Team
Derek Jones	7a9193a	2008-01-21 18:39:20 +0000	[diff] [blame]	27	* @link http://codeigniter.com/user_guide/libraries/input.html
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	28	*/
				29	class CI_Input {
				30	var $use_xss_clean = FALSE;
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	31	var $xss_hash = '';
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	32	var $ip_address = FALSE;
				33	var $user_agent = FALSE;
				34	var $allow_get_array = FALSE;
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	35
				36	/* never allowed, string replacement */
				37	var $never_allowed_str = array(
				38	'document.cookie' => '[removed]',
				39	'document.write' => '[removed]',
				40	'.parentNode' => '[removed]',
				41	'.innerHTML' => '[removed]',
				42	'window.location' => '[removed]',
				43	'-moz-binding' => '[removed]',
				44	'<!--' => '<!--',
				45	'-->' => '-->',
				46	'<![CDATA[' => '<![CDATA['
				47	);
				48	/* never allowed, regex replacement */
				49	var $never_allowed_regex = array(
				50	"javascript\s*:" => '[removed]',
				51	"expression\s*\(" => '[removed]', // CSS and IE
				52	"Redirect\s+302" => '[removed]'
				53	);
				54
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	55	/**
				56	* Constructor
				57	*
				58	* Sets whether to globally enable the XSS processing
				59	* and whether to allow the $_GET array
				60	*
				61	* @access public
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	62	*/
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	63	function CI_Input()
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	64	{
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	65	log_message('debug', "Input Class Initialized");
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	66
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	67	$CFG =& load_class('Config');
				68	$this->use_xss_clean = ($CFG->item('global_xss_filtering') === TRUE) ? TRUE : FALSE;
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	69	$this->allow_get_array = ($CFG->item('enable_query_strings') === TRUE) ? TRUE : FALSE;
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	70	$this->_sanitize_globals();
				71	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	72
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	73	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	74
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	75	/**
				76	* Sanitize Globals
				77	*
				78	* This function does the following:
				79	*
				80	* Unsets $_GET data (if query strings are not enabled)
				81	*
				82	* Unsets all globals if register_globals is enabled
				83	*
				84	* Standardizes newline characters to \n
				85	*
				86	* @access private
				87	* @return void
				88	*/
				89	function _sanitize_globals()
				90	{
Derek Jones	d85a11e	2008-01-24 20:48:07 +0000	[diff] [blame]	91	// Would kind of be "wrong" to unset any of these GLOBALS
				92	$protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA',
				93	'system_folder', 'application_folder', 'BM', 'EXT', 'CFG', 'URI', 'RTR', 'OUT', 'IN');
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	94
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	95	// Unset globals for security.
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	96	// This is effectively the same as register_globals = off
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	97	foreach (array($_GET, $_POST, $_COOKIE, $_SERVER, $_FILES, $_ENV, (isset($_SESSION) && is_array($_SESSION)) ? $_SESSION : array()) as $global)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	98	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	99	if ( ! is_array($global))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	100	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	101	if ( ! in_array($global, $protected))
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	102	{
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	103	unset($GLOBALS[$global]);
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	104	}
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	105	}
				106	else
				107	{
				108	foreach ($global as $key => $val)
				109	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	110	if ( ! in_array($key, $protected))
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	111	{
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	112	unset($GLOBALS[$key]);
				113	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	114
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	115	if (is_array($val))
				116	{
				117	foreach($val as $k => $v)
				118	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	119	if ( ! in_array($k, $protected))
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	120	{
				121	unset($GLOBALS[$k]);
				122	}
				123	}
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	124	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	125	}
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	126	}
				127	}
				128
				129	// Is $_GET data allowed? If not we'll set the $_GET to an empty array
				130	if ($this->allow_get_array == FALSE)
				131	{
				132	$_GET = array();
				133	}
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	134	else
				135	{
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	136	$_GET = $this->_clean_input_data($_GET);
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	137	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	138
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	139	// Clean $_POST Data
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	140	$_POST = $this->_clean_input_data($_POST);
				141
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	142	// Clean $_COOKIE Data
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	143	$_COOKIE = $this->_clean_input_data($_COOKIE);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	144
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	145	log_message('debug', "Global POST and COOKIE data sanitized");
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	146	}
				147
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	148	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	149
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	150	/**
				151	* Clean Input Data
				152	*
				153	* This is a helper function. It escapes data and
				154	* standardizes newline characters to \n
				155	*
				156	* @access private
				157	* @param string
				158	* @return string
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	159	*/
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	160	function _clean_input_data($str)
				161	{
				162	if (is_array($str))
				163	{
				164	$new_array = array();
				165	foreach ($str as $key => $val)
				166	{
				167	$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
				168	}
				169	return $new_array;
				170	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	171
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	172	// We strip slashes if magic quotes is on to keep things consistent
				173	if (get_magic_quotes_gpc())
				174	{
				175	$str = stripslashes($str);
				176	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	177
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	178	// Should we filter the input data?
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	179	if ($this->use_xss_clean === TRUE)
				180	{
				181	$str = $this->xss_clean($str);
				182	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	183
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	184	// Standardize newlines
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	185	if (strpos($str, "\r") !== FALSE)
				186	{
				187	$str = str_replace(array("\r\n", "\r"), "\n", $str);
				188	}
				189
				190	return $str;
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	191	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	192
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	193	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	194
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	195	/**
				196	* Clean Keys
				197	*
				198	* This is a helper function. To prevent malicious users
				199	* from trying to exploit keys we make sure that keys are
				200	* only named with alpha-numeric text and a few other items.
				201	*
				202	* @access private
				203	* @param string
				204	* @return string
				205	*/
				206	function _clean_input_keys($str)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	207	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	208	if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	209	{
				210	exit('Disallowed Key Characters.');
				211	}
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	212
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	213	return $str;
				214	}
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	215
				216	// --------------------------------------------------------------------
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	217
				218	/**
				219	* Fetch from array
				220	*
				221	* This is a helper function to retrieve values from global arrays
				222	*
				223	* @access private
				224	* @param array
				225	* @param string
				226	* @param bool
				227	* @return string
				228	*/
				229	function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
				230	{
				231	if ( ! isset($array[$index]))
				232	{
				233	return FALSE;
				234	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	235
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	236	if ($xss_clean === TRUE)
				237	{
				238	return $this->xss_clean($array[$index]);
				239	}
				240
				241	return $array[$index];
				242	}
				243
				244	// --------------------------------------------------------------------
				245
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	246	/**
				247	* Fetch an item from the GET array
				248	*
				249	* @access public
				250	* @param string
				251	* @param bool
				252	* @return string
				253	*/
Derek Allard	87d1eeb	2007-03-01 13:20:43 +0000	[diff] [blame]	254	function get($index = '', $xss_clean = FALSE)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	255	{
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	256	return $this->_fetch_from_array($_GET, $index, $xss_clean);
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	257	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	258
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	259	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	260
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	261	/**
				262	* Fetch an item from the POST array
				263	*
				264	* @access public
				265	* @param string
				266	* @param bool
				267	* @return string
				268	*/
				269	function post($index = '', $xss_clean = FALSE)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	270	{
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	271	return $this->_fetch_from_array($_POST, $index, $xss_clean);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	272	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	273
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	274	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	275
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	276	/**
Derek Allard	d3ee041	2008-06-20 05:39:18 +0000	[diff] [blame]	277	* Fetch an item from either the GET array or the POST
				278	*
				279	* @access public
				280	* @param string The index key
				281	* @param bool XSS cleaning
				282	* @return string
				283	*/
				284	function get_post($index = '', $xss_clean = FALSE)
				285	{
				286	if ( ! isset($_POST[$index]) )
				287	{
				288	return $this->get($index, $xss_clean);
				289	}
				290	else
				291	{
				292	return $this->post($index, $xss_clean);
				293	}
				294	}
				295
				296	// --------------------------------------------------------------------
				297
				298	/**
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	299	* Fetch an item from the COOKIE array
				300	*
				301	* @access public
				302	* @param string
				303	* @param bool
				304	* @return string
				305	*/
				306	function cookie($index = '', $xss_clean = FALSE)
				307	{
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	308	return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	309	}
				310
				311	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	312
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	313	/**
				314	* Fetch an item from the SERVER array
				315	*
				316	* @access public
				317	* @param string
				318	* @param bool
				319	* @return string
				320	*/
				321	function server($index = '', $xss_clean = FALSE)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	322	{
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	323	return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	324	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	325
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	326	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	327
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	328	/**
				329	* Fetch the IP Address
				330	*
				331	* @access public
				332	* @return string
				333	*/
				334	function ip_address()
				335	{
				336	if ($this->ip_address !== FALSE)
				337	{
				338	return $this->ip_address;
				339	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	340
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	341	if ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
				342	{
				343	$this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
				344	}
				345	elseif ($this->server('REMOTE_ADDR'))
				346	{
				347	$this->ip_address = $_SERVER['REMOTE_ADDR'];
				348	}
				349	elseif ($this->server('HTTP_CLIENT_IP'))
				350	{
				351	$this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
				352	}
				353	elseif ($this->server('HTTP_X_FORWARDED_FOR'))
				354	{
				355	$this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
				356	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	357
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	358	if ($this->ip_address === FALSE)
				359	{
				360	$this->ip_address = '0.0.0.0';
				361	return $this->ip_address;
				362	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	363
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	364	if (strstr($this->ip_address, ','))
				365	{
				366	$x = explode(',', $this->ip_address);
				367	$this->ip_address = end($x);
				368	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	369
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	370	if ( ! $this->valid_ip($this->ip_address))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	371	{
				372	$this->ip_address = '0.0.0.0';
				373	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	374
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	375	return $this->ip_address;
				376	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	377
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	378	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	379
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	380	/**
				381	* Validate IP Address
				382	*
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	383	* Updated version suggested by Geert De Deckere
				384	*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	385	* @access public
				386	* @param string
				387	* @return string
				388	*/
				389	function valid_ip($ip)
				390	{
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	391	$ip_segments = explode('.', $ip);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	392
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	393	// Always 4 segments needed
				394	if (count($ip_segments) != 4)
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	395	{
				396	return FALSE;
				397	}
Rick Ellis	65e8f0e	2007-06-12 03:53:21 +0000	[diff] [blame]	398	// IP can not start with 0
Rick Ellis	3921314	2007-06-12 03:53:12 +0000	[diff] [blame]	399	if (substr($ip_segments[0], 0, 1) == '0')
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	400	{
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	401	return FALSE;
				402	}
				403	// Check each segment
				404	foreach ($ip_segments as $segment)
				405	{
				406	// IP segments must be digits and can not be
				407	// longer than 3 digits or greater then 255
Rick Ellis	ba64893	2007-06-12 03:39:38 +0000	[diff] [blame]	408	if (preg_match("/[^0-9]/", $segment) OR $segment > 255 OR strlen($segment) > 3)
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	409	{
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	410	return FALSE;
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	411	}
				412	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	413
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	414	return TRUE;
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	415	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	416
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	417	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	418
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	419	/**
				420	* User Agent
				421	*
				422	* @access public
				423	* @return string
				424	*/
				425	function user_agent()
				426	{
				427	if ($this->user_agent !== FALSE)
				428	{
				429	return $this->user_agent;
				430	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	431
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	432	$this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT'];
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	433
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	434	return $this->user_agent;
				435	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	436
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	437	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	438
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	439	/**
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	440	* Filename Security
				441	*
				442	* @access public
				443	* @param string
				444	* @return string
				445	*/
				446	function filename_security($str)
				447	{
				448	$bad = array(
				449	"../",
				450	"./",
				451	"<!--",
				452	"-->",
				453	"<",
				454	">",
				455	"'",
				456	'"',
				457	'&',
				458	'$',
				459	'#',
				460	'{',
				461	'}',
				462	'[',
				463	']',
				464	'=',
				465	';',
				466	'?',
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	467	"%20",
				468	"%22",
				469	"%3c", // <
				470	"%253c", // <
				471	"%3e", // >
				472	"%0e", // >
				473	"%28", // (
				474	"%29", // )
				475	"%2528", // (
				476	"%26", // &
				477	"%24", // $
				478	"%3f", // ?
				479	"%3b", // ;
				480	"%3d" // =
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	481	);
				482
				483	return stripslashes(str_replace($bad, '', $str));
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	484	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	485
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	486	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	487
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	488	/**
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	489	* XSS Clean
				490	*
				491	* Sanitizes data so that Cross Site Scripting Hacks can be
				492	* prevented. This function does a fair amount of work but
				493	* it is extremely thorough, designed to prevent even the
				494	* most obscure XSS attempts. Nothing is ever 100% foolproof,
				495	* of course, but I haven't been able to get anything passed
				496	* the filter.
				497	*
				498	* Note: This function should only be used to deal with data
				499	* upon submission. It's not something that should
				500	* be used for general runtime processing.
				501	*
				502	* This function was based in part on some code and ideas I
				503	* got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention
				504	*
				505	* To help develop this script I used this great list of
				506	* vulnerabilities along with a few other hacks I've
				507	* harvested from examining vulnerabilities in other programs:
				508	* http://ha.ckers.org/xss.html
				509	*
				510	* @access public
				511	* @param string
				512	* @return string
				513	*/
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	514	function xss_clean($str, $is_image = FALSE)
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	515	{
				516	/*
				517	* Is the string an array?
				518	*
				519	*/
				520	if (is_array($str))
				521	{
				522	while (list($key) = each($str))
				523	{
				524	$str[$key] = $this->xss_clean($str[$key]);
				525	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	526
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	527	return $str;
				528	}
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	529
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	530	/*
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	531	* Remove Invisible Characters
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	532	*/
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	533	$str = $this->_remove_invisible_characters($str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	534
				535	/*
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	536	* Protect GET variables in URLs
				537	*/
				538
				539	// 901119URL5918AMP18930PROTECT8198
				540
				541	$str = preg_replace('\|\&([a-z\_0-9]+)\=([a-z\_0-9]+)\|i', $this->xss_hash()."\\1=\\2", $str);
				542
				543	/*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	544	* Validate standard character entities
				545	*
				546	* Add a semicolon if missing. We do this to enable
				547	* the conversion of entities to ASCII later.
				548	*
				549	*/
Derek Jones	cbde3f0	2008-08-14 22:13:05 +0000	[diff] [blame]	550	$str = preg_replace('#(&\#?[0-9a-z]{2,})[\x00-\x20]*;?#i', "\\1;", $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	551
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	552	/*
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	553	* Validate UTF16 two byte encoding (x00)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	554	*
				555	* Just as above, adds a semicolon if missing.
				556	*
				557	*/
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	558	$str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	559
				560	/*
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	561	* Un-Protect GET variables in URLs
				562	*/
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	563	$str = str_replace($this->xss_hash(), '&', $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	564
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	565	/*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	566	* URL Decode
				567	*
				568	* Just in case stuff like this is submitted:
				569	*
				570	* <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
				571	*
Derek Jones	ab32a42	2008-02-04 22:02:11 +0000	[diff] [blame]	572	* Note: Use rawurldecode() so it does not remove plus signs
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	573	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	574	*/
Derek Jones	ab32a42	2008-02-04 22:02:11 +0000	[diff] [blame]	575	$str = rawurldecode($str);
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	576
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	577	/*
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	578	* Convert character entities to ASCII
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	579	*
				580	* This permits our tests below to work reliably.
				581	* We only convert entities that are within tags since
				582	* these are the ones that will pose security problems.
				583	*
				584	*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	585
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	586	$str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
				587
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	588	$str = preg_replace_callback("/<\w+.*?(?=>\|<\|$)/si", array($this, '_html_entity_decode_callback'), $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	589
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	590	/*
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	591	* Remove Invisible Characters Again!
				592	*/
				593	$str = $this->_remove_invisible_characters($str);
				594
				595	/*
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	596	* Convert all tabs to spaces
				597	*
				598	* This prevents strings like this: ja vascript
				599	* NOTE: we deal with spaces between characters later.
				600	* NOTE: preg_replace was found to be amazingly slow here on large blocks of data,
				601	* so we use str_replace.
				602	*
				603	*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	604
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	605	if (strpos($str, "\t") !== FALSE)
				606	{
				607	$str = str_replace("\t", ' ', $str);
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	608	}
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	609
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	610	/*
Derek Jones	d6c6998	2008-06-25 17:29:23 +0000	[diff] [blame]	611	* Capture converted string for later comparison
				612	*/
				613	$converted_string = $str;
				614
				615	/*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	616	* Not Allowed Under Any Conditions
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	617	*/
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	618
				619	foreach ($this->never_allowed_str as $key => $val)
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	620	{
				621	$str = str_replace($key, $val, $str);
				622	}
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	623
				624	foreach ($this->never_allowed_regex as $key => $val)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	625	{
				626	$str = preg_replace("#".$key."#i", $val, $str);
				627	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	628
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	629	/*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	630	* Makes PHP tags safe
				631	*
				632	* Note: XML tags are inadvertently replaced too:
				633	*
				634	* <?xml
				635	*
				636	* But it doesn't seem to pose a problem.
				637	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	638	*/
Derek Jones	fc18b00	2008-06-25 16:12:35 +0000	[diff] [blame]	639	if ($is_image === TRUE)
				640	{
				641	// Images have a tendency to have the PHP short opening and closing tags every so often
				642	// so we skip those and only do the long opening tags.
				643	$str = str_replace(array('<?php', '<?PHP'), array('<?php', '<?PHP'), $str);
				644	}
				645	else
				646	{
				647	$str = str_replace(array('<?php', '<?PHP', '<?', '?'.'>'), array('<?php', '<?PHP', '<?', '?>'), $str);
				648	}
				649
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	650	/*
				651	* Compact any exploded words
				652	*
				653	* This corrects words like: j a v a s c r i p t
				654	* These words are compacted back to their correct state.
				655	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	656	*/
paulburdick	b614d39	2007-06-26 21:58:56 +0000	[diff] [blame]	657	$words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	658	foreach ($words as $word)
				659	{
				660	$temp = '';
Derek Allard	c1acb41	2008-06-04 20:58:03 +0000	[diff] [blame]	661
Derek Jones	7a3b96e	2008-06-04 21:01:56 +0000	[diff] [blame]	662	for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	663	{
				664	$temp .= substr($word, $i, 1)."\s*";
				665	}
Derek Jones	9f23e7c	2008-05-30 20:00:11 +0000	[diff] [blame]	666
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	667	// We only want to do this when it is followed by a non-word character
				668	// That way valid stuff like "dealer to" does not become "dealerto"
Derek Jones	9f23e7c	2008-05-30 20:00:11 +0000	[diff] [blame]	669	$str = preg_replace_callback('#('.substr($temp, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	670	}
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	671
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	672	/*
				673	* Remove disallowed Javascript in links or img tags
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	674	* We used to do some version comparisons and use of stripos for PHP5, but it is dog slow compared
				675	* to these simplified non-capturing preg_match(), especially if the pattern exists in the string
paulburdick	391eb03	2007-06-27 22:58:24 +0000	[diff] [blame]	676	*/
				677	do
				678	{
				679	$original = $str;
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	680
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	681	if (preg_match("/<a/i", $str))
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	682	{
Derek Jones	68d7bd6	2008-07-03 20:50:21 +0000	[diff] [blame]	683	$str = preg_replace_callback("#<a\s+([^>]*?)(>\|$)#si", array($this, '_js_link_removal'), $str);
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	684	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	685
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	686	if (preg_match("/<img/i", $str))
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	687	{
Derek Jones	68d7bd6	2008-07-03 20:50:21 +0000	[diff] [blame]	688	$str = preg_replace_callback("#<img\s+([^>]*?)(>\|$)#si", array($this, '_js_img_removal'), $str);
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	689	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	690
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	691	if (preg_match("/script/i", $str) OR preg_match("/xss/i", $str))
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	692	{
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	693	$str = preg_replace("#<(/)(script\|xss)(.?)\>#si", '[removed]', $str);
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	694	}
paulburdick	391eb03	2007-06-27 22:58:24 +0000	[diff] [blame]	695	}
				696	while($original != $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	697
paulburdick	391eb03	2007-06-27 22:58:24 +0000	[diff] [blame]	698	unset($original);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	699
				700	/*
				701	* Remove JavaScript Event Handlers
				702	*
				703	* Note: This code is a little blunt. It removes
				704	* the event handler and anything up to the closing >,
				705	* but it's unlikely to be a problem.
				706	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	707	*/
Derek Jones	68d7bd6	2008-07-03 20:50:21 +0000	[diff] [blame]	708	$event_handlers = array('[^a-z_\-]on\w*','xmlns');
Derek Jones	245038d	2008-05-15 21:58:07 +0000	[diff] [blame]	709
				710	if ($is_image === TRUE)
				711	{
				712	/*
				713	* Adobe Photoshop puts XML metadata into JFIF images, including namespacing,
				714	* so we have to allow this for images. -Paul
				715	*/
				716	unset($event_handlers[array_search('xmlns', $event_handlers)]);
				717	}
Derek Jones	e8e18fe	2008-06-30 23:27:31 +0000	[diff] [blame]	718
				719	$str = preg_replace("#<([^><]+?)(".implode('\|', $event_handlers).")(\s=\s[^><])([><])#i", "<\\1\\4", $str);
				720
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	721	/*
				722	* Sanitize naughty HTML elements
				723	*
				724	* If a tag containing any of the words in the list
				725	* below is found, the tag gets converted to entities.
				726	*
				727	* So this: <blink>
				728	* Becomes: <blink>
				729	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	730	*/
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	731	$naughty = 'alert\|applet\|audio\|basefont\|base\|behavior\|bgsound\|blink\|body\|embed\|expression\|form\|frameset\|frame\|head\|html\|ilayer\|iframe\|input\|layer\|link\|meta\|object\|plaintext\|style\|script\|textarea\|title\|video\|xml\|xss';
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	732	$str = preg_replace_callback('#<(/\s)('.$naughty.')([^><])([><])#is', array($this, '_sanitize_naughty_html'), $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	733
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	734	/*
				735	* Sanitize naughty scripting elements
				736	*
				737	* Similar to above, only instead of looking for
				738	* tags it looks for PHP and JavaScript commands
				739	* that are disallowed. Rather than removing the
				740	* code, it simply converts the parenthesis to entities
				741	* rendering the code un-executable.
				742	*
				743	* For example: eval('some code')
				744	* Becomes: eval('some code')
				745	*
				746	*/
paulburdick	033ef02	2007-06-26 21:52:52 +0000	[diff] [blame]	747	$str = preg_replace('#(alert\|cmd\|passthru\|eval\|exec\|expression\|system\|fopen\|fsockopen\|file\|file_get_contents\|readfile\|unlink)(\s)$(.?)$#si', "\\1\\2(\\3)", $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	748
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	749	/*
				750	* Final clean up
				751	*
				752	* This adds a bit of extra precaution in case
				753	* something got through the above filters
				754	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	755	*/
Derek Jones	000ab69	2008-05-13 14:46:38 +0000	[diff] [blame]	756	foreach ($this->never_allowed_str as $key => $val)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	757	{
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	758	$str = str_replace($key, $val, $str);
				759	}
Derek Jones	000ab69	2008-05-13 14:46:38 +0000	[diff] [blame]	760
				761	foreach ($this->never_allowed_regex as $key => $val)
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	762	{
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	763	$str = preg_replace("#".$key."#i", $val, $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	764	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	765
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	766	/*
				767	* Images are Handled in a Special Way
				768	* - Essentially, we want to know that after all of the character conversion is done whether
				769	* any unwanted, likely XSS, code was found. If not, we return TRUE, as the image is clean.
				770	* However, if the string post-conversion does not matched the string post-removal of XSS,
				771	* then it fails, as there was unwanted XSS code found and removed/changed during processing.
				772	*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	773
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	774	if ($is_image === TRUE)
				775	{
				776	if ($str == $converted_string)
				777	{
				778	return TRUE;
				779	}
				780	else
				781	{
				782	return FALSE;
				783	}
				784	}
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	785
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	786	log_message('debug', "XSS Filtering completed");
				787	return $str;
				788	}
				789
				790	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	791
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	792	/**
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	793	* Random Hash for protecting URLs
				794	*
				795	* @access public
				796	* @return string
				797	*/
				798	function xss_hash()
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	799	{
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	800	if ($this->xss_hash == '')
				801	{
				802	if (phpversion() >= 4.2)
				803	mt_srand();
				804	else
				805	mt_srand(hexdec(substr(md5(microtime()), -8)) & 0x7fffffff);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	806
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	807	$this->xss_hash = md5(time() + mt_rand(0, 1999999999));
				808	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	809
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	810	return $this->xss_hash;
				811	}
				812
				813	// --------------------------------------------------------------------
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	814
				815	/**
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	816	* Remove Invisible Characters
				817	*
				818	* This prevents sandwiching null characters
				819	* between ascii characters, like Java\0script.
				820	*
				821	* @access public
				822	* @param string
				823	* @return string
				824	*/
				825	function _remove_invisible_characters($str)
				826	{
				827	static $non_displayables;
				828
				829	if ( ! isset($non_displayables))
				830	{
Derek Jones	dd7f4a9	2008-07-03 21:58:15 +0000	[diff] [blame]	831	// every control character except newline (dec 10), carriage return (dec 13), and horizontal tab (dec 09),
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	832	$non_displayables = array(
Derek Jones	dd7f4a9	2008-07-03 21:58:15 +0000	[diff] [blame]	833	'/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15
				834	'/%1[0-9a-f]/', // url encoded 16-31
Derek Jones	40f38f1	2008-06-30 17:23:25 +0000	[diff] [blame]	835	'/[\x00-\x08]/', // 00-08
				836	'/\x0b/', '/\x0c/', // 11, 12
				837	'/[\x0e-\x1f]/' // 14-31
				838	);
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	839	}
				840
				841	do
				842	{
				843	$cleaned = $str;
				844	$str = preg_replace($non_displayables, '', $str);
				845	}
				846	while ($cleaned != $str);
				847
				848	return $str;
				849	}
				850
				851	// --------------------------------------------------------------------
				852
				853	/**
Derek Jones	9f23e7c	2008-05-30 20:00:11 +0000	[diff] [blame]	854	* Compact Exploded Words
				855	*
				856	* Callback function for xss_clean() to remove whitespace from
				857	* things like j a v a s c r i p t
				858	*
				859	* @access public
				860	* @param type
				861	* @return type
				862	*/
				863	function _compact_exploded_words($matches)
				864	{
				865	return preg_replace('/\s+/s', '', $matches[1]).$matches[2];
				866	}
				867
				868	// --------------------------------------------------------------------
				869
				870	/**
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	871	* Sanitize Naughty HTML
				872	*
				873	* Callback function for xss_clean() to remove naughty HTML elements
				874	*
				875	* @access private
				876	* @param array
				877	* @return string
				878	*/
				879	function _sanitize_naughty_html($matches)
				880	{
				881	// encode opening brace
				882	$str = '<'.$matches[1].$matches[2].$matches[3];
				883
				884	// encode captured opening or closing brace to prevent recursive vectors
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	885	$str .= str_replace(array('>', '<'), array('>', '<'), $matches[4]);
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	886
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	887	return $str;
				888	}
				889
				890	// --------------------------------------------------------------------
				891
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	892	/**
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	893	* JS Link Removal
				894	*
				895	* Callback function for xss_clean() to sanitize links
				896	* This limits the PCRE backtracks, making it more performance friendly
				897	* and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
				898	* PHP 5.2+ on link-heavy strings
				899	*
				900	* @access private
				901	* @param array
				902	* @return string
				903	*/
				904	function _js_link_removal($match)
				905	{
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	906	$attributes = $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]));
				907	return str_replace($match[1], preg_replace("#href=.?(alert\(\|alert&\#40;\|javascript\:\|charset\=\|window\.\|document\.\|\.cookie\|<script\|<xss\|base64\s,)#si", "", $attributes), $match[0]);
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	908	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	909
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	910	/**
				911	* JS Image Removal
				912	*
				913	* Callback function for xss_clean() to sanitize image tags
				914	* This limits the PCRE backtracks, making it more performance friendly
				915	* and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
				916	* PHP 5.2+ on image tag heavy strings
				917	*
				918	* @access private
				919	* @param array
				920	* @return string
				921	*/
				922	function _js_img_removal($match)
				923	{
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	924	$attributes = $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]));
				925	return str_replace($match[1], preg_replace("#src=.?(alert\(\|alert&\#40;\|javascript\:\|charset\=\|window\.\|document\.\|\.cookie\|<script\|<xss\|base64\s,)#si", "", $attributes), $match[0]);
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	926	}
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	927
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	928	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	929
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	930	/**
				931	* Attribute Conversion
				932	*
				933	* Used as a callback for XSS Clean
				934	*
				935	* @access public
				936	* @param array
				937	* @return string
				938	*/
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	939	function _convert_attribute($match)
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	940	{
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	941	return str_replace(array('>', '<'), array('>', '<'), $match[0]);
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	942	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	943
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	944	// --------------------------------------------------------------------
				945
				946	/**
				947	* HTML Entity Decode Callback
				948	*
				949	* Used as a callback for XSS Clean
				950	*
				951	* @access public
				952	* @param array
				953	* @return string
				954	*/
				955	function _html_entity_decode_callback($match)
				956	{
Derek Jones	6159d1d	2007-07-16 13:04:46 +0000	[diff] [blame]	957	global $CFG;
				958	$charset = $CFG->item('charset');
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	959
				960	return $this->_html_entity_decode($match[0], strtoupper($charset));
				961	}
				962
				963	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	964
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	965	/**
				966	* HTML Entities Decode
				967	*
				968	* This function is a replacement for html_entity_decode()
				969	*
				970	* In some versions of PHP the native function does not work
				971	* when UTF-8 is the specified character set, so this gives us
				972	* a work-around. More info here:
				973	* http://bugs.php.net/bug.php?id=25670
				974	*
				975	* @access private
				976	* @param string
				977	* @param string
				978	* @return string
				979	*/
				980	/* -------------------------------------------------
				981	/* Replacement for html_entity_decode()
				982	/* -------------------------------------------------*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	983
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	984	/*
				985	NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the
				986	character set, and the PHP developers said they were not back porting the
				987	fix to versions other than PHP 5.x.
				988	*/
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	989	function _html_entity_decode($str, $charset='UTF-8')
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	990	{
				991	if (stristr($str, '&') === FALSE) return $str;
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	992
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	993	// The reason we are not using html_entity_decode() by itself is because
				994	// while it is not technically correct to leave out the semicolon
				995	// at the end of an entity most browsers will still interpret the entity
				996	// correctly. html_entity_decode() does not convert entities without
				997	// semicolons, so we are left with our own little solution here. Bummer.
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	998
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	999	if (function_exists('html_entity_decode') && (strtolower($charset) != 'utf-8' OR version_compare(phpversion(), '5.0.0', '>=')))
				1000	{
				1001	$str = html_entity_decode($str, ENT_COMPAT, $charset);
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	1002	$str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1003	return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
				1004	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	1005
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1006	// Numeric Entities
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	1007	$str = preg_replace('~&#x(0*[0-9a-f]{2,5});{0,1}~ei', 'chr(hexdec("\\1"))', $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1008	$str = preg_replace('~&#([0-9]{2,4});{0,1}~e', 'chr(\\1)', $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	1009
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1010	// Literal Entities - Slightly slow so we do another check
				1011	if (stristr($str, '&') === FALSE)
				1012	{
				1013	$str = strtr($str, array_flip(get_html_translation_table(HTML_ENTITIES)));
				1014	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	1015
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1016	return $str;
				1017	}
				1018
Derek Jones	7aae905	2008-06-25 16:02:06 +0000	[diff] [blame]	1019	// --------------------------------------------------------------------
				1020
				1021	/**
				1022	* Filter Attributes
				1023	*
				1024	* Filters tag attributes for consistency and safety
				1025	*
				1026	* @access public
				1027	* @param string
				1028	* @return string
				1029	*/
				1030	function _filter_attributes($str)
				1031	{
				1032	$out = '';
				1033
				1034	if (preg_match_all('#\s[a-z\-]+\s=\s(\042\|\047)([^\\1]?)\\1#is', $str, $matches))
				1035	{
				1036	foreach ($matches[0] as $match)
				1037	{
				1038	$out .= "{$match}";
				1039	}
				1040	}
				1041
				1042	return $out;
				1043	}
				1044
				1045	// --------------------------------------------------------------------
				1046
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	1047	}
				1048	// END Input class
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	1049
				1050	/* End of file Input.php */
Derek Jones	a3ffbbb	2008-05-11 18:18:29 +0000	[diff] [blame]	1051	/* Location: ./system/libraries/Input.php */