Andrey Andreev | c5536aa | 2012-11-01 17:33:58 +0200 | [diff] [blame] | 1 | <?php |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 2 | /** |
| 3 | * CodeIgniter |
| 4 | * |
Phil Sturgeon | 07c1ac8 | 2012-03-09 17:03:37 +0000 | [diff] [blame] | 5 | * An open source application development framework for PHP 5.2.4 or newer |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 6 | * |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 7 | * NOTICE OF LICENSE |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 8 | * |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 9 | * Licensed under the Open Software License version 3.0 |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 10 | * |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 11 | * This source file is subject to the Open Software License (OSL 3.0) that is |
| 12 | * bundled with this package in the files license.txt / license.rst. It is |
| 13 | * also available through the world wide web at this URL: |
| 14 | * http://opensource.org/licenses/OSL-3.0 |
| 15 | * If you did not receive a copy of the license and are unable to obtain it |
| 16 | * through the world wide web, please send an email to |
| 17 | * licensing@ellislab.com so we can send you a copy immediately. |
| 18 | * |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 19 | * @package CodeIgniter |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 20 | * @author EllisLab Dev Team |
Andrey Andreev | 80500af | 2013-01-01 08:16:53 +0200 | [diff] [blame] | 21 | * @copyright Copyright (c) 2008 - 2013, EllisLab, Inc. (http://ellislab.com/) |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 22 | * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0) |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 23 | * @link http://codeigniter.com |
| 24 | * @since Version 1.0 |
| 25 | * @filesource |
| 26 | */ |
Andrey Andreev | c5536aa | 2012-11-01 17:33:58 +0200 | [diff] [blame] | 27 | defined('BASEPATH') OR exit('No direct script access allowed'); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 28 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 29 | /** |
| 30 | * Security Class |
| 31 | * |
| 32 | * @package CodeIgniter |
| 33 | * @subpackage Libraries |
| 34 | * @category Security |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 35 | * @author EllisLab Dev Team |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 36 | * @link http://codeigniter.com/user_guide/libraries/security.html |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 37 | */ |
| 38 | class CI_Security { |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 39 | |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 40 | /** |
Hunter Wu | a8d6d3b | 2013-08-03 23:17:45 +0800 | [diff] [blame] | 41 | * List of sanitize filename strings |
| 42 | * |
| 43 | * @var array |
| 44 | */ |
Hunter Wu | 4495cc7 | 2013-08-04 12:31:52 +0800 | [diff] [blame] | 45 | public $filename_bad_chars = array( |
Hunter Wu | a8d6d3b | 2013-08-03 23:17:45 +0800 | [diff] [blame] | 46 | '../', '<!--', '-->', '<', '>', |
| 47 | "'", '"', '&', '$', '#', |
| 48 | '{', '}', '[', ']', '=', |
| 49 | ';', '?', '%20', '%22', |
| 50 | '%3c', // < |
| 51 | '%253c', // < |
| 52 | '%3e', // > |
| 53 | '%0e', // > |
| 54 | '%28', // ( |
| 55 | '%29', // ) |
| 56 | '%2528', // ( |
| 57 | '%26', // & |
| 58 | '%24', // $ |
| 59 | '%3f', // ? |
| 60 | '%3b', // ; |
| 61 | '%3d' // = |
| 62 | ); |
| 63 | |
| 64 | /** |
Andrey Andreev | c67c3fb | 2014-01-22 13:26:00 +0200 | [diff] [blame] | 65 | * HTML5 entities |
| 66 | * |
| 67 | * @var array |
| 68 | */ |
| 69 | public $html5_entities = array( |
| 70 | ':' => ':', |
| 71 | '(' => '(', |
Andrey Andreev | d98cbb8 | 2014-01-24 18:34:27 +0200 | [diff] [blame] | 72 | ')' => ')', |
Andrey Andreev | ee7633c | 2014-01-24 18:47:20 +0200 | [diff] [blame] | 73 | '&newline;' => "\n", |
| 74 | '&tab;' => "\t" |
Andrey Andreev | c67c3fb | 2014-01-22 13:26:00 +0200 | [diff] [blame] | 75 | ); |
| 76 | |
| 77 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 78 | * XSS Hash |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 79 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 80 | * Random Hash for protecting URLs. |
| 81 | * |
| 82 | * @var string |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 83 | */ |
Timothy Warren | 48a7fbb | 2012-04-23 11:58:16 -0400 | [diff] [blame] | 84 | protected $_xss_hash = ''; |
Andrey Andreev | 3d113bd | 2011-10-05 00:03:20 +0300 | [diff] [blame] | 85 | |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 86 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 87 | * CSRF Hash |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 88 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 89 | * Random hash for Cross Site Request Forgery protection cookie |
| 90 | * |
| 91 | * @var string |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 92 | */ |
Timothy Warren | 48a7fbb | 2012-04-23 11:58:16 -0400 | [diff] [blame] | 93 | protected $_csrf_hash = ''; |
Andrey Andreev | 3d113bd | 2011-10-05 00:03:20 +0300 | [diff] [blame] | 94 | |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 95 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 96 | * CSRF Expire time |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 97 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 98 | * Expiration time for Cross Site Request Forgery protection cookie. |
| 99 | * Defaults to two hours (in seconds). |
| 100 | * |
| 101 | * @var int |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 102 | */ |
Timothy Warren | 48a7fbb | 2012-04-23 11:58:16 -0400 | [diff] [blame] | 103 | protected $_csrf_expire = 7200; |
Andrey Andreev | 3d113bd | 2011-10-05 00:03:20 +0300 | [diff] [blame] | 104 | |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 105 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 106 | * CSRF Token name |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 107 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 108 | * Token name for Cross Site Request Forgery protection cookie. |
| 109 | * |
| 110 | * @var string |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 111 | */ |
Timothy Warren | 48a7fbb | 2012-04-23 11:58:16 -0400 | [diff] [blame] | 112 | protected $_csrf_token_name = 'ci_csrf_token'; |
Andrey Andreev | 3d113bd | 2011-10-05 00:03:20 +0300 | [diff] [blame] | 113 | |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 114 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 115 | * CSRF Cookie name |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 116 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 117 | * Cookie name for Cross Site Request Forgery protection cookie. |
| 118 | * |
| 119 | * @var string |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 120 | */ |
Timothy Warren | 48a7fbb | 2012-04-23 11:58:16 -0400 | [diff] [blame] | 121 | protected $_csrf_cookie_name = 'ci_csrf_token'; |
Andrey Andreev | 3d113bd | 2011-10-05 00:03:20 +0300 | [diff] [blame] | 122 | |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 123 | /** |
| 124 | * List of never allowed strings |
| 125 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 126 | * @var array |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 127 | */ |
Timothy Warren | 48a7fbb | 2012-04-23 11:58:16 -0400 | [diff] [blame] | 128 | protected $_never_allowed_str = array( |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 129 | 'document.cookie' => '[removed]', |
| 130 | 'document.write' => '[removed]', |
| 131 | '.parentNode' => '[removed]', |
| 132 | '.innerHTML' => '[removed]', |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 133 | '-moz-binding' => '[removed]', |
| 134 | '<!--' => '<!--', |
| 135 | '-->' => '-->', |
| 136 | '<![CDATA[' => '<![CDATA[', |
| 137 | '<comment>' => '<comment>' |
| 138 | ); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 139 | |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 140 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 141 | * List of never allowed regex replacements |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 142 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 143 | * @var array |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 144 | */ |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 145 | protected $_never_allowed_regex = array( |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 146 | 'javascript\s*:', |
Andrey Andreev | 1bbc564 | 2014-01-07 12:45:27 +0200 | [diff] [blame] | 147 | '(document|(document\.)?window)\.(location|on\w*)', |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 148 | 'expression\s*(\(|&\#40;)', // CSS and IE |
| 149 | 'vbscript\s*:', // IE, surprise! |
Andrey Andreev | 4356806 | 2014-01-21 23:52:31 +0200 | [diff] [blame] | 150 | 'Redirect\s+30\d', |
Wes Baker | d348135 | 2012-05-07 16:49:33 -0400 | [diff] [blame] | 151 | "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 152 | ); |
Andrey Andreev | 92ebfb6 | 2012-05-17 12:49:24 +0300 | [diff] [blame] | 153 | |
Timothy Warren | ad47505 | 2012-04-19 13:21:06 -0400 | [diff] [blame] | 154 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 155 | * Class constructor |
Andrey Andreev | 92ebfb6 | 2012-05-17 12:49:24 +0300 | [diff] [blame] | 156 | * |
| 157 | * @return void |
Timothy Warren | ad47505 | 2012-04-19 13:21:06 -0400 | [diff] [blame] | 158 | */ |
Greg Aker | a926328 | 2010-11-10 15:26:43 -0600 | [diff] [blame] | 159 | public function __construct() |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 160 | { |
Andrey Andreev | 67ccdc0 | 2012-02-27 23:57:58 +0200 | [diff] [blame] | 161 | // Is CSRF protection enabled? |
| 162 | if (config_item('csrf_protection') === TRUE) |
patwork | ef1a55a | 2011-04-09 13:04:06 +0200 | [diff] [blame] | 163 | { |
Andrey Andreev | 67ccdc0 | 2012-02-27 23:57:58 +0200 | [diff] [blame] | 164 | // CSRF config |
| 165 | foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key) |
patwork | ef1a55a | 2011-04-09 13:04:06 +0200 | [diff] [blame] | 166 | { |
Andrey Andreev | 67ccdc0 | 2012-02-27 23:57:58 +0200 | [diff] [blame] | 167 | if (FALSE !== ($val = config_item($key))) |
| 168 | { |
| 169 | $this->{'_'.$key} = $val; |
| 170 | } |
patwork | ef1a55a | 2011-04-09 13:04:06 +0200 | [diff] [blame] | 171 | } |
patwork | ef1a55a | 2011-04-09 13:04:06 +0200 | [diff] [blame] | 172 | |
Andrey Andreev | 67ccdc0 | 2012-02-27 23:57:58 +0200 | [diff] [blame] | 173 | // Append application specific cookie prefix |
| 174 | if (config_item('cookie_prefix')) |
| 175 | { |
| 176 | $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name; |
| 177 | } |
Derek Jones | b3f10a2 | 2010-07-25 19:11:26 -0500 | [diff] [blame] | 178 | |
Andrey Andreev | 67ccdc0 | 2012-02-27 23:57:58 +0200 | [diff] [blame] | 179 | // Set the CSRF hash |
| 180 | $this->_csrf_set_hash(); |
| 181 | } |
Derek Allard | 958543a | 2010-07-22 14:10:26 -0400 | [diff] [blame] | 182 | |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 183 | log_message('debug', 'Security Class Initialized'); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 184 | } |
| 185 | |
| 186 | // -------------------------------------------------------------------- |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 187 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 188 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 189 | * CSRF Verify |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 190 | * |
Andrew Podner | 4296a65 | 2012-12-17 07:51:15 -0500 | [diff] [blame] | 191 | * @return CI_Security |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 192 | */ |
Eric Barnes | 9805ecc | 2011-01-16 23:35:16 -0500 | [diff] [blame] | 193 | public function csrf_verify() |
Derek Allard | 958543a | 2010-07-22 14:10:26 -0400 | [diff] [blame] | 194 | { |
Andrey Andreev | 5d27c43 | 2012-03-08 12:01:52 +0200 | [diff] [blame] | 195 | // If it's not a POST request we will set the CSRF cookie |
| 196 | if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 197 | { |
| 198 | return $this->csrf_set_cookie(); |
| 199 | } |
Andrey Andreev | 3d113bd | 2011-10-05 00:03:20 +0300 | [diff] [blame] | 200 | |
Alex Bilbie | aeb2c3e | 2011-08-21 16:14:54 +0100 | [diff] [blame] | 201 | // Check if URI has been whitelisted from CSRF checks |
| 202 | if ($exclude_uris = config_item('csrf_exclude_uris')) |
| 203 | { |
| 204 | $uri = load_class('URI', 'core'); |
| 205 | if (in_array($uri->uri_string(), $exclude_uris)) |
| 206 | { |
| 207 | return $this; |
| 208 | } |
| 209 | } |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 210 | |
| 211 | // Do the tokens exist in both the _POST and _COOKIE arrays? |
Andrey Andreev | f795ab5 | 2012-10-24 21:28:25 +0300 | [diff] [blame] | 212 | if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]) |
Alex Bilbie | ed944a3 | 2012-06-02 11:07:47 +0100 | [diff] [blame] | 213 | OR $_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match? |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 214 | { |
| 215 | $this->csrf_show_error(); |
| 216 | } |
| 217 | |
Andrey Andreev | 4562f2c | 2012-01-09 23:39:50 +0200 | [diff] [blame] | 218 | // We kill this since we're done and we don't want to polute the _POST array |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 219 | unset($_POST[$this->_csrf_token_name]); |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 220 | |
RS71 | 2be25a6 | 2011-12-31 16:02:04 -0200 | [diff] [blame] | 221 | // Regenerate on every submission? |
| 222 | if (config_item('csrf_regenerate')) |
| 223 | { |
| 224 | // Nothing should last forever |
| 225 | unset($_COOKIE[$this->_csrf_cookie_name]); |
| 226 | $this->_csrf_hash = ''; |
| 227 | } |
Andrey Andreev | 8a7d078 | 2012-01-08 05:43:42 +0200 | [diff] [blame] | 228 | |
Derek Jones | b3f10a2 | 2010-07-25 19:11:26 -0500 | [diff] [blame] | 229 | $this->_csrf_set_hash(); |
| 230 | $this->csrf_set_cookie(); |
Andrey Andreev | 3d113bd | 2011-10-05 00:03:20 +0300 | [diff] [blame] | 231 | |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 232 | log_message('debug', 'CSRF token verified'); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 233 | return $this; |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 234 | } |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 235 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 236 | // -------------------------------------------------------------------- |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 237 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 238 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 239 | * CSRF Set Cookie |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 240 | * |
Taufan Aditya | 6c7526c | 2012-05-27 13:51:27 +0700 | [diff] [blame] | 241 | * @codeCoverageIgnore |
Andrew Podner | 4296a65 | 2012-12-17 07:51:15 -0500 | [diff] [blame] | 242 | * @return CI_Security |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 243 | */ |
Eric Barnes | 9805ecc | 2011-01-16 23:35:16 -0500 | [diff] [blame] | 244 | public function csrf_set_cookie() |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 245 | { |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 246 | $expire = time() + $this->_csrf_expire; |
Andrey Andreev | 3d113bd | 2011-10-05 00:03:20 +0300 | [diff] [blame] | 247 | $secure_cookie = (bool) config_item('cookie_secure'); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 248 | |
Andrey Andreev | 3fb0267 | 2012-10-22 16:48:01 +0300 | [diff] [blame] | 249 | if ($secure_cookie && ! is_https()) |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 250 | { |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 251 | return FALSE; |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 252 | } |
Derek Allard | 958543a | 2010-07-22 14:10:26 -0400 | [diff] [blame] | 253 | |
freewil | 4ad0fd8 | 2012-03-13 22:37:42 -0400 | [diff] [blame] | 254 | setcookie( |
Andrey Andreev | 92ebfb6 | 2012-05-17 12:49:24 +0300 | [diff] [blame] | 255 | $this->_csrf_cookie_name, |
| 256 | $this->_csrf_hash, |
| 257 | $expire, |
| 258 | config_item('cookie_path'), |
| 259 | config_item('cookie_domain'), |
freewil | 4ad0fd8 | 2012-03-13 22:37:42 -0400 | [diff] [blame] | 260 | $secure_cookie, |
| 261 | config_item('cookie_httponly') |
| 262 | ); |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 263 | log_message('debug', 'CRSF cookie Set'); |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 264 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 265 | return $this; |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 266 | } |
| 267 | |
| 268 | // -------------------------------------------------------------------- |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 269 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 270 | /** |
| 271 | * Show CSRF Error |
| 272 | * |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 273 | * @return void |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 274 | */ |
Eric Barnes | 9805ecc | 2011-01-16 23:35:16 -0500 | [diff] [blame] | 275 | public function csrf_show_error() |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 276 | { |
| 277 | show_error('The action you have requested is not allowed.'); |
| 278 | } |
| 279 | |
| 280 | // -------------------------------------------------------------------- |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 281 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 282 | /** |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 283 | * Get CSRF Hash |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 284 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 285 | * @see CI_Security::$_csrf_hash |
| 286 | * @return string CSRF hash |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 287 | */ |
| 288 | public function get_csrf_hash() |
| 289 | { |
| 290 | return $this->_csrf_hash; |
| 291 | } |
| 292 | |
| 293 | // -------------------------------------------------------------------- |
| 294 | |
| 295 | /** |
| 296 | * Get CSRF Token Name |
| 297 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 298 | * @see CI_Security::$_csrf_token_name |
| 299 | * @return string CSRF token name |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 300 | */ |
| 301 | public function get_csrf_token_name() |
| 302 | { |
| 303 | return $this->_csrf_token_name; |
| 304 | } |
| 305 | |
| 306 | // -------------------------------------------------------------------- |
| 307 | |
| 308 | /** |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 309 | * XSS Clean |
| 310 | * |
| 311 | * Sanitizes data so that Cross Site Scripting Hacks can be |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 312 | * prevented. This method does a fair amount of work but |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 313 | * it is extremely thorough, designed to prevent even the |
Derek Jones | 37f4b9c | 2011-07-01 17:56:50 -0500 | [diff] [blame] | 314 | * most obscure XSS attempts. Nothing is ever 100% foolproof, |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 315 | * of course, but I haven't been able to get anything passed |
| 316 | * the filter. |
| 317 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 318 | * Note: Should only be used to deal with data upon submission. |
| 319 | * It's not something that should be used for general |
| 320 | * runtime processing. |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 321 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 322 | * @link http://channel.bitflux.ch/wiki/XSS_Prevention |
| 323 | * Based in part on some code and ideas from Bitflux. |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 324 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 325 | * @link http://ha.ckers.org/xss.html |
| 326 | * To help develop this script I used this great list of |
| 327 | * vulnerabilities along with a few other hacks I've |
| 328 | * harvested from examining vulnerabilities in other programs. |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 329 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 330 | * @param string|string[] $str Input data |
| 331 | * @param bool $is_image Whether the input is an image |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 332 | * @return string |
| 333 | */ |
Eric Barnes | 9805ecc | 2011-01-16 23:35:16 -0500 | [diff] [blame] | 334 | public function xss_clean($str, $is_image = FALSE) |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 335 | { |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 336 | // Is the string an array? |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 337 | if (is_array($str)) |
| 338 | { |
| 339 | while (list($key) = each($str)) |
| 340 | { |
| 341 | $str[$key] = $this->xss_clean($str[$key]); |
| 342 | } |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 343 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 344 | return $str; |
| 345 | } |
| 346 | |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 347 | // Remove Invisible Characters and validate entities in URLs |
| 348 | $str = $this->_validate_entities(remove_invisible_characters($str)); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 349 | |
| 350 | /* |
| 351 | * URL Decode |
| 352 | * |
| 353 | * Just in case stuff like this is submitted: |
| 354 | * |
| 355 | * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a> |
| 356 | * |
| 357 | * Note: Use rawurldecode() so it does not remove plus signs |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 358 | */ |
| 359 | $str = rawurldecode($str); |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 360 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 361 | /* |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 362 | * Convert character entities to ASCII |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 363 | * |
| 364 | * This permits our tests below to work reliably. |
| 365 | * We only convert entities that are within tags since |
| 366 | * these are the ones that will pose security problems. |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 367 | */ |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 368 | $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); |
brian978 | 07ccbe5 | 2012-12-11 20:24:12 +0200 | [diff] [blame] | 369 | $str = preg_replace_callback('/<\w+.*/si', array($this, '_decode_entity'), $str); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 370 | |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 371 | // Remove Invisible Characters Again! |
Greg Aker | 757dda6 | 2010-04-14 19:06:19 -0500 | [diff] [blame] | 372 | $str = remove_invisible_characters($str); |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 373 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 374 | /* |
| 375 | * Convert all tabs to spaces |
| 376 | * |
| 377 | * This prevents strings like this: ja vascript |
| 378 | * NOTE: we deal with spaces between characters later. |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 379 | * NOTE: preg_replace was found to be amazingly slow here on |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 380 | * large blocks of data, so we use str_replace. |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 381 | */ |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 382 | $str = str_replace("\t", ' ', $str); |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 383 | |
Andrey Andreev | 4562f2c | 2012-01-09 23:39:50 +0200 | [diff] [blame] | 384 | // Capture converted string for later comparison |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 385 | $converted_string = $str; |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 386 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 387 | // Remove Strings that are never allowed |
| 388 | $str = $this->_do_never_allowed($str); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 389 | |
| 390 | /* |
| 391 | * Makes PHP tags safe |
| 392 | * |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 393 | * Note: XML tags are inadvertently replaced too: |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 394 | * |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 395 | * <?xml |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 396 | * |
| 397 | * But it doesn't seem to pose a problem. |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 398 | */ |
| 399 | if ($is_image === TRUE) |
| 400 | { |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 401 | // Images have a tendency to have the PHP short opening and |
| 402 | // closing tags every so often so we skip those and only |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 403 | // do the long opening tags. |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 404 | $str = preg_replace('/<\?(php)/i', '<?\\1', $str); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 405 | } |
| 406 | else |
| 407 | { |
Andrey Andreev | 838a9d6 | 2012-12-03 14:37:47 +0200 | [diff] [blame] | 408 | $str = str_replace(array('<?', '?'.'>'), array('<?', '?>'), $str); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 409 | } |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 410 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 411 | /* |
| 412 | * Compact any exploded words |
| 413 | * |
Derek Jones | 37f4b9c | 2011-07-01 17:56:50 -0500 | [diff] [blame] | 414 | * This corrects words like: j a v a s c r i p t |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 415 | * These words are compacted back to their correct state. |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 416 | */ |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 417 | $words = array( |
Wes Baker | d348135 | 2012-05-07 16:49:33 -0400 | [diff] [blame] | 418 | 'javascript', 'expression', 'vbscript', 'script', 'base64', |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 419 | 'applet', 'alert', 'document', 'write', 'cookie', 'window' |
| 420 | ); |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 421 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 422 | foreach ($words as $word) |
| 423 | { |
Andrey Andreev | 67ccdc0 | 2012-02-27 23:57:58 +0200 | [diff] [blame] | 424 | $word = implode('\s*', str_split($word)).'\s*'; |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 425 | |
| 426 | // We only want to do this when it is followed by a non-word character |
| 427 | // That way valid stuff like "dealer to" does not become "dealerto" |
Andrey Andreev | 3d113bd | 2011-10-05 00:03:20 +0300 | [diff] [blame] | 428 | $str = preg_replace_callback('#('.substr($word, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 429 | } |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 430 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 431 | /* |
| 432 | * Remove disallowed Javascript in links or img tags |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 433 | * We used to do some version comparisons and use of stripos for PHP5, |
| 434 | * but it is dog slow compared to these simplified non-capturing |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 435 | * preg_match(), especially if the pattern exists in the string |
Andrey Andreev | 12445ca | 2014-01-25 01:55:52 +0200 | [diff] [blame] | 436 | * |
| 437 | * Note: It was reported that not only space characters, but all in |
| 438 | * the following pattern can be parsed as separators between a tag name |
| 439 | * and its attributes: [\d\s"\'`;,\/\=\(\x00\x0B\x09\x0C] |
| 440 | * ... however, remove_invisible_characters() above already strips the |
| 441 | * hex-encoded ones, so we'll skip them below. |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 442 | */ |
| 443 | do |
| 444 | { |
| 445 | $original = $str; |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 446 | |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 447 | if (preg_match('/<a/i', $str)) |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 448 | { |
Andrey Andreev | 12445ca | 2014-01-25 01:55:52 +0200 | [diff] [blame] | 449 | $str = preg_replace_callback('#<a[\s\d"\'`;/=,\(]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 450 | } |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 451 | |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 452 | if (preg_match('/<img/i', $str)) |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 453 | { |
Andrey Andreev | 12445ca | 2014-01-25 01:55:52 +0200 | [diff] [blame] | 454 | $str = preg_replace_callback('#<img[\s\d"\'`;/=,\(]+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 455 | } |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 456 | |
vlakoff | a81f60c | 2012-07-02 15:20:11 +0200 | [diff] [blame] | 457 | if (preg_match('/script|xss/i', $str)) |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 458 | { |
vlakoff | a81f60c | 2012-07-02 15:20:11 +0200 | [diff] [blame] | 459 | $str = preg_replace('#</*(?:script|xss).*?>#si', '[removed]', $str); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 460 | } |
| 461 | } |
vlakoff | a81f60c | 2012-07-02 15:20:11 +0200 | [diff] [blame] | 462 | while ($original !== $str); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 463 | |
| 464 | unset($original); |
| 465 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 466 | // Remove evil attributes such as style, onclick and xmlns |
| 467 | $str = $this->_remove_evil_attributes($str, $is_image); |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 468 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 469 | /* |
| 470 | * Sanitize naughty HTML elements |
| 471 | * |
| 472 | * If a tag containing any of the words in the list |
| 473 | * below is found, the tag gets converted to entities. |
| 474 | * |
| 475 | * So this: <blink> |
| 476 | * Becomes: <blink> |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 477 | */ |
Andrey Andreev | c53a178 | 2014-01-24 19:32:48 +0200 | [diff] [blame] | 478 | $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|video|svg|xml|xss'; |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 479 | $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str); |
| 480 | |
| 481 | /* |
| 482 | * Sanitize naughty scripting elements |
| 483 | * |
| 484 | * Similar to above, only instead of looking for |
| 485 | * tags it looks for PHP and JavaScript commands |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 486 | * that are disallowed. Rather than removing the |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 487 | * code, it simply converts the parenthesis to entities |
| 488 | * rendering the code un-executable. |
| 489 | * |
| 490 | * For example: eval('some code') |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 491 | * Becomes: eval('some code') |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 492 | */ |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 493 | $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', |
| 494 | '\\1\\2(\\3)', |
| 495 | $str); |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 496 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 497 | // Final clean up |
| 498 | // This adds a bit of extra precaution in case |
| 499 | // something got through the above filters |
| 500 | $str = $this->_do_never_allowed($str); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 501 | |
| 502 | /* |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 503 | * Images are Handled in a Special Way |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 504 | * - Essentially, we want to know that after all of the character |
| 505 | * conversion is done whether any unwanted, likely XSS, code was found. |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 506 | * If not, we return TRUE, as the image is clean. |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 507 | * However, if the string post-conversion does not matched the |
| 508 | * string post-removal of XSS, then it fails, as there was unwanted XSS |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 509 | * code found and removed/changed during processing. |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 510 | */ |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 511 | if ($is_image === TRUE) |
| 512 | { |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 513 | return ($str === $converted_string); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 514 | } |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 515 | |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 516 | log_message('debug', 'XSS Filtering completed'); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 517 | return $str; |
| 518 | } |
| 519 | |
| 520 | // -------------------------------------------------------------------- |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 521 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 522 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 523 | * XSS Hash |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 524 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 525 | * Generates the XSS hash if needed and returns it. |
| 526 | * |
| 527 | * @see CI_Security::$_xss_hash |
| 528 | * @return string XSS hash |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 529 | */ |
Eric Barnes | 9805ecc | 2011-01-16 23:35:16 -0500 | [diff] [blame] | 530 | public function xss_hash() |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 531 | { |
Alex Bilbie | ed944a3 | 2012-06-02 11:07:47 +0100 | [diff] [blame] | 532 | if ($this->_xss_hash === '') |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 533 | { |
vlakoff | 0612756 | 2013-03-30 00:06:39 +0100 | [diff] [blame] | 534 | $this->_xss_hash = md5(uniqid(mt_rand())); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 535 | } |
| 536 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 537 | return $this->_xss_hash; |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 538 | } |
| 539 | |
| 540 | // -------------------------------------------------------------------- |
| 541 | |
| 542 | /** |
Derek Jones | a091147 | 2010-03-30 10:33:09 -0500 | [diff] [blame] | 543 | * HTML Entities Decode |
| 544 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 545 | * A replacement for html_entity_decode() |
Derek Jones | a091147 | 2010-03-30 10:33:09 -0500 | [diff] [blame] | 546 | * |
Pascal Kriete | c38e3b6 | 2011-11-14 13:55:00 -0500 | [diff] [blame] | 547 | * The reason we are not using html_entity_decode() by itself is because |
| 548 | * while it is not technically correct to leave out the semicolon |
| 549 | * at the end of an entity most browsers will still interpret the entity |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 550 | * correctly. html_entity_decode() does not convert entities without |
Pascal Kriete | c38e3b6 | 2011-11-14 13:55:00 -0500 | [diff] [blame] | 551 | * semicolons, so we are left with our own little solution here. Bummer. |
Derek Jones | a091147 | 2010-03-30 10:33:09 -0500 | [diff] [blame] | 552 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 553 | * @link http://php.net/html-entity-decode |
| 554 | * |
| 555 | * @param string $str Input |
| 556 | * @param string $charset Character set |
Derek Jones | a091147 | 2010-03-30 10:33:09 -0500 | [diff] [blame] | 557 | * @return string |
| 558 | */ |
freewil | 8cc0cfe | 2011-08-27 21:53:00 -0400 | [diff] [blame] | 559 | public function entity_decode($str, $charset = NULL) |
Derek Jones | a091147 | 2010-03-30 10:33:09 -0500 | [diff] [blame] | 560 | { |
Andrey Andreev | 3d113bd | 2011-10-05 00:03:20 +0300 | [diff] [blame] | 561 | if (strpos($str, '&') === FALSE) |
freewil | 5c9b0d1 | 2011-08-28 12:15:23 -0400 | [diff] [blame] | 562 | { |
| 563 | return $str; |
| 564 | } |
Andrey Andreev | 3d113bd | 2011-10-05 00:03:20 +0300 | [diff] [blame] | 565 | |
freewil | 5c9b0d1 | 2011-08-28 12:15:23 -0400 | [diff] [blame] | 566 | if (empty($charset)) |
| 567 | { |
| 568 | $charset = config_item('charset'); |
| 569 | } |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 570 | |
brian978 | 638a9d2 | 2012-12-18 13:25:54 +0200 | [diff] [blame] | 571 | do |
| 572 | { |
Andrey Andreev | 99e2f8e | 2014-01-19 00:04:44 +0200 | [diff] [blame] | 573 | $m1 = $m2 = 0; |
brian978 | 07ccbe5 | 2012-12-11 20:24:12 +0200 | [diff] [blame] | 574 | |
Andrey Andreev | 99e2f8e | 2014-01-19 00:04:44 +0200 | [diff] [blame] | 575 | $str = preg_replace('/(�*[0-9a-f]{2,5})(?![0-9a-f;])/iS', '$1;', $str, -1, $m1); |
| 576 | $str = preg_replace('/(&#\d{2,4})(?![0-9;])/S', '$1;', $str, -1, $m2); |
brian978 | 638a9d2 | 2012-12-18 13:25:54 +0200 | [diff] [blame] | 577 | $str = html_entity_decode($str, ENT_COMPAT, $charset); |
brian978 | 638a9d2 | 2012-12-18 13:25:54 +0200 | [diff] [blame] | 578 | } |
Andrey Andreev | 99e2f8e | 2014-01-19 00:04:44 +0200 | [diff] [blame] | 579 | while ($m1 OR $m2); |
brian978 | f50fc73 | 2012-12-08 23:22:26 +0200 | [diff] [blame] | 580 | |
brian978 | 638a9d2 | 2012-12-18 13:25:54 +0200 | [diff] [blame] | 581 | return $str; |
Derek Jones | a091147 | 2010-03-30 10:33:09 -0500 | [diff] [blame] | 582 | } |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 583 | |
Derek Jones | a091147 | 2010-03-30 10:33:09 -0500 | [diff] [blame] | 584 | // -------------------------------------------------------------------- |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 585 | |
Derek Jones | a091147 | 2010-03-30 10:33:09 -0500 | [diff] [blame] | 586 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 587 | * Sanitize Filename |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 588 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 589 | * @param string $str Input file name |
| 590 | * @param bool $relative_path Whether to preserve paths |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 591 | * @return string |
| 592 | */ |
Hunter Wu | 8df3352 | 2013-08-03 22:36:05 +0800 | [diff] [blame] | 593 | public function sanitize_filename($str, $relative_path = FALSE) |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 594 | { |
Hunter Wu | 4495cc7 | 2013-08-04 12:31:52 +0800 | [diff] [blame] | 595 | $bad = $this->filename_bad_chars; |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 596 | |
Derek Jones | 2ef3759 | 2010-10-06 17:51:59 -0500 | [diff] [blame] | 597 | if ( ! $relative_path) |
| 598 | { |
| 599 | $bad[] = './'; |
| 600 | $bad[] = '/'; |
| 601 | } |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 602 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 603 | $str = remove_invisible_characters($str, FALSE); |
Andrey Andreev | 7e55977 | 2013-01-29 15:38:33 +0200 | [diff] [blame] | 604 | |
| 605 | do |
| 606 | { |
| 607 | $old = $str; |
| 608 | $str = str_replace($bad, '', $str); |
| 609 | } |
| 610 | while ($old !== $str); |
| 611 | |
| 612 | return stripslashes($str); |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 613 | } |
| 614 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 615 | // ---------------------------------------------------------------- |
| 616 | |
| 617 | /** |
Andrey Andreev | 1a24a9d | 2012-06-27 00:52:47 +0300 | [diff] [blame] | 618 | * Strip Image Tags |
| 619 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 620 | * @param string $str |
Andrey Andreev | 1a24a9d | 2012-06-27 00:52:47 +0300 | [diff] [blame] | 621 | * @return string |
| 622 | */ |
| 623 | public function strip_image_tags($str) |
| 624 | { |
David Cox Jr | 46e77e0 | 2013-10-03 16:56:04 -0400 | [diff] [blame] | 625 | return preg_replace(array('#<img[\s/]+.*?src\s*=\s*["\'](.+?)["\'].*?\>#', '#<img[\s/]+.*?src\s*=\s*(.+?).*?\>#'), '\\1', $str); |
Andrey Andreev | 1a24a9d | 2012-06-27 00:52:47 +0300 | [diff] [blame] | 626 | } |
| 627 | |
| 628 | // ---------------------------------------------------------------- |
| 629 | |
| 630 | /** |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 631 | * Compact Exploded Words |
| 632 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 633 | * Callback method for xss_clean() to remove whitespace from |
| 634 | * things like 'j a v a s c r i p t'. |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 635 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 636 | * @used-by CI_Security::xss_clean() |
| 637 | * @param array $matches |
Timothy Warren | ad47505 | 2012-04-19 13:21:06 -0400 | [diff] [blame] | 638 | * @return string |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 639 | */ |
| 640 | protected function _compact_exploded_words($matches) |
| 641 | { |
| 642 | return preg_replace('/\s+/s', '', $matches[1]).$matches[2]; |
| 643 | } |
| 644 | |
| 645 | // -------------------------------------------------------------------- |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 646 | |
Timothy Warren | ad47505 | 2012-04-19 13:21:06 -0400 | [diff] [blame] | 647 | /** |
| 648 | * Remove Evil HTML Attributes (like event handlers and style) |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 649 | * |
| 650 | * It removes the evil attribute and either: |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 651 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 652 | * - Everything up until a space. For example, everything between the pipes: |
| 653 | * |
| 654 | * <code> |
| 655 | * <a |style=document.write('hello');alert('world');| class=link> |
| 656 | * </code> |
| 657 | * |
| 658 | * - Everything inside the quotes. For example, everything between the pipes: |
| 659 | * |
| 660 | * <code> |
| 661 | * <a |style="document.write('hello'); alert('world');"| class="link"> |
| 662 | * </code> |
| 663 | * |
| 664 | * @param string $str The string to check |
| 665 | * @param bool $is_image Whether the input is an image |
| 666 | * @return string The string with the evil attributes removed |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 667 | */ |
| 668 | protected function _remove_evil_attributes($str, $is_image) |
| 669 | { |
Andrey Andreev | adf3bde | 2014-01-25 16:59:17 +0200 | [diff] [blame^] | 670 | $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href'); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 671 | |
| 672 | if ($is_image === TRUE) |
| 673 | { |
| 674 | /* |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 675 | * Adobe Photoshop puts XML metadata into JFIF images, |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 676 | * including namespacing, so we have to allow this for images. |
| 677 | */ |
| 678 | unset($evil_attributes[array_search('xmlns', $evil_attributes)]); |
| 679 | } |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 680 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 681 | do { |
Pascal Kriete | c38e3b6 | 2011-11-14 13:55:00 -0500 | [diff] [blame] | 682 | $count = 0; |
| 683 | $attribs = array(); |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 684 | |
brian978 | 160c7d1 | 2012-12-03 21:18:20 +0200 | [diff] [blame] | 685 | // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) |
| 686 | preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 687 | |
Pascal Kriete | c38e3b6 | 2011-11-14 13:55:00 -0500 | [diff] [blame] | 688 | foreach ($matches as $attr) |
| 689 | { |
| 690 | $attribs[] = preg_quote($attr[0], '/'); |
| 691 | } |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 692 | |
brian978 | 160c7d1 | 2012-12-03 21:18:20 +0200 | [diff] [blame] | 693 | // find occurrences of illegal attribute strings without quotes |
| 694 | preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER); |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 695 | |
Pascal Kriete | c38e3b6 | 2011-11-14 13:55:00 -0500 | [diff] [blame] | 696 | foreach ($matches as $attr) |
| 697 | { |
| 698 | $attribs[] = preg_quote($attr[0], '/'); |
| 699 | } |
| 700 | |
| 701 | // replace illegal attribute strings that are inside an html tag |
| 702 | if (count($attribs) > 0) |
| 703 | { |
brian978 | 160c7d1 | 2012-12-03 21:18:20 +0200 | [diff] [blame] | 704 | $str = preg_replace('/(<?)(\/?[^><]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><]?)([><]*)/i', '$1$2 $4$6$7$8', $str, -1, $count); |
Pascal Kriete | c38e3b6 | 2011-11-14 13:55:00 -0500 | [diff] [blame] | 705 | } |
Andrey Andreev | 72ed4c3 | 2012-12-19 17:07:54 +0200 | [diff] [blame] | 706 | } |
| 707 | while ($count); |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 708 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 709 | return $str; |
| 710 | } |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 711 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 712 | // -------------------------------------------------------------------- |
| 713 | |
| 714 | /** |
| 715 | * Sanitize Naughty HTML |
| 716 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 717 | * Callback method for xss_clean() to remove naughty HTML elements. |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 718 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 719 | * @used-by CI_Security::xss_clean() |
| 720 | * @param array $matches |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 721 | * @return string |
| 722 | */ |
| 723 | protected function _sanitize_naughty_html($matches) |
| 724 | { |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 725 | return '<'.$matches[1].$matches[2].$matches[3] // encode opening brace |
| 726 | // encode captured opening or closing brace to prevent recursive vectors: |
Andrey Andreev | 67ccdc0 | 2012-02-27 23:57:58 +0200 | [diff] [blame] | 727 | .str_replace(array('>', '<'), array('>', '<'), $matches[4]); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 728 | } |
| 729 | |
| 730 | // -------------------------------------------------------------------- |
| 731 | |
| 732 | /** |
| 733 | * JS Link Removal |
| 734 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 735 | * Callback method for xss_clean() to sanitize links. |
| 736 | * |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 737 | * This limits the PCRE backtracks, making it more performance friendly |
| 738 | * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 739 | * PHP 5.2+ on link-heavy strings. |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 740 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 741 | * @used-by CI_Security::xss_clean() |
| 742 | * @param array $match |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 743 | * @return string |
| 744 | */ |
| 745 | protected function _js_link_removal($match) |
| 746 | { |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 747 | return str_replace($match[1], |
vlakoff | a81f60c | 2012-07-02 15:20:11 +0200 | [diff] [blame] | 748 | preg_replace('#href=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si', |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 749 | '', |
| 750 | $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])) |
| 751 | ), |
| 752 | $match[0]); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 753 | } |
| 754 | |
| 755 | // -------------------------------------------------------------------- |
| 756 | |
| 757 | /** |
| 758 | * JS Image Removal |
| 759 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 760 | * Callback method for xss_clean() to sanitize image tags. |
| 761 | * |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 762 | * This limits the PCRE backtracks, making it more performance friendly |
| 763 | * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 764 | * PHP 5.2+ on image tag heavy strings. |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 765 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 766 | * @used-by CI_Security::xss_clean() |
| 767 | * @param array $match |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 768 | * @return string |
| 769 | */ |
| 770 | protected function _js_img_removal($match) |
| 771 | { |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 772 | return str_replace($match[1], |
vlakoff | a81f60c | 2012-07-02 15:20:11 +0200 | [diff] [blame] | 773 | preg_replace('#src=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si', |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 774 | '', |
| 775 | $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])) |
| 776 | ), |
| 777 | $match[0]); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 778 | } |
| 779 | |
| 780 | // -------------------------------------------------------------------- |
| 781 | |
| 782 | /** |
| 783 | * Attribute Conversion |
| 784 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 785 | * @used-by CI_Security::xss_clean() |
| 786 | * @param array $match |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 787 | * @return string |
| 788 | */ |
| 789 | protected function _convert_attribute($match) |
| 790 | { |
| 791 | return str_replace(array('>', '<', '\\'), array('>', '<', '\\\\'), $match[0]); |
| 792 | } |
| 793 | |
| 794 | // -------------------------------------------------------------------- |
| 795 | |
| 796 | /** |
| 797 | * Filter Attributes |
| 798 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 799 | * Filters tag attributes for consistency and safety. |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 800 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 801 | * @used-by CI_Security::_js_img_removal() |
| 802 | * @used-by CI_Security::_js_link_removal() |
| 803 | * @param string $str |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 804 | * @return string |
| 805 | */ |
| 806 | protected function _filter_attributes($str) |
| 807 | { |
| 808 | $out = ''; |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 809 | if (preg_match_all('#\s*[a-z\-]+\s*=\s*(\042|\047)([^\\1]*?)\\1#is', $str, $matches)) |
| 810 | { |
| 811 | foreach ($matches[0] as $match) |
| 812 | { |
Andrey Andreev | 4562f2c | 2012-01-09 23:39:50 +0200 | [diff] [blame] | 813 | $out .= preg_replace('#/\*.*?\*/#s', '', $match); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 814 | } |
| 815 | } |
| 816 | |
| 817 | return $out; |
| 818 | } |
| 819 | |
| 820 | // -------------------------------------------------------------------- |
| 821 | |
| 822 | /** |
| 823 | * HTML Entity Decode Callback |
| 824 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 825 | * @used-by CI_Security::xss_clean() |
| 826 | * @param array $match |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 827 | * @return string |
| 828 | */ |
| 829 | protected function _decode_entity($match) |
| 830 | { |
Andrey Andreev | c67c3fb | 2014-01-22 13:26:00 +0200 | [diff] [blame] | 831 | // entity_decode() won't convert dangerous HTML5 entities |
| 832 | // (it could, but ENT_HTML5 is only available since PHP 5.4), |
| 833 | // so we'll do that here |
| 834 | return str_ireplace( |
| 835 | array_keys($this->html5_entities), |
| 836 | array_values($this->html5_entities), |
| 837 | $this->entity_decode($match[0], strtoupper(config_item('charset'))) |
| 838 | ); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 839 | } |
| 840 | |
| 841 | // -------------------------------------------------------------------- |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 842 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 843 | /** |
| 844 | * Validate URL entities |
| 845 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 846 | * @used-by CI_Security::xss_clean() |
| 847 | * @param string $str |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 848 | * @return string |
| 849 | */ |
| 850 | protected function _validate_entities($str) |
| 851 | { |
| 852 | /* |
| 853 | * Protect GET variables in URLs |
| 854 | */ |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 855 | |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 856 | // 901119URL5918AMP18930PROTECT8198 |
| 857 | $str = preg_replace('|\&([a-z\_0-9\-]+)\=([a-z\_0-9\-]+)|i', $this->xss_hash().'\\1=\\2', $str); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 858 | |
| 859 | /* |
| 860 | * Validate standard character entities |
| 861 | * |
Derek Jones | 37f4b9c | 2011-07-01 17:56:50 -0500 | [diff] [blame] | 862 | * Add a semicolon if missing. We do this to enable |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 863 | * the conversion of entities to ASCII later. |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 864 | */ |
Andrey Andreev | 4d05716 | 2014-01-20 11:17:34 +0200 | [diff] [blame] | 865 | $str = preg_replace('/(&#\d{2,4})(?![0-9;])/', '$1;', $str); |
| 866 | $str = preg_replace('/(&[a-z]{2,})(?![a-z;])/i', '$1;', $str); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 867 | |
| 868 | /* |
| 869 | * Validate UTF16 two byte encoding (x00) |
| 870 | * |
| 871 | * Just as above, adds a semicolon if missing. |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 872 | */ |
Andrey Andreev | 4d05716 | 2014-01-20 11:17:34 +0200 | [diff] [blame] | 873 | $str = preg_replace('/(�*[0-9a-f]{2,5})(?![0-9a-f;])/i', '$1;', $str); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 874 | |
| 875 | /* |
| 876 | * Un-Protect GET variables in URLs |
| 877 | */ |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 878 | return str_replace($this->xss_hash(), '&', $str); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 879 | } |
| 880 | |
| 881 | // ---------------------------------------------------------------------- |
| 882 | |
| 883 | /** |
| 884 | * Do Never Allowed |
| 885 | * |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 886 | * @used-by CI_Security::xss_clean() |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 887 | * @param string |
| 888 | * @return string |
| 889 | */ |
| 890 | protected function _do_never_allowed($str) |
| 891 | { |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 892 | $str = str_replace(array_keys($this->_never_allowed_str), $this->_never_allowed_str, $str); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 893 | |
Andrey Andreev | bb488dc | 2012-01-07 23:35:16 +0200 | [diff] [blame] | 894 | foreach ($this->_never_allowed_regex as $regex) |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 895 | { |
Wes Baker | 5335bc3 | 2012-04-24 15:17:14 -0400 | [diff] [blame] | 896 | $str = preg_replace('#'.$regex.'#is', '[removed]', $str); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 897 | } |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 898 | |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 899 | return $str; |
| 900 | } |
| 901 | |
| 902 | // -------------------------------------------------------------------- |
| 903 | |
| 904 | /** |
Andrey Andreev | 6435410 | 2012-10-28 14:16:02 +0200 | [diff] [blame] | 905 | * Set CSRF Hash and Cookie |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 906 | * |
| 907 | * @return string |
| 908 | */ |
| 909 | protected function _csrf_set_hash() |
| 910 | { |
Alex Bilbie | ed944a3 | 2012-06-02 11:07:47 +0100 | [diff] [blame] | 911 | if ($this->_csrf_hash === '') |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 912 | { |
vlakoff | 3a3d5f6 | 2013-10-17 22:22:16 +0200 | [diff] [blame] | 913 | // If the cookie exists we will use its value. |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 914 | // We don't necessarily want to regenerate it with |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 915 | // each page load since a page could contain embedded |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 916 | // sub-pages causing this feature to fail |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 917 | if (isset($_COOKIE[$this->_csrf_cookie_name]) && |
Alexander Hofstede | e2c374f | 2012-05-17 00:28:08 +0200 | [diff] [blame] | 918 | preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->_csrf_cookie_name]) === 1) |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 919 | { |
| 920 | return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name]; |
| 921 | } |
David Behler | 07b5342 | 2011-08-15 00:25:06 +0200 | [diff] [blame] | 922 | |
vlakoff | 3a3d5f6 | 2013-10-17 22:22:16 +0200 | [diff] [blame] | 923 | $this->_csrf_hash = md5(uniqid(mt_rand(), TRUE)); |
Chris Berthe | d93e6f3 | 2011-09-25 10:33:25 -0400 | [diff] [blame] | 924 | $this->csrf_set_cookie(); |
Pascal Kriete | c9c045a | 2011-04-05 14:50:41 -0400 | [diff] [blame] | 925 | } |
| 926 | |
| 927 | return $this->_csrf_hash; |
| 928 | } |
| 929 | |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 930 | } |
Derek Jones | e701d76 | 2010-03-02 18:17:01 -0600 | [diff] [blame] | 931 | |
| 932 | /* End of file Security.php */ |
Andrey Andreev | 9ba661b | 2012-06-04 14:44:34 +0300 | [diff] [blame] | 933 | /* Location: ./system/core/Security.php */ |