Andrey Andreev | c5536aa | 2012-11-01 17:33:58 +0200 | [diff] [blame] | 1 | <?php |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 2 | /** |
| 3 | * CodeIgniter |
| 4 | * |
Phil Sturgeon | 07c1ac8 | 2012-03-09 17:03:37 +0000 | [diff] [blame] | 5 | * An open source application development framework for PHP 5.2.4 or newer |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 6 | * |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 7 | * NOTICE OF LICENSE |
Andrey Andreev | 64e98aa | 2012-01-07 20:29:10 +0200 | [diff] [blame] | 8 | * |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 9 | * Licensed under the Open Software License version 3.0 |
Andrey Andreev | 64e98aa | 2012-01-07 20:29:10 +0200 | [diff] [blame] | 10 | * |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 11 | * This source file is subject to the Open Software License (OSL 3.0) that is |
| 12 | * bundled with this package in the files license.txt / license.rst. It is |
| 13 | * also available through the world wide web at this URL: |
| 14 | * http://opensource.org/licenses/OSL-3.0 |
| 15 | * If you did not receive a copy of the license and are unable to obtain it |
| 16 | * through the world wide web, please send an email to |
| 17 | * licensing@ellislab.com so we can send you a copy immediately. |
| 18 | * |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 19 | * @package CodeIgniter |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 20 | * @author EllisLab Dev Team |
Andrey Andreev | 80500af | 2013-01-01 08:16:53 +0200 | [diff] [blame] | 21 | * @copyright Copyright (c) 2008 - 2013, EllisLab, Inc. (http://ellislab.com/) |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 22 | * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 23 | * @link http://codeigniter.com |
| 24 | * @since Version 1.0 |
| 25 | * @filesource |
| 26 | */ |
Andrey Andreev | c5536aa | 2012-11-01 17:33:58 +0200 | [diff] [blame] | 27 | defined('BASEPATH') OR exit('No direct script access allowed'); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 28 | |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 29 | /** |
| 30 | * Input Class |
| 31 | * |
| 32 | * Pre-processes global input data for security |
| 33 | * |
| 34 | * @package CodeIgniter |
| 35 | * @subpackage Libraries |
| 36 | * @category Input |
Derek Jones | f4a4bd8 | 2011-10-20 12:18:42 -0500 | [diff] [blame] | 37 | * @author EllisLab Dev Team |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 38 | * @link http://codeigniter.com/user_guide/libraries/input.html |
| 39 | */ |
| 40 | class CI_Input { |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 41 | |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 42 | /** |
| 43 | * IP address of the current user |
| 44 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 45 | * @var string |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 46 | */ |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 47 | public $ip_address = FALSE; |
Andrey Andreev | 92ebfb6 | 2012-05-17 12:49:24 +0300 | [diff] [blame] | 48 | |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 49 | /** |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 50 | * User agent strin |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 51 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 52 | * @var string |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 53 | */ |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 54 | public $user_agent = FALSE; |
Andrey Andreev | 92ebfb6 | 2012-05-17 12:49:24 +0300 | [diff] [blame] | 55 | |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 56 | /** |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 57 | * Allow GET array flag |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 58 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 59 | * If set to FALSE, then $_GET will be set to an empty array. |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 60 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 61 | * @var bool |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 62 | */ |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 63 | protected $_allow_get_array = TRUE; |
Andrey Andreev | 92ebfb6 | 2012-05-17 12:49:24 +0300 | [diff] [blame] | 64 | |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 65 | /** |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 66 | * Standartize new lines flag |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 67 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 68 | * If set to TRUE, then newlines are standardized. |
| 69 | * |
| 70 | * @var bool |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 71 | */ |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 72 | protected $_standardize_newlines = TRUE; |
Andrey Andreev | 92ebfb6 | 2012-05-17 12:49:24 +0300 | [diff] [blame] | 73 | |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 74 | /** |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 75 | * Enable XSS flag |
| 76 | * |
| 77 | * Determines whether the XSS filter is always active when |
| 78 | * GET, POST or COOKIE data is encountered. |
| 79 | * Set automatically based on config setting. |
| 80 | * |
| 81 | * @var bool |
| 82 | */ |
| 83 | protected $_enable_xss = FALSE; |
| 84 | |
| 85 | /** |
| 86 | * Enable CSRF flag |
| 87 | * |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 88 | * Enables a CSRF cookie token to be set. |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 89 | * Set automatically based on config setting. |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 90 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 91 | * @var bool |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 92 | */ |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 93 | protected $_enable_csrf = FALSE; |
Andrey Andreev | 92ebfb6 | 2012-05-17 12:49:24 +0300 | [diff] [blame] | 94 | |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 95 | /** |
| 96 | * List of all HTTP request headers |
| 97 | * |
| 98 | * @var array |
| 99 | */ |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 100 | protected $headers = array(); |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 101 | |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 102 | /** |
Andrey Andreev | 303eef0 | 2012-11-06 14:55:48 +0200 | [diff] [blame] | 103 | * Input stream data |
| 104 | * |
| 105 | * Parsed from php://input at runtime |
| 106 | * |
| 107 | * @see CI_Input::input_stream() |
| 108 | * @var array |
| 109 | */ |
| 110 | protected $_input_stream = NULL; |
| 111 | |
| 112 | /** |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 113 | * Class constructor |
Greg Aker | a926328 | 2010-11-10 15:26:43 -0600 | [diff] [blame] | 114 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 115 | * Determines whether to globally enable the XSS processing |
| 116 | * and whether to allow the $_GET array. |
Andrey Andreev | 92ebfb6 | 2012-05-17 12:49:24 +0300 | [diff] [blame] | 117 | * |
| 118 | * @return void |
Greg Aker | a926328 | 2010-11-10 15:26:43 -0600 | [diff] [blame] | 119 | */ |
| 120 | public function __construct() |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 121 | { |
Andrey Andreev | 1377497 | 2012-01-08 04:30:33 +0200 | [diff] [blame] | 122 | log_message('debug', 'Input Class Initialized'); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 123 | |
Phil Sturgeon | c808915 | 2010-12-27 19:06:28 +0000 | [diff] [blame] | 124 | $this->_allow_get_array = (config_item('allow_get_array') === TRUE); |
Andrey Andreev | 64e98aa | 2012-01-07 20:29:10 +0200 | [diff] [blame] | 125 | $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); |
| 126 | $this->_enable_csrf = (config_item('csrf_protection') === TRUE); |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 127 | |
Pascal Kriete | 14a0ac6 | 2011-04-05 14:55:56 -0400 | [diff] [blame] | 128 | global $SEC; |
| 129 | $this->security =& $SEC; |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 130 | |
Pascal Kriete | aaec1e4 | 2011-01-20 00:01:21 -0500 | [diff] [blame] | 131 | // Do we need the UTF-8 class? |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 132 | if (UTF8_ENABLED === TRUE) |
| 133 | { |
| 134 | global $UNI; |
| 135 | $this->uni =& $UNI; |
| 136 | } |
| 137 | |
| 138 | // Sanitize global arrays |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 139 | $this->_sanitize_globals(); |
| 140 | } |
| 141 | |
| 142 | // -------------------------------------------------------------------- |
| 143 | |
| 144 | /** |
Greg Aker | a926328 | 2010-11-10 15:26:43 -0600 | [diff] [blame] | 145 | * Fetch from array |
| 146 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 147 | * Internal method used to retrieve values from global arrays. |
Greg Aker | a926328 | 2010-11-10 15:26:43 -0600 | [diff] [blame] | 148 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 149 | * @param array &$array $_GET, $_POST, $_COOKIE, $_SERVER, etc. |
| 150 | * @param string $index Index for item to be fetched from $array |
| 151 | * @param bool $xss_clean Whether to apply XSS filtering |
| 152 | * @return mixed |
Greg Aker | a926328 | 2010-11-10 15:26:43 -0600 | [diff] [blame] | 153 | */ |
Bo-Yi Wu | 4721379 | 2011-09-13 22:44:07 +0800 | [diff] [blame] | 154 | protected function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 155 | { |
| 156 | if ( ! isset($array[$index])) |
| 157 | { |
Phil Sturgeon | 55a6ddb | 2012-05-23 18:37:24 +0100 | [diff] [blame] | 158 | return NULL; |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 159 | } |
| 160 | |
| 161 | if ($xss_clean === TRUE) |
| 162 | { |
Pascal Kriete | 14a0ac6 | 2011-04-05 14:55:56 -0400 | [diff] [blame] | 163 | return $this->security->xss_clean($array[$index]); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 164 | } |
| 165 | |
| 166 | return $array[$index]; |
| 167 | } |
| 168 | |
| 169 | // -------------------------------------------------------------------- |
| 170 | |
| 171 | /** |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 172 | * Fetch an item from the GET array |
| 173 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 174 | * @param string $index Index for item to be fetched from $_GET |
| 175 | * @param bool $xss_clean Whether to apply XSS filtering |
| 176 | * @return mixed |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 177 | */ |
Bo-Yi Wu | 4db872f | 2011-09-12 10:52:37 +0800 | [diff] [blame] | 178 | public function get($index = NULL, $xss_clean = FALSE) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 179 | { |
Phil Sturgeon | 44f2105 | 2011-02-15 21:39:25 +0000 | [diff] [blame] | 180 | // Check if a field has been provided |
Andrey Andreev | 77bd21b | 2012-11-20 16:34:15 +0200 | [diff] [blame] | 181 | if ($index === NULL) |
vascopj | ff1cfa1 | 2011-02-13 21:30:19 +0000 | [diff] [blame] | 182 | { |
Andrey Andreev | 77bd21b | 2012-11-20 16:34:15 +0200 | [diff] [blame] | 183 | if (empty($_GET)) |
| 184 | { |
| 185 | return array(); |
| 186 | } |
| 187 | |
Phil Sturgeon | 44f2105 | 2011-02-15 21:39:25 +0000 | [diff] [blame] | 188 | $get = array(); |
vascopj | ff1cfa1 | 2011-02-13 21:30:19 +0000 | [diff] [blame] | 189 | |
| 190 | // loop through the full _GET array |
Phil Sturgeon | 44f2105 | 2011-02-15 21:39:25 +0000 | [diff] [blame] | 191 | foreach (array_keys($_GET) as $key) |
vascopj | ff1cfa1 | 2011-02-13 21:30:19 +0000 | [diff] [blame] | 192 | { |
Phil Sturgeon | 44f2105 | 2011-02-15 21:39:25 +0000 | [diff] [blame] | 193 | $get[$key] = $this->_fetch_from_array($_GET, $key, $xss_clean); |
vascopj | ff1cfa1 | 2011-02-13 21:30:19 +0000 | [diff] [blame] | 194 | } |
Phil Sturgeon | 44f2105 | 2011-02-15 21:39:25 +0000 | [diff] [blame] | 195 | return $get; |
vascopj | ff1cfa1 | 2011-02-13 21:30:19 +0000 | [diff] [blame] | 196 | } |
| 197 | |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 198 | return $this->_fetch_from_array($_GET, $index, $xss_clean); |
| 199 | } |
| 200 | |
| 201 | // -------------------------------------------------------------------- |
| 202 | |
| 203 | /** |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 204 | * Fetch an item from the POST array |
| 205 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 206 | * @param string $index Index for item to be fetched from $_POST |
| 207 | * @param bool $xss_clean Whether to apply XSS filtering |
| 208 | * @return mixed |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 209 | */ |
Bo-Yi Wu | 4db872f | 2011-09-12 10:52:37 +0800 | [diff] [blame] | 210 | public function post($index = NULL, $xss_clean = FALSE) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 211 | { |
Phil Sturgeon | 44f2105 | 2011-02-15 21:39:25 +0000 | [diff] [blame] | 212 | // Check if a field has been provided |
Andrey Andreev | 77bd21b | 2012-11-20 16:34:15 +0200 | [diff] [blame] | 213 | if ($index === NULL) |
vascopj | 0ba58b8 | 2011-02-06 14:20:21 +0000 | [diff] [blame] | 214 | { |
Andrey Andreev | 77bd21b | 2012-11-20 16:34:15 +0200 | [diff] [blame] | 215 | if (empty($_POST)) |
| 216 | { |
| 217 | return array(); |
| 218 | } |
| 219 | |
Phil Sturgeon | 44f2105 | 2011-02-15 21:39:25 +0000 | [diff] [blame] | 220 | $post = array(); |
vascopj | 0ba58b8 | 2011-02-06 14:20:21 +0000 | [diff] [blame] | 221 | |
Phil Sturgeon | 44f2105 | 2011-02-15 21:39:25 +0000 | [diff] [blame] | 222 | // Loop through the full _POST array and return it |
| 223 | foreach (array_keys($_POST) as $key) |
vascopj | 0ba58b8 | 2011-02-06 14:20:21 +0000 | [diff] [blame] | 224 | { |
Phil Sturgeon | 44f2105 | 2011-02-15 21:39:25 +0000 | [diff] [blame] | 225 | $post[$key] = $this->_fetch_from_array($_POST, $key, $xss_clean); |
vascopj | 0ba58b8 | 2011-02-06 14:20:21 +0000 | [diff] [blame] | 226 | } |
Phil Sturgeon | 44f2105 | 2011-02-15 21:39:25 +0000 | [diff] [blame] | 227 | return $post; |
vascopj | 0ba58b8 | 2011-02-06 14:20:21 +0000 | [diff] [blame] | 228 | } |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 229 | |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 230 | return $this->_fetch_from_array($_POST, $index, $xss_clean); |
| 231 | } |
| 232 | |
| 233 | // -------------------------------------------------------------------- |
| 234 | |
| 235 | /** |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 236 | * Fetch an item from POST data with fallback to GET |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 237 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 238 | * @param string $index Index for item to be fetched from $_POST or $_GET |
| 239 | * @param bool $xss_clean Whether to apply XSS filtering |
| 240 | * @return mixed |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 241 | */ |
Bo-Yi Wu | 4db872f | 2011-09-12 10:52:37 +0800 | [diff] [blame] | 242 | public function get_post($index = '', $xss_clean = FALSE) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 243 | { |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 244 | return isset($_POST[$index]) |
| 245 | ? $this->post($index, $xss_clean) |
| 246 | : $this->get($index, $xss_clean); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 247 | } |
| 248 | |
| 249 | // -------------------------------------------------------------------- |
| 250 | |
| 251 | /** |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 252 | * Fetch an item from the COOKIE array |
| 253 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 254 | * @param string $index Index for item to be fetched from $_COOKIE |
| 255 | * @param bool $xss_clean Whether to apply XSS filtering |
| 256 | * @return mixed |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 257 | */ |
Bo-Yi Wu | 4db872f | 2011-09-12 10:52:37 +0800 | [diff] [blame] | 258 | public function cookie($index = '', $xss_clean = FALSE) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 259 | { |
| 260 | return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); |
| 261 | } |
| 262 | |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 263 | // -------------------------------------------------------------------- |
| 264 | |
| 265 | /** |
| 266 | * Fetch an item from the SERVER array |
| 267 | * |
| 268 | * @param string $index Index for item to be fetched from $_SERVER |
| 269 | * @param bool $xss_clean Whether to apply XSS filtering |
| 270 | * @return mixed |
| 271 | */ |
| 272 | public function server($index = '', $xss_clean = FALSE) |
| 273 | { |
| 274 | return $this->_fetch_from_array($_SERVER, $index, $xss_clean); |
| 275 | } |
| 276 | |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 277 | // ------------------------------------------------------------------------ |
| 278 | |
| 279 | /** |
Andrey Andreev | 303eef0 | 2012-11-06 14:55:48 +0200 | [diff] [blame] | 280 | * Fetch an item from the php://input stream |
| 281 | * |
| 282 | * Useful when you need to access PUT, DELETE or PATCH request data. |
| 283 | * |
| 284 | * @param string $index Index for item to be fetched |
| 285 | * @param bool $xss_clean Whether to apply XSS filtering |
| 286 | * @return mixed |
| 287 | */ |
| 288 | public function input_stream($index = '', $xss_clean = FALSE) |
| 289 | { |
| 290 | // The input stream can only be read once, so we'll need to check |
| 291 | // if we have already done that first. |
| 292 | if (is_array($this->_input_stream)) |
| 293 | { |
| 294 | return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean); |
| 295 | } |
| 296 | |
| 297 | // Parse the input stream in our cache var |
| 298 | parse_str(file_get_contents('php://input'), $this->_input_stream); |
| 299 | if ( ! is_array($this->_input_stream)) |
| 300 | { |
| 301 | $this->_input_stream = array(); |
| 302 | return NULL; |
| 303 | } |
| 304 | |
| 305 | return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean); |
| 306 | } |
| 307 | |
| 308 | // ------------------------------------------------------------------------ |
| 309 | |
| 310 | /** |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 311 | * Set cookie |
| 312 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 313 | * Accepts an arbitrary number of parameters (up to 7) or an associative |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 314 | * array in the first parameter containing all the values. |
| 315 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 316 | * @param string|mixed[] $name Cookie name or an array containing parameters |
| 317 | * @param string $value Cookie value |
| 318 | * @param int $expire Cookie expiration time in seconds |
| 319 | * @param string $domain Cookie domain (e.g.: '.yourdomain.com') |
| 320 | * @param string $path Cookie path (default: '/') |
| 321 | * @param string $prefix Cookie name prefix |
| 322 | * @param bool $secure Whether to only transfer cookies via SSL |
| 323 | * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 324 | * @return void |
| 325 | */ |
freewil | 4ad0fd8 | 2012-03-13 22:37:42 -0400 | [diff] [blame] | 326 | public function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE) |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 327 | { |
| 328 | if (is_array($name)) |
| 329 | { |
tobiasbg | 9aa7dc9 | 2011-02-18 21:57:13 +0100 | [diff] [blame] | 330 | // always leave 'name' in last place, as the loop will break otherwise, due to $$item |
freewil | 4ad0fd8 | 2012-03-13 22:37:42 -0400 | [diff] [blame] | 331 | foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item) |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 332 | { |
| 333 | if (isset($name[$item])) |
| 334 | { |
| 335 | $$item = $name[$item]; |
| 336 | } |
| 337 | } |
| 338 | } |
| 339 | |
Alex Bilbie | ed944a3 | 2012-06-02 11:07:47 +0100 | [diff] [blame] | 340 | if ($prefix === '' && config_item('cookie_prefix') !== '') |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 341 | { |
| 342 | $prefix = config_item('cookie_prefix'); |
| 343 | } |
Andrey Andreev | 9ba661b | 2012-06-04 14:44:34 +0300 | [diff] [blame] | 344 | |
| 345 | if ($domain == '' && config_item('cookie_domain') != '') |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 346 | { |
| 347 | $domain = config_item('cookie_domain'); |
| 348 | } |
Andrey Andreev | 9ba661b | 2012-06-04 14:44:34 +0300 | [diff] [blame] | 349 | |
Alex Bilbie | ed944a3 | 2012-06-02 11:07:47 +0100 | [diff] [blame] | 350 | if ($path === '/' && config_item('cookie_path') !== '/') |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 351 | { |
| 352 | $path = config_item('cookie_path'); |
| 353 | } |
Andrey Andreev | 9ba661b | 2012-06-04 14:44:34 +0300 | [diff] [blame] | 354 | |
Alex Bilbie | ed944a3 | 2012-06-02 11:07:47 +0100 | [diff] [blame] | 355 | if ($secure === FALSE && config_item('cookie_secure') !== FALSE) |
tobiasbg | 9aa7dc9 | 2011-02-18 21:57:13 +0100 | [diff] [blame] | 356 | { |
| 357 | $secure = config_item('cookie_secure'); |
| 358 | } |
Andrey Andreev | 9ba661b | 2012-06-04 14:44:34 +0300 | [diff] [blame] | 359 | |
Alex Bilbie | ed944a3 | 2012-06-02 11:07:47 +0100 | [diff] [blame] | 360 | if ($httponly === FALSE && config_item('cookie_httponly') !== FALSE) |
freewil | 4ad0fd8 | 2012-03-13 22:37:42 -0400 | [diff] [blame] | 361 | { |
| 362 | $httponly = config_item('cookie_httponly'); |
| 363 | } |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 364 | |
| 365 | if ( ! is_numeric($expire)) |
| 366 | { |
| 367 | $expire = time() - 86500; |
| 368 | } |
| 369 | else |
| 370 | { |
Phil Sturgeon | c808915 | 2010-12-27 19:06:28 +0000 | [diff] [blame] | 371 | $expire = ($expire > 0) ? time() + $expire : 0; |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 372 | } |
| 373 | |
freewil | 4ad0fd8 | 2012-03-13 22:37:42 -0400 | [diff] [blame] | 374 | setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly); |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 375 | } |
| 376 | |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 377 | // -------------------------------------------------------------------- |
| 378 | |
| 379 | /** |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 380 | * Fetch the IP Address |
| 381 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 382 | * Determines and validates the visitor's IP address. |
| 383 | * |
| 384 | * @return string IP address |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 385 | */ |
Bo-Yi Wu | 4db872f | 2011-09-12 10:52:37 +0800 | [diff] [blame] | 386 | public function ip_address() |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 387 | { |
| 388 | if ($this->ip_address !== FALSE) |
| 389 | { |
| 390 | return $this->ip_address; |
| 391 | } |
Barry Mieny | dd67197 | 2010-10-04 16:33:58 +0200 | [diff] [blame] | 392 | |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 393 | $proxy_ips = config_item('proxy_ips'); |
Andrey Andreev | ea7a866 | 2012-10-09 13:36:31 +0300 | [diff] [blame] | 394 | if ( ! empty($proxy_ips) && ! is_array($proxy_ips)) |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 395 | { |
| 396 | $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); |
| 397 | } |
Andrey Andreev | 5b92ae1 | 2012-10-04 13:05:03 +0300 | [diff] [blame] | 398 | |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 399 | $this->ip_address = $this->server('REMOTE_ADDR'); |
| 400 | |
| 401 | if ($proxy_ips) |
| 402 | { |
| 403 | foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header) |
Jordan Pittman | 8960acf | 2012-07-23 09:05:49 -0300 | [diff] [blame] | 404 | { |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 405 | if (($spoof = $this->server($header)) !== NULL) |
Jordan Pittman | 8960acf | 2012-07-23 09:05:49 -0300 | [diff] [blame] | 406 | { |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 407 | // Some proxies typically list the whole chain of IP |
| 408 | // addresses through which the client has reached us. |
| 409 | // e.g. client_ip, proxy_ip1, proxy_ip2, etc. |
Andrey Andreev | e24eed7 | 2012-11-02 23:33:45 +0200 | [diff] [blame] | 410 | sscanf($spoof, '%[^,]', $spoof); |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 411 | |
| 412 | if ( ! $this->valid_ip($spoof)) |
| 413 | { |
| 414 | $spoof = NULL; |
| 415 | } |
| 416 | else |
| 417 | { |
Jordan Pittman | a5a7135 | 2012-07-20 19:36:43 -0300 | [diff] [blame] | 418 | break; |
| 419 | } |
| 420 | } |
Andrey Andreev | 5b92ae1 | 2012-10-04 13:05:03 +0300 | [diff] [blame] | 421 | } |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 422 | |
Andrey Andreev | e45ad2b | 2012-10-09 13:11:15 +0300 | [diff] [blame] | 423 | if ($spoof) |
Andrey Andreev | 5b92ae1 | 2012-10-04 13:05:03 +0300 | [diff] [blame] | 424 | { |
Andrey Andreev | 9df35b4 | 2012-10-09 13:37:58 +0300 | [diff] [blame] | 425 | for ($i = 0, $c = count($proxy_ips); $i < $c; $i++) |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 426 | { |
| 427 | // Check if we have an IP address or a subnet |
| 428 | if (strpos($proxy_ips[$i], '/') === FALSE) |
| 429 | { |
| 430 | // An IP address (and not a subnet) is specified. |
| 431 | // We can compare right away. |
| 432 | if ($proxy_ips[$i] === $this->ip_address) |
| 433 | { |
| 434 | $this->ip_address = $spoof; |
| 435 | break; |
| 436 | } |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 437 | |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 438 | continue; |
| 439 | } |
| 440 | |
| 441 | // We have a subnet ... now the heavy lifting begins |
| 442 | isset($separator) OR $separator = $this->valid_ip($this->ip_address, 'ipv6') ? ':' : '.'; |
| 443 | |
| 444 | // If the proxy entry doesn't match the IP protocol - skip it |
| 445 | if (strpos($proxy_ips[$i], $separator) === FALSE) |
| 446 | { |
| 447 | continue; |
| 448 | } |
| 449 | |
| 450 | // Convert the REMOTE_ADDR IP address to binary, if needed |
Andrey Andreev | 82d2cf1 | 2012-10-13 12:38:42 +0300 | [diff] [blame] | 451 | if ( ! isset($ip, $sprintf)) |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 452 | { |
| 453 | if ($separator === ':') |
| 454 | { |
| 455 | // Make sure we're have the "full" IPv6 format |
Andrey Andreev | 82d2cf1 | 2012-10-13 12:38:42 +0300 | [diff] [blame] | 456 | $ip = explode(':', |
| 457 | str_replace('::', |
| 458 | str_repeat(':', 9 - substr_count($this->ip_address, ':')), |
| 459 | $this->ip_address |
| 460 | ) |
| 461 | ); |
| 462 | |
| 463 | for ($i = 0; $i < 8; $i++) |
| 464 | { |
| 465 | $ip[$i] = intval($ip[$i], 16); |
| 466 | } |
| 467 | |
| 468 | $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 469 | } |
| 470 | else |
| 471 | { |
Andrey Andreev | 82d2cf1 | 2012-10-13 12:38:42 +0300 | [diff] [blame] | 472 | $ip = explode('.', $this->ip_address); |
| 473 | $sprintf = '%08b%08b%08b%08b'; |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 474 | } |
| 475 | |
Andrey Andreev | 82d2cf1 | 2012-10-13 12:38:42 +0300 | [diff] [blame] | 476 | $ip = vsprintf($sprintf, $ip); |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 477 | } |
| 478 | |
| 479 | // Split the netmask length off the network address |
Andrey Andreev | e24eed7 | 2012-11-02 23:33:45 +0200 | [diff] [blame] | 480 | sscanf($proxy_ips[$i], '%[^/]/%d', $netaddr, $masklen); |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 481 | |
| 482 | // Again, an IPv6 address is most likely in a compressed form |
| 483 | if ($separator === ':') |
| 484 | { |
Andrey Andreev | 82d2cf1 | 2012-10-13 12:38:42 +0300 | [diff] [blame] | 485 | $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr)); |
| 486 | for ($i = 0; $i < 8; $i++) |
| 487 | { |
| 488 | $netaddr[$i] = intval($netaddr[$i], 16); |
| 489 | } |
| 490 | } |
| 491 | else |
| 492 | { |
| 493 | $netaddr = explode('.', $netaddr); |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 494 | } |
| 495 | |
Andrey Andreev | 82d2cf1 | 2012-10-13 12:38:42 +0300 | [diff] [blame] | 496 | // Convert to binary and finally compare |
| 497 | if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) |
Andrey Andreev | 9ac557f | 2012-10-06 20:27:57 +0300 | [diff] [blame] | 498 | { |
| 499 | $this->ip_address = $spoof; |
| 500 | break; |
| 501 | } |
| 502 | } |
| 503 | } |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 504 | } |
| 505 | |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 506 | if ( ! $this->valid_ip($this->ip_address)) |
| 507 | { |
Andrey Andreev | 64e98aa | 2012-01-07 20:29:10 +0200 | [diff] [blame] | 508 | return $this->ip_address = '0.0.0.0'; |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 509 | } |
| 510 | |
| 511 | return $this->ip_address; |
| 512 | } |
| 513 | |
| 514 | // -------------------------------------------------------------------- |
| 515 | |
| 516 | /** |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 517 | * Validate IP Address |
| 518 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 519 | * @param string $ip IP address |
| 520 | * @param string $which IP protocol: 'ipv4' or 'ipv6' |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 521 | * @return bool |
| 522 | */ |
Andrey Andreev | 5a25718 | 2012-06-10 06:18:14 +0300 | [diff] [blame] | 523 | public function valid_ip($ip, $which = '') |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 524 | { |
Andrey Andreev | 5a25718 | 2012-06-10 06:18:14 +0300 | [diff] [blame] | 525 | switch (strtolower($which)) |
| 526 | { |
| 527 | case 'ipv4': |
| 528 | $which = FILTER_FLAG_IPV4; |
| 529 | break; |
| 530 | case 'ipv6': |
| 531 | $which = FILTER_FLAG_IPV6; |
| 532 | break; |
| 533 | default: |
| 534 | $which = NULL; |
| 535 | break; |
| 536 | } |
| 537 | |
| 538 | return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 539 | } |
| 540 | |
| 541 | // -------------------------------------------------------------------- |
| 542 | |
| 543 | /** |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 544 | * Fetch User Agent string |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 545 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 546 | * @return string|null User Agent string or NULL if it doesn't exist |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 547 | */ |
Bo-Yi Wu | 4db872f | 2011-09-12 10:52:37 +0800 | [diff] [blame] | 548 | public function user_agent() |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 549 | { |
| 550 | if ($this->user_agent !== FALSE) |
| 551 | { |
| 552 | return $this->user_agent; |
| 553 | } |
| 554 | |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 555 | return $this->user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : NULL; |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 556 | } |
| 557 | |
| 558 | // -------------------------------------------------------------------- |
| 559 | |
| 560 | /** |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 561 | * Sanitize Globals |
| 562 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 563 | * Internal method serving for the following purposes: |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 564 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 565 | * - Unsets $_GET data (if query strings are not enabled) |
| 566 | * - Unsets all globals if register_globals is enabled |
| 567 | * - Cleans POST, COOKIE and SERVER data |
| 568 | * - Standardizes newline characters to PHP_EOL |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 569 | * |
| 570 | * @return void |
| 571 | */ |
Andrey Andreev | 90cfe14 | 2012-01-08 04:46:42 +0200 | [diff] [blame] | 572 | protected function _sanitize_globals() |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 573 | { |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 574 | // It would be "wrong" to unset any of these GLOBALS. |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 575 | $protected = array( |
| 576 | '_SERVER', |
| 577 | '_GET', |
| 578 | '_POST', |
| 579 | '_FILES', |
| 580 | '_REQUEST', |
| 581 | '_SESSION', |
| 582 | '_ENV', |
| 583 | 'GLOBALS', |
| 584 | 'HTTP_RAW_POST_DATA', |
| 585 | 'system_folder', |
| 586 | 'application_folder', |
| 587 | 'BM', |
| 588 | 'EXT', |
| 589 | 'CFG', |
| 590 | 'URI', |
| 591 | 'RTR', |
Timothy Warren | 67cb3ee | 2012-04-19 16:41:52 -0400 | [diff] [blame] | 592 | 'OUT', |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 593 | 'IN' |
| 594 | ); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 595 | |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 596 | // Unset globals for security. |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 597 | // This is effectively the same as register_globals = off |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 598 | // PHP 5.4 no longer has the register_globals functionality. |
| 599 | if ( ! is_php('5.4')) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 600 | { |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 601 | foreach (array($_GET, $_POST, $_COOKIE) as $global) |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 602 | { |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 603 | if (is_array($global)) |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 604 | { |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 605 | foreach ($global as $key => $val) |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 606 | { |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 607 | if ( ! in_array($key, $protected)) |
| 608 | { |
| 609 | global $$key; |
| 610 | $$key = NULL; |
| 611 | } |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 612 | } |
| 613 | } |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 614 | elseif ( ! in_array($global, $protected)) |
| 615 | { |
| 616 | global $$global; |
| 617 | $$global = NULL; |
| 618 | } |
Andrey Andreev | 92ebfb6 | 2012-05-17 12:49:24 +0300 | [diff] [blame] | 619 | } |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 620 | } |
| 621 | |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 622 | // Is $_GET data allowed? If not we'll set the $_GET to an empty array |
Alex Bilbie | ed944a3 | 2012-06-02 11:07:47 +0100 | [diff] [blame] | 623 | if ($this->_allow_get_array === FALSE) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 624 | { |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 625 | $_GET = array(); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 626 | } |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 627 | elseif (is_array($_GET) && count($_GET) > 0) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 628 | { |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 629 | foreach ($_GET as $key => $val) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 630 | { |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 631 | $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 632 | } |
| 633 | } |
| 634 | |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 635 | // Clean $_POST Data |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 636 | if (is_array($_POST) && count($_POST) > 0) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 637 | { |
Pascal Kriete | 5d5895f | 2011-02-14 13:27:07 -0500 | [diff] [blame] | 638 | foreach ($_POST as $key => $val) |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 639 | { |
| 640 | $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
| 641 | } |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 642 | } |
| 643 | |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 644 | // Clean $_COOKIE Data |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 645 | if (is_array($_COOKIE) && count($_COOKIE) > 0) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 646 | { |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 647 | // Also get rid of specially treated cookies that might be set by a server |
| 648 | // or silly application, that are of no use to a CI application anyway |
| 649 | // but that when present will trip our 'Disallowed Key Characters' alarm |
| 650 | // http://www.ietf.org/rfc/rfc2109.txt |
| 651 | // note that the key names below are single quoted strings, and are not PHP variables |
| 652 | unset($_COOKIE['$Version']); |
| 653 | unset($_COOKIE['$Path']); |
| 654 | unset($_COOKIE['$Domain']); |
| 655 | |
Pascal Kriete | 5d5895f | 2011-02-14 13:27:07 -0500 | [diff] [blame] | 656 | foreach ($_COOKIE as $key => $val) |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 657 | { |
| 658 | $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
| 659 | } |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 660 | } |
| 661 | |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 662 | // Sanitize PHP_SELF |
| 663 | $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); |
| 664 | |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 665 | // CSRF Protection check |
Andrey Andreev | e45ad2b | 2012-10-09 13:11:15 +0300 | [diff] [blame] | 666 | if ($this->_enable_csrf === TRUE && ! $this->is_cli_request()) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 667 | { |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 668 | $this->security->csrf_verify(); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 669 | } |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 670 | |
Andrey Andreev | 90cfe14 | 2012-01-08 04:46:42 +0200 | [diff] [blame] | 671 | log_message('debug', 'Global POST and COOKIE data sanitized'); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 672 | } |
| 673 | |
| 674 | // -------------------------------------------------------------------- |
| 675 | |
| 676 | /** |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 677 | * Clean Input Data |
| 678 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 679 | * Internal method that aids in escaping data and |
| 680 | * standardizing newline characters to PHP_EOL. |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 681 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 682 | * @param string|string[] $str Input string(s) |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 683 | * @return string |
| 684 | */ |
Andrey Andreev | 90cfe14 | 2012-01-08 04:46:42 +0200 | [diff] [blame] | 685 | protected function _clean_input_data($str) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 686 | { |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 687 | if (is_array($str)) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 688 | { |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 689 | $new_array = array(); |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 690 | foreach (array_keys($str) as $key) |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 691 | { |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 692 | $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 693 | } |
| 694 | return $new_array; |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 695 | } |
| 696 | |
Andrey Andreev | af72862 | 2011-10-20 10:11:59 +0300 | [diff] [blame] | 697 | /* We strip slashes if magic quotes is on to keep things consistent |
| 698 | |
| 699 | NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and |
| 700 | it will probably not exist in future versions at all. |
| 701 | */ |
| 702 | if ( ! is_php('5.4') && get_magic_quotes_gpc()) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 703 | { |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 704 | $str = stripslashes($str); |
| 705 | } |
| 706 | |
| 707 | // Clean UTF-8 if supported |
| 708 | if (UTF8_ENABLED === TRUE) |
| 709 | { |
| 710 | $str = $this->uni->clean_string($str); |
| 711 | } |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 712 | |
Pascal Kriete | 14a0ac6 | 2011-04-05 14:55:56 -0400 | [diff] [blame] | 713 | // Remove control characters |
| 714 | $str = remove_invisible_characters($str); |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 715 | |
| 716 | // Should we filter the input data? |
| 717 | if ($this->_enable_xss === TRUE) |
| 718 | { |
| 719 | $str = $this->security->xss_clean($str); |
| 720 | } |
| 721 | |
| 722 | // Standardize newlines if needed |
Eric Roberts | b75e13d | 2013-01-27 20:10:09 -0600 | [diff] [blame^] | 723 | if ($this->_standardize_newlines === TRUE) |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 724 | { |
Eric Roberts | b75e13d | 2013-01-27 20:10:09 -0600 | [diff] [blame^] | 725 | return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 726 | } |
| 727 | |
| 728 | return $str; |
| 729 | } |
| 730 | |
| 731 | // -------------------------------------------------------------------- |
| 732 | |
| 733 | /** |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 734 | * Clean Keys |
| 735 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 736 | * Internal method that helps to prevent malicious users |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 737 | * from trying to exploit keys we make sure that keys are |
| 738 | * only named with alpha-numeric text and a few other items. |
| 739 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 740 | * @param string $str Input string |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 741 | * @return string |
| 742 | */ |
Andrey Andreev | 90cfe14 | 2012-01-08 04:46:42 +0200 | [diff] [blame] | 743 | protected function _clean_input_keys($str) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 744 | { |
bigCat | 3c0846b | 2012-08-21 00:20:20 +0800 | [diff] [blame] | 745 | if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 746 | { |
Kevin Cupp | d63e401 | 2012-02-05 14:14:32 -0500 | [diff] [blame] | 747 | set_status_header(503); |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 748 | exit('Disallowed Key Characters.'); |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 749 | } |
| 750 | |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 751 | // Clean UTF-8 if supported |
| 752 | if (UTF8_ENABLED === TRUE) |
| 753 | { |
Andrey Andreev | 64e98aa | 2012-01-07 20:29:10 +0200 | [diff] [blame] | 754 | return $this->uni->clean_string($str); |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 755 | } |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 756 | |
Derek Jones | 69fc4fc | 2010-03-02 13:36:31 -0600 | [diff] [blame] | 757 | return $str; |
| 758 | } |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 759 | |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 760 | // -------------------------------------------------------------------- |
| 761 | |
| 762 | /** |
| 763 | * Request Headers |
| 764 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 765 | * @param bool $xss_clean Whether to apply XSS filtering |
Andrey Andreev | 64e98aa | 2012-01-07 20:29:10 +0200 | [diff] [blame] | 766 | * @return array |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 767 | */ |
| 768 | public function request_headers($xss_clean = FALSE) |
| 769 | { |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 770 | // In Apache, you can simply call apache_request_headers() |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 771 | if (function_exists('apache_request_headers')) |
| 772 | { |
| 773 | $headers = apache_request_headers(); |
| 774 | } |
| 775 | else |
| 776 | { |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 777 | $headers['Content-Type'] = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : @getenv('CONTENT_TYPE'); |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 778 | |
| 779 | foreach ($_SERVER as $key => $val) |
| 780 | { |
Andrey Andreev | 7a7ad78 | 2012-11-12 17:21:01 +0200 | [diff] [blame] | 781 | if (sscanf($key, 'HTTP_%s', $header) === 1) |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 782 | { |
Andrey Andreev | 7a7ad78 | 2012-11-12 17:21:01 +0200 | [diff] [blame] | 783 | $headers[$header] = $this->_fetch_from_array($_SERVER, $key, $xss_clean); |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 784 | } |
| 785 | } |
| 786 | } |
| 787 | |
| 788 | // take SOME_HEADER and turn it into Some-Header |
| 789 | foreach ($headers as $key => $val) |
| 790 | { |
Daniel Hunsaker | c82b57b | 2012-12-31 09:22:07 -0700 | [diff] [blame] | 791 | $key = str_replace(array('_', '-'), ' ', strtolower($key)); |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 792 | $key = str_replace(' ', '-', ucwords($key)); |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 793 | |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 794 | $this->headers[$key] = $val; |
| 795 | } |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 796 | |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 797 | return $this->headers; |
| 798 | } |
| 799 | |
| 800 | // -------------------------------------------------------------------- |
| 801 | |
| 802 | /** |
| 803 | * Get Request Header |
| 804 | * |
| 805 | * Returns the value of a single member of the headers class member |
| 806 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 807 | * @param string $index Header name |
| 808 | * @param bool $xss_clean Whether to apply XSS filtering |
| 809 | * @return string|bool The requested header on success or FALSE on failure |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 810 | */ |
| 811 | public function get_request_header($index, $xss_clean = FALSE) |
| 812 | { |
| 813 | if (empty($this->headers)) |
| 814 | { |
| 815 | $this->request_headers(); |
| 816 | } |
David Behler | 9b5df59 | 2011-08-14 21:04:17 +0200 | [diff] [blame] | 817 | |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 818 | if ( ! isset($this->headers[$index])) |
| 819 | { |
Phil Sturgeon | 55a6ddb | 2012-05-23 18:37:24 +0100 | [diff] [blame] | 820 | return NULL; |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 821 | } |
| 822 | |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 823 | return ($xss_clean === TRUE) |
| 824 | ? $this->security->xss_clean($this->headers[$index]) |
| 825 | : $this->headers[$index]; |
Greg Aker | ec2f571 | 2010-11-15 16:22:12 -0600 | [diff] [blame] | 826 | } |
| 827 | |
Greg Aker | 081ac9d | 2010-11-22 14:42:53 -0600 | [diff] [blame] | 828 | // -------------------------------------------------------------------- |
Phil Sturgeon | c382871 | 2011-01-19 12:31:47 +0000 | [diff] [blame] | 829 | |
Greg Aker | 081ac9d | 2010-11-22 14:42:53 -0600 | [diff] [blame] | 830 | /** |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 831 | * Is AJAX request? |
Greg Aker | 081ac9d | 2010-11-22 14:42:53 -0600 | [diff] [blame] | 832 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 833 | * Test to see if a request contains the HTTP_X_REQUESTED_WITH header. |
Greg Aker | 081ac9d | 2010-11-22 14:42:53 -0600 | [diff] [blame] | 834 | * |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 835 | * @return bool |
Greg Aker | 081ac9d | 2010-11-22 14:42:53 -0600 | [diff] [blame] | 836 | */ |
| 837 | public function is_ajax_request() |
| 838 | { |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 839 | return ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest'); |
Greg Aker | 081ac9d | 2010-11-22 14:42:53 -0600 | [diff] [blame] | 840 | } |
| 841 | |
Phil Sturgeon | c382871 | 2011-01-19 12:31:47 +0000 | [diff] [blame] | 842 | // -------------------------------------------------------------------- |
| 843 | |
| 844 | /** |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 845 | * Is CLI request? |
Phil Sturgeon | c382871 | 2011-01-19 12:31:47 +0000 | [diff] [blame] | 846 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 847 | * Test to see if a request was made from the command line. |
Phil Sturgeon | c382871 | 2011-01-19 12:31:47 +0000 | [diff] [blame] | 848 | * |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 849 | * @return bool |
Phil Sturgeon | c382871 | 2011-01-19 12:31:47 +0000 | [diff] [blame] | 850 | */ |
| 851 | public function is_cli_request() |
| 852 | { |
Andrey Andreev | 9448afb | 2012-02-08 19:49:19 +0200 | [diff] [blame] | 853 | return (php_sapi_name() === 'cli' OR defined('STDIN')); |
Phil Sturgeon | c382871 | 2011-01-19 12:31:47 +0000 | [diff] [blame] | 854 | } |
| 855 | |
Michiel Vugteveen | be0ca26 | 2012-03-07 19:09:51 +0100 | [diff] [blame] | 856 | // -------------------------------------------------------------------- |
| 857 | |
| 858 | /** |
| 859 | * Get Request Method |
| 860 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 861 | * Return the request method |
Michiel Vugteveen | be0ca26 | 2012-03-07 19:09:51 +0100 | [diff] [blame] | 862 | * |
Andrey Andreev | 1887ec6 | 2012-10-27 16:22:07 +0300 | [diff] [blame] | 863 | * @param bool $upper Whether to return in upper or lower case |
| 864 | * (default: FALSE) |
| 865 | * @return string |
Michiel Vugteveen | be0ca26 | 2012-03-07 19:09:51 +0100 | [diff] [blame] | 866 | */ |
Michiel Vugteveen | 704fb16 | 2012-03-07 20:42:33 +0100 | [diff] [blame] | 867 | public function method($upper = FALSE) |
Michiel Vugteveen | be0ca26 | 2012-03-07 19:09:51 +0100 | [diff] [blame] | 868 | { |
Michiel Vugteveen | dc900df | 2012-03-07 20:41:37 +0100 | [diff] [blame] | 869 | return ($upper) |
| 870 | ? strtoupper($this->server('REQUEST_METHOD')) |
| 871 | : strtolower($this->server('REQUEST_METHOD')); |
Michiel Vugteveen | be0ca26 | 2012-03-07 19:09:51 +0100 | [diff] [blame] | 872 | } |
| 873 | |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 874 | } |
Derek Allard | 2067d1a | 2008-11-13 22:59:24 +0000 | [diff] [blame] | 875 | |
| 876 | /* End of file Input.php */ |
Timothy Warren | 40403d2 | 2012-04-19 16:38:50 -0400 | [diff] [blame] | 877 | /* Location: ./system/core/Input.php */ |