blob: d0d3c0803bfe702795432af1ad12c6e44197b88a [file] [log] [blame]
Andrey Andreevbb488dc2012-01-07 23:35:16 +02001<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
Derek Jonese701d762010-03-02 18:17:01 -06002/**
3 * CodeIgniter
4 *
Greg Aker741de1c2010-11-10 14:52:57 -06005 * An open source application development framework for PHP 5.1.6 or newer
Derek Jonese701d762010-03-02 18:17:01 -06006 *
Derek Jonesf4a4bd82011-10-20 12:18:42 -05007 * NOTICE OF LICENSE
Andrey Andreevbb488dc2012-01-07 23:35:16 +02008 *
Derek Jonesf4a4bd82011-10-20 12:18:42 -05009 * Licensed under the Open Software License version 3.0
Andrey Andreevbb488dc2012-01-07 23:35:16 +020010 *
Derek Jonesf4a4bd82011-10-20 12:18:42 -050011 * This source file is subject to the Open Software License (OSL 3.0) that is
12 * bundled with this package in the files license.txt / license.rst. It is
13 * also available through the world wide web at this URL:
14 * http://opensource.org/licenses/OSL-3.0
15 * If you did not receive a copy of the license and are unable to obtain it
16 * through the world wide web, please send an email to
17 * licensing@ellislab.com so we can send you a copy immediately.
18 *
Derek Jonese701d762010-03-02 18:17:01 -060019 * @package CodeIgniter
Derek Jonesf4a4bd82011-10-20 12:18:42 -050020 * @author EllisLab Dev Team
Greg Aker0defe5d2012-01-01 18:46:41 -060021 * @copyright Copyright (c) 2008 - 2012, EllisLab, Inc. (http://ellislab.com/)
Derek Jonesf4a4bd82011-10-20 12:18:42 -050022 * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
Derek Jonese701d762010-03-02 18:17:01 -060023 * @link http://codeigniter.com
24 * @since Version 1.0
25 * @filesource
26 */
27
28// ------------------------------------------------------------------------
29
30/**
31 * Security Class
32 *
33 * @package CodeIgniter
34 * @subpackage Libraries
35 * @category Security
Derek Jonesf4a4bd82011-10-20 12:18:42 -050036 * @author EllisLab Dev Team
Pascal Krietec9c045a2011-04-05 14:50:41 -040037 * @link http://codeigniter.com/user_guide/libraries/security.html
Derek Jonese701d762010-03-02 18:17:01 -060038 */
39class CI_Security {
Barry Mienydd671972010-10-04 16:33:58 +020040
David Behler07b53422011-08-15 00:25:06 +020041 /**
42 * Random Hash for protecting URLs
43 *
44 * @var string
David Behler07b53422011-08-15 00:25:06 +020045 */
46 protected $_xss_hash = '';
Andrey Andreev3d113bd2011-10-05 00:03:20 +030047
David Behler07b53422011-08-15 00:25:06 +020048 /**
49 * Random Hash for Cross Site Request Forgery Protection Cookie
50 *
51 * @var string
David Behler07b53422011-08-15 00:25:06 +020052 */
53 protected $_csrf_hash = '';
Andrey Andreev3d113bd2011-10-05 00:03:20 +030054
David Behler07b53422011-08-15 00:25:06 +020055 /**
56 * Expiration time for Cross Site Request Forgery Protection Cookie
57 * Defaults to two hours (in seconds)
58 *
59 * @var int
David Behler07b53422011-08-15 00:25:06 +020060 */
61 protected $_csrf_expire = 7200;
Andrey Andreev3d113bd2011-10-05 00:03:20 +030062
David Behler07b53422011-08-15 00:25:06 +020063 /**
64 * Token name for Cross Site Request Forgery Protection Cookie
65 *
66 * @var string
David Behler07b53422011-08-15 00:25:06 +020067 */
68 protected $_csrf_token_name = 'ci_csrf_token';
Andrey Andreev3d113bd2011-10-05 00:03:20 +030069
David Behler07b53422011-08-15 00:25:06 +020070 /**
71 * Cookie name for Cross Site Request Forgery Protection Cookie
72 *
73 * @var string
David Behler07b53422011-08-15 00:25:06 +020074 */
Andrey Andreevbb488dc2012-01-07 23:35:16 +020075 protected $_csrf_cookie_name = 'ci_csrf_token';
Andrey Andreev3d113bd2011-10-05 00:03:20 +030076
David Behler07b53422011-08-15 00:25:06 +020077 /**
78 * List of never allowed strings
79 *
80 * @var array
David Behler07b53422011-08-15 00:25:06 +020081 */
Pascal Krietec9c045a2011-04-05 14:50:41 -040082 protected $_never_allowed_str = array(
Andrey Andreevbb488dc2012-01-07 23:35:16 +020083 'document.cookie' => '[removed]',
84 'document.write' => '[removed]',
85 '.parentNode' => '[removed]',
86 '.innerHTML' => '[removed]',
87 'window.location' => '[removed]',
88 '-moz-binding' => '[removed]',
89 '<!--' => '&lt;!--',
90 '-->' => '--&gt;',
91 '<![CDATA[' => '&lt;![CDATA[',
92 '<comment>' => '&lt;comment&gt;'
93 );
Derek Jonese701d762010-03-02 18:17:01 -060094
David Behler07b53422011-08-15 00:25:06 +020095 /**
96 * List of never allowed regex replacement
97 *
98 * @var array
David Behler07b53422011-08-15 00:25:06 +020099 */
Pascal Krietec9c045a2011-04-05 14:50:41 -0400100 protected $_never_allowed_regex = array(
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200101 'javascript\s*:',
102 'expression\s*(\(|&\#40;)', // CSS and IE
103 'vbscript\s*:', // IE, surprise!
104 'Redirect\s+302'
105 );
David Behler07b53422011-08-15 00:25:06 +0200106
Greg Akera9263282010-11-10 15:26:43 -0600107 public function __construct()
Derek Jonese701d762010-03-02 18:17:01 -0600108 {
patworkef1a55a2011-04-09 13:04:06 +0200109 // CSRF config
110 foreach(array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
111 {
112 if (FALSE !== ($val = config_item($key)))
113 {
114 $this->{'_'.$key} = $val;
115 }
116 }
117
patwork9e267982011-04-11 13:02:32 +0200118 // Append application specific cookie prefix
Greg Akerb3e614d2011-04-19 20:19:17 -0500119 if (config_item('cookie_prefix'))
120 {
patwork9e267982011-04-11 13:02:32 +0200121 $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name;
122 }
Derek Jonesb3f10a22010-07-25 19:11:26 -0500123
Derek Jonese701d762010-03-02 18:17:01 -0600124 // Set the CSRF hash
125 $this->_csrf_set_hash();
Derek Allard958543a2010-07-22 14:10:26 -0400126
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200127 log_message('debug', 'Security Class Initialized');
Derek Jonese701d762010-03-02 18:17:01 -0600128 }
129
130 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200131
Derek Jonese701d762010-03-02 18:17:01 -0600132 /**
133 * Verify Cross Site Request Forgery Protection
134 *
Pascal Krietec9c045a2011-04-05 14:50:41 -0400135 * @return object
Derek Jonese701d762010-03-02 18:17:01 -0600136 */
Eric Barnes9805ecc2011-01-16 23:35:16 -0500137 public function csrf_verify()
Derek Allard958543a2010-07-22 14:10:26 -0400138 {
Derek Jonese701d762010-03-02 18:17:01 -0600139 // If no POST data exists we will set the CSRF cookie
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200140 if (count($_POST) === 0)
Derek Jonese701d762010-03-02 18:17:01 -0600141 {
142 return $this->csrf_set_cookie();
143 }
Andrey Andreev3d113bd2011-10-05 00:03:20 +0300144
Alex Bilbieaeb2c3e2011-08-21 16:14:54 +0100145 // Check if URI has been whitelisted from CSRF checks
146 if ($exclude_uris = config_item('csrf_exclude_uris'))
147 {
148 $uri = load_class('URI', 'core');
149 if (in_array($uri->uri_string(), $exclude_uris))
150 {
151 return $this;
152 }
153 }
Derek Jonese701d762010-03-02 18:17:01 -0600154
155 // Do the tokens exist in both the _POST and _COOKIE arrays?
David Behler07b53422011-08-15 00:25:06 +0200156 if ( ! isset($_POST[$this->_csrf_token_name]) OR
Pascal Krietec9c045a2011-04-05 14:50:41 -0400157 ! isset($_COOKIE[$this->_csrf_cookie_name]))
Derek Jonese701d762010-03-02 18:17:01 -0600158 {
159 $this->csrf_show_error();
160 }
161
162 // Do the tokens match?
Pascal Krietec9c045a2011-04-05 14:50:41 -0400163 if ($_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name])
Derek Jonese701d762010-03-02 18:17:01 -0600164 {
165 $this->csrf_show_error();
166 }
167
David Behler07b53422011-08-15 00:25:06 +0200168 // We kill this since we're done and we don't want to
Pascal Krietec9c045a2011-04-05 14:50:41 -0400169 // polute the _POST array
170 unset($_POST[$this->_csrf_token_name]);
Barry Mienydd671972010-10-04 16:33:58 +0200171
Derek Jonesb3f10a22010-07-25 19:11:26 -0500172 // Nothing should last forever
Pascal Krietec9c045a2011-04-05 14:50:41 -0400173 unset($_COOKIE[$this->_csrf_cookie_name]);
Greg Aker03abee32011-12-25 00:31:29 -0600174 $this->_csrf_hash = '';
Derek Jonesb3f10a22010-07-25 19:11:26 -0500175 $this->_csrf_set_hash();
176 $this->csrf_set_cookie();
Andrey Andreev3d113bd2011-10-05 00:03:20 +0300177
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200178 log_message('debug', 'CSRF token verified');
Pascal Krietec9c045a2011-04-05 14:50:41 -0400179 return $this;
Derek Jonese701d762010-03-02 18:17:01 -0600180 }
Barry Mienydd671972010-10-04 16:33:58 +0200181
Derek Jonese701d762010-03-02 18:17:01 -0600182 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200183
Derek Jonese701d762010-03-02 18:17:01 -0600184 /**
185 * Set Cross Site Request Forgery Protection Cookie
186 *
Pascal Krietec9c045a2011-04-05 14:50:41 -0400187 * @return object
Derek Jonese701d762010-03-02 18:17:01 -0600188 */
Eric Barnes9805ecc2011-01-16 23:35:16 -0500189 public function csrf_set_cookie()
Derek Jonese701d762010-03-02 18:17:01 -0600190 {
Pascal Krietec9c045a2011-04-05 14:50:41 -0400191 $expire = time() + $this->_csrf_expire;
Andrey Andreev3d113bd2011-10-05 00:03:20 +0300192 $secure_cookie = (bool) config_item('cookie_secure');
Derek Jonese701d762010-03-02 18:17:01 -0600193
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200194 if ($secure_cookie && ( ! isset($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] == 'off' OR ! $_SERVER['HTTPS']))
Derek Jonese701d762010-03-02 18:17:01 -0600195 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200196 return FALSE;
Derek Jonese701d762010-03-02 18:17:01 -0600197 }
Derek Allard958543a2010-07-22 14:10:26 -0400198
Pascal Krietec9c045a2011-04-05 14:50:41 -0400199 setcookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), $secure_cookie);
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200200 log_message('debug', 'CRSF cookie Set');
David Behler07b53422011-08-15 00:25:06 +0200201
Pascal Krietec9c045a2011-04-05 14:50:41 -0400202 return $this;
Derek Jonese701d762010-03-02 18:17:01 -0600203 }
204
205 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200206
Derek Jonese701d762010-03-02 18:17:01 -0600207 /**
208 * Show CSRF Error
209 *
Pascal Krietec9c045a2011-04-05 14:50:41 -0400210 * @return void
Derek Jonese701d762010-03-02 18:17:01 -0600211 */
Eric Barnes9805ecc2011-01-16 23:35:16 -0500212 public function csrf_show_error()
Derek Jonese701d762010-03-02 18:17:01 -0600213 {
214 show_error('The action you have requested is not allowed.');
215 }
216
217 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200218
Derek Jonese701d762010-03-02 18:17:01 -0600219 /**
David Behler07b53422011-08-15 00:25:06 +0200220 * Get CSRF Hash
Pascal Krietec9c045a2011-04-05 14:50:41 -0400221 *
David Behler07b53422011-08-15 00:25:06 +0200222 * Getter Method
Pascal Krietec9c045a2011-04-05 14:50:41 -0400223 *
224 * @return string self::_csrf_hash
225 */
226 public function get_csrf_hash()
227 {
228 return $this->_csrf_hash;
229 }
230
231 // --------------------------------------------------------------------
232
233 /**
234 * Get CSRF Token Name
235 *
236 * Getter Method
237 *
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200238 * @return string self::_csrf_token_name
Pascal Krietec9c045a2011-04-05 14:50:41 -0400239 */
240 public function get_csrf_token_name()
241 {
242 return $this->_csrf_token_name;
243 }
244
245 // --------------------------------------------------------------------
246
247 /**
Derek Jonese701d762010-03-02 18:17:01 -0600248 * XSS Clean
249 *
250 * Sanitizes data so that Cross Site Scripting Hacks can be
Derek Jones37f4b9c2011-07-01 17:56:50 -0500251 * prevented. This function does a fair amount of work but
Derek Jonese701d762010-03-02 18:17:01 -0600252 * it is extremely thorough, designed to prevent even the
Derek Jones37f4b9c2011-07-01 17:56:50 -0500253 * most obscure XSS attempts. Nothing is ever 100% foolproof,
Derek Jonese701d762010-03-02 18:17:01 -0600254 * of course, but I haven't been able to get anything passed
255 * the filter.
256 *
257 * Note: This function should only be used to deal with data
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200258 * upon submission. It's not something that should
Derek Jonese701d762010-03-02 18:17:01 -0600259 * be used for general runtime processing.
260 *
261 * This function was based in part on some code and ideas I
262 * got from Bitflux: http://channel.bitflux.ch/wiki/XSS_Prevention
263 *
264 * To help develop this script I used this great list of
265 * vulnerabilities along with a few other hacks I've
266 * harvested from examining vulnerabilities in other programs:
267 * http://ha.ckers.org/xss.html
268 *
Derek Jonese701d762010-03-02 18:17:01 -0600269 * @param mixed string or array
David Behler07b53422011-08-15 00:25:06 +0200270 * @param bool
Derek Jonese701d762010-03-02 18:17:01 -0600271 * @return string
272 */
Eric Barnes9805ecc2011-01-16 23:35:16 -0500273 public function xss_clean($str, $is_image = FALSE)
Derek Jonese701d762010-03-02 18:17:01 -0600274 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200275 // Is the string an array?
Derek Jonese701d762010-03-02 18:17:01 -0600276 if (is_array($str))
277 {
278 while (list($key) = each($str))
279 {
280 $str[$key] = $this->xss_clean($str[$key]);
281 }
Barry Mienydd671972010-10-04 16:33:58 +0200282
Derek Jonese701d762010-03-02 18:17:01 -0600283 return $str;
284 }
285
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200286 // Remove Invisible Characters and validate entities in URLs
287 $str = $this->_validate_entities(remove_invisible_characters($str));
Derek Jonese701d762010-03-02 18:17:01 -0600288
289 /*
290 * URL Decode
291 *
292 * Just in case stuff like this is submitted:
293 *
294 * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
295 *
296 * Note: Use rawurldecode() so it does not remove plus signs
Derek Jonese701d762010-03-02 18:17:01 -0600297 */
298 $str = rawurldecode($str);
Barry Mienydd671972010-10-04 16:33:58 +0200299
Derek Jonese701d762010-03-02 18:17:01 -0600300 /*
Barry Mienydd671972010-10-04 16:33:58 +0200301 * Convert character entities to ASCII
Derek Jonese701d762010-03-02 18:17:01 -0600302 *
303 * This permits our tests below to work reliably.
304 * We only convert entities that are within tags since
305 * these are the ones that will pose security problems.
306 *
307 */
Derek Jonese701d762010-03-02 18:17:01 -0600308 $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
Derek Jonese701d762010-03-02 18:17:01 -0600309 $str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_decode_entity'), $str);
310
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200311 // Remove Invisible Characters Again!
Greg Aker757dda62010-04-14 19:06:19 -0500312 $str = remove_invisible_characters($str);
Barry Mienydd671972010-10-04 16:33:58 +0200313
Derek Jonese701d762010-03-02 18:17:01 -0600314 /*
315 * Convert all tabs to spaces
316 *
317 * This prevents strings like this: ja vascript
318 * NOTE: we deal with spaces between characters later.
David Behler07b53422011-08-15 00:25:06 +0200319 * NOTE: preg_replace was found to be amazingly slow here on
Pascal Krietec9c045a2011-04-05 14:50:41 -0400320 * large blocks of data, so we use str_replace.
Derek Jonese701d762010-03-02 18:17:01 -0600321 */
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200322 $str = str_replace("\t", ' ', $str);
Barry Mienydd671972010-10-04 16:33:58 +0200323
Derek Jonese701d762010-03-02 18:17:01 -0600324 /*
325 * Capture converted string for later comparison
326 */
327 $converted_string = $str;
Barry Mienydd671972010-10-04 16:33:58 +0200328
Pascal Krietec9c045a2011-04-05 14:50:41 -0400329 // Remove Strings that are never allowed
330 $str = $this->_do_never_allowed($str);
Derek Jonese701d762010-03-02 18:17:01 -0600331
332 /*
333 * Makes PHP tags safe
334 *
Pascal Krietec9c045a2011-04-05 14:50:41 -0400335 * Note: XML tags are inadvertently replaced too:
Derek Jonese701d762010-03-02 18:17:01 -0600336 *
Pascal Krietec9c045a2011-04-05 14:50:41 -0400337 * <?xml
Derek Jonese701d762010-03-02 18:17:01 -0600338 *
339 * But it doesn't seem to pose a problem.
Derek Jonese701d762010-03-02 18:17:01 -0600340 */
341 if ($is_image === TRUE)
342 {
David Behler07b53422011-08-15 00:25:06 +0200343 // Images have a tendency to have the PHP short opening and
344 // closing tags every so often so we skip those and only
Pascal Krietec9c045a2011-04-05 14:50:41 -0400345 // do the long opening tags.
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200346 $str = preg_replace('/<\?(php)/i', '&lt;?\\1', $str);
Derek Jonese701d762010-03-02 18:17:01 -0600347 }
348 else
349 {
Derek Jones37f4b9c2011-07-01 17:56:50 -0500350 $str = str_replace(array('<?', '?'.'>'), array('&lt;?', '?&gt;'), $str);
Derek Jonese701d762010-03-02 18:17:01 -0600351 }
Barry Mienydd671972010-10-04 16:33:58 +0200352
Derek Jonese701d762010-03-02 18:17:01 -0600353 /*
354 * Compact any exploded words
355 *
Derek Jones37f4b9c2011-07-01 17:56:50 -0500356 * This corrects words like: j a v a s c r i p t
Derek Jonese701d762010-03-02 18:17:01 -0600357 * These words are compacted back to their correct state.
Derek Jonese701d762010-03-02 18:17:01 -0600358 */
Pascal Krietec9c045a2011-04-05 14:50:41 -0400359 $words = array(
David Behler07b53422011-08-15 00:25:06 +0200360 'javascript', 'expression', 'vbscript', 'script',
Pascal Krietec9c045a2011-04-05 14:50:41 -0400361 'applet', 'alert', 'document', 'write', 'cookie', 'window'
362 );
David Behler07b53422011-08-15 00:25:06 +0200363
Derek Jonese701d762010-03-02 18:17:01 -0600364 foreach ($words as $word)
365 {
Andrey Andreev3d113bd2011-10-05 00:03:20 +0300366 $word = implode("\s*", str_split($word)) . "\s*";
Derek Jonese701d762010-03-02 18:17:01 -0600367
368 // We only want to do this when it is followed by a non-word character
369 // That way valid stuff like "dealer to" does not become "dealerto"
Andrey Andreev3d113bd2011-10-05 00:03:20 +0300370 $str = preg_replace_callback('#('.substr($word, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str);
Derek Jonese701d762010-03-02 18:17:01 -0600371 }
Barry Mienydd671972010-10-04 16:33:58 +0200372
Derek Jonese701d762010-03-02 18:17:01 -0600373 /*
374 * Remove disallowed Javascript in links or img tags
David Behler07b53422011-08-15 00:25:06 +0200375 * We used to do some version comparisons and use of stripos for PHP5,
376 * but it is dog slow compared to these simplified non-capturing
Pascal Krietec9c045a2011-04-05 14:50:41 -0400377 * preg_match(), especially if the pattern exists in the string
Derek Jonese701d762010-03-02 18:17:01 -0600378 */
379 do
380 {
381 $original = $str;
Barry Mienydd671972010-10-04 16:33:58 +0200382
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200383 if (preg_match('/<a/i', $str))
Derek Jonese701d762010-03-02 18:17:01 -0600384 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200385 $str = preg_replace_callback('#<a\s+([^>]*?)(>|$)#si', array($this, '_js_link_removal'), $str);
Derek Jonese701d762010-03-02 18:17:01 -0600386 }
Barry Mienydd671972010-10-04 16:33:58 +0200387
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200388 if (preg_match('/<img/i', $str))
Derek Jonese701d762010-03-02 18:17:01 -0600389 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200390 $str = preg_replace_callback('#<img\s+([^>]*?)(\s?/?>|$)#si', array($this, '_js_img_removal'), $str);
Derek Jonese701d762010-03-02 18:17:01 -0600391 }
Barry Mienydd671972010-10-04 16:33:58 +0200392
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200393 if (preg_match('/(script|xss)/i', $str))
Derek Jonese701d762010-03-02 18:17:01 -0600394 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200395 $str = preg_replace('#<(/*)(script|xss)(.*?)\>#si', '[removed]', $str);
Derek Jonese701d762010-03-02 18:17:01 -0600396 }
397 }
Pascal Krietec9c045a2011-04-05 14:50:41 -0400398 while($original != $str);
Derek Jonese701d762010-03-02 18:17:01 -0600399
400 unset($original);
401
Pascal Krietec9c045a2011-04-05 14:50:41 -0400402 // Remove evil attributes such as style, onclick and xmlns
403 $str = $this->_remove_evil_attributes($str, $is_image);
Barry Mienydd671972010-10-04 16:33:58 +0200404
Derek Jonese701d762010-03-02 18:17:01 -0600405 /*
406 * Sanitize naughty HTML elements
407 *
408 * If a tag containing any of the words in the list
409 * below is found, the tag gets converted to entities.
410 *
411 * So this: <blink>
412 * Becomes: &lt;blink&gt;
Derek Jonese701d762010-03-02 18:17:01 -0600413 */
414 $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
415 $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
416
417 /*
418 * Sanitize naughty scripting elements
419 *
420 * Similar to above, only instead of looking for
421 * tags it looks for PHP and JavaScript commands
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200422 * that are disallowed. Rather than removing the
Derek Jonese701d762010-03-02 18:17:01 -0600423 * code, it simply converts the parenthesis to entities
424 * rendering the code un-executable.
425 *
426 * For example: eval('some code')
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200427 * Becomes: eval&#40;'some code'&#41;
Derek Jonese701d762010-03-02 18:17:01 -0600428 */
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200429 $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si',
430 '\\1\\2&#40;\\3&#41;',
431 $str);
Barry Mienydd671972010-10-04 16:33:58 +0200432
Barry Mienydd671972010-10-04 16:33:58 +0200433
Pascal Krietec9c045a2011-04-05 14:50:41 -0400434 // Final clean up
435 // This adds a bit of extra precaution in case
436 // something got through the above filters
437 $str = $this->_do_never_allowed($str);
Derek Jonese701d762010-03-02 18:17:01 -0600438
439 /*
Pascal Krietec9c045a2011-04-05 14:50:41 -0400440 * Images are Handled in a Special Way
David Behler07b53422011-08-15 00:25:06 +0200441 * - Essentially, we want to know that after all of the character
442 * conversion is done whether any unwanted, likely XSS, code was found.
Pascal Krietec9c045a2011-04-05 14:50:41 -0400443 * If not, we return TRUE, as the image is clean.
David Behler07b53422011-08-15 00:25:06 +0200444 * However, if the string post-conversion does not matched the
445 * string post-removal of XSS, then it fails, as there was unwanted XSS
Pascal Krietec9c045a2011-04-05 14:50:41 -0400446 * code found and removed/changed during processing.
Derek Jonese701d762010-03-02 18:17:01 -0600447 */
Derek Jonese701d762010-03-02 18:17:01 -0600448 if ($is_image === TRUE)
449 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200450 return ($str === $converted_string);
Derek Jonese701d762010-03-02 18:17:01 -0600451 }
Barry Mienydd671972010-10-04 16:33:58 +0200452
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200453 log_message('debug', 'XSS Filtering completed');
Derek Jonese701d762010-03-02 18:17:01 -0600454 return $str;
455 }
456
457 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200458
Derek Jonese701d762010-03-02 18:17:01 -0600459 /**
460 * Random Hash for protecting URLs
461 *
Derek Jonese701d762010-03-02 18:17:01 -0600462 * @return string
463 */
Eric Barnes9805ecc2011-01-16 23:35:16 -0500464 public function xss_hash()
Barry Mienydd671972010-10-04 16:33:58 +0200465 {
Pascal Krietec9c045a2011-04-05 14:50:41 -0400466 if ($this->_xss_hash == '')
Derek Jonese701d762010-03-02 18:17:01 -0600467 {
Pascal Krietec38e3b62011-11-14 13:55:00 -0500468 mt_srand();
Pascal Krietec9c045a2011-04-05 14:50:41 -0400469 $this->_xss_hash = md5(time() + mt_rand(0, 1999999999));
Derek Jonese701d762010-03-02 18:17:01 -0600470 }
471
Pascal Krietec9c045a2011-04-05 14:50:41 -0400472 return $this->_xss_hash;
Derek Jonese701d762010-03-02 18:17:01 -0600473 }
474
475 // --------------------------------------------------------------------
476
477 /**
Derek Jonesa0911472010-03-30 10:33:09 -0500478 * HTML Entities Decode
479 *
480 * This function is a replacement for html_entity_decode()
481 *
Pascal Krietec38e3b62011-11-14 13:55:00 -0500482 * The reason we are not using html_entity_decode() by itself is because
483 * while it is not technically correct to leave out the semicolon
484 * at the end of an entity most browsers will still interpret the entity
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200485 * correctly. html_entity_decode() does not convert entities without
Pascal Krietec38e3b62011-11-14 13:55:00 -0500486 * semicolons, so we are left with our own little solution here. Bummer.
Derek Jonesa0911472010-03-30 10:33:09 -0500487 *
Derek Jonesa0911472010-03-30 10:33:09 -0500488 * @param string
489 * @param string
490 * @return string
491 */
freewil8cc0cfe2011-08-27 21:53:00 -0400492 public function entity_decode($str, $charset = NULL)
Derek Jonesa0911472010-03-30 10:33:09 -0500493 {
Andrey Andreev3d113bd2011-10-05 00:03:20 +0300494 if (strpos($str, '&') === FALSE)
freewil5c9b0d12011-08-28 12:15:23 -0400495 {
496 return $str;
497 }
Andrey Andreev3d113bd2011-10-05 00:03:20 +0300498
freewil5c9b0d12011-08-28 12:15:23 -0400499 if (empty($charset))
500 {
501 $charset = config_item('charset');
502 }
Barry Mienydd671972010-10-04 16:33:58 +0200503
Andrey Andreev3d113bd2011-10-05 00:03:20 +0300504 $str = html_entity_decode($str, ENT_COMPAT, $charset);
505 $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
506 return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
Derek Jonesa0911472010-03-30 10:33:09 -0500507 }
Barry Mienydd671972010-10-04 16:33:58 +0200508
Derek Jonesa0911472010-03-30 10:33:09 -0500509 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200510
Derek Jonesa0911472010-03-30 10:33:09 -0500511 /**
Derek Jonese701d762010-03-02 18:17:01 -0600512 * Filename Security
513 *
Derek Jonese701d762010-03-02 18:17:01 -0600514 * @param string
David Behler07b53422011-08-15 00:25:06 +0200515 * @param bool
Derek Jonese701d762010-03-02 18:17:01 -0600516 * @return string
517 */
Eric Barnes9805ecc2011-01-16 23:35:16 -0500518 public function sanitize_filename($str, $relative_path = FALSE)
Derek Jonese701d762010-03-02 18:17:01 -0600519 {
520 $bad = array(
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200521 '../', '<!--', '-->', '<', '>',
522 "'", '"', '&', '$', '#',
523 '{', '}', '[', ']', '=',
524 ';', '?', '%20', '%22',
525 '%3c', // <
526 '%253c', // <
527 '%3e', // >
528 '%0e', // >
529 '%28', // (
530 '%29', // )
531 '%2528', // (
532 '%26', // &
533 '%24', // $
534 '%3f', // ?
535 '%3b', // ;
536 '%3d' // =
537 );
David Behler07b53422011-08-15 00:25:06 +0200538
Derek Jones2ef37592010-10-06 17:51:59 -0500539 if ( ! $relative_path)
540 {
541 $bad[] = './';
542 $bad[] = '/';
543 }
Derek Jonese701d762010-03-02 18:17:01 -0600544
Pascal Krietec9c045a2011-04-05 14:50:41 -0400545 $str = remove_invisible_characters($str, FALSE);
Derek Jonese701d762010-03-02 18:17:01 -0600546 return stripslashes(str_replace($bad, '', $str));
547 }
548
Pascal Krietec9c045a2011-04-05 14:50:41 -0400549 // ----------------------------------------------------------------
550
551 /**
552 * Compact Exploded Words
553 *
554 * Callback function for xss_clean() to remove whitespace from
555 * things like j a v a s c r i p t
556 *
557 * @param type
558 * @return type
559 */
560 protected function _compact_exploded_words($matches)
561 {
562 return preg_replace('/\s+/s', '', $matches[1]).$matches[2];
563 }
564
565 // --------------------------------------------------------------------
David Behler07b53422011-08-15 00:25:06 +0200566
Pascal Krietec9c045a2011-04-05 14:50:41 -0400567 /*
568 * Remove Evil HTML Attributes (like evenhandlers and style)
569 *
570 * It removes the evil attribute and either:
571 * - Everything up until a space
572 * For example, everything between the pipes:
573 * <a |style=document.write('hello');alert('world');| class=link>
David Behler07b53422011-08-15 00:25:06 +0200574 * - Everything inside the quotes
Pascal Krietec9c045a2011-04-05 14:50:41 -0400575 * For example, everything between the pipes:
576 * <a |style="document.write('hello'); alert('world');"| class="link">
577 *
578 * @param string $str The string to check
579 * @param boolean $is_image TRUE if this is an image
580 * @return string The string with the evil attributes removed
581 */
582 protected function _remove_evil_attributes($str, $is_image)
583 {
584 // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
Pascal Krietec38e3b62011-11-14 13:55:00 -0500585 $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
Pascal Krietec9c045a2011-04-05 14:50:41 -0400586
587 if ($is_image === TRUE)
588 {
589 /*
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200590 * Adobe Photoshop puts XML metadata into JFIF images,
Pascal Krietec9c045a2011-04-05 14:50:41 -0400591 * including namespacing, so we have to allow this for images.
592 */
593 unset($evil_attributes[array_search('xmlns', $evil_attributes)]);
594 }
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200595
Pascal Krietec9c045a2011-04-05 14:50:41 -0400596 do {
Pascal Krietec38e3b62011-11-14 13:55:00 -0500597 $count = 0;
598 $attribs = array();
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200599
Pascal Krietec38e3b62011-11-14 13:55:00 -0500600 // find occurrences of illegal attribute strings without quotes
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200601 preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s]*)/is', $str, $matches, PREG_SET_ORDER);
602
Pascal Krietec38e3b62011-11-14 13:55:00 -0500603 foreach ($matches as $attr)
604 {
605 $attribs[] = preg_quote($attr[0], '/');
606 }
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200607
Pascal Krietec38e3b62011-11-14 13:55:00 -0500608 // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200609 preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
David Behler07b53422011-08-15 00:25:06 +0200610
Pascal Krietec38e3b62011-11-14 13:55:00 -0500611 foreach ($matches as $attr)
612 {
613 $attribs[] = preg_quote($attr[0], '/');
614 }
615
616 // replace illegal attribute strings that are inside an html tag
617 if (count($attribs) > 0)
618 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200619 $str = preg_replace('/<(\/?[^><]+?)([^A-Za-z\-])('.implode('|', $attribs).')([\s><])([><]*)/i', '<$1$2$4$5', $str, -1, $count);
Pascal Krietec38e3b62011-11-14 13:55:00 -0500620 }
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200621
Pascal Krietec38e3b62011-11-14 13:55:00 -0500622 } while ($count);
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200623
Pascal Krietec9c045a2011-04-05 14:50:41 -0400624 return $str;
625 }
David Behler07b53422011-08-15 00:25:06 +0200626
Pascal Krietec9c045a2011-04-05 14:50:41 -0400627 // --------------------------------------------------------------------
628
629 /**
630 * Sanitize Naughty HTML
631 *
632 * Callback function for xss_clean() to remove naughty HTML elements
633 *
634 * @param array
635 * @return string
636 */
637 protected function _sanitize_naughty_html($matches)
638 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200639 return '&lt;'.$matches[1].$matches[2].$matches[3] // encode opening brace
640 // encode captured opening or closing brace to prevent recursive vectors:
641 . str_replace(array('>', '<'), array('&gt;', '&lt;'), $matches[4]);
Pascal Krietec9c045a2011-04-05 14:50:41 -0400642 }
643
644 // --------------------------------------------------------------------
645
646 /**
647 * JS Link Removal
648 *
649 * Callback function for xss_clean() to sanitize links
650 * This limits the PCRE backtracks, making it more performance friendly
651 * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
652 * PHP 5.2+ on link-heavy strings
653 *
654 * @param array
655 * @return string
656 */
657 protected function _js_link_removal($match)
658 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200659 return str_replace($match[1],
660 preg_replace('#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
661 '',
662 $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
663 ),
664 $match[0]);
Pascal Krietec9c045a2011-04-05 14:50:41 -0400665 }
666
667 // --------------------------------------------------------------------
668
669 /**
670 * JS Image Removal
671 *
672 * Callback function for xss_clean() to sanitize image tags
673 * This limits the PCRE backtracks, making it more performance friendly
674 * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
675 * PHP 5.2+ on image tag heavy strings
676 *
677 * @param array
678 * @return string
679 */
680 protected function _js_img_removal($match)
681 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200682 return str_replace($match[1],
683 preg_replace('#src=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
684 '',
685 $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
686 ),
687 $match[0]);
Pascal Krietec9c045a2011-04-05 14:50:41 -0400688 }
689
690 // --------------------------------------------------------------------
691
692 /**
693 * Attribute Conversion
694 *
695 * Used as a callback for XSS Clean
696 *
697 * @param array
698 * @return string
699 */
700 protected function _convert_attribute($match)
701 {
702 return str_replace(array('>', '<', '\\'), array('&gt;', '&lt;', '\\\\'), $match[0]);
703 }
704
705 // --------------------------------------------------------------------
706
707 /**
708 * Filter Attributes
709 *
710 * Filters tag attributes for consistency and safety
711 *
712 * @param string
713 * @return string
714 */
715 protected function _filter_attributes($str)
716 {
717 $out = '';
718
719 if (preg_match_all('#\s*[a-z\-]+\s*=\s*(\042|\047)([^\\1]*?)\\1#is', $str, $matches))
720 {
721 foreach ($matches[0] as $match)
722 {
723 $out .= preg_replace("#/\*.*?\*/#s", '', $match);
724 }
725 }
726
727 return $out;
728 }
729
730 // --------------------------------------------------------------------
731
732 /**
733 * HTML Entity Decode Callback
734 *
735 * Used as a callback for XSS Clean
736 *
737 * @param array
738 * @return string
739 */
740 protected function _decode_entity($match)
741 {
742 return $this->entity_decode($match[0], strtoupper(config_item('charset')));
743 }
744
745 // --------------------------------------------------------------------
David Behler07b53422011-08-15 00:25:06 +0200746
Pascal Krietec9c045a2011-04-05 14:50:41 -0400747 /**
748 * Validate URL entities
749 *
750 * Called by xss_clean()
751 *
David Behler07b53422011-08-15 00:25:06 +0200752 * @param string
Pascal Krietec9c045a2011-04-05 14:50:41 -0400753 * @return string
754 */
755 protected function _validate_entities($str)
756 {
757 /*
758 * Protect GET variables in URLs
759 */
David Behler07b53422011-08-15 00:25:06 +0200760
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200761 // 901119URL5918AMP18930PROTECT8198
762 $str = preg_replace('|\&([a-z\_0-9\-]+)\=([a-z\_0-9\-]+)|i', $this->xss_hash().'\\1=\\2', $str);
Pascal Krietec9c045a2011-04-05 14:50:41 -0400763
764 /*
765 * Validate standard character entities
766 *
Derek Jones37f4b9c2011-07-01 17:56:50 -0500767 * Add a semicolon if missing. We do this to enable
Pascal Krietec9c045a2011-04-05 14:50:41 -0400768 * the conversion of entities to ASCII later.
Pascal Krietec9c045a2011-04-05 14:50:41 -0400769 */
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200770 $str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', '\\1;\\2', $str);
Pascal Krietec9c045a2011-04-05 14:50:41 -0400771
772 /*
773 * Validate UTF16 two byte encoding (x00)
774 *
775 * Just as above, adds a semicolon if missing.
Pascal Krietec9c045a2011-04-05 14:50:41 -0400776 */
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200777 $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i', '\\1\\2;', $str);
Pascal Krietec9c045a2011-04-05 14:50:41 -0400778
779 /*
780 * Un-Protect GET variables in URLs
781 */
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200782 return str_replace($this->xss_hash(), '&', $str);
Pascal Krietec9c045a2011-04-05 14:50:41 -0400783 }
784
785 // ----------------------------------------------------------------------
786
787 /**
788 * Do Never Allowed
789 *
790 * A utility function for xss_clean()
791 *
792 * @param string
793 * @return string
794 */
795 protected function _do_never_allowed($str)
796 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200797 $str = str_replace(array_keys($this->_never_allowed_str), $this->_never_allowed_str, $str);
Pascal Krietec9c045a2011-04-05 14:50:41 -0400798
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200799 foreach ($this->_never_allowed_regex as $regex)
Pascal Krietec9c045a2011-04-05 14:50:41 -0400800 {
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200801 $str = preg_replace('#'.$regex.'#i', '[removed]', $str);
Pascal Krietec9c045a2011-04-05 14:50:41 -0400802 }
David Behler07b53422011-08-15 00:25:06 +0200803
Pascal Krietec9c045a2011-04-05 14:50:41 -0400804 return $str;
805 }
806
807 // --------------------------------------------------------------------
808
809 /**
810 * Set Cross Site Request Forgery Protection Cookie
811 *
812 * @return string
813 */
814 protected function _csrf_set_hash()
815 {
816 if ($this->_csrf_hash == '')
817 {
David Behler07b53422011-08-15 00:25:06 +0200818 // If the cookie exists we will use it's value.
Pascal Krietec9c045a2011-04-05 14:50:41 -0400819 // We don't necessarily want to regenerate it with
David Behler07b53422011-08-15 00:25:06 +0200820 // each page load since a page could contain embedded
Pascal Krietec9c045a2011-04-05 14:50:41 -0400821 // sub-pages causing this feature to fail
David Behler07b53422011-08-15 00:25:06 +0200822 if (isset($_COOKIE[$this->_csrf_cookie_name]) &&
Pascal Krietec9c045a2011-04-05 14:50:41 -0400823 $_COOKIE[$this->_csrf_cookie_name] != '')
824 {
825 return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name];
826 }
David Behler07b53422011-08-15 00:25:06 +0200827
Chris Berthed93e6f32011-09-25 10:33:25 -0400828 $this->_csrf_hash = md5(uniqid(rand(), TRUE));
829 $this->csrf_set_cookie();
Pascal Krietec9c045a2011-04-05 14:50:41 -0400830 }
831
832 return $this->_csrf_hash;
833 }
834
Derek Jonese701d762010-03-02 18:17:01 -0600835}
Derek Jonese701d762010-03-02 18:17:01 -0600836
837/* End of file Security.php */
Andrey Andreevbb488dc2012-01-07 23:35:16 +0200838/* Location: ./system/core/Security.php */