summaryrefslogtreecommitdiffstats
path: root/system/core/Security.php
diff options
context:
space:
mode:
authorWes Baker <wes@wesbaker.com>2012-05-07 22:49:33 +0200
committerWes Baker <wes@wesbaker.com>2012-05-07 22:49:33 +0200
commitd348135ed2131e5fa41dfa0ea7254d2f6759f3e0 (patch)
tree14cfc61c47686b895acd9e49b45c559d311195cc /system/core/Security.php
parentbb2c83bddbf51c42815be3de60eab24fd87ae392 (diff)
parentd207c9218531afe666168c1f5f59abd1bc19a8aa (diff)
Merge branch 'develop' of github.com:EllisLab/CodeIgniter into develop
Conflicts: system/core/Security.php
Diffstat (limited to 'system/core/Security.php')
-rwxr-xr-xsystem/core/Security.php100
1 files changed, 52 insertions, 48 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 65746637b..c82b69ff9 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -41,14 +41,14 @@ class CI_Security {
*
* @var string
*/
- protected $_xss_hash = '';
+ protected $_xss_hash = '';
/**
* Random Hash for Cross Site Request Forgery Protection Cookie
*
* @var string
*/
- protected $_csrf_hash = '';
+ protected $_csrf_hash = '';
/**
* Expiration time for Cross Site Request Forgery Protection Cookie
@@ -56,39 +56,39 @@ class CI_Security {
*
* @var int
*/
- protected $_csrf_expire = 7200;
+ protected $_csrf_expire = 7200;
/**
* Token name for Cross Site Request Forgery Protection Cookie
*
* @var string
*/
- protected $_csrf_token_name = 'ci_csrf_token';
+ protected $_csrf_token_name = 'ci_csrf_token';
/**
* Cookie name for Cross Site Request Forgery Protection Cookie
*
* @var string
*/
- protected $_csrf_cookie_name = 'ci_csrf_token';
+ protected $_csrf_cookie_name = 'ci_csrf_token';
/**
* List of never allowed strings
*
* @var array
*/
- protected $_never_allowed_str = array(
- 'document.cookie' => '[removed]',
- 'document.write' => '[removed]',
- '.parentNode' => '[removed]',
- '.innerHTML' => '[removed]',
- 'window.location' => '[removed]',
- '-moz-binding' => '[removed]',
- '<!--' => '&lt;!--',
- '-->' => '--&gt;',
- '<![CDATA[' => '&lt;![CDATA[',
- '<comment>' => '&lt;comment&gt;'
- );
+ protected $_never_allowed_str = array(
+ 'document.cookie' => '[removed]',
+ 'document.write' => '[removed]',
+ '.parentNode' => '[removed]',
+ '.innerHTML' => '[removed]',
+ 'window.location' => '[removed]',
+ '-moz-binding' => '[removed]',
+ '<!--' => '&lt;!--',
+ '-->' => '--&gt;',
+ '<![CDATA[' => '&lt;![CDATA[',
+ '<comment>' => '&lt;comment&gt;'
+ );
/**
* List of never allowed regex replacement
@@ -96,13 +96,16 @@ class CI_Security {
* @var array
*/
protected $_never_allowed_regex = array(
- 'javascript\s*:',
- 'expression\s*(\(|&\#40;)', // CSS and IE
- 'vbscript\s*:', // IE, surprise!
- 'Redirect\s+302',
- "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
- );
-
+ 'javascript\s*:',
+ 'expression\s*(\(|&\#40;)', // CSS and IE
+ 'vbscript\s*:', // IE, surprise!
+ 'Redirect\s+302',
+ "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
+ );
+
+ /**
+ * Initialize security class
+ */
public function __construct()
{
// Is CSRF protection enabled?
@@ -363,9 +366,10 @@ class CI_Security {
* These words are compacted back to their correct state.
*/
$words = array(
- 'javascript', 'expression', 'vbscript', 'script', 'base64',
- 'applet', 'alert', 'document', 'write', 'cookie', 'window'
- );
+ 'javascript', 'expression', 'vbscript', 'script', 'base64',
+ 'applet', 'alert', 'document', 'write', 'cookie', 'window'
+ );
+
foreach ($words as $word)
{
@@ -523,23 +527,23 @@ class CI_Security {
public function sanitize_filename($str, $relative_path = FALSE)
{
$bad = array(
- '../', '<!--', '-->', '<', '>',
- "'", '"', '&', '$', '#',
- '{', '}', '[', ']', '=',
- ';', '?', '%20', '%22',
- '%3c', // <
- '%253c', // <
- '%3e', // >
- '%0e', // >
- '%28', // (
- '%29', // )
- '%2528', // (
- '%26', // &
- '%24', // $
- '%3f', // ?
- '%3b', // ;
- '%3d' // =
- );
+ '../', '<!--', '-->', '<', '>',
+ "'", '"', '&', '$', '#',
+ '{', '}', '[', ']', '=',
+ ';', '?', '%20', '%22',
+ '%3c', // <
+ '%253c', // <
+ '%3e', // >
+ '%0e', // >
+ '%28', // (
+ '%29', // )
+ '%2528', // (
+ '%26', // &
+ '%24', // $
+ '%3f', // ?
+ '%3b', // ;
+ '%3d' // =
+ );
if ( ! $relative_path)
{
@@ -559,8 +563,8 @@ class CI_Security {
* Callback function for xss_clean() to remove whitespace from
* things like j a v a s c r i p t
*
- * @param type
- * @return type
+ * @param array
+ * @return string
*/
protected function _compact_exploded_words($matches)
{
@@ -569,8 +573,8 @@ class CI_Security {
// --------------------------------------------------------------------
- /*
- * Remove Evil HTML Attributes (like evenhandlers and style)
+ /**
+ * Remove Evil HTML Attributes (like event handlers and style)
*
* It removes the evil attribute and either:
* - Everything up until a space