-rw-r--r-- | system/libraries/Input.php | 116 | ||||
-rw-r--r-- | user_guide/general/changelog.html | 1 |
2 files changed, 52 insertions, 65 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php index 41d77a97a..98c2cbd55 100644 --- a/system/libraries/Input.php +++ b/system/libraries/Input.php @@ -42,14 +42,13 @@ class CI_Input { */ function CI_Input() { + log_message('debug', "Input Class Initialized"); + $CFG =& _load_class('Config'); $this->use_xss_clean = ($CFG->item('global_xss_filtering') === TRUE) ? TRUE : FALSE; - $this->allow_get_array = ($CFG->item('enable_query_strings') === TRUE) ? TRUE : FALSE; - - log_message('debug', "Input Class Initialized"); + $this->allow_get_array = ($CFG->item('enable_query_strings') === TRUE) ? TRUE : FALSE; $this->_sanitize_globals(); } - // END CI_Input() // -------------------------------------------------------------------- @@ -81,11 +80,11 @@ class CI_Input { foreach ($global as $key => $val) { unset($$key); - } + } } } - // Is $_GET data allowed? + // Is $_GET data allowed? If not we'll set the $_GET to an empty array if ($this->allow_get_array == FALSE) { $_GET = array(); @@ -95,33 +94,22 @@ class CI_Input { if (is_array($_POST) AND count($_POST) > 0) { foreach($_POST as $key => $val) - { - if (is_array($val)) - { - foreach($val as $k => $v) - { - $_POST[$this->_clean_input_keys($key)][$this->_clean_input_keys($k)] = $this->_clean_input_data($v); - } - } - else - { - $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); - } - } + { + $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); + } } // Clean $_COOKIE Data if (is_array($_COOKIE) AND count($_COOKIE) > 0) { foreach($_COOKIE as $key => $val) - { + { $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); - } + } } log_message('debug', "Global POST and COOKIE data sanitized"); } - // END _sanitize_globals() // -------------------------------------------------------------------- 
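Review bot: The collapsed `$_POST` loop in the @@ -95 hunk now relies on `_clean_input_data()` recursing into array values (which the @@ -142 hunk makes it do), but nothing at this call site says so; a comment above the loop such as `// _clean_input_data() recurses into nested arrays and runs their keys through _clean_input_keys()` would keep a later reader from re-adding the one-level special case. Separately, when `allow_get_array` is TRUE the earlier hunk keeps `$_GET` as-is and this hunk never runs it through the same key/data cleaning, and the closing log message only claims POST and COOKIE were sanitized, so the gap is easy to miss. If leaving `$_GET` unfiltered is deliberate it deserves a comment; otherwise a third loop mirroring the `$_COOKIE` one is needed. `_sanitize_globals()` begins before this hunk.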
@@ -142,7 +130,7 @@ class CI_Input { $new_array = array(); foreach ($str as $key => $val) { - $new_array[$key] = $this->_clean_input_data($val); + $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } return $new_array; } @@ -152,9 +140,9 @@ class CI_Input { $str = $this->xss_clean($str); } + // Standardize newlines return preg_replace("/\015\012|\015|\012/", "\n", $str); } - // END _clean_input_data() // -------------------------------------------------------------------- @@ -170,7 +158,7 @@ class CI_Input { * @return string */ function _clean_input_keys($str) - { + { if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str)) { exit('Disallowed Key Characters: '.$str); @@ -183,7 +171,6 @@ class CI_Input { return $str; } - // END _clean_input_keys() // -------------------------------------------------------------------- @@ -200,19 +187,24 @@ class CI_Input { { return FALSE; } - else + + if ($xss_clean === TRUE) { - if ($xss_clean === TRUE) + if (is_array($_POST[$index])) { - return $this->xss_clean($_POST[$index]); + foreach($_POST[$index] as $key => $val) + { + $_POST[$index][$key] = $this->xss_clean($val); + } } else { - return $_POST[$index]; + return $this->xss_clean($_POST[$index]); } } + + return $_POST[$index]; } - // END post() // -------------------------------------------------------------------- 
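Review bot: The @@ -142 hunk now routes every nested array key through `_clean_input_keys()`, whose rejection path (visible as context in the @@ -170 hunk) is `exit('Disallowed Key Characters: '.$str);`, so the rejected key is written into the response verbatim — and a key only reaches that branch because it contains characters outside `[a-z0-9:_/-]`, which are exactly the markup-capable ones. Either drop the key from the message or escape it, e.g. `exit('Disallowed Key Characters: '.htmlspecialchars($str, ENT_QUOTES));`, and consider sending an error status rather than a bare `exit()`. The `_clean_input_data()` array branch starts before this hunk.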
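Review bot: In the @@ -200 hunk the array branch of `post()` writes the filtered values back into the `$_POST` superglobal (`$_POST[$index][$key] = $this->xss_clean($val);`), while the reworked `cookie()` in the next hunk builds a local `$cookie` copy and returns it; the two accessors should agree, and the copying form avoids mutating global state on every read and re-filtering already-filtered data on the next `$xss_clean` call. Using `$post = array();` before the loop, `$post[$key] = $this->xss_clean($val);` inside it and `return $post;` after it mirrors `cookie()`. Both accessors also only descend one level: a value that is itself an array is handed to `xss_clean()` whole, and the visible parts of `xss_clean()` in the later hunks treat `$str` as a string with `preg_replace`/`preg_match_all`, so nested arrays are likely neither filtered nor rejected — a recursive walk, or reusing the array branch of `_clean_input_data()`, would close that for both `post()` and `cookie()`. `post()` begins before this hunk.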
@@ -229,32 +221,29 @@ class CI_Input { { return FALSE; } - else - { - if ($xss_clean === TRUE) + + if ($xss_clean === TRUE) + { + if (is_array($_COOKIE[$index])) { - if (is_array($_COOKIE[$index])) - { - $cookie = array(); - foreach($_COOKIE[$index] as $key => $val) - { - $cookie[$key] = $this->xss_clean($val); - } - - return $cookie; - } - else + $cookie = array(); + foreach($_COOKIE[$index] as $key => $val) { - return $this->xss_clean($_COOKIE[$index]); + $cookie[$key] = $this->xss_clean($val); } + + return $cookie; } else { - return $_COOKIE[$index]; + return $this->xss_clean($_COOKIE[$index]); } } + else + { + return $_COOKIE[$index]; + } } - // END cookie() // -------------------------------------------------------------------- @@ -297,7 +286,6 @@ class CI_Input { return $this->ip_address; } - // END ip_address() // -------------------------------------------------------------------- @@ -312,7 +300,6 @@ class CI_Input { { return ( ! preg_match( "/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $ip)) ? FALSE : TRUE; } - // END valid_ip() // -------------------------------------------------------------------- @@ -333,7 +320,6 @@ class CI_Input { return $this->user_agent; } - // END user_agent() // -------------------------------------------------------------------- @@ -403,8 +389,8 @@ class CI_Input { * */ $str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str); - $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str); - + $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str); + /* * Convert character entities to ASCII * @@ -414,8 +400,8 @@ class CI_Input { * */ - if (preg_match_all("/<(.+?)>/si", $str, $matches)) - { + if (preg_match_all("/<(.+?)>/si", $str, $matches)) + { for ($i = 0; $i < count($matches['0']); $i++) { $str = str_replace($matches['1'][$i], 
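Review bot: In the @@ -229 hunk the trailing `else { return $_COOKIE[$index]; }` follows an `if` block in which every path returns, so the `else` only adds nesting; `post()` in the previous hunk already uses the flat form, and replacing the block with a bare `return $_COOKIE[$index];` at the end of the method keeps the two accessors parallel. `cookie()` begins before this hunk.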
@@ -532,12 +518,12 @@ class CI_Input { $str = preg_replace("#".$key."#i", $val, $str); } - + log_message('debug', "XSS Filtering completed"); return $str; } - // END xss_clean() + // -------------------------------------------------------------------- /** * HTML Entities Decode @@ -555,14 +541,14 @@ class CI_Input { * @return string */ /* ------------------------------------------------- - /* Replacement for html_entity_decode() - /* -------------------------------------------------*/ - - /* - NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the - character set, and the PHP developers said they were not back porting the - fix to versions other than PHP 5.x. - */ + /* Replacement for html_entity_decode() + /* -------------------------------------------------*/ + + /* + NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the + character set, and the PHP developers said they were not back porting the + fix to versions other than PHP 5.x. + */ function _html_entity_decode($str, $charset='ISO-8859-1') { if (stristr($str, '&') === FALSE) return $str; diff --git a/user_guide/general/changelog.html b/user_guide/general/changelog.html index b8fceaa6d..4373de76d 100644 --- a/user_guide/general/changelog.html +++ b/user_guide/general/changelog.html @@ -79,6 +79,7 @@ Change Log <li>Added <a href="../database/queries.html">simple_query()</a> function to the database classes</li>
<li>Added <a href="../helpers/date_helper.html">standard_date()</a> function to the Date Helper.</li>
<li>Updated the DB Result class to return an empty array when $query->result() doesn't produce a result.</li>
+<li>Updated the <dfn>input->cookie()</dfn> and <dfn>input->post()</dfn> functions in <a href="../libraries/input.html">Input Class</a> to permit arrays contained cookies that are arrays to be run through the XSS filter.</li>
<li>Added $query->free_result();</li>
<li>Added $query->field_names() function</li>