diff options
| -rw-r--r-- | system/core/Input.php | 168 | ||||
| -rw-r--r-- | tests/mocks/core/input.php | 19 | ||||
| -rw-r--r-- | user_guide_src/source/installation/upgrade_320.rst | 18 | ||||
| -rw-r--r-- | user_guide_src/source/libraries/input.rst | 28 |
4 files changed, 32 insertions, 201 deletions
diff --git a/system/core/Input.php b/system/core/Input.php index d4f79ee68..aefc3b7d8 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -93,8 +93,15 @@ class CI_Input { */ protected $_input_stream; + /** + * CI_Security instance + * + * Used for the optional $xss_filter parameter that most + * getter methods have here. + * + * @var CI_Security + */ protected $security; - protected $uni; // -------------------------------------------------------------------- @@ -112,15 +119,6 @@ class CI_Input { $this->security =& load_class('Security', 'core'); - // Do we need the UTF-8 class? - if (UTF8_ENABLED === TRUE) - { - $this->uni =& load_class('Utf8', 'core'); - } - - // Sanitize global arrays - $this->_sanitize_globals(); - // CSRF Protection check if ($this->_enable_csrf === TRUE && ! is_cli()) { @@ -555,156 +553,6 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Sanitize Globals - * - * Internal method serving for the following purposes: - * - * - Unsets $_GET data, if query strings are not enabled - * - Cleans POST, COOKIE and SERVER data - * - * @return void - */ - protected function _sanitize_globals() - { - // Is $_GET data allowed? If not we'll set the $_GET to an empty array - if (is_array($_GET)) - { - foreach ($_GET as $key => $val) - { - $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); - } - } - - // Clean $_POST Data - if (is_array($_POST)) - { - foreach ($_POST as $key => $val) - { - $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); - } - } - - // Clean $_COOKIE Data - if (is_array($_COOKIE)) - { - // Also get rid of specially treated cookies that might be set by a server - // or silly application, that are of no use to a CI application anyway - // but that when present will trip our 'Disallowed Key Characters' alarm - // http://www.ietf.org/rfc/rfc2109.txt - // note that the key names below are single quoted strings, and are not PHP variables - unset( - $_COOKIE['$Version'], - $_COOKIE['$Path'], - $_COOKIE['$Domain'] - ); - - foreach ($_COOKIE as $key => $val) - { - if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) - { - $_COOKIE[$cookie_key] = $this->_clean_input_data($val); - } - else - { - unset($_COOKIE[$key]); - } - } - } - - // Sanitize PHP_SELF - $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); - - log_message('info', 'Global POST, GET and COOKIE data sanitized'); - } - - // -------------------------------------------------------------------- - - /** - * Clean Input Data - * - * Internal method that aids in escaping data and - * standardizing newline characters to PHP_EOL. - * - * @param string|string[] $str Input string(s) - * @return string - */ - protected function _clean_input_data($str) - { - if (is_array($str)) - { - $new_array = array(); - foreach (array_keys($str) as $key) - { - $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); - } - return $new_array; - } - - /* We strip slashes if magic quotes is on to keep things consistent - - NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and - it will probably not exist in future versions at all. - */ - if ( ! is_php('5.4') && get_magic_quotes_gpc()) - { - $str = stripslashes($str); - } - - // Clean UTF-8 if supported - if (UTF8_ENABLED === TRUE) - { - $str = $this->uni->clean_string($str); - } - - // Remove control characters - $str = remove_invisible_characters($str, FALSE); - - return $str; - } - - // -------------------------------------------------------------------- - - /** - * Clean Keys - * - * Internal method that helps to prevent malicious users - * from trying to exploit keys we make sure that keys are - * only named with alpha-numeric text and a few other items. - * - * @param string $str Input string - * @param bool $fatal Whether to terminate script exection - * or to return FALSE if an invalid - * key is encountered - * @return string|bool - */ - protected function _clean_input_keys($str, $fatal = TRUE) - { - if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) - { - if ($fatal === TRUE) - { - return FALSE; - } - else - { - set_status_header(503); - echo 'Disallowed Key Characters.'; - exit(7); // EXIT_USER_INPUT - } - } - - // Clean UTF-8 if supported - if (UTF8_ENABLED === TRUE) - { - return $this->uni->clean_string($str); - } - - return $str; - } - - // -------------------------------------------------------------------- - - /** * Request Headers * * @param bool $xss_clean Whether to apply XSS filtering diff --git a/tests/mocks/core/input.php b/tests/mocks/core/input.php index 40e27441f..4d217a252 100644 --- a/tests/mocks/core/input.php +++ b/tests/mocks/core/input.php @@ -11,16 +11,10 @@ class Mock_Core_Input extends CI_Input { */ public function __construct($security, $utf8) { - $this->_allow_get_array = (config_item('allow_get_array') === TRUE); - $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); $this->_enable_csrf = (config_item('csrf_protection') === TRUE); // Assign Security and Utf8 classes $this->security = $security; - $this->uni = $utf8; - - // Sanitize global arrays - $this->_sanitize_globals(); } public function fetch_from_array($array, $index = '', $xss_clean = FALSE) @@ -28,16 +22,6 @@ class Mock_Core_Input extends CI_Input { return parent::_fetch_from_array($array, $index, $xss_clean); } - /** - * Lie about being a CLI request - * - * We take advantage of this in libraries/Session_test - */ - public function is_cli_request() - { - return FALSE; - } - public function __set($name, $value) { if ($name === 'ip_address') @@ -45,5 +29,4 @@ class Mock_Core_Input extends CI_Input { $this->ip_address = $value; } } - -}
\ No newline at end of file +} diff --git a/user_guide_src/source/installation/upgrade_320.rst b/user_guide_src/source/installation/upgrade_320.rst index 6501f40db..8434172e7 100644 --- a/user_guide_src/source/installation/upgrade_320.rst +++ b/user_guide_src/source/installation/upgrade_320.rst @@ -159,3 +159,21 @@ CodeIgniter versions that have been removed in 3.2.0: - ``send_email()`` (use ``mail()`` instead) - The entire *Smiley Helper* (an archived version is available on GitHub: `bcit-ci/ci3-smiley-helper <https://github.com/bcit-ci/ci3-smiley-helper>`_) + +Step 8: Make sure you're validating all user inputs +=================================================== + +The :doc:`Input Library <../libraries/input>` used to (often +unconditionally) filter and/or sanitize user input in the ``$_GET``, +``$_POST`` and ``$_COOKIE`` superglobals. + +This was a legacy feature from older times, when things like +`register_globals <https://secure.php.net/register_globals>`_ and +`magic_quotes_gpc <https://secure.php.net/magic_quotes_gpc>`_ existed in +PHP. +It was a necessity back then, but this is no longer the case and reliance +on global filters is a bad practice, giving you a false sense of security. + +This functionality is now removed, and so if you've relied on it for +whatever reasons, you should double-check that you are properly validating +all user inputs in your application (as you always should do). diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst index 1961e3e57..97460c2c5 100644 --- a/user_guide_src/source/libraries/input.rst +++ b/user_guide_src/source/libraries/input.rst @@ -2,10 +2,8 @@ Input Class ########### -The Input Class serves two purposes: - -#. It pre-processes global input data for security. -#. It provides some helper methods for fetching input data and pre-processing it. +The Input Class provides some helper methods for accessing input data +and pre-processing it. .. note:: This class is initialized automatically by the system so there is no need to do it manually. @@ -17,25 +15,9 @@ The Input Class serves two purposes: <div class="custom-index container"></div> -*************** -Input Filtering -*************** - -Security Filtering -================== - -The security filtering method is called automatically when a new -:doc:`controller <../general/controllers>` is invoked. It does the -following: - -- Destroys all global variables in the event register_globals is - turned on. -- Filters the GET/POST/COOKIE array keys, permitting only alpha-numeric - (and a few other) characters. - -******************* -Accessing form data -******************* +******************** +Accessing input data +******************** Using POST, GET, COOKIE, or SERVER Data ======================================= |