-rw-r--r-- | system/libraries/Email.php | 2 | ||||
-rw-r--r-- | system/libraries/Form_validation.php | 12 | ||||
-rw-r--r-- | system/libraries/Session/Session.php | 8 | ||||
-rw-r--r-- | tests/codeigniter/core/Security_test.php | 143 | ||||
-rw-r--r-- | user_guide_src/source/libraries/encryption.rst | 5 |
5 files changed, 126 insertions, 44 deletions
diff --git a/system/libraries/Email.php b/system/libraries/Email.php
index 45c5c09b9..66b5803dd 100644
--- a/system/libraries/Email.php
+++ b/system/libraries/Email.php
@@ -405,7 +405,7 @@ class CI_Email {
 	 * @param	array	$config = array()
 	 * @return	void
 	 */
-	public function __construct($config = array())
+	public function __construct(array $config = array())
 	{
 		$this->charset = config_item('charset');
 
diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php
index f161b40e7..9d1660258 100644
--- a/system/libraries/Form_validation.php
+++ b/system/libraries/Form_validation.php
@@ -1151,9 +1151,7 @@ class CI_Form_validation {
 			return FALSE;
 		}
 
-		return (MB_ENABLED === TRUE)
-			? ($val <= mb_strlen($str))
-			: ($val <= strlen($str));
+		return ($val <= mb_strlen($str));
 	}
 
 	// --------------------------------------------------------------------
@@ -1172,9 +1170,7 @@ class CI_Form_validation {
 			return FALSE;
 		}
 
-		return (MB_ENABLED === TRUE)
-			? ($val >= mb_strlen($str))
-			: ($val >= strlen($str));
+		return ($val >= mb_strlen($str));
 	}
 
 	// --------------------------------------------------------------------
@@ -1193,9 +1189,7 @@ class CI_Form_validation {
 			return FALSE;
 		}
 
-		return (MB_ENABLED === TRUE)
-			? (mb_strlen($str) === (int) $val)
-			: (strlen($str) === (int) $val);
+		return (mb_strlen($str) === (int) $val);
 	}
 
 	// --------------------------------------------------------------------
diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php
index f3b819af9..54d31ee1a 100644
--- a/system/libraries/Session/Session.php
+++ b/system/libraries/Session/Session.php
@@ -94,10 +94,7 @@ class CI_Session {
 			$this->_driver = 'database';
 		}
 
-		if (($class = $this->_ci_load_classes($this->_driver)) === FALSE)
-		{
-			return;
-		}
+		$class = $this->_ci_load_classes($this->_driver);
 
 		// Configuration ...
 		$this->_configure($params);
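Review bot: With the `MB_ENABLED` branch gone, `max_length`, `min_length` and `exact_length` (all three Form_validation hunks) call `mb_strlen()` unconditionally, so these rules now hard-depend on ext/mbstring or on a polyfill defining `mb_strlen()` being loaded before validation runs; if the framework's compat layer guarantees that, record the assumption with a comment above the return such as `// mb_strlen() is always defined here (ext/mbstring or the mbstring compat polyfill)`, otherwise removing the fallback turns a missing extension into a fatal undefined-function error. The byte-length fallback is also gone, so limits are always enforced in characters — the right unit for user-facing length checks, but a behaviour change for installs that previously ran without mbstring. `exact_length` casts with `(int) $val` while `max_length`/`min_length` compare the raw `$val`; aligning the three would be cheap. The enclosing methods start outside the hunks.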
@@ -230,8 +227,7 @@ class CI_Session {
 
 		if ( ! class_exists('CI_'.$class, FALSE) && ! class_exists($class, FALSE))
 		{
-			log_message('error', "Session: Configured driver '".$driver."' was not found. Aborting.");
-			return FALSE;
+			throw new \UnexpectedValueException("Session: Configured driver '".$driver."' was not found. Aborting.");
 		}
 	}
 
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index c96eecf02..7f467fb1b 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
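Review bot: The `log_message('error', ...)` call is dropped together with the `return FALSE`, so a misconfigured session driver is no longer written to the log unless whatever catches the exception logs it; keep `log_message('error', "Session: Configured driver '".$driver."' was not found. Aborting.");` on the line before the `throw` so the failure is recorded even when the exception is swallowed upstream. The method's docblock (outside the hunk) presumably still advertises a `FALSE` return and should gain `@throws \UnexpectedValueException`, since the constructor hunk above now assigns `$class` without checking it. Failing closed is an improvement over the old silent `return` from the constructor, which left the session object un-configured. `_ci_load_classes()` starts outside the hunk, so any other `return FALSE` path it still has would now reach that unchecked assignment.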
@@ -71,6 +71,47 @@ class Security_test extends CI_TestCase {
 		$this->assertEquals("Hello, i try to [removed]alert('Hack');[removed] your site", $harmless_string);
 	}
 
+	// --------------------------------------------------------------------
+
+	public function test_xss_clean_string_array()
+	{
+		$harm_strings = array(
+			"Hello, i try to <script>alert('Hack');</script> your site",
+			"Simple clean string",
+			"Hello, i try to <script>alert('Hack');</script> your site"
+		);
+
+		$harmless_strings = $this->security->xss_clean($harm_strings);
+
+		$this->assertEquals("Hello, i try to [removed]alert('Hack');[removed] your site", $harmless_strings[0]);
+		$this->assertEquals("Simple clean string", $harmless_strings[1]);
+		$this->assertEquals("Hello, i try to [removed]alert('Hack');[removed] your site", $harmless_strings[2]);
+	}
+
+	// --------------------------------------------------------------------
+
+	public function test_xss_clean_image_valid()
+	{
+		$harm_string = '<img src="test.png">';
+
+		$xss_clean_return = $this->security->xss_clean($harm_string, TRUE);
+
+		$this->assertTrue($xss_clean_return);
+	}
+
+	// --------------------------------------------------------------------
+
+	public function test_xss_clean_image_invalid()
+	{
+		$harm_string = '<img src=javascript:alert(String.fromCharCode(88,83,83))>';
+
+		$xss_clean_return = $this->security->xss_clean($harm_string, TRUE);
+
+		$this->assertFalse($xss_clean_return);
+	}
+
+	// --------------------------------------------------------------------
+
 	public function test_xss_clean_entity_double_encoded()
 	{
 		$input = '<a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>';
@@ -79,6 +120,22 @@ class Security_test extends CI_TestCase {
 
 	// --------------------------------------------------------------------
 
+	public function test_xss_clean_js_img_removal()
+	{
+		$input = '<img src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere';
+		$this->assertEquals('<img >', $this->security->xss_clean($input));
+	}
+
+	// --------------------------------------------------------------------
+
+	public function test_xss_clean_sanitize_naughty_html()
+	{
+		$input = '<blink>';
+		$this->assertEquals('<blink>', $this->security->xss_clean($input));
+	}
+
+	// --------------------------------------------------------------------
+
 	public function test_remove_evil_attributes()
 	{
 		$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttribute="bar">', false));
@@ -103,6 +160,17 @@ class Security_test extends CI_TestCase {
 
 	// --------------------------------------------------------------------
 
+	public function test_get_random_bytes()
+	{
+		$length = "invalid";
+		$this->assertFalse($this->security->get_random_bytes($length));
+
+		$length = 10;
+		$this->assertNotEmpty($this->security->get_random_bytes($length));
+	}
+
+	// --------------------------------------------------------------------
+
 	public function test_entity_decode()
 	{
 		$encoded = '<div>Hello <b>Booya</b></div>';
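Review bot: `test_get_random_bytes` only asserts that the 10-byte result is non-empty, so a regression that returned the wrong number of bytes, or the same bytes every call, would still pass; if `get_random_bytes()` returns exactly `$length` bytes (not visible here), pin that with `$this->assertSame(10, strlen($this->security->get_random_bytes($length)));` and add `$this->assertNotSame($this->security->get_random_bytes($length), $this->security->get_random_bytes($length));` to catch a constant return. The `"invalid"` case is worth keeping as written since it pins the `FALSE` contract for a non-numeric length.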
@@ -126,36 +194,55 @@ class Security_test extends CI_TestCase {
 		$this->assertEquals('foo', $safe_filename);
 	}
 
-
-    // --------------------------------------------------------------------
+
+	// --------------------------------------------------------------------
 
 	public function test_strip_image_tags()
 	{
-        $imgtags = Array(
-            '<img src="smiley.gif" alt="Smiley face" height="42" width="42">',
-            '<img alt="Smiley face" height="42" width="42" src="smiley.gif">',
-            '<img src="http://www.w3schools.com/images/w3schools_green.jpg">',
-            '<img src="/img/sunset.gif" height="100%" width="100%">',
-            '<img src="mdn-logo-sm.png" alt="MD Logo" srcset="mdn-logo-HD.png 2x, mdn-logo-small.png 15w, mdn-banner-HD.png 100w 2x" />',
-            '<img sqrc="/img/sunset.gif" height="100%" width="100%">',
-            '<img srqc="/img/sunset.gif" height="100%" width="100%">',
-            '<img srcq="/img/sunset.gif" height="100%" width="100%">'
-        );
-
-        $urls = Array(
-            'smiley.gif',
-            'smiley.gif',
-            'http://www.w3schools.com/images/w3schools_green.jpg',
-            '/img/sunset.gif',
-            'mdn-logo-sm.png',
-            '<img sqrc="/img/sunset.gif" height="100%" width="100%">',
-            '<img srqc="/img/sunset.gif" height="100%" width="100%">',
-            '<img srcq="/img/sunset.gif" height="100%" width="100%">'
-        );
-
-        for($i = 0; $i < count($imgtags); $i++)
-        {
-            $this->assertEquals($urls[$i], $this->security->strip_image_tags($imgtags[$i]));
-        }
+		$imgtags = Array(
+			'<img src="smiley.gif" alt="Smiley face" height="42" width="42">',
+			'<img alt="Smiley face" height="42" width="42" src="smiley.gif">',
+			'<img src="http://www.w3schools.com/images/w3schools_green.jpg">',
+			'<img src="/img/sunset.gif" height="100%" width="100%">',
+			'<img src="mdn-logo-sm.png" alt="MD Logo" srcset="mdn-logo-HD.png 2x, mdn-logo-small.png 15w, mdn-banner-HD.png 100w 2x" />',
+			'<img sqrc="/img/sunset.gif" height="100%" width="100%">',
+			'<img srqc="/img/sunset.gif" height="100%" width="100%">',
+			'<img srcq="/img/sunset.gif" height="100%" width="100%">'
+		);
+
+		$urls = Array(
+			'smiley.gif',
+			'smiley.gif',
+			'http://www.w3schools.com/images/w3schools_green.jpg',
+			'/img/sunset.gif',
+			'mdn-logo-sm.png',
+			'<img sqrc="/img/sunset.gif" height="100%" width="100%">',
+			'<img srqc="/img/sunset.gif" height="100%" width="100%">',
+			'<img srcq="/img/sunset.gif" height="100%" width="100%">'
+		);
+
+		for($i = 0; $i < count($imgtags); $i++)
+		{
+			$this->assertEquals($urls[$i], $this->security->strip_image_tags($imgtags[$i]));
+		}
+	}
+
+	// --------------------------------------------------------------------
+
+	public function test_csrf_set_hash()
+	{
+		// Set cookie for security test
+		$_COOKIE['ci_csrf_cookie'] = md5(uniqid(mt_rand(), TRUE));
+
+		// Set config for Security class
+		$this->ci_set_config('csrf_protection', TRUE);
+		$this->ci_set_config('csrf_token_name', 'ci_csrf_token');
+
+		// leave csrf_cookie_name as blank to test _csrf_set_hash function
+		$this->ci_set_config('csrf_cookie_name', '');
+
+		$this->security = new Mock_Core_Security();
+
+		$this->assertNotEmpty($this->security->get_csrf_hash());
 	}
 }
\ No newline at end of file
diff --git a/user_guide_src/source/libraries/encryption.rst b/user_guide_src/source/libraries/encryption.rst
index 5f0979da7..0c347604c 100644
--- a/user_guide_src/source/libraries/encryption.rst
+++ b/user_guide_src/source/libraries/encryption.rst
@@ -2,6 +2,11 @@
 Encryption Library
 ##################
 
+.. important:: DO NOT use this or any other *encryption* library for
+	user password storage! Passwords must be *hashed* instead, and you
+	should do that via PHP's own `Password Hashing extension
+	<http://php.net/password>`_.
+
 The Encryption Library provides two-way data encryption. To do so in a cryptographically secure way, it utilizes PHP extensions that are unfortunately not always available on all systems. |
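Review bot: `test_csrf_set_hash` mutates process-wide state — `$_COOKIE['ci_csrf_cookie']`, the `csrf_*` config entries and `$this->security` — and never restores it, so any test that runs later in the same process sees CSRF protection enabled, a changed token name and a stale cookie; unset the cookie and reset the config and instance at the end of the test or in `tearDown()`. The only assertion is `assertNotEmpty()`, which would also pass if the class simply echoed a cookie value back; since the cookie name is deliberately left blank to force `_csrf_set_hash()` to generate a fresh value, `$this->assertNotSame($_COOKIE['ci_csrf_cookie'], $this->security->get_csrf_hash());` would actually verify that. The `md5(uniqid(mt_rand(), TRUE))` value is only a fixture stand-in, which is fine in a test, but a comment such as `// fixture value only, not a token generator` keeps it from being copied into production code.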