diff options
Diffstat (limited to 'system/core/Input.php')
| -rw-r--r-- | system/core/Input.php | 275 |
1 files changed, 22 insertions, 253 deletions
diff --git a/system/core/Input.php b/system/core/Input.php index 143babf5c..97a6be78f 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -58,45 +58,6 @@ class CI_Input { protected $ip_address = FALSE; /** - * Allow GET array flag - * - * If set to FALSE, then $_GET will be set to an empty array. - * - * @var bool - */ - protected $_allow_get_array = TRUE; - - /** - * Standardize new lines flag - * - * If set to TRUE, then newlines are standardized. - * - * @var bool - */ - protected $_standardize_newlines; - - /** - * Enable XSS flag - * - * Determines whether the XSS filter is always active when - * GET, POST or COOKIE data is encountered. - * Set automatically based on config setting. - * - * @var bool - */ - protected $_enable_xss = FALSE; - - /** - * Enable CSRF flag - * - * Enables a CSRF cookie token to be set. - * Set automatically based on config setting. - * - * @var bool - */ - protected $_enable_csrf = FALSE; - - /** * List of all HTTP request headers * * @var array @@ -122,8 +83,15 @@ class CI_Input { */ protected $_input_stream; + /** + * CI_Security instance + * + * Used for the optional $xss_filter parameter that most + * getter methods have here. + * + * @var CI_Security + */ protected $security; - protected $uni; // -------------------------------------------------------------------- @@ -135,30 +103,9 @@ class CI_Input { * * @return void */ - public function __construct() + public function __construct(CI_Security &$security) { - $this->_allow_get_array = (config_item('allow_get_array') !== FALSE); - $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); - $this->_enable_csrf = (config_item('csrf_protection') === TRUE); - $this->_standardize_newlines = (bool) config_item('standardize_newlines'); - - $this->security =& load_class('Security', 'core'); - - // Do we need the UTF-8 class? - if (UTF8_ENABLED === TRUE) - { - $this->uni =& load_class('Utf8', 'core'); - } - - // Sanitize global arrays - $this->_sanitize_globals(); - - // CSRF Protection check - if ($this->_enable_csrf === TRUE && ! is_cli()) - { - $this->security->csrf_verify(); - } - + $this->security = $security; log_message('info', 'Input Class Initialized'); } @@ -174,10 +121,8 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL) + protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = FALSE) { - is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; - // If $index is NULL, it means that the whole $array is requested isset($index) OR $index = array_keys($array); @@ -237,7 +182,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function get($index = NULL, $xss_clean = NULL) + public function get($index = NULL, $xss_clean = FALSE) { return $this->_fetch_from_array($_GET, $index, $xss_clean); } @@ -251,7 +196,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function post($index = NULL, $xss_clean = NULL) + public function post($index = NULL, $xss_clean = FALSE) { return $this->_fetch_from_array($_POST, $index, $xss_clean); } @@ -265,7 +210,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function post_get($index, $xss_clean = NULL) + public function post_get($index, $xss_clean = FALSE) { return isset($_POST[$index]) ? $this->post($index, $xss_clean) @@ -281,7 +226,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function get_post($index, $xss_clean = NULL) + public function get_post($index, $xss_clean = FALSE) { return isset($_GET[$index]) ? $this->get($index, $xss_clean) @@ -297,7 +242,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function cookie($index = NULL, $xss_clean = NULL) + public function cookie($index = NULL, $xss_clean = FALSE) { return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); } @@ -311,7 +256,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function server($index, $xss_clean = NULL) + public function server($index, $xss_clean = FALSE) { return $this->_fetch_from_array($_SERVER, $index, $xss_clean); } @@ -327,7 +272,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function input_stream($index = NULL, $xss_clean = NULL) + public function input_stream($index = NULL, $xss_clean = FALSE) { // Prior to PHP 5.6, the input stream can only be read once, // so we'll need to check if we have already done that first. @@ -359,7 +304,7 @@ class CI_Input { * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) * @return void */ - public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) + public function set_cookie($name, $value = '', $expire = 0, $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) { if (is_array($name)) { @@ -396,9 +341,9 @@ class CI_Input { ? (bool) config_item('cookie_httponly') : (bool) $httponly; - if ( ! is_numeric($expire)) + if ( ! is_numeric($expire) OR $expire < 0) { - $expire = time() - 86500; + $expire = 1; } else { @@ -579,7 +524,7 @@ class CI_Input { * * @return string|null User Agent string or NULL if it doesn't exist */ - public function user_agent($xss_clean = NULL) + public function user_agent($xss_clean = FALSE) { return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean); } @@ -587,167 +532,6 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Sanitize Globals - * - * Internal method serving for the following purposes: - * - * - Unsets $_GET data, if query strings are not enabled - * - Cleans POST, COOKIE and SERVER data - * - Standardizes newline characters to PHP_EOL - * - * @return void - */ - protected function _sanitize_globals() - { - // Is $_GET data allowed? If not we'll set the $_GET to an empty array - if ($this->_allow_get_array === FALSE) - { - $_GET = array(); - } - elseif (is_array($_GET)) - { - foreach ($_GET as $key => $val) - { - $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); - } - } - - // Clean $_POST Data - if (is_array($_POST)) - { - foreach ($_POST as $key => $val) - { - $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); - } - } - - // Clean $_COOKIE Data - if (is_array($_COOKIE)) - { - // Also get rid of specially treated cookies that might be set by a server - // or silly application, that are of no use to a CI application anyway - // but that when present will trip our 'Disallowed Key Characters' alarm - // http://www.ietf.org/rfc/rfc2109.txt - // note that the key names below are single quoted strings, and are not PHP variables - unset( - $_COOKIE['$Version'], - $_COOKIE['$Path'], - $_COOKIE['$Domain'] - ); - - foreach ($_COOKIE as $key => $val) - { - if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) - { - $_COOKIE[$cookie_key] = $this->_clean_input_data($val); - } - else - { - unset($_COOKIE[$key]); - } - } - } - - // Sanitize PHP_SELF - $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); - - log_message('debug', 'Global POST, GET and COOKIE data sanitized'); - } - - // -------------------------------------------------------------------- - - /** - * Clean Input Data - * - * Internal method that aids in escaping data and - * standardizing newline characters to PHP_EOL. - * - * @param string|string[] $str Input string(s) - * @return string - */ - protected function _clean_input_data($str) - { - if (is_array($str)) - { - $new_array = array(); - foreach (array_keys($str) as $key) - { - $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); - } - return $new_array; - } - - /* We strip slashes if magic quotes is on to keep things consistent - - NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and - it will probably not exist in future versions at all. - */ - if ( ! is_php('5.4') && get_magic_quotes_gpc()) - { - $str = stripslashes($str); - } - - // Clean UTF-8 if supported - if (UTF8_ENABLED === TRUE) - { - $str = $this->uni->clean_string($str); - } - - // Remove control characters - $str = remove_invisible_characters($str, FALSE); - - // Standardize newlines if needed - if ($this->_standardize_newlines === TRUE) - { - return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str); - } - - return $str; - } - - // -------------------------------------------------------------------- - - /** - * Clean Keys - * - * Internal method that helps to prevent malicious users - * from trying to exploit keys we make sure that keys are - * only named with alpha-numeric text and a few other items. - * - * @param string $str Input string - * @param bool $fatal Whether to terminate script exection - * or to return FALSE if an invalid - * key is encountered - * @return string|bool - */ - protected function _clean_input_keys($str, $fatal = TRUE) - { - if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) - { - if ($fatal === TRUE) - { - return FALSE; - } - else - { - set_status_header(503); - echo 'Disallowed Key Characters.'; - exit(7); // EXIT_USER_INPUT - } - } - - // Clean UTF-8 if supported - if (UTF8_ENABLED === TRUE) - { - return $this->uni->clean_string($str); - } - - return $str; - } - - // -------------------------------------------------------------------- - - /** * Request Headers * * @param bool $xss_clean Whether to apply XSS filtering @@ -839,21 +623,6 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Is CLI request? - * - * Test to see if a request was made from the command line. - * - * @deprecated 3.0.0 Use is_cli() instead - * @return bool - */ - public function is_cli_request() - { - return is_cli(); - } - - // -------------------------------------------------------------------- - - /** * Get Request Method * * Return the request method |