diff options
Diffstat (limited to 'system/core')
-rw-r--r-- | system/core/Config.php | 1 | ||||
-rw-r--r-- | system/core/Input.php | 85 | ||||
-rw-r--r-- | system/core/Security.php | 26 |
3 files changed, 38 insertions, 74 deletions
diff --git a/system/core/Config.php b/system/core/Config.php index a0e830abe..93c950e2e 100644 --- a/system/core/Config.php +++ b/system/core/Config.php @@ -332,6 +332,7 @@ class CI_Config { /** * System URL * + * @deprecated 3.0.0 Encourages insecure practices * @return string */ public function system_url() diff --git a/system/core/Input.php b/system/core/Input.php index ccb70daec..35ce5f12f 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -152,8 +152,20 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - protected function _fetch_from_array(&$array, $index = '', $xss_clean = NULL) + protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL) { + // If $index is NULL, it means that the whole $array is requested + if ($index === NULL) + { + $output = array(); + foreach (array_keys($array) as $key) + { + $output[$key] = $this->_fetch_from_array($array, $key, $xss_clean); + } + + return $output; + } + is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; if (isset($array[$index])) @@ -202,26 +214,6 @@ class CI_Input { */ public function get($index = NULL, $xss_clean = NULL) { - is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; - - // Check if a field has been provided - if ($index === NULL) - { - if (empty($_GET)) - { - return array(); - } - - $get = array(); - - // loop through the full _GET array - foreach (array_keys($_GET) as $key) - { - $get[$key] = $this->_fetch_from_array($_GET, $key, $xss_clean); - } - return $get; - } - return $this->_fetch_from_array($_GET, $index, $xss_clean); } @@ -236,26 +228,6 @@ class CI_Input { */ public function post($index = NULL, $xss_clean = NULL) { - is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; - - // Check if a field has been provided - if ($index === NULL) - { - if (empty($_POST)) - { - return array(); - } - - $post = array(); - - // Loop through the full _POST array and return it - foreach (array_keys($_POST) as $key) - { - $post[$key] = $this->_fetch_from_array($_POST, $key, $xss_clean); - } - return $post; - } - return $this->_fetch_from_array($_POST, $index, $xss_clean); } @@ -268,10 +240,8 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function post_get($index = '', $xss_clean = NULL) + public function post_get($index, $xss_clean = NULL) { - is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; - return isset($_POST[$index]) ? $this->post($index, $xss_clean) : $this->get($index, $xss_clean); @@ -286,10 +256,8 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function get_post($index = '', $xss_clean = NULL) + public function get_post($index, $xss_clean = NULL) { - is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; - return isset($_GET[$index]) ? $this->get($index, $xss_clean) : $this->post($index, $xss_clean); @@ -304,10 +272,8 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function cookie($index = '', $xss_clean = NULL) + public function cookie($index = NULL, $xss_clean = NULL) { - is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; - return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); } @@ -320,10 +286,8 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function server($index = '', $xss_clean = NULL) + public function server($index, $xss_clean = NULL) { - is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; - return $this->_fetch_from_array($_SERVER, $index, $xss_clean); } @@ -338,23 +302,14 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function input_stream($index = '', $xss_clean = NULL) + public function input_stream($index = NULL, $xss_clean = NULL) { - is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; - // The input stream can only be read once, so we'll need to check // if we have already done that first. - if (is_array($this->_input_stream)) - { - return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean); - } - - // Parse the input stream in our cache var - parse_str(file_get_contents('php://input'), $this->_input_stream); if ( ! is_array($this->_input_stream)) { - $this->_input_stream = array(); - return NULL; + parse_str(file_get_contents('php://input'), $this->_input_stream); + is_array($this->_input_stream) OR $this->_input_stream = array(); } return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean); diff --git a/system/core/Security.php b/system/core/Security.php index cbff38b30..beb7f56e0 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -147,6 +147,9 @@ class CI_Security { '(document|(document\.)?window)\.(location|on\w*)', 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! + 'wscript\s*:', // IE + 'jscript\s*:', // IE + 'vbs\s*:', // IE 'Redirect\s+30\d', "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" ); @@ -356,7 +359,11 @@ class CI_Security { * * Note: Use rawurldecode() so it does not remove plus signs */ - $str = rawurldecode($str); + do + { + $str = rawurldecode($str); + } + while (preg_match('/%[0-9a-f]{2,}/i', $str)); /* * Convert character entities to ASCII @@ -415,8 +422,9 @@ class CI_Security { * These words are compacted back to their correct state. */ $words = array( - 'javascript', 'expression', 'vbscript', 'script', 'base64', - 'applet', 'alert', 'document', 'write', 'cookie', 'window' + 'javascript', 'expression', 'vbscript', 'jscript', 'wscript', + 'vbs', 'script', 'base64', 'applet', 'alert', 'document', + 'write', 'cookie', 'window', 'confirm', 'prompt' ); foreach ($words as $word) @@ -446,12 +454,12 @@ class CI_Security { if (preg_match('/<a/i', $str)) { - $str = preg_replace_callback('#<a[\s\d"\'`;/=,\(]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str); + $str = preg_replace_callback('#<a[\s\d"\'`;/=,\(\\\\]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str); } if (preg_match('/<img/i', $str)) { - $str = preg_replace_callback('#<img[\s\d"\'`;/=,\(]+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str); + $str = preg_replace_callback('#<img[\s\d"\'`;/=,\(\\\\]+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str); } if (preg_match('/script|xss/i', $str)) @@ -475,7 +483,7 @@ class CI_Security { * So this: <blink> * Becomes: <blink> */ - $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|math|video|svg|xml|xss'; + $naughty = 'alert|prompt|confirm|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|math|video|svg|xml|xss'; $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str); /* @@ -490,7 +498,7 @@ class CI_Security { * For example: eval('some code') * Becomes: eval('some code') */ - $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', + $str = preg_replace('#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', '\\1\\2(\\3)', $str); @@ -745,7 +753,7 @@ class CI_Security { protected function _js_link_removal($match) { return str_replace($match[1], - preg_replace('#href=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si', + preg_replace('#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si', '', $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])) ), @@ -770,7 +778,7 @@ class CI_Security { protected function _js_img_removal($match) { return str_replace($match[1], - preg_replace('#src=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si', + preg_replace('#src=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si', '', $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])) ), |