From 53437de1f94dd4c0ab270f0c6d2309344d323d9e Mon Sep 17 00:00:00 2001
From: Derek Jones
Date: Mon, 12 May 2008 18:07:08 +0000
Subject: Added protection in xss_clean() for GET variables in URLs
http://codeigniter.com/bug_tracker/bug/4167/
---
system/libraries/Input.php | 58 +++++++++++++++++++++++++++++++++++++++++++---
user_guide/changelog.html | 2 ++
2 files changed, 57 insertions(+), 3 deletions(-)
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index ee7e9ad31..9b012d320 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -28,6 +28,7 @@
*/
class CI_Input {
var $use_xss_clean = FALSE;
+ var $xss_hash = '';
var $ip_address = FALSE;
var $user_agent = FALSE;
var $allow_get_array = FALSE;
@@ -530,7 +531,21 @@ class CI_Input {
* @return string
*/
function xss_clean($str)
- {
+ {
+ /*
+ * Is the string an array?
+ *
+ */
+ if (is_array($str))
+ {
+ while (list($key) = each($str))
+ {
+ $str[$key] = $this->xss_clean($str[$key]);
+ }
+
+ return $str;
+ }
+
/*
* Remove Null Characters
*
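Review bot: The docblock directly above (`@return string` at the top of this hunk) no longer describes the function now that arrays are accepted and returned recursively; update it to `@param string|array` / `@return string|array`. The recursion cleans array values only — keys pass through untouched — which is probably acceptable for `$_GET`-shaped input but deserves a comment such as `// array keys are not filtered, only values`. `while (list($key) = each($str))` depends on the internal array pointer; `foreach ($str as $key => $val) { $str[$key] = $this->xss_clean($val); }` reads the same and avoids it (each() was later removed from PHP, though this file targets PHP 4). xss_clean()'s body continues past the end of the hunk.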
@@ -541,6 +556,14 @@ class CI_Input {
$str = preg_replace('/\0+/', '', $str);
$str = preg_replace('/(\\\\0)+/', '', $str);
+ /*
+ * Protect GET variables in URLs
+ */
+
+ // 901119URL5918AMP18930PROTECT8198
+
+ $str = preg_replace('|\&([a-z\_0-9]+)\=([a-z\_0-9]+)|i', $this->xss_hash()."\\1=\\2", $str);
+
/*
* Validate standard character entities
*
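Review bot: The protect regex `'|\&([a-z\_0-9]+)\=([a-z\_0-9]+)|i'` only shields pairs whose value is `[a-z_0-9]+`; a value containing `-`, `.`, a `%`-encoded byte, or an empty value (`&key=`) is left unprotected and still receives the appended semicolon that the changelog entry describes as fixed. Either widen the value class or document the limitation with `// only alphanumeric/underscore values are protected from the entity filter`. The key class also matches legacy entity names such as `lt` and `gt`, so a `&lt=...` sequence is now exempted from the entity normalisation that follows — worth confirming that is intended. The line `// 901119URL5918AMP18930PROTECT8198` looks like a leftover hard-coded marker now that `xss_hash()` supplies the token and should be removed. xss_clean() continues outside the hunk.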
@@ -558,6 +581,12 @@ class CI_Input {
*/
$str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str);
+ /*
+ * Un-Protect GET variables in URLs
+ */
+
+ $str = str_replace($this->xss_hash(), '&', $str);
+
/*
* URL Decode
*
@@ -796,6 +825,29 @@ class CI_Input {
// --------------------------------------------------------------------
+ /**
+ * Random Hash for protecting URLs
+ *
+ * @access public
+ * @return string
+ */
+ function xss_hash()
+ {
+ if ($this->xss_hash == '')
+ {
+ if (phpversion() >= 4.2)
+ mt_srand();
+ else
+ mt_srand(hexdec(substr(md5(microtime()), -8)) & 0x7fffffff);
+
+ $this->xss_hash = md5(time() + mt_rand(0, 1999999999));
+ }
+
+ return $this->xss_hash;
+ }
+
+ // --------------------------------------------------------------------
+
/**
* JS Link Removal
*
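Review bot: `phpversion() >= 4.2` compares a version string against a float and only works through numeric-string coercion ("5.2.5" becomes 5.2); it should be `if (version_compare(phpversion(), '4.2', '>='))`, and the unbraced `if`/`else` departs from the braced style used throughout the class. The docblock should say what the value is for — a per-request placeholder that keeps `&key=value` pairs away from the entity filter, not a secret — so a reader does not mistake `mt_rand()` here for a security-relevant random source. `$this->xss_hash == ''` should be `=== ''`, and since the property is declared `var $xss_hash` (public) in the first hunk, callers can overwrite the token; a comment noting that it is expected to be set only by this method would help.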
@@ -923,6 +975,6 @@ class CI_Input {
}
// END Input class
-
-/* End of file Input.php */
+
+/* End of file Input.php */
/* Location: ./system/libraries/Input.php */
\ No newline at end of file
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index de579f1ac..c7e48d855 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -109,6 +109,7 @@ SVN Commit: not currently released
Other
Changes
+ - Added ability for xss_clean() to accept arrays.
- Removed closing PHP tags from all PHP files to avoid accidental output and potential 'cannot modify headers' errors.
- Added a Reserved Names page to the userguide, and migrated reserved controller names into it.
- Added a Common Functions page to the userguide for globally available functions.
@@ -128,6 +129,7 @@ SVN Commit: not currently released
- Fixed an AR_caching error where it wasn't tracking table aliases (#3463).
- Fixed a bug in AR compiling, where select statements with arguments got incorrectly escaped (#3478).
- Fixed an AR bug with or_where_not_in() (#4171).
+ - Fixed a bug with xss_clean() that would add semicolons to GET URI variable strings.
- Fixed a bug in the FTP library where delete_dir() was not working recursively (#4215).
- Fixed a Validation bug when set_rules() is used with a non-array field name and rule (#4220).
- Fixed a bug in the Upload library that might output the same error twice (#4390).