From aeb2c3e532e78be9ac78ba6fd4a305b7be31d2ab Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sun, 21 Aug 2011 16:14:54 +0100 Subject: Added new config parameter "csrf_exclude_uris" which allows for URIs to be whitelisted from CSRF verification. Fixes #149 --- system/core/Security.php | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 3617cadcc..efd30eb14 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -93,6 +93,16 @@ class CI_Security { { return $this->csrf_set_cookie(); } + + // Check if URI has been whitelisted from CSRF checks + if ($exclude_uris = config_item('csrf_exclude_uris')) + { + $uri = load_class('URI', 'core'); + if (in_array($uri->uri_string(), $exclude_uris)) + { + return $this; + } + } // Do the tokens exist in both the _POST and _COOKIE arrays? if ( ! isset($_POST[$this->_csrf_token_name]) OR @@ -116,7 +126,7 @@ class CI_Security { $this->_csrf_set_hash(); $this->csrf_set_cookie(); - log_message('debug', "CSRF token verified "); + log_message('debug', "CSRF token verified"); return $this; } -- cgit v1.2.3-24-g4f1b From 8cc0cfe1ab1e10aad71d14e0b43e05444c00693d Mon Sep 17 00:00:00 2001 From: freewil Date: Sat, 27 Aug 2011 21:53:00 -0400 Subject: always use charset config item --- system/core/Security.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 342455f27..cc21ddc91 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -525,9 +525,10 @@ class CI_Security { * @param string * @return string */ - public function entity_decode($str, $charset='UTF-8') + public function entity_decode($str, $charset = NULL) { if (stristr($str, '&') === FALSE) return $str; + if (empty($charset)) $charset = config_item('charset'); // The reason we are not using html_entity_decode() by itself is because // while it is not technically correct to leave out the semicolon -- cgit v1.2.3-24-g4f1b From 5c9b0d1b5618ade5c6aa70475b08b3066f14ff3e Mon Sep 17 00:00:00 2001 From: freewil Date: Sun, 28 Aug 2011 12:15:23 -0400 Subject: always use charset config item --- system/core/Security.php | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index cc21ddc91..e99418bdd 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -527,8 +527,15 @@ class CI_Security { */ public function entity_decode($str, $charset = NULL) { - if (stristr($str, '&') === FALSE) return $str; - if (empty($charset)) $charset = config_item('charset'); + if (stristr($str, '&') === FALSE) + { + return $str; + } + + if (empty($charset)) + { + $charset = config_item('charset'); + } // The reason we are not using html_entity_decode() by itself is because // while it is not technically correct to leave out the semicolon -- cgit v1.2.3-24-g4f1b From e378a39304723d77f1a3a378706d2a20b83f8e28 Mon Sep 17 00:00:00 2001 From: Rommel Castro A Date: Thu, 22 Sep 2011 18:52:25 -0600 Subject: fixed issue #192 --- system/core/Security.php | 1 + 1 file changed, 1 insertion(+) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index e99418bdd..6c4c59057 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -169,6 +169,7 @@ class CI_Security { // Nothing should last forever unset($_COOKIE[$this->_csrf_cookie_name]); + $this->_csrf_hash = ''; $this->_csrf_set_hash(); $this->csrf_set_cookie(); -- cgit v1.2.3-24-g4f1b From d93e6f3890fd50b9aaf1e116fa8ceb7e3f0caa05 Mon Sep 17 00:00:00 2001 From: Chris Berthe Date: Sun, 25 Sep 2011 10:33:25 -0400 Subject: Fix #484 - Hash is never set to the cookie --- system/core/Security.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 6c4c59057..84ecb06db 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -886,7 +886,8 @@ class CI_Security { return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name]; } - return $this->_csrf_hash = md5(uniqid(rand(), TRUE)); + $this->_csrf_hash = md5(uniqid(rand(), TRUE)); + $this->csrf_set_cookie(); } return $this->_csrf_hash; -- cgit v1.2.3-24-g4f1b From 3d113bd40ba0688c548a52c7eee13b8a87defecd Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 5 Oct 2011 00:03:20 +0300 Subject: Clean up core Security class --- system/core/Security.php | 69 +++++++++++++----------------------------------- 1 file changed, 19 insertions(+), 50 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 84ecb06db..f71f7d228 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -33,7 +33,7 @@ class CI_Security { * @access protected */ protected $_xss_hash = ''; - + /** * Random Hash for Cross Site Request Forgery Protection Cookie * @@ -41,7 +41,7 @@ class CI_Security { * @access protected */ protected $_csrf_hash = ''; - + /** * Expiration time for Cross Site Request Forgery Protection Cookie * Defaults to two hours (in seconds) @@ -50,7 +50,7 @@ class CI_Security { * @access protected */ protected $_csrf_expire = 7200; - + /** * Token name for Cross Site Request Forgery Protection Cookie * @@ -58,7 +58,7 @@ class CI_Security { * @access protected */ protected $_csrf_token_name = 'ci_csrf_token'; - + /** * Cookie name for Cross Site Request Forgery Protection Cookie * @@ -66,14 +66,14 @@ class CI_Security { * @access protected */ protected $_csrf_cookie_name = 'ci_csrf_token'; - + /** * List of never allowed strings * * @var array * @access protected */ - + protected $_never_allowed_str = array( 'document.cookie' => '[removed]', 'document.write' => '[removed]', @@ -139,7 +139,7 @@ class CI_Security { { return $this->csrf_set_cookie(); } - + // Check if URI has been whitelisted from CSRF checks if ($exclude_uris = config_item('csrf_exclude_uris')) { @@ -172,9 +172,9 @@ class CI_Security { $this->_csrf_hash = ''; $this->_csrf_set_hash(); $this->csrf_set_cookie(); - + log_message('debug', "CSRF token verified"); - + return $this; } @@ -188,7 +188,7 @@ class CI_Security { public function csrf_set_cookie() { $expire = time() + $this->_csrf_expire; - $secure_cookie = (config_item('cookie_secure') === TRUE) ? 1 : 0; + $secure_cookie = (bool) config_item('cookie_secure'); if ($secure_cookie) { @@ -385,16 +385,11 @@ class CI_Security { foreach ($words as $word) { - $temp = ''; - - for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++) - { - $temp .= substr($word, $i, 1)."\s*"; - } + $word = implode("\s*", str_split($word)) . "\s*"; // We only want to do this when it is followed by a non-word character // That way valid stuff like "dealer to" does not become "dealerto" - $str = preg_replace_callback('#('.substr($temp, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str); + $str = preg_replace_callback('#('.substr($word, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str); } /* @@ -473,7 +468,7 @@ class CI_Security { if ($is_image === TRUE) { - return ($str == $converted_string) ? TRUE: FALSE; + return ($str === $converted_string) ? TRUE : FALSE; } log_message('debug', "XSS Filtering completed"); @@ -513,26 +508,17 @@ class CI_Security { * * This function is a replacement for html_entity_decode() * - * In some versions of PHP the native function does not work - * when UTF-8 is the specified character set, so this gives us - * a work-around. More info here: - * http://bugs.php.net/bug.php?id=25670 - * - * NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the - * character set, and the PHP developers said they were not back porting the - * fix to versions other than PHP 5.x. - * * @param string * @param string * @return string */ public function entity_decode($str, $charset = NULL) { - if (stristr($str, '&') === FALSE) + if (strpos($str, '&') === FALSE) { return $str; } - + if (empty($charset)) { $charset = config_item('charset'); @@ -543,26 +529,9 @@ class CI_Security { // at the end of an entity most browsers will still interpret the entity // correctly. html_entity_decode() does not convert entities without // semicolons, so we are left with our own little solution here. Bummer. - - if (function_exists('html_entity_decode') && - (strtolower($charset) != 'utf-8')) - { - $str = html_entity_decode($str, ENT_COMPAT, $charset); - $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str); - return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str); - } - - // Numeric Entities - $str = preg_replace('~&#x(0*[0-9a-f]{2,5});{0,1}~ei', 'chr(hexdec("\\1"))', $str); - $str = preg_replace('~&#([0-9]{2,4});{0,1}~e', 'chr(\\1)', $str); - - // Literal Entities - Slightly slow so we do another check - if (stristr($str, '&') === FALSE) - { - $str = strtr($str, array_flip(get_html_translation_table(HTML_ENTITIES))); - } - - return $str; + $str = html_entity_decode($str, ENT_COMPAT, $charset); + $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str); + return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str); } // -------------------------------------------------------------------- @@ -896,4 +865,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/libraries/Security.php */ \ No newline at end of file +/* Location: ./system/libraries/Security.php */ -- cgit v1.2.3-24-g4f1b From 064da7b408102cf8dadc1fd2b968f9852a58d9cf Mon Sep 17 00:00:00 2001 From: purwandi Date: Wed, 5 Oct 2011 17:51:26 +0700 Subject: Fix location file Security Class to core folder --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index f71f7d228..65338ced3 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -865,4 +865,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/libraries/Security.php */ +/* Location: ./system/core/Security.php */ -- cgit v1.2.3-24-g4f1b From f4a4bd8fac188ebc9cda822ffc811c218fd92b45 Mon Sep 17 00:00:00 2001 From: Derek Jones Date: Thu, 20 Oct 2011 12:18:42 -0500 Subject: adding new license file (OSL 3.0) and updating readme to ReST added notice of license to all source files. OSL to all except the few files we ship inside of the application folder, those are AFL. Updated license in user guide. incrementing next dev version to 3.0 due to licensing change --- system/core/Security.php | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 65338ced3..ee4f0a08d 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -4,10 +4,22 @@ * * An open source application development framework for PHP 5.1.6 or newer * + * NOTICE OF LICENSE + * + * Licensed under the Open Software License version 3.0 + * + * This source file is subject to the Open Software License (OSL 3.0) that is + * bundled with this package in the files license.txt / license.rst. It is + * also available through the world wide web at this URL: + * http://opensource.org/licenses/OSL-3.0 + * If you did not receive a copy of the license and are unable to obtain it + * through the world wide web, please send an email to + * licensing@ellislab.com so we can send you a copy immediately. + * * @package CodeIgniter - * @author ExpressionEngine Dev Team - * @copyright Copyright (c) 2008 - 2011, EllisLab, Inc. - * @license http://codeigniter.com/user_guide/license.html + * @author EllisLab Dev Team + * @copyright Copyright (c) 2008 - 2011, EllisLab, Inc. (http://ellislab.com/) + * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0) * @link http://codeigniter.com * @since Version 1.0 * @filesource @@ -21,7 +33,7 @@ * @package CodeIgniter * @subpackage Libraries * @category Security - * @author ExpressionEngine Dev Team + * @author EllisLab Dev Team * @link http://codeigniter.com/user_guide/libraries/security.html */ class CI_Security { -- cgit v1.2.3-24-g4f1b From 03abee3df4534028c795e3c3da91034a3d3ee0f4 Mon Sep 17 00:00:00 2001 From: Greg Aker Date: Sun, 25 Dec 2011 00:31:29 -0600 Subject: Fixing soft tabs in a few files. --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index ce3f7d3cc..60a64f358 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -182,7 +182,7 @@ class CI_Security { // Nothing should last forever unset($_COOKIE[$this->_csrf_cookie_name]); - $this->_csrf_hash = ''; + $this->_csrf_hash = ''; $this->_csrf_set_hash(); $this->csrf_set_cookie(); -- cgit v1.2.3-24-g4f1b From 2be25a6fdb9aa197debca28d1cfe0e0e542296b0 Mon Sep 17 00:00:00 2001 From: RS71 Date: Sat, 31 Dec 2011 16:02:04 -0200 Subject: Update system/core/Security.php --- system/core/Security.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 60a64f358..510f3d1ae 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -180,9 +180,14 @@ class CI_Security { // polute the _POST array unset($_POST[$this->_csrf_token_name]); - // Nothing should last forever - unset($_COOKIE[$this->_csrf_cookie_name]); - $this->_csrf_hash = ''; + // Regenerate on every submission? + if (config_item('csrf_regenerate')) + { + // Nothing should last forever + unset($_COOKIE[$this->_csrf_cookie_name]); + $this->_csrf_hash = ''; + } + $this->_csrf_set_hash(); $this->csrf_set_cookie(); -- cgit v1.2.3-24-g4f1b From 0defe5d33ee2633f377a109519ca818becc60f64 Mon Sep 17 00:00:00 2001 From: Greg Aker Date: Sun, 1 Jan 2012 18:46:41 -0600 Subject: Updating copyright date to 2012 --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 60a64f358..272a8bf3f 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -18,7 +18,7 @@ * * @package CodeIgniter * @author EllisLab Dev Team - * @copyright Copyright (c) 2008 - 2011, EllisLab, Inc. (http://ellislab.com/) + * @copyright Copyright (c) 2008 - 2012, EllisLab, Inc. (http://ellislab.com/) * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0) * @link http://codeigniter.com * @since Version 1.0 -- cgit v1.2.3-24-g4f1b From bb488dc3d4bbac9ac9a1860f066069e4bb4afdcb Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 7 Jan 2012 23:35:16 +0200 Subject: Improve the core Security library --- system/core/Security.php | 254 ++++++++++++++++++----------------------------- 1 file changed, 99 insertions(+), 155 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 272a8bf3f..d0d3c0803 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -1,13 +1,13 @@ - '[removed]', - 'document.write' => '[removed]', - '.parentNode' => '[removed]', - '.innerHTML' => '[removed]', - 'window.location' => '[removed]', - '-moz-binding' => '[removed]', - '' => '-->', - ' '<![CDATA[', - '' => '<comment>' - ); + 'document.cookie' => '[removed]', + 'document.write' => '[removed]', + '.parentNode' => '[removed]', + '.innerHTML' => '[removed]', + 'window.location' => '[removed]', + '-moz-binding' => '[removed]', + '' => '-->', + ' '<![CDATA[', + '' => '<comment>' + ); /** * List of never allowed regex replacement * * @var array - * @access protected */ protected $_never_allowed_regex = array( - "javascript\s*:" => '[removed]', - "expression\s*(\(|&\#40;)" => '[removed]', // CSS and IE - "vbscript\s*:" => '[removed]', // IE, surprise! - "Redirect\s+302" => '[removed]' - ); + 'javascript\s*:', + 'expression\s*(\(|&\#40;)', // CSS and IE + 'vbscript\s*:', // IE, surprise! + 'Redirect\s+302' + ); - /** - * Constructor - */ public function __construct() { // CSRF config @@ -135,7 +124,7 @@ class CI_Security { // Set the CSRF hash $this->_csrf_set_hash(); - log_message('debug', "Security Class Initialized"); + log_message('debug', 'Security Class Initialized'); } // -------------------------------------------------------------------- @@ -148,7 +137,7 @@ class CI_Security { public function csrf_verify() { // If no POST data exists we will set the CSRF cookie - if (count($_POST) == 0) + if (count($_POST) === 0) { return $this->csrf_set_cookie(); } @@ -186,8 +175,7 @@ class CI_Security { $this->_csrf_set_hash(); $this->csrf_set_cookie(); - log_message('debug', "CSRF token verified"); - + log_message('debug', 'CSRF token verified'); return $this; } @@ -203,19 +191,13 @@ class CI_Security { $expire = time() + $this->_csrf_expire; $secure_cookie = (bool) config_item('cookie_secure'); - if ($secure_cookie) + if ($secure_cookie && ( ! isset($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] == 'off' OR ! $_SERVER['HTTPS'])) { - $req = isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] : FALSE; - - if ( ! $req OR $req == 'off') - { - return FALSE; - } + return FALSE; } setcookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), $secure_cookie); - - log_message('debug', "CRSF cookie Set"); + log_message('debug', 'CRSF cookie Set'); return $this; } @@ -253,7 +235,7 @@ class CI_Security { * * Getter Method * - * @return string self::csrf_token_name + * @return string self::_csrf_token_name */ public function get_csrf_token_name() { @@ -273,7 +255,7 @@ class CI_Security { * the filter. * * Note: This function should only be used to deal with data - * upon submission. It's not something that should + * upon submission. It's not something that should * be used for general runtime processing. * * This function was based in part on some code and ideas I @@ -290,10 +272,7 @@ class CI_Security { */ public function xss_clean($str, $is_image = FALSE) { - /* - * Is the string an array? - * - */ + // Is the string an array? if (is_array($str)) { while (list($key) = each($str)) @@ -304,13 +283,8 @@ class CI_Security { return $str; } - /* - * Remove Invisible Characters - */ - $str = remove_invisible_characters($str); - - // Validate Entities in URLs - $str = $this->_validate_entities($str); + // Remove Invisible Characters and validate entities in URLs + $str = $this->_validate_entities(remove_invisible_characters($str)); /* * URL Decode @@ -320,7 +294,6 @@ class CI_Security { * Google * * Note: Use rawurldecode() so it does not remove plus signs - * */ $str = rawurldecode($str); @@ -332,14 +305,10 @@ class CI_Security { * these are the ones that will pose security problems. * */ - $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - $str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_decode_entity'), $str); - /* - * Remove Invisible Characters Again! - */ + // Remove Invisible Characters Again! $str = remove_invisible_characters($str); /* @@ -350,11 +319,7 @@ class CI_Security { * NOTE: preg_replace was found to be amazingly slow here on * large blocks of data, so we use str_replace. */ - - if (strpos($str, "\t") !== FALSE) - { - $str = str_replace("\t", ' ', $str); - } + $str = str_replace("\t", ' ', $str); /* * Capture converted string for later comparison @@ -378,7 +343,7 @@ class CI_Security { // Images have a tendency to have the PHP short opening and // closing tags every so often so we skip those and only // do the long opening tags. - $str = preg_replace('/<\?(php)/i', "<?\\1", $str); + $str = preg_replace('/<\?(php)/i', '<?\\1', $str); } else { @@ -415,19 +380,19 @@ class CI_Security { { $original = $str; - if (preg_match("/]*?)(>|$)#si", array($this, '_js_link_removal'), $str); + $str = preg_replace_callback('#]*?)(>|$)#si', array($this, '_js_link_removal'), $str); } - if (preg_match("/]*?)(\s?/?>|$)#si", array($this, '_js_img_removal'), $str); + $str = preg_replace_callback('#]*?)(\s?/?>|$)#si', array($this, '_js_img_removal'), $str); } - if (preg_match("/script/i", $str) OR preg_match("/xss/i", $str)) + if (preg_match('/(script|xss)/i', $str)) { - $str = preg_replace("#<(/*)(script|xss)(.*?)\>#si", '[removed]', $str); + $str = preg_replace('#<(/*)(script|xss)(.*?)\>#si', '[removed]', $str); } } while($original != $str); @@ -454,14 +419,16 @@ class CI_Security { * * Similar to above, only instead of looking for * tags it looks for PHP and JavaScript commands - * that are disallowed. Rather than removing the + * that are disallowed. Rather than removing the * code, it simply converts the parenthesis to entities * rendering the code un-executable. * * For example: eval('some code') - * Becomes: eval('some code') + * Becomes: eval('some code') */ - $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2(\\3)", $str); + $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', + '\\1\\2(\\3)', + $str); // Final clean up @@ -478,13 +445,12 @@ class CI_Security { * string post-removal of XSS, then it fails, as there was unwanted XSS * code found and removed/changed during processing. */ - if ($is_image === TRUE) { - return ($str === $converted_string) ? TRUE : FALSE; + return ($str === $converted_string); } - log_message('debug', "XSS Filtering completed"); + log_message('debug', 'XSS Filtering completed'); return $str; } @@ -516,7 +482,7 @@ class CI_Security { * The reason we are not using html_entity_decode() by itself is because * while it is not technically correct to leave out the semicolon * at the end of an entity most browsers will still interpret the entity - * correctly. html_entity_decode() does not convert entities without + * correctly. html_entity_decode() does not convert entities without * semicolons, so we are left with our own little solution here. Bummer. * * @param string @@ -552,38 +518,23 @@ class CI_Security { public function sanitize_filename($str, $relative_path = FALSE) { $bad = array( - "../", - "", - "<", - ">", - "'", - '"', - '&', - '$', - '#', - '{', - '}', - '[', - ']', - '=', - ';', - '?', - "%20", - "%22", - "%3c", // < - "%253c", // < - "%3e", // > - "%0e", // > - "%28", // ( - "%29", // ) - "%2528", // ( - "%26", // & - "%24", // $ - "%3f", // ? - "%3b", // ; - "%3d" // = - ); + '../', '', '<', '>', + "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', + ';', '?', '%20', '%22', + '%3c', // < + '%253c', // < + '%3e', // > + '%0e', // > + '%28', // ( + '%29', // ) + '%2528', // ( + '%26', // & + '%24', // $ + '%3f', // ? + '%3b', // ; + '%3d' // = + ); if ( ! $relative_path) { @@ -636,26 +587,26 @@ class CI_Security { if ($is_image === TRUE) { /* - * Adobe Photoshop puts XML metadata into JFIF images, + * Adobe Photoshop puts XML metadata into JFIF images, * including namespacing, so we have to allow this for images. */ unset($evil_attributes[array_search('xmlns', $evil_attributes)]); } - + do { $count = 0; $attribs = array(); - + // find occurrences of illegal attribute strings without quotes - preg_match_all("/(".implode('|', $evil_attributes).")\s*=\s*([^\s]*)/is", $str, $matches, PREG_SET_ORDER); - + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s]*)/is', $str, $matches, PREG_SET_ORDER); + foreach ($matches as $attr) { $attribs[] = preg_quote($attr[0], '/'); } - + // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - preg_match_all("/(".implode('|', $evil_attributes).")\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is", $str, $matches, PREG_SET_ORDER); + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { @@ -665,11 +616,11 @@ class CI_Security { // replace illegal attribute strings that are inside an html tag if (count($attribs) > 0) { - $str = preg_replace("/<(\/?[^><]+?)([^A-Za-z\-])(".implode('|', $attribs).")([\s><])([><]*)/i", '<$1$2$4$5', $str, -1, $count); + $str = preg_replace('/<(\/?[^><]+?)([^A-Za-z\-])('.implode('|', $attribs).')([\s><])([><]*)/i', '<$1$2$4$5', $str, -1, $count); } - + } while ($count); - + return $str; } @@ -685,14 +636,9 @@ class CI_Security { */ protected function _sanitize_naughty_html($matches) { - // encode opening brace - $str = '<'.$matches[1].$matches[2].$matches[3]; - - // encode captured opening or closing brace to prevent recursive vectors - $str .= str_replace(array('>', '<'), array('>', '<'), - $matches[4]); - - return $str; + return '<'.$matches[1].$matches[2].$matches[3] // encode opening brace + // encode captured opening or closing brace to prevent recursive vectors: + . str_replace(array('>', '<'), array('>', '<'), $matches[4]); } // -------------------------------------------------------------------- @@ -710,9 +656,12 @@ class CI_Security { */ protected function _js_link_removal($match) { - $attributes = $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])); - - return str_replace($match[1], preg_replace("#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) + ), + $match[0]); } // -------------------------------------------------------------------- @@ -730,9 +679,12 @@ class CI_Security { */ protected function _js_img_removal($match) { - $attributes = $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])); - - return str_replace($match[1], preg_replace("#src=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) + ), + $match[0]); } // -------------------------------------------------------------------- @@ -806,33 +758,28 @@ class CI_Security { * Protect GET variables in URLs */ - // 901119URL5918AMP18930PROTECT8198 - - $str = preg_replace('|\&([a-z\_0-9\-]+)\=([a-z\_0-9\-]+)|i', $this->xss_hash()."\\1=\\2", $str); + // 901119URL5918AMP18930PROTECT8198 + $str = preg_replace('|\&([a-z\_0-9\-]+)\=([a-z\_0-9\-]+)|i', $this->xss_hash().'\\1=\\2', $str); /* * Validate standard character entities * * Add a semicolon if missing. We do this to enable * the conversion of entities to ASCII later. - * */ - $str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', "\\1;\\2", $str); + $str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', '\\1;\\2', $str); /* * Validate UTF16 two byte encoding (x00) * * Just as above, adds a semicolon if missing. - * */ - $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str); + $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i', '\\1\\2;', $str); /* * Un-Protect GET variables in URLs */ - $str = str_replace($this->xss_hash(), '&', $str); - - return $str; + return str_replace($this->xss_hash(), '&', $str); } // ---------------------------------------------------------------------- @@ -847,14 +794,11 @@ class CI_Security { */ protected function _do_never_allowed($str) { - foreach ($this->_never_allowed_str as $key => $val) - { - $str = str_replace($key, $val, $str); - } + $str = str_replace(array_keys($this->_never_allowed_str), $this->_never_allowed_str, $str); - foreach ($this->_never_allowed_regex as $key => $val) + foreach ($this->_never_allowed_regex as $regex) { - $str = preg_replace("#".$key."#i", $val, $str); + $str = preg_replace('#'.$regex.'#i', '[removed]', $str); } return $str; @@ -891,4 +835,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/core/Security.php */ \ No newline at end of file +/* Location: ./system/core/Security.php */ -- cgit v1.2.3-24-g4f1b From 8a7d078233bfb80fa01ee090e14ce0664f23b96b Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sun, 8 Jan 2012 05:43:42 +0200 Subject: Remove some tabs --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index f09298bba..d7881d846 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -176,7 +176,7 @@ class CI_Security { unset($_COOKIE[$this->_csrf_cookie_name]); $this->_csrf_hash = ''; } - + $this->_csrf_set_hash(); $this->csrf_set_cookie(); -- cgit v1.2.3-24-g4f1b From 4562f2cbb3e5346c6e341516a31ca87dfa47bafd Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 9 Jan 2012 23:39:50 +0200 Subject: Some more stuff ... --- system/core/Security.php | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index d7881d846..1007f61f4 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -153,20 +153,13 @@ class CI_Security { } // Do the tokens exist in both the _POST and _COOKIE arrays? - if ( ! isset($_POST[$this->_csrf_token_name]) OR - ! isset($_COOKIE[$this->_csrf_cookie_name])) + if ( ! isset($_POST[$this->_csrf_token_name]) OR ! isset($_COOKIE[$this->_csrf_cookie_name]) + OR $_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match? { $this->csrf_show_error(); } - // Do the tokens match? - if ($_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name]) - { - $this->csrf_show_error(); - } - - // We kill this since we're done and we don't want to - // polute the _POST array + // We kill this since we're done and we don't want to polute the _POST array unset($_POST[$this->_csrf_token_name]); // Regenerate on every submission? @@ -308,10 +301,9 @@ class CI_Security { * This permits our tests below to work reliably. * We only convert entities that are within tags since * these are the ones that will pose security problems. - * */ $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - $str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_decode_entity'), $str); + $str = preg_replace_callback('/<\w+.*?(?=>|<|$)/si', array($this, '_decode_entity'), $str); // Remove Invisible Characters Again! $str = remove_invisible_characters($str); @@ -326,9 +318,7 @@ class CI_Security { */ $str = str_replace("\t", ' ', $str); - /* - * Capture converted string for later comparison - */ + // Capture converted string for later comparison $converted_string = $str; // Remove Strings that are never allowed @@ -720,12 +710,11 @@ class CI_Security { protected function _filter_attributes($str) { $out = ''; - if (preg_match_all('#\s*[a-z\-]+\s*=\s*(\042|\047)([^\\1]*?)\\1#is', $str, $matches)) { foreach ($matches[0] as $match) { - $out .= preg_replace("#/\*.*?\*/#s", '', $match); + $out .= preg_replace('#/\*.*?\*/#s', '', $match); } } -- cgit v1.2.3-24-g4f1b From 67ccdc02e1b66750b0e13eadcfacc47f01c1de67 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 27 Feb 2012 23:57:58 +0200 Subject: Do not create a CSRF cookie if CSRF protection is not enabled --- system/core/Security.php | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 1007f61f4..688aeba33 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -25,8 +25,6 @@ * @filesource */ -// ------------------------------------------------------------------------ - /** * Security Class * @@ -106,23 +104,27 @@ class CI_Security { public function __construct() { - // CSRF config - foreach(array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key) + // Is CSRF protection enabled? + if (config_item('csrf_protection') === TRUE) { - if (FALSE !== ($val = config_item($key))) + // CSRF config + foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key) { - $this->{'_'.$key} = $val; + if (FALSE !== ($val = config_item($key))) + { + $this->{'_'.$key} = $val; + } } - } - // Append application specific cookie prefix - if (config_item('cookie_prefix')) - { - $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name; - } + // Append application specific cookie prefix + if (config_item('cookie_prefix')) + { + $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name; + } - // Set the CSRF hash - $this->_csrf_set_hash(); + // Set the CSRF hash + $this->_csrf_set_hash(); + } log_message('debug', 'Security Class Initialized'); } @@ -189,7 +191,7 @@ class CI_Security { $expire = time() + $this->_csrf_expire; $secure_cookie = (bool) config_item('cookie_secure'); - if ($secure_cookie && ( ! isset($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] == 'off' OR ! $_SERVER['HTTPS'])) + if ($secure_cookie && (empty($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] === 'off')) { return FALSE; } @@ -358,7 +360,7 @@ class CI_Security { foreach ($words as $word) { - $word = implode("\s*", str_split($word)) . "\s*"; + $word = implode('\s*', str_split($word)).'\s*'; // We only want to do this when it is followed by a non-word character // That way valid stuff like "dealer to" does not become "dealerto" @@ -425,7 +427,6 @@ class CI_Security { '\\1\\2(\\3)', $str); - // Final clean up // This adds a bit of extra precaution in case // something got through the above filters @@ -601,7 +602,7 @@ class CI_Security { } // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { @@ -633,7 +634,7 @@ class CI_Security { { return '<'.$matches[1].$matches[2].$matches[3] // encode opening brace // encode captured opening or closing brace to prevent recursive vectors: - . str_replace(array('>', '<'), array('>', '<'), $matches[4]); + .str_replace(array('>', '<'), array('>', '<'), $matches[4]); } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From a10c8e17bbd1eb75aed1bb74523449f81ee393a2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 29 Feb 2012 18:56:12 +0200 Subject: Add strtolower to the HTTPS check --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 688aeba33..6f25fb5bb 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -191,7 +191,7 @@ class CI_Security { $expire = time() + $this->_csrf_expire; $secure_cookie = (bool) config_item('cookie_secure'); - if ($secure_cookie && (empty($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] === 'off')) + if ($secure_cookie && (empty($_SERVER['HTTPS']) OR strtolower($_SERVER['HTTPS']) === 'off')) { return FALSE; } -- cgit v1.2.3-24-g4f1b From 5d27c43d29fc049497010ea62ac7877a64bfed92 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 8 Mar 2012 12:01:52 +0200 Subject: Fix issue #940 --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 6f25fb5bb..2bffa41b7 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -138,8 +138,8 @@ class CI_Security { */ public function csrf_verify() { - // If no POST data exists we will set the CSRF cookie - if (count($_POST) === 0) + // If it's not a POST request we will set the CSRF cookie + if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') { return $this->csrf_set_cookie(); } -- cgit v1.2.3-24-g4f1b From 07c1ac830b4e98aa40f48baef3dd05fb68c0a836 Mon Sep 17 00:00:00 2001 From: Phil Sturgeon Date: Fri, 9 Mar 2012 17:03:37 +0000 Subject: Bumped CodeIgniter's PHP requirement to 5.2.4. Yes I know PHP 5.4 just came out, and yes I know PHP 5.3 has lovely features, but there are plenty of corporate systems running on CodeIgniter and PHP 5.3 still is not widely supported enough. CodeIgniter is great for distributed applications, and this is the highest we can reasonably go without breaking support. PHP 5.3 will most likely happen in another year or so. Fingers crossed on that one anyway... --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 6f25fb5bb..bf73bd15d 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -2,7 +2,7 @@ /** * CodeIgniter * - * An open source application development framework for PHP 5.1.6 or newer + * An open source application development framework for PHP 5.2.4 or newer * * NOTICE OF LICENSE * -- cgit v1.2.3-24-g4f1b From 4ad0fd86e8dc6dba74305dbb0c88c593b46a19a2 Mon Sep 17 00:00:00 2001 From: freewil Date: Tue, 13 Mar 2012 22:37:42 -0400 Subject: add support for httponly cookies --- system/core/Security.php | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index cd8a61028..ac39ce97b 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -196,7 +196,15 @@ class CI_Security { return FALSE; } - setcookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), $secure_cookie); + setcookie( + $this->_csrf_cookie_name, + $this->_csrf_hash, + $expire, + config_item('cookie_path'), + config_item('cookie_domain'), + $secure_cookie, + config_item('cookie_httponly') + ); log_message('debug', 'CRSF cookie Set'); return $this; -- cgit v1.2.3-24-g4f1b From ad4750509885ad5bb368fc308f86d8c06d45b15c Mon Sep 17 00:00:00 2001 From: Timothy Warren Date: Thu, 19 Apr 2012 13:21:06 -0400 Subject: Normalize comments in core files --- system/core/Security.php | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index ac39ce97b..8d81babf2 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -102,6 +102,9 @@ class CI_Security { 'Redirect\s+302' ); + /** + * Initialize security class + */ public function __construct() { // Is CSRF protection enabled? @@ -558,8 +561,8 @@ class CI_Security { * Callback function for xss_clean() to remove whitespace from * things like j a v a s c r i p t * - * @param type - * @return type + * @param array + * @return string */ protected function _compact_exploded_words($matches) { @@ -568,8 +571,8 @@ class CI_Security { // -------------------------------------------------------------------- - /* - * Remove Evil HTML Attributes (like evenhandlers and style) + /** + * Remove Evil HTML Attributes (like event handlers and style) * * It removes the evil attribute and either: * - Everything up until a space -- cgit v1.2.3-24-g4f1b From 40403d21274d5e0792c7ab816ad984d6387d5c20 Mon Sep 17 00:00:00 2001 From: Timothy Warren Date: Thu, 19 Apr 2012 16:38:50 -0400 Subject: Additional formatting fixes --- system/core/Security.php | 84 ++++++++++++++++++++++++------------------------ 1 file changed, 42 insertions(+), 42 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 8d81babf2..139511661 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -41,14 +41,14 @@ class CI_Security { * * @var string */ - protected $_xss_hash = ''; + protected $_xss_hash = ''; /** * Random Hash for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_hash = ''; + protected $_csrf_hash = ''; /** * Expiration time for Cross Site Request Forgery Protection Cookie @@ -56,21 +56,21 @@ class CI_Security { * * @var int */ - protected $_csrf_expire = 7200; + protected $_csrf_expire = 7200; /** * Token name for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_token_name = 'ci_csrf_token'; + protected $_csrf_token_name = 'ci_csrf_token'; /** * Cookie name for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_cookie_name = 'ci_csrf_token'; + protected $_csrf_cookie_name = 'ci_csrf_token'; /** * List of never allowed strings @@ -78,17 +78,17 @@ class CI_Security { * @var array */ protected $_never_allowed_str = array( - 'document.cookie' => '[removed]', - 'document.write' => '[removed]', - '.parentNode' => '[removed]', - '.innerHTML' => '[removed]', - 'window.location' => '[removed]', - '-moz-binding' => '[removed]', - '' => '-->', - ' '<![CDATA[', - '' => '<comment>' - ); + 'document.cookie' => '[removed]', + 'document.write' => '[removed]', + '.parentNode' => '[removed]', + '.innerHTML' => '[removed]', + 'window.location' => '[removed]', + '-moz-binding' => '[removed]', + '' => '-->', + ' '<![CDATA[', + '' => '<comment>' + ); /** * List of never allowed regex replacement @@ -96,11 +96,11 @@ class CI_Security { * @var array */ protected $_never_allowed_regex = array( - 'javascript\s*:', - 'expression\s*(\(|&\#40;)', // CSS and IE - 'vbscript\s*:', // IE, surprise! - 'Redirect\s+302' - ); + 'javascript\s*:', + 'expression\s*(\(|&\#40;)', // CSS and IE + 'vbscript\s*:', // IE, surprise! + 'Redirect\s+302' + ); /** * Initialize security class @@ -365,9 +365,9 @@ class CI_Security { * These words are compacted back to their correct state. */ $words = array( - 'javascript', 'expression', 'vbscript', 'script', - 'applet', 'alert', 'document', 'write', 'cookie', 'window' - ); + 'javascript', 'expression', 'vbscript', 'script', + 'applet', 'alert', 'document', 'write', 'cookie', 'window' + ); foreach ($words as $word) { @@ -525,23 +525,23 @@ class CI_Security { public function sanitize_filename($str, $relative_path = FALSE) { $bad = array( - '../', '', '<', '>', - "'", '"', '&', '$', '#', - '{', '}', '[', ']', '=', - ';', '?', '%20', '%22', - '%3c', // < - '%253c', // < - '%3e', // > - '%0e', // > - '%28', // ( - '%29', // ) - '%2528', // ( - '%26', // & - '%24', // $ - '%3f', // ? - '%3b', // ; - '%3d' // = - ); + '../', '', '<', '>', + "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', + ';', '?', '%20', '%22', + '%3c', // < + '%253c', // < + '%3e', // > + '%0e', // > + '%28', // ( + '%29', // ) + '%2528', // ( + '%26', // & + '%24', // $ + '%3f', // ? + '%3b', // ; + '%3d' // = + ); if ( ! $relative_path) { @@ -841,4 +841,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/core/Security.php */ +/* Location: ./system/core/Security.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 48a7fbbeb53e82e9298036d40c42ec2564699ed0 Mon Sep 17 00:00:00 2001 From: Timothy Warren Date: Mon, 23 Apr 2012 11:58:16 -0400 Subject: Use tabs to separate class properties --- system/core/Security.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 139511661..974e2e428 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -41,14 +41,14 @@ class CI_Security { * * @var string */ - protected $_xss_hash = ''; + protected $_xss_hash = ''; /** * Random Hash for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_hash = ''; + protected $_csrf_hash = ''; /** * Expiration time for Cross Site Request Forgery Protection Cookie @@ -56,28 +56,28 @@ class CI_Security { * * @var int */ - protected $_csrf_expire = 7200; + protected $_csrf_expire = 7200; /** * Token name for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_token_name = 'ci_csrf_token'; + protected $_csrf_token_name = 'ci_csrf_token'; /** * Cookie name for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_cookie_name = 'ci_csrf_token'; + protected $_csrf_cookie_name = 'ci_csrf_token'; /** * List of never allowed strings * * @var array */ - protected $_never_allowed_str = array( + protected $_never_allowed_str = array( 'document.cookie' => '[removed]', 'document.write' => '[removed]', '.parentNode' => '[removed]', @@ -95,7 +95,7 @@ class CI_Security { * * @var array */ - protected $_never_allowed_regex = array( + protected $_never_allowed_regex = array( 'javascript\s*:', 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! -- cgit v1.2.3-24-g4f1b From 5335bc317f07f12c0f0bae5ac9189f75fcad0f1c Mon Sep 17 00:00:00 2001 From: Wes Baker Date: Tue, 24 Apr 2012 15:17:14 -0400 Subject: Updating XSS cleaning to better handle base64 encoded attributes. --- system/core/Security.php | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index ac39ce97b..65746637b 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -99,7 +99,8 @@ class CI_Security { 'javascript\s*:', 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! - 'Redirect\s+302' + 'Redirect\s+302', + "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" ); public function __construct() @@ -362,7 +363,7 @@ class CI_Security { * These words are compacted back to their correct state. */ $words = array( - 'javascript', 'expression', 'vbscript', 'script', + 'javascript', 'expression', 'vbscript', 'script', 'base64', 'applet', 'alert', 'document', 'write', 'cookie', 'window' ); @@ -602,10 +603,11 @@ class CI_Security { $attribs = array(); // find occurrences of illegal attribute strings without quotes - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s]*)/is', $str, $matches, PREG_SET_ORDER); + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { + $attribs[] = preg_quote($attr[0], '/'); } @@ -620,7 +622,7 @@ class CI_Security { // replace illegal attribute strings that are inside an html tag if (count($attribs) > 0) { - $str = preg_replace('/<(\/?[^><]+?)([^A-Za-z\-])('.implode('|', $attribs).')([\s><])([><]*)/i', '<$1$2$4$5', $str, -1, $count); + $str = preg_replace("/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(".implode('|', $attribs).")(.*?)([\s><])([><]*)/i", '<$1 $3$5$6$7', $str, -1, $count); } } while ($count); @@ -661,7 +663,7 @@ class CI_Security { protected function _js_link_removal($match) { return str_replace($match[1], - preg_replace('#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) ), @@ -801,7 +803,7 @@ class CI_Security { foreach ($this->_never_allowed_regex as $regex) { - $str = preg_replace('#'.$regex.'#i', '[removed]', $str); + $str = preg_replace('#'.$regex.'#is', '[removed]', $str); } return $str; -- cgit v1.2.3-24-g4f1b From 92ebfb65ac044f5c2e6d88fba137253854cf1b94 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 17 May 2012 12:49:24 +0300 Subject: Cleanup the core classes --- system/core/Security.php | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index c82b69ff9..81b6602ae 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -102,9 +102,11 @@ class CI_Security { 'Redirect\s+302', "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" ); - + /** * Initialize security class + * + * @return void */ public function __construct() { @@ -201,11 +203,11 @@ class CI_Security { } setcookie( - $this->_csrf_cookie_name, - $this->_csrf_hash, - $expire, - config_item('cookie_path'), - config_item('cookie_domain'), + $this->_csrf_cookie_name, + $this->_csrf_hash, + $expire, + config_item('cookie_path'), + config_item('cookie_domain'), $secure_cookie, config_item('cookie_httponly') ); @@ -626,7 +628,7 @@ class CI_Security { // replace illegal attribute strings that are inside an html tag if (count($attribs) > 0) { - $str = preg_replace("/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(".implode('|', $attribs).")(.*?)([\s><])([><]*)/i", '<$1 $3$5$6$7', $str, -1, $count); + $str = preg_replace('/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><])([><]*)/i', '<$1 $3$5$6$7', $str, -1, $count); } } while ($count); @@ -844,4 +846,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/core/Security.php */ +/* Location: ./system/core/Security.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 6c7526c95b3fbd502dc8105a67fd38da793caa4e Mon Sep 17 00:00:00 2001 From: Taufan Aditya Date: Sun, 27 May 2012 13:51:27 +0700 Subject: Continuation for Security and Table code-coverage, add coverage report to travis --- system/core/Security.php | 1 + 1 file changed, 1 insertion(+) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index f953011eb..9b7ba5799 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -191,6 +191,7 @@ class CI_Security { * Set Cross Site Request Forgery Protection Cookie * * @return object + * @codeCoverageIgnore */ public function csrf_set_cookie() { -- cgit v1.2.3-24-g4f1b From ed944a3c70a0bad158cd5a6ca5ce1f2e717aff5d Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sat, 2 Jun 2012 11:07:47 +0100 Subject: Replaced `==` with `===` and `!=` with `!==` in /system/core --- system/core/Security.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 9b7ba5799..9cbcd9248 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -162,7 +162,7 @@ class CI_Security { // Do the tokens exist in both the _POST and _COOKIE arrays? if ( ! isset($_POST[$this->_csrf_token_name]) OR ! isset($_COOKIE[$this->_csrf_cookie_name]) - OR $_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match? + OR $_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match? { $this->csrf_show_error(); } @@ -408,7 +408,7 @@ class CI_Security { $str = preg_replace('#<(/*)(script|xss)(.*?)\>#si', '[removed]', $str); } } - while($original != $str); + while($original !== $str); unset($original); @@ -475,7 +475,7 @@ class CI_Security { */ public function xss_hash() { - if ($this->_xss_hash == '') + if ($this->_xss_hash === '') { mt_srand(); $this->_xss_hash = md5(time() + mt_rand(0, 1999999999)); @@ -825,7 +825,7 @@ class CI_Security { */ protected function _csrf_set_hash() { - if ($this->_csrf_hash == '') + if ($this->_csrf_hash === '') { // If the cookie exists we will use it's value. // We don't necessarily want to regenerate it with -- cgit v1.2.3-24-g4f1b From 9ba661b02c492e89028e5c67b7edbfc0efefc9f1 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 4 Jun 2012 14:44:34 +0300 Subject: Revert/optimize some changes from ed944a3c70a0bad158cd5a6ca5ce1f2e717aff5d --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 9cbcd9248..4593a1090 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -847,4 +847,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/core/Security.php */ +/* Location: ./system/core/Security.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 0d2c06ea1d96ea3f35dd1e7856977a24cec43233 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 12 Jun 2012 02:33:45 +0300 Subject: Change file permissions for system/core/*.php and system/database/DB.php so that they don't differ from the rest --- system/core/Security.php | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 system/core/Security.php (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php old mode 100755 new mode 100644 -- cgit v1.2.3-24-g4f1b From 1a24a9da3cfbacf8802ffd0b79f5494d30278007 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 27 Jun 2012 00:52:47 +0300 Subject: Fix issue #427 --- system/core/Security.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 4593a1090..227217e75 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -560,6 +560,19 @@ class CI_Security { // ---------------------------------------------------------------- + /** + * Strip Image Tags + * + * @param string + * @return string + */ + public function strip_image_tags($str) + { + return preg_replace(array('##', '##'), '\\1', $str); + } + + // ---------------------------------------------------------------- + /** * Compact Exploded Words * -- cgit v1.2.3-24-g4f1b From a81f60c6bf59a4ce8b9fc8ccdea9bc7a0fbeb16d Mon Sep 17 00:00:00 2001 From: vlakoff Date: Mon, 2 Jul 2012 15:20:11 +0200 Subject: Clean up regexes in Security->xss_clean() Removed some unneeded capturing groups (or made them non-capturing) and some unneeded escape characters --- system/core/Security.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 227217e75..b22d2cf19 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -395,20 +395,20 @@ class CI_Security { if (preg_match('/]*?)(>|$)#si', array($this, '_js_link_removal'), $str); + $str = preg_replace_callback('#]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str); } if (preg_match('/]*?)(\s?/?>|$)#si', array($this, '_js_img_removal'), $str); + $str = preg_replace_callback('#]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str); } - if (preg_match('/(script|xss)/i', $str)) + if (preg_match('/script|xss/i', $str)) { - $str = preg_replace('#<(/*)(script|xss)(.*?)\>#si', '[removed]', $str); + $str = preg_replace('##si', '[removed]', $str); } } - while($original !== $str); + while ($original !== $str); unset($original); @@ -683,7 +683,7 @@ class CI_Security { protected function _js_link_removal($match) { return str_replace($match[1], - preg_replace('#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) ), @@ -706,7 +706,7 @@ class CI_Security { protected function _js_img_removal($match) { return str_replace($match[1], - preg_replace('#src=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) ), -- cgit v1.2.3-24-g4f1b From 3fb026713013b60845c4cfe633a8a59a30b9c7dd Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 22 Oct 2012 16:48:01 +0300 Subject: Add is_https() as a common function --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index b22d2cf19..2fbc5b34c 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -198,7 +198,7 @@ class CI_Security { $expire = time() + $this->_csrf_expire; $secure_cookie = (bool) config_item('cookie_secure'); - if ($secure_cookie && (empty($_SERVER['HTTPS']) OR strtolower($_SERVER['HTTPS']) === 'off')) + if ($secure_cookie && ! is_https()) { return FALSE; } -- cgit v1.2.3-24-g4f1b From f795ab52dadaef20afd3a97ad4c8ed408e211dc2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 24 Oct 2012 21:28:25 +0300 Subject: [ci skip] Document get_csrf_token_name(), get_csrf_hash() (issue #715) --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 2fbc5b34c..d7c82712d 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -161,7 +161,7 @@ class CI_Security { } // Do the tokens exist in both the _POST and _COOKIE arrays? - if ( ! isset($_POST[$this->_csrf_token_name]) OR ! isset($_COOKIE[$this->_csrf_cookie_name]) + if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]) OR $_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match? { $this->csrf_show_error(); -- cgit v1.2.3-24-g4f1b From 64354104d69425848e477b322ebf0604e2593326 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sun, 28 Oct 2012 14:16:02 +0200 Subject: [ci skip] DocBlock improvements for Security library --- system/core/Security.php | 177 ++++++++++++++++++++++++++--------------------- 1 file changed, 100 insertions(+), 77 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index d7c82712d..50d0ce052 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -37,45 +37,55 @@ class CI_Security { /** - * Random Hash for protecting URLs + * XSS Hash * - * @var string + * Random Hash for protecting URLs. + * + * @var string */ protected $_xss_hash = ''; /** - * Random Hash for Cross Site Request Forgery Protection Cookie + * CSRF Hash + * + * Random hash for Cross Site Request Forgery protection cookie * - * @var string + * @var string */ protected $_csrf_hash = ''; /** - * Expiration time for Cross Site Request Forgery Protection Cookie - * Defaults to two hours (in seconds) + * CSRF Expire time + * + * Expiration time for Cross Site Request Forgery protection cookie. + * Defaults to two hours (in seconds). * - * @var int + * @var int */ protected $_csrf_expire = 7200; /** - * Token name for Cross Site Request Forgery Protection Cookie + * CSRF Token name * - * @var string + * Token name for Cross Site Request Forgery protection cookie. + * + * @var string */ protected $_csrf_token_name = 'ci_csrf_token'; /** - * Cookie name for Cross Site Request Forgery Protection Cookie + * CSRF Cookie name + * + * Cookie name for Cross Site Request Forgery protection cookie. * - * @var string + * @var string */ protected $_csrf_cookie_name = 'ci_csrf_token'; /** * List of never allowed strings * - * @var array + * @var array */ protected $_never_allowed_str = array( 'document.cookie' => '[removed]', @@ -91,9 +101,9 @@ class CI_Security { ); /** - * List of never allowed regex replacement + * List of never allowed regex replacements * - * @var array + * @var array */ protected $_never_allowed_regex = array( 'javascript\s*:', @@ -104,7 +114,7 @@ class CI_Security { ); /** - * Initialize security class + * Class constructor * * @return void */ @@ -138,7 +148,7 @@ class CI_Security { // -------------------------------------------------------------------- /** - * Verify Cross Site Request Forgery Protection + * CSRF Verify * * @return object */ @@ -188,10 +198,10 @@ class CI_Security { // -------------------------------------------------------------------- /** - * Set Cross Site Request Forgery Protection Cookie + * CSRF Set Cookie * - * @return object * @codeCoverageIgnore + * @return object */ public function csrf_set_cookie() { @@ -234,9 +244,8 @@ class CI_Security { /** * Get CSRF Hash * - * Getter Method - * - * @return string self::_csrf_hash + * @see CI_Security::$_csrf_hash + * @return string CSRF hash */ public function get_csrf_hash() { @@ -248,9 +257,8 @@ class CI_Security { /** * Get CSRF Token Name * - * Getter Method - * - * @return string self::_csrf_token_name + * @see CI_Security::$_csrf_token_name + * @return string CSRF token name */ public function get_csrf_token_name() { @@ -263,26 +271,26 @@ class CI_Security { * XSS Clean * * Sanitizes data so that Cross Site Scripting Hacks can be - * prevented. This function does a fair amount of work but + * prevented. This method does a fair amount of work but * it is extremely thorough, designed to prevent even the * most obscure XSS attempts. Nothing is ever 100% foolproof, * of course, but I haven't been able to get anything passed * the filter. * - * Note: This function should only be used to deal with data - * upon submission. It's not something that should - * be used for general runtime processing. + * Note: Should only be used to deal with data upon submission. + * It's not something that should be used for general + * runtime processing. * - * This function was based in part on some code and ideas I - * got from Bitflux: http://channel.bitflux.ch/wiki/XSS_Prevention + * @link http://channel.bitflux.ch/wiki/XSS_Prevention + * Based in part on some code and ideas from Bitflux. * - * To help develop this script I used this great list of - * vulnerabilities along with a few other hacks I've - * harvested from examining vulnerabilities in other programs: - * http://ha.ckers.org/xss.html + * @link http://ha.ckers.org/xss.html + * To help develop this script I used this great list of + * vulnerabilities along with a few other hacks I've + * harvested from examining vulnerabilities in other programs. * - * @param mixed string or array - * @param bool + * @param string|string[] $str Input data + * @param bool $is_image Whether the input is an image * @return string */ public function xss_clean($str, $is_image = FALSE) @@ -469,9 +477,12 @@ class CI_Security { // -------------------------------------------------------------------- /** - * Random Hash for protecting URLs + * XSS Hash * - * @return string + * Generates the XSS hash if needed and returns it. + * + * @see CI_Security::$_xss_hash + * @return string XSS hash */ public function xss_hash() { @@ -489,7 +500,7 @@ class CI_Security { /** * HTML Entities Decode * - * This function is a replacement for html_entity_decode() + * A replacement for html_entity_decode() * * The reason we are not using html_entity_decode() by itself is because * while it is not technically correct to leave out the semicolon @@ -497,8 +508,10 @@ class CI_Security { * correctly. html_entity_decode() does not convert entities without * semicolons, so we are left with our own little solution here. Bummer. * - * @param string - * @param string + * @link http://php.net/html-entity-decode + * + * @param string $str Input + * @param string $charset Character set * @return string */ public function entity_decode($str, $charset = NULL) @@ -521,10 +534,10 @@ class CI_Security { // -------------------------------------------------------------------- /** - * Filename Security + * Sanitize Filename * - * @param string - * @param bool + * @param string $str Input file name + * @param bool $relative_path Whether to preserve paths * @return string */ public function sanitize_filename($str, $relative_path = FALSE) @@ -563,7 +576,7 @@ class CI_Security { /** * Strip Image Tags * - * @param string + * @param string $str * @return string */ public function strip_image_tags($str) @@ -576,10 +589,11 @@ class CI_Security { /** * Compact Exploded Words * - * Callback function for xss_clean() to remove whitespace from - * things like j a v a s c r i p t + * Callback method for xss_clean() to remove whitespace from + * things like 'j a v a s c r i p t'. * - * @param array + * @used-by CI_Security::xss_clean() + * @param array $matches * @return string */ protected function _compact_exploded_words($matches) @@ -593,16 +607,22 @@ class CI_Security { * Remove Evil HTML Attributes (like event handlers and style) * * It removes the evil attribute and either: - * - Everything up until a space - * For example, everything between the pipes: + * + * - Everything up until a space. For example, everything between the pipes: + * + * * - * - Everything inside the quotes - * For example, everything between the pipes: + * + * + * - Everything inside the quotes. For example, everything between the pipes: + * + * * + * * - * @param string $str The string to check - * @param boolean $is_image TRUE if this is an image - * @return string The string with the evil attributes removed + * @param string $str The string to check + * @param bool $is_image Whether the input is an image + * @return string The string with the evil attributes removed */ protected function _remove_evil_attributes($str, $is_image) { @@ -655,9 +675,10 @@ class CI_Security { /** * Sanitize Naughty HTML * - * Callback function for xss_clean() to remove naughty HTML elements + * Callback method for xss_clean() to remove naughty HTML elements. * - * @param array + * @used-by CI_Security::xss_clean() + * @param array $matches * @return string */ protected function _sanitize_naughty_html($matches) @@ -672,12 +693,14 @@ class CI_Security { /** * JS Link Removal * - * Callback function for xss_clean() to sanitize links + * Callback method for xss_clean() to sanitize links. + * * This limits the PCRE backtracks, making it more performance friendly * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in - * PHP 5.2+ on link-heavy strings + * PHP 5.2+ on link-heavy strings. * - * @param array + * @used-by CI_Security::xss_clean() + * @param array $match * @return string */ protected function _js_link_removal($match) @@ -695,12 +718,14 @@ class CI_Security { /** * JS Image Removal * - * Callback function for xss_clean() to sanitize image tags + * Callback method for xss_clean() to sanitize image tags. + * * This limits the PCRE backtracks, making it more performance friendly * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in - * PHP 5.2+ on image tag heavy strings + * PHP 5.2+ on image tag heavy strings. * - * @param array + * @used-by CI_Security::xss_clean() + * @param array $match * @return string */ protected function _js_img_removal($match) @@ -718,9 +743,8 @@ class CI_Security { /** * Attribute Conversion * - * Used as a callback for XSS Clean - * - * @param array + * @used-by CI_Security::xss_clean() + * @param array $match * @return string */ protected function _convert_attribute($match) @@ -733,9 +757,11 @@ class CI_Security { /** * Filter Attributes * - * Filters tag attributes for consistency and safety + * Filters tag attributes for consistency and safety. * - * @param string + * @used-by CI_Security::_js_img_removal() + * @used-by CI_Security::_js_link_removal() + * @param string $str * @return string */ protected function _filter_attributes($str) @@ -757,9 +783,8 @@ class CI_Security { /** * HTML Entity Decode Callback * - * Used as a callback for XSS Clean - * - * @param array + * @used-by CI_Security::xss_clean() + * @param array $match * @return string */ protected function _decode_entity($match) @@ -772,9 +797,8 @@ class CI_Security { /** * Validate URL entities * - * Called by xss_clean() - * - * @param string + * @used-by CI_Security::xss_clean() + * @param string $str * @return string */ protected function _validate_entities($str) @@ -812,8 +836,7 @@ class CI_Security { /** * Do Never Allowed * - * A utility function for xss_clean() - * + * @used-by CI_Security::xss_clean() * @param string * @return string */ @@ -832,7 +855,7 @@ class CI_Security { // -------------------------------------------------------------------- /** - * Set Cross Site Request Forgery Protection Cookie + * Set CSRF Hash and Cookie * * @return string */ -- cgit v1.2.3-24-g4f1b From c5536aac5752054f7f76e448d58b86407d8f574e Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 1 Nov 2012 17:33:58 +0200 Subject: Manually apply PR #1594 (fixing phpdoc page-level generation/warnings) Also partially fixes issue #1295, fixes inconsistencies in some page-level docblocks and adds include checks in language files. --- system/core/Security.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 50d0ce052..b8e66c087 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -1,4 +1,4 @@ - Date: Mon, 3 Dec 2012 14:37:47 +0200 Subject: [ci skip] Cleaned some spaces --- system/core/Security.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index b8e66c087..c415544b6 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -368,7 +368,7 @@ class CI_Security { } else { - $str = str_replace(array(''), array('<?', '?>'), $str); + $str = str_replace(array(''), array('<?', '?>'), $str); } /* @@ -382,7 +382,6 @@ class CI_Security { 'applet', 'alert', 'document', 'write', 'cookie', 'window' ); - foreach ($words as $word) { $word = implode('\s*', str_split($word)).'\s*'; -- cgit v1.2.3-24-g4f1b From 160c7d16c4e0c92c030c0a41d1223f916a82089d Mon Sep 17 00:00:00 2001 From: brian978 Date: Mon, 3 Dec 2012 21:18:20 +0200 Subject: Added small improvement to the _remove_evil_attributes function Signed-off-by: brian978 --- system/core/Security.php | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index c415544b6..4f2185db5 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -642,17 +642,16 @@ class CI_Security { $count = 0; $attribs = array(); - // find occurrences of illegal attribute strings without quotes - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER); + // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { - $attribs[] = preg_quote($attr[0], '/'); } - // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); + // find occurrences of illegal attribute strings without quotes + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { @@ -662,7 +661,7 @@ class CI_Security { // replace illegal attribute strings that are inside an html tag if (count($attribs) > 0) { - $str = preg_replace('/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><])([><]*)/i', '<$1 $3$5$6$7', $str, -1, $count); + $str = preg_replace('/(<]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><]?)([><]*)/i', '$1$2 $4$6$7$8', $str, -1, $count); } } while ($count); -- cgit v1.2.3-24-g4f1b From f50fc73cf63136b720c2bd247175f236d5b27eaa Mon Sep 17 00:00:00 2001 From: brian978 Date: Sat, 8 Dec 2012 23:22:26 +0200 Subject: All the HEX code must be replaced or else some XSS attacks can be successful --- system/core/Security.php | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 4f2185db5..220188edc 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -526,9 +526,17 @@ class CI_Security { $charset = config_item('charset'); } - $str = html_entity_decode($str, ENT_COMPAT, $charset); - $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str); - return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str); + do + { + $matches = $matches1 = 0; + + $str = html_entity_decode($str, ENT_COMPAT, $charset); + $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); + $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); + } + while($matches || $matches1); + + return $str; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 0a83fcc748ef29e644bf9e8cac4d7dd9a7408d5f Mon Sep 17 00:00:00 2001 From: brian978 Date: Mon, 10 Dec 2012 13:05:06 +0200 Subject: Fixed bug with regexp that matched tags --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 220188edc..635f9ff31 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -329,7 +329,7 @@ class CI_Security { * these are the ones that will pose security problems. */ $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - $str = preg_replace_callback('/<\w+.*?(?=>|<|$)/si', array($this, '_decode_entity'), $str); + $str = preg_replace_callback('/<\w+.*?=.*?>\b/si', array($this, '_decode_entity'), $str); // Remove Invisible Characters Again! $str = remove_invisible_characters($str); -- cgit v1.2.3-24-g4f1b From 6caeaada6e4a1acc88c230e47f36ebcf8f0182ac Mon Sep 17 00:00:00 2001 From: brian978 Date: Mon, 10 Dec 2012 15:58:49 +0200 Subject: Removed boundary from regexp --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 635f9ff31..c179c46ff 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -329,7 +329,7 @@ class CI_Security { * these are the ones that will pose security problems. */ $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - $str = preg_replace_callback('/<\w+.*?=.*?>\b/si', array($this, '_decode_entity'), $str); + $str = preg_replace_callback('/<\w+.*?=.*?>/si', array($this, '_decode_entity'), $str); // Remove Invisible Characters Again! $str = remove_invisible_characters($str); -- cgit v1.2.3-24-g4f1b From 07ccbe59cf9d78d944551f810a14064e979840a3 Mon Sep 17 00:00:00 2001 From: brian978 Date: Tue, 11 Dec 2012 20:24:12 +0200 Subject: Modified regexp to match partial tags --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index c179c46ff..70e9e973c 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -329,7 +329,7 @@ class CI_Security { * these are the ones that will pose security problems. */ $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - $str = preg_replace_callback('/<\w+.*?=.*?>/si', array($this, '_decode_entity'), $str); + $str = preg_replace_callback('/<\w+.*/si', array($this, '_decode_entity'), $str); // Remove Invisible Characters Again! $str = remove_invisible_characters($str); @@ -529,7 +529,7 @@ class CI_Security { do { $matches = $matches1 = 0; - + $str = html_entity_decode($str, ENT_COMPAT, $charset); $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); -- cgit v1.2.3-24-g4f1b From 4296a65693504736b5e65bee5b163fa08cacb563 Mon Sep 17 00:00:00 2001 From: Andrew Podner Date: Mon, 17 Dec 2012 07:51:15 -0500 Subject: update for Issue #2064 (changed docblocks which return $this or only call a method that returns $this to @return CI_DB_class_name) --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index c415544b6..3bf626635 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -151,7 +151,7 @@ class CI_Security { /** * CSRF Verify * - * @return object + * @return CI_Security */ public function csrf_verify() { @@ -202,7 +202,7 @@ class CI_Security { * CSRF Set Cookie * * @codeCoverageIgnore - * @return object + * @return CI_Security */ public function csrf_set_cookie() { -- cgit v1.2.3-24-g4f1b From 638a9d243065733f862761eed0fa5829409b571a Mon Sep 17 00:00:00 2001 From: brian978 Date: Tue, 18 Dec 2012 13:25:54 +0200 Subject: Replaced spaces with tabs for indentation and || with OR --- system/core/Security.php | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 8c70e85de..5ae8e653c 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -526,17 +526,17 @@ class CI_Security { $charset = config_item('charset'); } - do - { - $matches = $matches1 = 0; + do + { + $matches = $matches1 = 0; - $str = html_entity_decode($str, ENT_COMPAT, $charset); - $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); - $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); - } - while($matches || $matches1); + $str = html_entity_decode($str, ENT_COMPAT, $charset); + $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); + $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); + } + while($matches OR $matches1); - return $str; + return $str; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 72ed4c322652d88bf90ddfe8b8c9a563c51e4660 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 19 Dec 2012 17:07:54 +0200 Subject: [ci skip] Some micro-optimizations and style changes (following PRs #2049, #2079) --- system/core/Security.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 5ae8e653c..7c929b6ca 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -534,7 +534,7 @@ class CI_Security { $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); } - while($matches OR $matches1); + while ($matches OR $matches1); return $str; } @@ -671,8 +671,8 @@ class CI_Security { { $str = preg_replace('/(<]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><]?)([><]*)/i', '$1$2 $4$6$7$8', $str, -1, $count); } - - } while ($count); + } + while ($count); return $str; } -- cgit v1.2.3-24-g4f1b From 80500afbd188600212ca913a7bac073009feac73 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 1 Jan 2013 08:16:53 +0200 Subject: [ci skip] Happy new year --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 7c929b6ca..a6cd14a5f 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -18,7 +18,7 @@ * * @package CodeIgniter * @author EllisLab Dev Team - * @copyright Copyright (c) 2008 - 2012, EllisLab, Inc. (http://ellislab.com/) + * @copyright Copyright (c) 2008 - 2013, EllisLab, Inc. (http://ellislab.com/) * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0) * @link http://codeigniter.com * @since Version 1.0 -- cgit v1.2.3-24-g4f1b From 7e5597782a589e4171ca08abdd9ce1a185542ff4 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 29 Jan 2013 15:38:33 +0200 Subject: Replace CI_Upload::clean_file_name() usage with CI_Security::sanitize_filename() Also applied @xeptor's fix (a big thanks) to the sanitize_filename() method and added a changelog entry for it - fixes issue #73. --- system/core/Security.php | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index a6cd14a5f..7aae54efc 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -576,7 +576,15 @@ class CI_Security { } $str = remove_invisible_characters($str, FALSE); - return stripslashes(str_replace($bad, '', $str)); + + do + { + $old = $str; + $str = str_replace($bad, '', $str); + } + while ($old !== $str); + + return stripslashes($str); } // ---------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 0612756dd37a3472259a19814e1a9bb403ab6e11 Mon Sep 17 00:00:00 2001 From: vlakoff Date: Sat, 30 Mar 2013 00:06:39 +0100 Subject: Some cleanup related to mt_rand() - min and max values are 0 and mt_getrandmax() by default - remove useless mt_srand() seed calls --- system/core/Security.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 7aae54efc..196d61144 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -488,8 +488,7 @@ class CI_Security { { if ($this->_xss_hash === '') { - mt_srand(); - $this->_xss_hash = md5(time() + mt_rand(0, 1999999999)); + $this->_xss_hash = md5(uniqid(mt_rand())); } return $this->_xss_hash; -- cgit v1.2.3-24-g4f1b From 23719ab569c9c8d6b791f65d7861daba3895ddcb Mon Sep 17 00:00:00 2001 From: Hunter Wu Date: Thu, 1 Aug 2013 23:15:13 +0800 Subject: Add windows filename rule as an option for upload files --- system/core/Security.php | 51 ++++++++++++++++++++++++++++++------------------ 1 file changed, 32 insertions(+), 19 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 196d61144..cd1cb1ab4 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -114,6 +114,36 @@ class CI_Security { "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" ); + /** + * List of bad chars for sanitize filename + * + * @var array + */ + private $_filename_bad_str_rules = array( + 'default' => array( + '../', '', '<', '>', + "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', + ';', '?', '%20', '%22', + '%3c', // < + '%253c', // < + '%3e', // > + '%0e', // > + '%28', // ( + '%29', // ) + '%2528', // ( + '%26', // & + '%24', // $ + '%3f', // ? + '%3b', // ; + '%3d' // = + ), + 'windows' => array( + '\\', '/', ':', '*', '?', + '"', '<', '>', '|', + ), + ); + /** * Class constructor * @@ -547,26 +577,9 @@ class CI_Security { * @param bool $relative_path Whether to preserve paths * @return string */ - public function sanitize_filename($str, $relative_path = FALSE) + public function sanitize_filename($str, $relative_path = FALSE, $rule = 'default') { - $bad = array( - '../', '', '<', '>', - "'", '"', '&', '$', '#', - '{', '}', '[', ']', '=', - ';', '?', '%20', '%22', - '%3c', // < - '%253c', // < - '%3e', // > - '%0e', // > - '%28', // ( - '%29', // ) - '%2528', // ( - '%26', // & - '%24', // $ - '%3f', // ? - '%3b', // ; - '%3d' // = - ); + $bad = $this->_filename_bad_str_rules[$rule]; if ( ! $relative_path) { -- cgit v1.2.3-24-g4f1b From 8df3352dff5f734c1b3831fdc131f676a9850d51 Mon Sep 17 00:00:00 2001 From: Hunter Wu Date: Sat, 3 Aug 2013 22:36:05 +0800 Subject: Revert "Add windows filename rule as an option for upload files" This reverts commit 23719ab569c9c8d6b791f65d7861daba3895ddcb. --- system/core/Security.php | 51 ++++++++++++++++++------------------------------ 1 file changed, 19 insertions(+), 32 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index cd1cb1ab4..196d61144 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -114,36 +114,6 @@ class CI_Security { "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" ); - /** - * List of bad chars for sanitize filename - * - * @var array - */ - private $_filename_bad_str_rules = array( - 'default' => array( - '../', '', '<', '>', - "'", '"', '&', '$', '#', - '{', '}', '[', ']', '=', - ';', '?', '%20', '%22', - '%3c', // < - '%253c', // < - '%3e', // > - '%0e', // > - '%28', // ( - '%29', // ) - '%2528', // ( - '%26', // & - '%24', // $ - '%3f', // ? - '%3b', // ; - '%3d' // = - ), - 'windows' => array( - '\\', '/', ':', '*', '?', - '"', '<', '>', '|', - ), - ); - /** * Class constructor * @@ -577,9 +547,26 @@ class CI_Security { * @param bool $relative_path Whether to preserve paths * @return string */ - public function sanitize_filename($str, $relative_path = FALSE, $rule = 'default') + public function sanitize_filename($str, $relative_path = FALSE) { - $bad = $this->_filename_bad_str_rules[$rule]; + $bad = array( + '../', '', '<', '>', + "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', + ';', '?', '%20', '%22', + '%3c', // < + '%253c', // < + '%3e', // > + '%0e', // > + '%28', // ( + '%29', // ) + '%2528', // ( + '%26', // & + '%24', // $ + '%3f', // ? + '%3b', // ; + '%3d' // = + ); if ( ! $relative_path) { -- cgit v1.2.3-24-g4f1b From a8d6d3b13a0086c86e3dd69f0376be3a6982bc16 Mon Sep 17 00:00:00 2001 From: Hunter Wu Date: Sat, 3 Aug 2013 23:17:45 +0800 Subject: Make the bad filename array public in Security library --- system/core/Security.php | 56 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 38 insertions(+), 18 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 196d61144..3d04d5e12 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -37,6 +37,30 @@ defined('BASEPATH') OR exit('No direct script access allowed'); */ class CI_Security { + /** + * List of sanitize filename strings + * + * @var array + */ + public $sanitize_filename_str = array( + '../', '', '<', '>', + "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', + ';', '?', '%20', '%22', + '%3c', // < + '%253c', // < + '%3e', // > + '%0e', // > + '%28', // ( + '%29', // ) + '%2528', // ( + '%26', // & + '%24', // $ + '%3f', // ? + '%3b', // ; + '%3d' // = + ); + /** * XSS Hash * @@ -540,6 +564,19 @@ class CI_Security { // -------------------------------------------------------------------- + /** + * Set Sanitize Filename Strings + * + * @param array $strings + * @return void + */ + public function set_sanitize_filename_str($strings) + { + $this->sanitize_filename_str = $strings; + } + + // -------------------------------------------------------------------- + /** * Sanitize Filename * @@ -549,24 +586,7 @@ class CI_Security { */ public function sanitize_filename($str, $relative_path = FALSE) { - $bad = array( - '../', '', '<', '>', - "'", '"', '&', '$', '#', - '{', '}', '[', ']', '=', - ';', '?', '%20', '%22', - '%3c', // < - '%253c', // < - '%3e', // > - '%0e', // > - '%28', // ( - '%29', // ) - '%2528', // ( - '%26', // & - '%24', // $ - '%3f', // ? - '%3b', // ; - '%3d' // = - ); + $bad = $this->sanitize_filename_str; if ( ! $relative_path) { -- cgit v1.2.3-24-g4f1b From 4495cc740c1c0e382cc62d3d174abd17c0b4d84f Mon Sep 17 00:00:00 2001 From: Hunter Wu Date: Sun, 4 Aug 2013 12:31:52 +0800 Subject: Rename bad chars property to filename_bad_chars, remove the setter and add changelog entry --- system/core/Security.php | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 3d04d5e12..70cf3e013 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -42,7 +42,7 @@ class CI_Security { * * @var array */ - public $sanitize_filename_str = array( + public $filename_bad_chars = array( '../', '', '<', '>', "'", '"', '&', '$', '#', '{', '}', '[', ']', '=', @@ -564,19 +564,6 @@ class CI_Security { // -------------------------------------------------------------------- - /** - * Set Sanitize Filename Strings - * - * @param array $strings - * @return void - */ - public function set_sanitize_filename_str($strings) - { - $this->sanitize_filename_str = $strings; - } - - // -------------------------------------------------------------------- - /** * Sanitize Filename * @@ -586,7 +573,7 @@ class CI_Security { */ public function sanitize_filename($str, $relative_path = FALSE) { - $bad = $this->sanitize_filename_str; + $bad = $this->filename_bad_chars; if ( ! $relative_path) { -- cgit v1.2.3-24-g4f1b From 46e77e0d28cf6c057484df022a012e85de2f79b6 Mon Sep 17 00:00:00 2001 From: David Cox Jr Date: Thu, 3 Oct 2013 16:56:04 -0400 Subject: partial fix #2667 this fixes the ability to replace a space with a / and skip the XSS filtering --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 70cf3e013..368e17dc3 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -603,7 +603,7 @@ class CI_Security { */ public function strip_image_tags($str) { - return preg_replace(array('##', '##'), '\\1', $str); + return preg_replace(array('##', '##'), '\\1', $str); } // ---------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 3a3d5f6c2320a90436de241af41fe22df7344728 Mon Sep 17 00:00:00 2001 From: vlakoff Date: Thu, 17 Oct 2013 22:22:16 +0200 Subject: Replace the last rand() with mt_rand() Better entropy, faster. Also fixed a few "it's" typos. --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 368e17dc3..6f5f5cb90 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -884,7 +884,7 @@ class CI_Security { { if ($this->_csrf_hash === '') { - // If the cookie exists we will use it's value. + // If the cookie exists we will use its value. // We don't necessarily want to regenerate it with // each page load since a page could contain embedded // sub-pages causing this feature to fail @@ -894,7 +894,7 @@ class CI_Security { return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name]; } - $this->_csrf_hash = md5(uniqid(rand(), TRUE)); + $this->_csrf_hash = md5(uniqid(mt_rand(), TRUE)); $this->csrf_set_cookie(); } -- cgit v1.2.3-24-g4f1b From 3fa729d7092c814fe14e15d8d51789ce7907f2a8 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 18 Oct 2013 20:57:41 +0300 Subject: Fix issue #2681 (alternative to PR #2690) --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 6f5f5cb90..5c5c0efb6 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -553,9 +553,9 @@ class CI_Security { { $matches = $matches1 = 0; + $str = preg_replace('~(�*[0-9a-f]{2,5});?~iS', $str, -1, $matches); + $str = preg_replace('~(&#\d{2,4});?~S', $str, -1, $matches1); $str = html_entity_decode($str, ENT_COMPAT, $charset); - $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); - $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); } while ($matches OR $matches1); -- cgit v1.2.3-24-g4f1b From e08411d72226ba5b2f97b519051f78d978747e18 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 18 Oct 2013 21:13:56 +0300 Subject: Eh ... preg_replace() needs a replacement --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 5c5c0efb6..9423f825c 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -553,8 +553,8 @@ class CI_Security { { $matches = $matches1 = 0; - $str = preg_replace('~(�*[0-9a-f]{2,5});?~iS', $str, -1, $matches); - $str = preg_replace('~(&#\d{2,4});?~S', $str, -1, $matches1); + $str = preg_replace('~(�*[0-9a-f]{2,5});?~iS', '$1;', $str, -1, $matches); + $str = preg_replace('~(&#\d{2,4});?~S', '$1;', $str, -1, $matches1); $str = html_entity_decode($str, ENT_COMPAT, $charset); } while ($matches OR $matches1); -- cgit v1.2.3-24-g4f1b From 1bbc5644b0c306ff72dc1228b169db56902fc031 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 7 Jan 2014 12:45:27 +0200 Subject: Fix #2268 (manually implementing PR #2269) --- system/core/Security.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 9423f825c..0944fef92 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -117,7 +117,6 @@ class CI_Security { 'document.write' => '[removed]', '.parentNode' => '[removed]', '.innerHTML' => '[removed]', - 'window.location' => '[removed]', '-moz-binding' => '[removed]', '' => '-->', @@ -132,6 +131,7 @@ class CI_Security { */ protected $_never_allowed_regex = array( 'javascript\s*:', + '(document|(document\.)?window)\.(location|on\w*)', 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! 'Redirect\s+302', @@ -648,8 +648,8 @@ class CI_Security { */ protected function _remove_evil_attributes($str, $is_image) { - // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns - $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction'); + // Formaction, style, and xmlns + $evil_attributes = array('style', 'xmlns', 'formaction'); if ($is_image === TRUE) { -- cgit v1.2.3-24-g4f1b From 99e2f8e2397ec4bf3ce5637d5a660a122aaa7b1b Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sun, 19 Jan 2014 00:04:44 +0200 Subject: Fix #2829 --- system/core/Security.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 0944fef92..4c01da2b8 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -551,13 +551,13 @@ class CI_Security { do { - $matches = $matches1 = 0; + $m1 = $m2 = 0; - $str = preg_replace('~(�*[0-9a-f]{2,5});?~iS', '$1;', $str, -1, $matches); - $str = preg_replace('~(&#\d{2,4});?~S', '$1;', $str, -1, $matches1); + $str = preg_replace('/(�*[0-9a-f]{2,5})(?![0-9a-f;])/iS', '$1;', $str, -1, $m1); + $str = preg_replace('/(&#\d{2,4})(?![0-9;])/S', '$1;', $str, -1, $m2); $str = html_entity_decode($str, ENT_COMPAT, $charset); } - while ($matches OR $matches1); + while ($m1 OR $m2); return $str; } -- cgit v1.2.3-24-g4f1b From 4d0571666d03511ac5b4a1f2a6882ccb1509a209 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 20 Jan 2014 11:17:34 +0200 Subject: Fix #2729 --- system/core/Security.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 4c01da2b8..95957a3d8 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -837,14 +837,15 @@ class CI_Security { * Add a semicolon if missing. We do this to enable * the conversion of entities to ASCII later. */ - $str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', '\\1;\\2', $str); + $str = preg_replace('/(&#\d{2,4})(?![0-9;])/', '$1;', $str); + $str = preg_replace('/(&[a-z]{2,})(?![a-z;])/i', '$1;', $str); /* * Validate UTF16 two byte encoding (x00) * * Just as above, adds a semicolon if missing. */ - $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i', '\\1\\2;', $str); + $str = preg_replace('/(�*[0-9a-f]{2,5})(?![0-9a-f;])/i', '$1;', $str); /* * Un-Protect GET variables in URLs -- cgit v1.2.3-24-g4f1b From 4356806dc0298363217694d727db9cad84a073e0 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 21 Jan 2014 23:52:31 +0200 Subject: Add