From eb93e7347f4c7320ba0247b29095907d3b5b7b7f Mon Sep 17 00:00:00 2001
From: Graham Campbell
Date: Sun, 29 Jun 2014 14:05:49 +0100
Subject: Fixed typo
---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 2cf214b18..cce20cdb9 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -605,7 +605,7 @@ class CI_Security {
 {
 if (($char = array_search($matches[$i].';', $_entities, TRUE)) !== FALSE)
 {
- $replace[$matches[$i]] = $character;
+ $replace[$matches[$i]] = $char;
 }
 }
@@ -934,4 +934,4 @@ class CI_Security {
 }
 /* End of file Security.php */
-/* Location: ./system/core/Security.php */
\ No newline at end of file
+/* Location: ./system/core/Security.php */
--
cgit v1.2.3-24-g4f1b
From 3820b5a7c4533599f114909376b2546ee282978c Mon Sep 17 00:00:00 2001
From: Graham Campbell
Date: Sun, 29 Jun 2014 17:55:56 +0100
Subject: Fixed eof
---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index cce20cdb9..c4621d588 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -934,4 +934,4 @@ class CI_Security {
 }
 /* End of file Security.php */
-/* Location: ./system/core/Security.php */
+/* Location: ./system/core/Security.php */
\ No newline at end of file
--
cgit v1.2.3-24-g4f1b
From 05fcc09436c0c34cc5883d7840abc81ad5af7969 Mon Sep 17 00:00:00 2001
From: Kyle Valade
Date: Sun, 6 Jul 2014 13:43:20 -0700
Subject: Return 403 instead of 500 if no CSRF token given
Not supplying a CSRF token shouldn't return a 500 response because it isn't a server error. The response status code should definitely be in the 400's, because it's the client's fault. And it should be a 403 because the client is forbidden from making that request without the appropriate credential (the CSRF token), though the request may be otherwise valid. http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index c4621d588..f1802f0c4 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -275,7 +275,7 @@ class CI_Security {
 */
 public function csrf_show_error()
 {
- show_error('The action you have requested is not allowed.');
+ show_error('The action you have requested is not allowed.', 403);
 }
 // --------------------------------------------------------------------
@@ -934,4 +934,4 @@ class CI_Security {
 }
 /* End of file Security.php */
-/* Location: ./system/core/Security.php */
\ No newline at end of file
+/* Location: ./system/core/Security.php */
--
cgit v1.2.3-24-g4f1b
From 2761ff49f406d43c749ea87f7d5ebd4e2b7c3197 Mon Sep 17 00:00:00 2001
From: Kyle Valade
Date: Sun, 13 Jul 2014 16:11:19 -0700
Subject: Add changelog entry for CSRF status code; remove line at EOF
---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index f1802f0c4..68e345c54 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
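Review bot: The new 403 status is now part of csrf_show_error()'s contract, but the method's docblock, which starts above the hunk, says nothing about it; add `* Responds with HTTP 403, because a missing or mismatched CSRF token is a client-side authorization failure rather than a server error.` there. Whether show_error() also terminates the request is not visible in this patch, so state that in the docblock only if it does. The method body itself is fully inside the hunk.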
@@ -934,4 +934,4 @@ class CI_Security {
 }
 /* End of file Security.php */
-/* Location: ./system/core/Security.php */
+/* Location: ./system/core/Security.php */
\ No newline at end of file
--
cgit v1.2.3-24-g4f1b
From 9b8286cf0320c8d8864ce4a5fc892c06787a9762 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Tue, 5 Aug 2014 11:46:57 +0300
Subject: Fix #3123
---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 68e345c54..741ff229b 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -370,7 +370,7 @@ class CI_Security {
 * We only convert entities that are within tags since
 * these are the ones that will pose security problems.
 */
- $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
+ $str = preg_replace_callback("/[^a-z0-9>]+[a-z0-9]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
 $str = preg_replace_callback('/<\w+.*/si', array($this, '_decode_entity'), $str);
 // Remove Invisible Characters Again!
--
cgit v1.2.3-24-g4f1b
From 2f4c3bc5c2fac164d1c58ac9aaa09ae070687443 Mon Sep 17 00:00:00 2001
From: Casey Hancock
Date: Mon, 11 Aug 2014 12:52:20 -0400
Subject: CSRF whitelist supports regex
Signed-off-by: Casey Hancock
---
 system/core/Security.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 741ff229b..a6fd75fa4 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
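Review bot: The leading `[^a-z0-9>]+` is the whole fix, yet the comment above the call still only says that entities inside tags are converted, so the next reader cannot tell why `>` is excluded; add a line such as `* A separator other than > must precede the attribute name, so text like a="b" right after a closing tag is not treated as an attribute.` under the existing comment. Note also that `[a-z0-9]+` does not admit `-` or `:`, so for something like `data-x="…"` only the `x="…"` tail matches; that still covers the quoted value, which appears to be what `_convert_attribute` acts on, but that callback is not visible in this patch. The enclosing method starts and ends outside the hunk.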
@@ -203,10 +203,13 @@ class CI_Security {
 if ($exclude_uris = config_item('csrf_exclude_uris'))
 {
 $uri = load_class('URI', 'core');
- if (in_array($uri->uri_string(), $exclude_uris))
- {
- return $this;
- }
+ foreach ($exclude_uris as $excluded) {
+ $excluded = str_replace(array(':any', ':num'), array('[^/]+', '[0-9]+'), $excluded);
+ if (preg_match('#^'.$excluded.'$#', $uri->uri_string()))
+ {
+ return $this;
+ }
+ }
 }
 // Do the tokens exist in both the _POST and _COOKIE arrays?
--
cgit v1.2.3-24-g4f1b
From 5ac7c77ee60b108fb9dee84b5fc0acf04638c6f5 Mon Sep 17 00:00:00 2001
From: caseyh
Date: Mon, 18 Aug 2014 05:10:24 -0400
Subject: Alter Pull #3176 to follow discussion
---
 system/core/Security.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index a6fd75fa4..39e4f7c24 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -203,9 +203,9 @@ class CI_Security {
 if ($exclude_uris = config_item('csrf_exclude_uris'))
 {
 $uri = load_class('URI', 'core');
- foreach ($exclude_uris as $excluded) {
- $excluded = str_replace(array(':any', ':num'), array('[^/]+', '[0-9]+'), $excluded);
- if (preg_match('#^'.$excluded.'$#', $uri->uri_string()))
+ foreach ($exclude_uris as $excluded)
+ {
+ if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
 {
 return $this;
 }
@@ -937,4 +937,4 @@ class CI_Security {
 }
 /* End of file Security.php */
-/* Location: ./system/core/Security.php */
\ No newline at end of file
+/* Location: ./system/core/Security.php */
--
cgit v1.2.3-24-g4f1b
From 6c52096f4f9147244e9631b8040088025ae6e79d Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Mon, 18 Aug 2014 12:24:42 +0300
Subject: [ci skip] Polish changes from PR #3176
---
 system/core/Security.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'system/core/Security.php')
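Review bot: Each `csrf_exclude_uris` entry is concatenated unescaped into `'#^'.$excluded.'$#'`, so an entry containing `#` ends the pattern early, and an entry with regex metacharacters (a `.` in a path, say) now matches more than the exact string it matched under the old `in_array()` check. preg_match() returns FALSE on a malformed pattern and this code treats that as "not excluded", so the failure mode is closed, but an over-broad entry silently widens the CSRF exemption with nothing to flag it. `$` without the `D` modifier also matches before a trailing newline; use `'#^'.$excluded.'$#D'` and document in the config that entries are now `#`-delimited regular expressions matched against the whole URI string. The second `@@ -203,9 +203,9 @@` hunk on this line and the `@@ -205,11 +205,11 @@` hunk on the next, which add the `i` and `u` modifiers, keep both issues; the enclosing method starts and ends outside the hunk.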
diff --git a/system/core/Security.php b/system/core/Security.php
index 39e4f7c24..bb0670500 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -205,11 +205,11 @@ class CI_Security {
 $uri = load_class('URI', 'core');
 foreach ($exclude_uris as $excluded)
 {
- if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
- {
- return $this;
- }
- }
+ if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
+ {
+ return $this;
+ }
+ }
 }
 // Do the tokens exist in both the _POST and _COOKIE arrays?
@@ -937,4 +937,4 @@ class CI_Security {
 }
 /* End of file Security.php */
-/* Location: ./system/core/Security.php */
+/* Location: ./system/core/Security.php */
\ No newline at end of file
--
cgit v1.2.3-24-g4f1b
From 487ccc9c8a21cb6338aab7173b3adda194d29c26 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 27 Aug 2014 16:26:23 +0300
Subject: Add CI_Security::get_random_bytes() for CSRF & XSS token generation
---
 system/core/Security.php | 61 ++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 54 insertions(+), 7 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index bb0670500..bc224e7e3 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -77,7 +77,7 @@ class CI_Security {
 *
 * @var string
 */
- protected $_xss_hash = '';
+ protected $_xss_hash;
 /**
 * CSRF Hash
@@ -86,7 +86,7 @@ class CI_Security {
 *
 * @var string
 */
- protected $_csrf_hash = '';
+ protected $_csrf_hash;
 /**
 * CSRF Expire time
@@ -227,7 +227,7 @@ class CI_Security {
 {
 // Nothing should last forever
 unset($_COOKIE[$this->_csrf_cookie_name]);
- $this->_csrf_hash = '';
+ $this->_csrf_hash = NULL;
 }
 $this->_csrf_set_hash();
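Review bot: `@var string` above `protected $_xss_hash;` is no longer accurate once the initializer is dropped: the property is NULL until xss_hash() fills it, and the rest of this commit tests for `=== NULL`. Change it to `@var string|null` here and in the `$_csrf_hash` hunk just below (`@@ -86,7 +86,7 @@`), so static analysis and readers know NULL is the "not yet generated" state. The class header is outside the hunk.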
@@ -538,9 +538,12 @@ class CI_Security {
 */
 public function xss_hash()
 {
- if ($this->_xss_hash === '')
+ if ($this->_xss_hash === NULL)
 {
- $this->_xss_hash = md5(uniqid(mt_rand()));
+ $rand = $this->get_random_bytes(16);
+ $this->_xss_hash = ($rand === FALSE)
+ ? md5(uniqid(mt_rand(), TRUE))
+ : bin2hex($rand);
 }
 return $this->_xss_hash;
@@ -548,6 +551,46 @@ class CI_Security {
 // --------------------------------------------------------------------
+ /**
+ * Get random bytes
+ *
+ * @param int $length Output length
+ * @return string
+ */
+ public function get_random_bytes($length)
+ {
+ if (empty($length) OR ! ctype_digit($length))
+ {
+ return FALSE;
+ }
+
+ // Unfortunately, none of the following PRNGs is guaranteed to exist ...
+ if (defined(MCRYPT_DEV_URANDOM) && ($output = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM)) !== FALSE)
+ {
+ return $output;
+ }
+
+
+ if (is_readable('/dev/urandom') && ($fp = fopen('/dev/urandom', 'rb')) !== FALSE)
+ {
+ $output = fread($fp, $length);
+ fclose($fp);
+ if ($output !== FALSE)
+ {
+ return $output;
+ }
+ }
+
+ if (function_exists('openssl_random_pseudo_bytes'))
+ {
+ return openssl_random_pseudo_bytes($length);
+ }
+
+ return FALSE;
+ }
+
+ // --------------------------------------------------------------------
+
 /**
 * HTML Entities Decode
 *
@@ -915,7 +958,7 @@ class CI_Security {
 */
 protected function _csrf_set_hash()
 {
- if ($this->_csrf_hash === '')
+ if ($this->_csrf_hash === NULL)
 {
 // If the cookie exists we will use its value.
 // We don't necessarily want to regenerate it with
@@ -927,7 +970,11 @@ class CI_Security {
 return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name];
 }
- $this->_csrf_hash = md5(uniqid(mt_rand(), TRUE));
+ $rand = $this->get_random_bytes(16);
+ $this->_csrf_hash = ($rand === FALSE)
+ ? md5(uniqid(mt_rand(), TRUE))
+ : bin2hex($rand);
+
+ $this->csrf_set_cookie();
 }
--
cgit v1.2.3-24-g4f1b
From efe33a2187ceb501e3c2038016c89f8423b8bcaa Mon Sep 17 00:00:00 2001
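Review bot: When get_random_bytes() returns FALSE, xss_hash() silently falls back to `md5(uniqid(mt_rand(), TRUE))`, which is far more predictable than the CSPRNG path, and nothing records that the downgrade happened. At minimum mark the branch, e.g. `// Fallback is NOT cryptographically strong; reached only when no CSPRNG source is available`, and consider a log_message() call there so operators can tell which path a deployment is actually on. The same unannotated fallback appears in the `_csrf_set_hash()` hunk at `@@ -927,7 +970,11 @@` on this line.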
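Review bot: `return openssl_random_pseudo_bytes($length);` hands back whatever OpenSSL produced without passing the `$crypto_strong` out-parameter, so on builds where OpenSSL reports a weak source the caller receives non-cryptographic bytes and cannot distinguish them from the /dev/urandom path; pass the flag and fall through to `return FALSE` unless it is TRUE. The /dev/urandom branch has a similar gap: `fread()` may return fewer than `$length` bytes and the short result is still returned, so check the length too, `if ($output !== FALSE && strlen($output) === $length)`. The docblock's `@return string` also omits the FALSE that the first and last `return` statements produce; make it `@return string|bool` and say that FALSE means no usable random source was found.
```php
// … unchanged: length validation, mcrypt and /dev/urandom branches …

if (function_exists('openssl_random_pseudo_bytes'))
{
    $output = openssl_random_pseudo_bytes($length, $is_strong);
    // Only trust the bytes when OpenSSL itself reports a strong source
    if ($output !== FALSE && $is_strong === TRUE)
    {
        return $output;
    }
}

return FALSE;
```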
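Review bot: A freshly generated hash is now always 32 hex characters (both `bin2hex()` of 16 bytes and the md5 fallback), but the value taken from `$_COOKIE` on the hunk's first context line is adopted as `$this->_csrf_hash` as-is, so a malformed or oversized client-supplied cookie becomes the server-side hash for the request. Since the shape is now fixed, validate it before adoption, e.g. `if (isset($_COOKIE[$this->_csrf_cookie_name]) && preg_match('/^[0-9a-f]{32}$/iD', $_COOKIE[$this->_csrf_cookie_name]) === 1)`, and regenerate otherwise; the existing `isset` condition sits above the hunk, so treat that exact line as inferred. The enclosing `_csrf_set_hash()` starts outside this hunk.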
From: Andrey Andreev
Date: Thu, 28 Aug 2014 09:53:44 +0300
Subject: Fix CI_Security::get_random_bytes() length validation
---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index bc224e7e3..782d3e83c 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -559,7 +559,7 @@ class CI_Security {
 */
 public function get_random_bytes($length)
 {
- if (empty($length) OR ! ctype_digit($length))
+ if (empty($length) OR ! ctype_digit((string) $length))
 {
 return FALSE;
 }
--
cgit v1.2.3-24-g4f1b
From a135a18fe99ccf4f27dabc6c4a045e42cd239cea Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Fri, 12 Sep 2014 10:57:02 +0300
Subject: Fix #3228
---
 system/core/Security.php | 2 --
 1 file changed, 2 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 782d3e83c..0dc74a284 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -974,8 +974,6 @@ class CI_Security {
 $this->_csrf_hash = ($rand === FALSE)
 ? md5(uniqid(mt_rand(), TRUE))
 : bin2hex($rand);
-
- $this->csrf_set_cookie();
 }
 return $this->_csrf_hash;
--
cgit v1.2.3-24-g4f1b
From 607d5e287a24403e4578a69f8065d0ede8cce56e Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 17 Sep 2014 14:54:05 +0300
Subject: Fix a defined() check
Close #3233
---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 0dc74a284..181ace20b 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -565,7 +565,7 @@ class CI_Security {
 }
 // Unfortunately, none of the following PRNGs is guaranteed to exist ...
- if (defined(MCRYPT_DEV_URANDOM) && ($output = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM)) !== FALSE)
+ if (defined('MCRYPT_DEV_URANDOM') && ($output = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM)) !== FALSE)
 {
 return $output;
 }
--
cgit v1.2.3-24-g4f1b
From f9a615a5a304a2ead573d6e2869ee4ec7620511e Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Sun, 28 Sep 2014 20:24:06 +0300
Subject: [ci skip] Remove references to 'PHP5' from comments
---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 181ace20b..4b204ad95 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -439,7 +439,7 @@ class CI_Security {
 /*
 * Remove disallowed Javascript in links or img tags
- * We used to do some version comparisons and use of stripos for PHP5,
+ * We used to do some version comparisons and use of stripos(),
 * but it is dog slow compared to these simplified non-capturing
 * preg_match(), especially if the pattern exists in the string
 *
--
cgit v1.2.3-24-g4f1b
From b627430ae60d7c5f13ecc2f289bce8185c218be0 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Tue, 30 Sep 2014 20:30:06 +0300
Subject: Make sure we don't waste entropy
---
 system/core/Security.php | 1 +
 1 file changed, 1 insertion(+)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 4b204ad95..b97df4647 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -573,6 +573,7 @@ class CI_Security {
 if (is_readable('/dev/urandom') && ($fp = fopen('/dev/urandom', 'rb')) !== FALSE)
 {
+ stream_set_chunk_size($fp, $length);
 $output = fread($fp, $length);
 fclose($fp);
 if ($output !== FALSE)
--
cgit v1.2.3-24-g4f1b
From e4b9cd64e2e7185ddf874ddf9861fe21961edb79 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Thu, 2 Oct 2014 02:19:06 +0300
Subject: stream_set_chunk_size() requires PHP 5.4
---
 system/core/Security.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index b97df4647..15a66430a 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -573,7 +573,8 @@ class CI_Security {
 if (is_readable('/dev/urandom') && ($fp = fopen('/dev/urandom', 'rb')) !== FALSE)
 {
- stream_set_chunk_size($fp, $length);
+ // Try not to waste entropy ...
+ is_php('5.4') && stream_set_chunk_size($fp, $length);
 $output = fread($fp, $length);
 fclose($fp);
 if ($output !== FALSE)
--
cgit v1.2.3-24-g4f1b
From d444d445ed0458a352ecb9ff79ffd158677ee805 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Mon, 6 Oct 2014 00:00:08 +0300
Subject: config_item() to return NULL instead of FALSE for non-existing items
Close #3001
Close #3232
Related: #3244
---
 system/core/Security.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 15a66430a..cffdb9ad9 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -158,7 +158,7 @@ class CI_Security {
 public function __construct()
 {
 // Is CSRF protection enabled?
- if (config_item('csrf_protection') === TRUE)
+ if (config_item('csrf_protection'))
 {
 // CSRF config
 foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
@@ -170,9 +170,9 @@ class CI_Security {
 }
 // Append application specific cookie prefix
- if (config_item('cookie_prefix'))
+ if ($cookie_prefix = config_item('cookie_prefix'))
 {
- $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name;
+ $this->_csrf_cookie_name = $cookie_prefix.$this->_csrf_cookie_name;
 }
 // Set the CSRF hash
--
cgit v1.2.3-24-g4f1b
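Review bot: Replacing `=== TRUE` with a plain truthiness test changes which config values enable CSRF protection: any non-empty value other than `'0'` (including the string `'false'`) now turns it on, while NULL, FALSE, `''` and `'0'` keep it off. That is the fail-safe direction, but it is a behavioural change that the commit message, which only talks about config_item()'s NULL return, does not state; add `// Any truthy value enables CSRF protection; config_item() returns NULL when the key is absent` above the `if`, and mention it in the upgrade notes. The second hunk of this commit (`@@ -170,9 +170,9 @@`) only caches the prefix and needs nothing further. The constructor continues outside the hunk.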