From ad4750509885ad5bb368fc308f86d8c06d45b15c Mon Sep 17 00:00:00 2001 From: Timothy Warren Date: Thu, 19 Apr 2012 13:21:06 -0400 Subject: Normalize comments in core files --- system/core/Security.php | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index ac39ce97b..8d81babf2 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -102,6 +102,9 @@ class CI_Security { 'Redirect\s+302' ); + /** + * Initialize security class + */ public function __construct() { // Is CSRF protection enabled? @@ -558,8 +561,8 @@ class CI_Security { * Callback function for xss_clean() to remove whitespace from * things like j a v a s c r i p t * - * @param type - * @return type + * @param array + * @return string */ protected function _compact_exploded_words($matches) { @@ -568,8 +571,8 @@ class CI_Security { // -------------------------------------------------------------------- - /* - * Remove Evil HTML Attributes (like evenhandlers and style) + /** + * Remove Evil HTML Attributes (like event handlers and style) * * It removes the evil attribute and either: * - Everything up until a space -- cgit v1.2.3-24-g4f1b From 40403d21274d5e0792c7ab816ad984d6387d5c20 Mon Sep 17 00:00:00 2001 From: Timothy Warren Date: Thu, 19 Apr 2012 16:38:50 -0400 Subject: Additional formatting fixes --- system/core/Security.php | 84 ++++++++++++++++++++++++------------------------ 1 file changed, 42 insertions(+), 42 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 8d81babf2..139511661 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -41,14 +41,14 @@ class CI_Security { * * @var string */ - protected $_xss_hash = ''; + protected $_xss_hash = ''; /** * Random Hash for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_hash = ''; + protected $_csrf_hash = ''; /** * Expiration time for Cross Site Request Forgery Protection Cookie @@ -56,21 +56,21 @@ class CI_Security { * * @var int */ - protected $_csrf_expire = 7200; + protected $_csrf_expire = 7200; /** * Token name for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_token_name = 'ci_csrf_token'; + protected $_csrf_token_name = 'ci_csrf_token'; /** * Cookie name for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_cookie_name = 'ci_csrf_token'; + protected $_csrf_cookie_name = 'ci_csrf_token'; /** * List of never allowed strings @@ -78,17 +78,17 @@ class CI_Security { * @var array */ protected $_never_allowed_str = array( - 'document.cookie' => '[removed]', - 'document.write' => '[removed]', - '.parentNode' => '[removed]', - '.innerHTML' => '[removed]', - 'window.location' => '[removed]', - '-moz-binding' => '[removed]', - '' => '-->', - ' '<![CDATA[', - '' => '<comment>' - ); + 'document.cookie' => '[removed]', + 'document.write' => '[removed]', + '.parentNode' => '[removed]', + '.innerHTML' => '[removed]', + 'window.location' => '[removed]', + '-moz-binding' => '[removed]', + '' => '-->', + ' '<![CDATA[', + '' => '<comment>' + ); /** * List of never allowed regex replacement @@ -96,11 +96,11 @@ class CI_Security { * @var array */ protected $_never_allowed_regex = array( - 'javascript\s*:', - 'expression\s*(\(|&\#40;)', // CSS and IE - 'vbscript\s*:', // IE, surprise! - 'Redirect\s+302' - ); + 'javascript\s*:', + 'expression\s*(\(|&\#40;)', // CSS and IE + 'vbscript\s*:', // IE, surprise! + 'Redirect\s+302' + ); /** * Initialize security class @@ -365,9 +365,9 @@ class CI_Security { * These words are compacted back to their correct state. */ $words = array( - 'javascript', 'expression', 'vbscript', 'script', - 'applet', 'alert', 'document', 'write', 'cookie', 'window' - ); + 'javascript', 'expression', 'vbscript', 'script', + 'applet', 'alert', 'document', 'write', 'cookie', 'window' + ); foreach ($words as $word) { @@ -525,23 +525,23 @@ class CI_Security { public function sanitize_filename($str, $relative_path = FALSE) { $bad = array( - '../', '', '<', '>', - "'", '"', '&', '$', '#', - '{', '}', '[', ']', '=', - ';', '?', '%20', '%22', - '%3c', // < - '%253c', // < - '%3e', // > - '%0e', // > - '%28', // ( - '%29', // ) - '%2528', // ( - '%26', // & - '%24', // $ - '%3f', // ? - '%3b', // ; - '%3d' // = - ); + '../', '', '<', '>', + "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', + ';', '?', '%20', '%22', + '%3c', // < + '%253c', // < + '%3e', // > + '%0e', // > + '%28', // ( + '%29', // ) + '%2528', // ( + '%26', // & + '%24', // $ + '%3f', // ? + '%3b', // ; + '%3d' // = + ); if ( ! $relative_path) { @@ -841,4 +841,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/core/Security.php */ +/* Location: ./system/core/Security.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 48a7fbbeb53e82e9298036d40c42ec2564699ed0 Mon Sep 17 00:00:00 2001 From: Timothy Warren Date: Mon, 23 Apr 2012 11:58:16 -0400 Subject: Use tabs to separate class properties --- system/core/Security.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 139511661..974e2e428 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -41,14 +41,14 @@ class CI_Security { * * @var string */ - protected $_xss_hash = ''; + protected $_xss_hash = ''; /** * Random Hash for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_hash = ''; + protected $_csrf_hash = ''; /** * Expiration time for Cross Site Request Forgery Protection Cookie @@ -56,28 +56,28 @@ class CI_Security { * * @var int */ - protected $_csrf_expire = 7200; + protected $_csrf_expire = 7200; /** * Token name for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_token_name = 'ci_csrf_token'; + protected $_csrf_token_name = 'ci_csrf_token'; /** * Cookie name for Cross Site Request Forgery Protection Cookie * * @var string */ - protected $_csrf_cookie_name = 'ci_csrf_token'; + protected $_csrf_cookie_name = 'ci_csrf_token'; /** * List of never allowed strings * * @var array */ - protected $_never_allowed_str = array( + protected $_never_allowed_str = array( 'document.cookie' => '[removed]', 'document.write' => '[removed]', '.parentNode' => '[removed]', @@ -95,7 +95,7 @@ class CI_Security { * * @var array */ - protected $_never_allowed_regex = array( + protected $_never_allowed_regex = array( 'javascript\s*:', 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! -- cgit v1.2.3-24-g4f1b From 5335bc317f07f12c0f0bae5ac9189f75fcad0f1c Mon Sep 17 00:00:00 2001 From: Wes Baker Date: Tue, 24 Apr 2012 15:17:14 -0400 Subject: Updating XSS cleaning to better handle base64 encoded attributes. --- system/core/Security.php | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index ac39ce97b..65746637b 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -99,7 +99,8 @@ class CI_Security { 'javascript\s*:', 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! - 'Redirect\s+302' + 'Redirect\s+302', + "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" ); public function __construct() @@ -362,7 +363,7 @@ class CI_Security { * These words are compacted back to their correct state. */ $words = array( - 'javascript', 'expression', 'vbscript', 'script', + 'javascript', 'expression', 'vbscript', 'script', 'base64', 'applet', 'alert', 'document', 'write', 'cookie', 'window' ); @@ -602,10 +603,11 @@ class CI_Security { $attribs = array(); // find occurrences of illegal attribute strings without quotes - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s]*)/is', $str, $matches, PREG_SET_ORDER); + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { + $attribs[] = preg_quote($attr[0], '/'); } @@ -620,7 +622,7 @@ class CI_Security { // replace illegal attribute strings that are inside an html tag if (count($attribs) > 0) { - $str = preg_replace('/<(\/?[^><]+?)([^A-Za-z\-])('.implode('|', $attribs).')([\s><])([><]*)/i', '<$1$2$4$5', $str, -1, $count); + $str = preg_replace("/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(".implode('|', $attribs).")(.*?)([\s><])([><]*)/i", '<$1 $3$5$6$7', $str, -1, $count); } } while ($count); @@ -661,7 +663,7 @@ class CI_Security { protected function _js_link_removal($match) { return str_replace($match[1], - preg_replace('#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) ), @@ -801,7 +803,7 @@ class CI_Security { foreach ($this->_never_allowed_regex as $regex) { - $str = preg_replace('#'.$regex.'#i', '[removed]', $str); + $str = preg_replace('#'.$regex.'#is', '[removed]', $str); } return $str; -- cgit v1.2.3-24-g4f1b From e2c374fc474f91cc1c04aaae68e15cef6984f494 Mon Sep 17 00:00:00 2001 From: Alexander Hofstede Date: Thu, 17 May 2012 00:28:08 +0200 Subject: Check cookie against md5 regex. Otherwise, cookie can contain arbitrary injected code that gets sent back directly to the browser. --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index a3e227437..6f5ac1ed8 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -848,7 +848,7 @@ class CI_Security { // each page load since a page could contain embedded // sub-pages causing this feature to fail if (isset($_COOKIE[$this->_csrf_cookie_name]) && - $_COOKIE[$this->_csrf_cookie_name] != '') + preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->_csrf_cookie_name]) === 1) { return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name]; } -- cgit v1.2.3-24-g4f1b From 92ebfb65ac044f5c2e6d88fba137253854cf1b94 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 17 May 2012 12:49:24 +0300 Subject: Cleanup the core classes --- system/core/Security.php | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index c82b69ff9..81b6602ae 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -102,9 +102,11 @@ class CI_Security { 'Redirect\s+302', "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" ); - + /** * Initialize security class + * + * @return void */ public function __construct() { @@ -201,11 +203,11 @@ class CI_Security { } setcookie( - $this->_csrf_cookie_name, - $this->_csrf_hash, - $expire, - config_item('cookie_path'), - config_item('cookie_domain'), + $this->_csrf_cookie_name, + $this->_csrf_hash, + $expire, + config_item('cookie_path'), + config_item('cookie_domain'), $secure_cookie, config_item('cookie_httponly') ); @@ -626,7 +628,7 @@ class CI_Security { // replace illegal attribute strings that are inside an html tag if (count($attribs) > 0) { - $str = preg_replace("/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(".implode('|', $attribs).")(.*?)([\s><])([><]*)/i", '<$1 $3$5$6$7', $str, -1, $count); + $str = preg_replace('/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><])([><]*)/i', '<$1 $3$5$6$7', $str, -1, $count); } } while ($count); @@ -844,4 +846,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/core/Security.php */ +/* Location: ./system/core/Security.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 6c7526c95b3fbd502dc8105a67fd38da793caa4e Mon Sep 17 00:00:00 2001 From: Taufan Aditya Date: Sun, 27 May 2012 13:51:27 +0700 Subject: Continuation for Security and Table code-coverage, add coverage report to travis --- system/core/Security.php | 1 + 1 file changed, 1 insertion(+) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index f953011eb..9b7ba5799 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -191,6 +191,7 @@ class CI_Security { * Set Cross Site Request Forgery Protection Cookie * * @return object + * @codeCoverageIgnore */ public function csrf_set_cookie() { -- cgit v1.2.3-24-g4f1b From ed944a3c70a0bad158cd5a6ca5ce1f2e717aff5d Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sat, 2 Jun 2012 11:07:47 +0100 Subject: Replaced `==` with `===` and `!=` with `!==` in /system/core --- system/core/Security.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 9b7ba5799..9cbcd9248 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -162,7 +162,7 @@ class CI_Security { // Do the tokens exist in both the _POST and _COOKIE arrays? if ( ! isset($_POST[$this->_csrf_token_name]) OR ! isset($_COOKIE[$this->_csrf_cookie_name]) - OR $_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match? + OR $_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match? { $this->csrf_show_error(); } @@ -408,7 +408,7 @@ class CI_Security { $str = preg_replace('#<(/*)(script|xss)(.*?)\>#si', '[removed]', $str); } } - while($original != $str); + while($original !== $str); unset($original); @@ -475,7 +475,7 @@ class CI_Security { */ public function xss_hash() { - if ($this->_xss_hash == '') + if ($this->_xss_hash === '') { mt_srand(); $this->_xss_hash = md5(time() + mt_rand(0, 1999999999)); @@ -825,7 +825,7 @@ class CI_Security { */ protected function _csrf_set_hash() { - if ($this->_csrf_hash == '') + if ($this->_csrf_hash === '') { // If the cookie exists we will use it's value. // We don't necessarily want to regenerate it with -- cgit v1.2.3-24-g4f1b From 9ba661b02c492e89028e5c67b7edbfc0efefc9f1 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 4 Jun 2012 14:44:34 +0300 Subject: Revert/optimize some changes from ed944a3c70a0bad158cd5a6ca5ce1f2e717aff5d --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 9cbcd9248..4593a1090 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -847,4 +847,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/core/Security.php */ +/* Location: ./system/core/Security.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b