From 23719ab569c9c8d6b791f65d7861daba3895ddcb Mon Sep 17 00:00:00 2001
From: Hunter Wu
Date: Thu, 1 Aug 2013 23:15:13 +0800
Subject: Add windows filename rule as an option for upload files
---
 system/core/Security.php | 51 ++++++++++++++++++++++++++++++------------------
 1 file changed, 32 insertions(+), 19 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 196d61144..cd1cb1ab4 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -114,6 +114,36 @@ class CI_Security {
 "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
 );
+ /**
+ * List of bad chars for sanitize filename
+ *
+ * @var array
+ */
+ private $_filename_bad_str_rules = array(
+ 'default' => array(
+ '../', '', '<', '>',
+ "'", '"', '&', '$', '#',
+ '{', '}', '[', ']', '=',
+ ';', '?', '%20', '%22',
+ '%3c', // <
+ '%253c', // <
+ '%3e', // >
+ '%0e', // >
+ '%28', // (
+ '%29', // )
+ '%2528', // (
+ '%26', // &
+ '%24', // $
+ '%3f', // ?
+ '%3b', // ;
+ '%3d' // =
+ ),
+ 'windows' => array(
+ '\\', '/', ':', '*', '?',
+ '"', '<', '>', '|',
+ ),
+ );
+
 /**
 * Class constructor
 *
@@ -547,26 +577,9 @@ class CI_Security {
 * @param bool $relative_path Whether to preserve paths
 * @return string
 */
- public function sanitize_filename($str, $relative_path = FALSE)
+ public function sanitize_filename($str, $relative_path = FALSE, $rule = 'default')
 {
- $bad = array(
- '../', '', '<', '>',
- "'", '"', '&', '$', '#',
- '{', '}', '[', ']', '=',
- ';', '?', '%20', '%22',
- '%3c', // <
- '%253c', // <
- '%3e', // >
- '%0e', // >
- '%28', // (
- '%29', // )
- '%2528', // (
- '%26', // &
- '%24', // $
- '%3f', // ?
- '%3b', // ;
- '%3d' // =
- );
+ $bad = $this->_filename_bad_str_rules[$rule];
 if ( ! $relative_path)
 {
-- 
cgit v1.2.3-24-g4f1b
From 8df3352dff5f734c1b3831fdc131f676a9850d51 Mon Sep 17 00:00:00 2001
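Review bot: `$bad = $this->_filename_bad_str_rules[$rule];` trusts `$rule` as an array key; an unknown value raises an undefined-index notice and leaves `$bad` as NULL, so whatever the rest of sanitize_filename() (outside the hunk) does with it starts from an empty list instead of the default one. Guard the lookup: `$bad = isset($this->_filename_bad_str_rules[$rule]) ? $this->_filename_bad_str_rules[$rule] : $this->_filename_bad_str_rules['default'];`. The `'windows'` list in the first hunk is also an alternative to, not an extension of, the default list: it drops the URL-encoded variants (`%3c`, `%2528`, …) and, because it always contains `'/'` and `'\\'`, it makes the `$relative_path` flag meaningless under that rule, whereas merging the selected list into `'default'` and leaving separators to the existing `$relative_path` branch would keep both behaviours. The docblock above the signature is not updated for the new parameter; add `* @param string $rule Name of the bad-string rule set ('default' or 'windows')`.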
From: Hunter Wu
Date: Sat, 3 Aug 2013 22:36:05 +0800
Subject: Revert "Add windows filename rule as an option for upload files"
This reverts commit 23719ab569c9c8d6b791f65d7861daba3895ddcb.
---
 system/core/Security.php | 51 ++++++++++++++++++------------------------
 1 file changed, 19 insertions(+), 32 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index cd1cb1ab4..196d61144 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -114,36 +114,6 @@ class CI_Security {
 "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
 );
- /**
- * List of bad chars for sanitize filename
- *
- * @var array
- */
- private $_filename_bad_str_rules = array(
- 'default' => array(
- '../', '', '<', '>',
- "'", '"', '&', '$', '#',
- '{', '}', '[', ']', '=',
- ';', '?', '%20', '%22',
- '%3c', // <
- '%253c', // <
- '%3e', // >
- '%0e', // >
- '%28', // (
- '%29', // )
- '%2528', // (
- '%26', // &
- '%24', // $
- '%3f', // ?
- '%3b', // ;
- '%3d' // =
- ),
- 'windows' => array(
- '\\', '/', ':', '*', '?',
- '"', '<', '>', '|',
- ),
- );
-
 /**
 * Class constructor
 *
@@ -577,9 +547,26 @@ class CI_Security {
 * @param bool $relative_path Whether to preserve paths
 * @return string
 */
- public function sanitize_filename($str, $relative_path = FALSE, $rule = 'default')
+ public function sanitize_filename($str, $relative_path = FALSE)
 {
- $bad = $this->_filename_bad_str_rules[$rule];
+ $bad = array(
+ '../', '', '<', '>',
+ "'", '"', '&', '$', '#',
+ '{', '}', '[', ']', '=',
+ ';', '?', '%20', '%22',
+ '%3c', // <
+ '%253c', // <
+ '%3e', // >
+ '%0e', // >
+ '%28', // (
+ '%29', // )
+ '%2528', // (
+ '%26', // &
+ '%24', // $
+ '%3f', // ?
+ '%3b', // ;
+ '%3d' // =
+ );
 if ( ! $relative_path)
 {
-- 
cgit v1.2.3-24-g4f1b
From a8d6d3b13a0086c86e3dd69f0376be3a6982bc16 Mon Sep 17 00:00:00 2001
From: Hunter Wu
Date: Sat, 3 Aug 2013 23:17:45 +0800
Subject: Make the bad filename array public in Security library
---
 system/core/Security.php | 56 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 38 insertions(+), 18 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 196d61144..3d04d5e12 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -37,6 +37,30 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 */
 class CI_Security {
+ /**
+ * List of sanitize filename strings
+ *
+ * @var array
+ */
+ public $sanitize_filename_str = array(
+ '../', '', '<', '>',
+ "'", '"', '&', '$', '#',
+ '{', '}', '[', ']', '=',
+ ';', '?', '%20', '%22',
+ '%3c', // <
+ '%253c', // <
+ '%3e', // >
+ '%0e', // >
+ '%28', // (
+ '%29', // )
+ '%2528', // (
+ '%26', // &
+ '%24', // $
+ '%3f', // ?
+ '%3b', // ;
+ '%3d' // =
+ );
+
 /**
 * XSS Hash
 *
@@ -540,6 +564,19 @@ class CI_Security {
 // --------------------------------------------------------------------
+ /**
+ * Set Sanitize Filename Strings
+ *
+ * @param array $strings
+ * @return void
+ */
+ public function set_sanitize_filename_str($strings)
+ {
+ $this->sanitize_filename_str = $strings;
+ }
+
+ // --------------------------------------------------------------------
+
 /**
 * Sanitize Filename
 *
@@ -549,24 +586,7 @@ class CI_Security {
 */
 public function sanitize_filename($str, $relative_path = FALSE)
 {
- $bad = array(
- '../', '', '<', '>',
- "'", '"', '&', '$', '#',
- '{', '}', '[', ']', '=',
- ';', '?', '%20', '%22',
- '%3c', // <
- '%253c', // <
- '%3e', // >
- '%0e', // >
- '%28', // (
- '%29', // )
- '%2528', // (
- '%26', // &
- '%24', // $
- '%3f', // ?
- '%3b', // ;
- '%3d' // =
- );
+ $bad = $this->sanitize_filename_str;
 if ( ! $relative_path)
 {
-- 
cgit v1.2.3-24-g4f1b
From 4495cc740c1c0e382cc62d3d174abd17c0b4d84f Mon Sep 17 00:00:00 2001
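Review bot: The comment on `'%0e', // >` does not match its value: `%0e` is the byte 0x0E (a control character), while `>` is `%3e`, which is already listed two entries above. Either the comment should say what `%0e` actually blocks, or the entry was meant to be a further encoding of `>` (the double-encoded `%253e` would mirror the `%253c` entry kept for `<`) — confirm which and fix it, since with the list now public this comment is the only description of each entry's purpose. The same mismatch is present in the earlier hunks that carry this list.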
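Review bot: `set_sanitize_filename_str($strings)` replaces the entire list without checking that `$strings` is an array, so a caller passing a subset, an empty array or a scalar silently weakens sanitize_filename() (the `../` entry included) rather than extending it, and the docblock says nothing about that. If the intent is to let applications add patterns, make the contract additive and typed: `public function set_sanitize_filename_str(array $strings) { $this->sanitize_filename_str = array_merge($this->sanitize_filename_str, $strings); }`; otherwise document on the method that the argument replaces the built-in list. The same caveat applies to direct assignment, since the property itself is declared public in the first hunk.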
From: Hunter Wu
Date: Sun, 4 Aug 2013 12:31:52 +0800
Subject: Rename bad chars property to filename_bad_chars, remove the setter and add changelog entry
---
 system/core/Security.php | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 3d04d5e12..70cf3e013 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -42,7 +42,7 @@ class CI_Security {
 *
 * @var array
 */
- public $sanitize_filename_str = array(
+ public $filename_bad_chars = array(
 '../', '', '<', '>',
 "'", '"', '&', '$', '#',
 '{', '}', '[', ']', '=',
@@ -564,19 +564,6 @@ class CI_Security {
 // --------------------------------------------------------------------
- /**
- * Set Sanitize Filename Strings
- *
- * @param array $strings
- * @return void
- */
- public function set_sanitize_filename_str($strings)
- {
- $this->sanitize_filename_str = $strings;
- }
-
- // --------------------------------------------------------------------
-
 /**
 * Sanitize Filename
 *
@@ -586,7 +573,7 @@ class CI_Security {
 */
 public function sanitize_filename($str, $relative_path = FALSE)
 {
- $bad = $this->sanitize_filename_str;
+ $bad = $this->filename_bad_chars;
 if ( ! $relative_path)
 {
-- 
cgit v1.2.3-24-g4f1b
From 46e77e0d28cf6c057484df022a012e85de2f79b6 Mon Sep 17 00:00:00 2001
From: David Cox Jr
Date: Thu, 3 Oct 2013 16:56:04 -0400
Subject: partial fix #2667
this fixes the ability to replace a space with a / and skip the XSS filtering
---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 70cf3e013..368e17dc3 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -603,7 +603,7 @@ class CI_Security {
 */
 public function strip_image_tags($str)
 {
- return preg_replace(array('##', '##'), '\\1', $str);
+ return preg_replace(array('##', '##'), '\\1', $str);
 }
 // ----------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b
From 3a3d5f6c2320a90436de241af41fe22df7344728 Mon Sep 17 00:00:00 2001
From: vlakoff
Date: Thu, 17 Oct 2013 22:22:16 +0200
Subject: Replace the last rand() with mt_rand()
Better entropy, faster. Also fixed a few "it's" typos.
---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 368e17dc3..6f5f5cb90 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -884,7 +884,7 @@ class CI_Security {
 {
 if ($this->_csrf_hash === '')
 {
- // If the cookie exists we will use it's value.
+ // If the cookie exists we will use its value.
 // We don't necessarily want to regenerate it with
 // each page load since a page could contain embedded
 // sub-pages causing this feature to fail
@@ -894,7 +894,7 @@ class CI_Security {
 return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name];
 }
- $this->_csrf_hash = md5(uniqid(rand(), TRUE));
+ $this->_csrf_hash = md5(uniqid(mt_rand(), TRUE));
 $this->csrf_set_cookie();
 }
-- 
cgit v1.2.3-24-g4f1b
From 3fa729d7092c814fe14e15d8d51789ce7907f2a8 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Fri, 18 Oct 2013 20:57:41 +0300
Subject: Fix issue #2681 (alternative to PR #2690)
---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 6f5f5cb90..5c5c0efb6 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
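Review bot: `$this->_csrf_hash = md5(uniqid(mt_rand(), TRUE));` still does not give the CSRF token a secure source: `mt_rand()` is a Mersenne Twister seeded with 32 bits and is predictable, `uniqid()` is derived from the clock, and md5() adds no entropy, so the "better entropy" in the commit message does not hold for this use. Prefer the OS CSPRNG where the extension is present and keep the current expression only as a fallback: `$this->_csrf_hash = function_exists('openssl_random_pseudo_bytes') ? bin2hex(openssl_random_pseudo_bytes(16)) : md5(uniqid(mt_rand(), TRUE));`. The context line `return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name];` also adopts the cookie value without checking its shape; requiring a 32-character hex string (`preg_match('/^[0-9a-f]{32}$/iS', ...)`) before accepting it would keep a malformed or oversized cookie from becoming the hash that is presumably echoed into forms. The enclosing method starts outside the hunk.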
@@ -553,9 +553,9 @@ class CI_Security {
 {
 $matches = $matches1 = 0;
+ $str = preg_replace('~(�*[0-9a-f]{2,5});?~iS', $str, -1, $matches);
+ $str = preg_replace('~(&#\d{2,4});?~S', $str, -1, $matches1);
 $str = html_entity_decode($str, ENT_COMPAT, $charset);
- $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches);
- $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1);
 }
 while ($matches OR $matches1);
-- 
cgit v1.2.3-24-g4f1b
From e08411d72226ba5b2f97b519051f78d978747e18 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Fri, 18 Oct 2013 21:13:56 +0300
Subject: Eh ... preg_replace() needs a replacement
---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 5c5c0efb6..9423f825c 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -553,8 +553,8 @@ class CI_Security {
 {
 $matches = $matches1 = 0;
- $str = preg_replace('~(�*[0-9a-f]{2,5});?~iS', $str, -1, $matches);
- $str = preg_replace('~(&#\d{2,4});?~S', $str, -1, $matches1);
+ $str = preg_replace('~(�*[0-9a-f]{2,5});?~iS', '$1;', $str, -1, $matches);
+ $str = preg_replace('~(&#\d{2,4});?~S', '$1;', $str, -1, $matches1);
 $str = html_entity_decode($str, ENT_COMPAT, $charset);
 }
 while ($matches OR $matches1);
-- 
cgit v1.2.3-24-g4f1b
From 1bbc5644b0c306ff72dc1228b169db56902fc031 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Tue, 7 Jan 2014 12:45:27 +0200
Subject: Fix #2268 (manually implementing PR #2269)
---
 system/core/Security.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 9423f825c..0944fef92 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
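Review bot: The exit condition `while ($matches OR $matches1);` counts pattern matches rather than checking that the string changed, and both patterns match every numeric entity on every pass (the `;?` consumes an existing semicolon and `'$1;'` puts it back). If `html_entity_decode()` leaves a numeric entity in place — for instance one the target `$charset` cannot represent; confirm against the PHP versions in use — the counts never reach zero and this loop does not terminate on that input. Terminating when the string becomes stable avoids that: add `$str_compare = $str;` as the first statement of the loop body and end it with `while ($str_compare !== $str);`. The #2829 hunk further down keeps the same condition (`while ($m1 OR $m2);`), so the change applies there as well. The do/while and the enclosing method begin outside the hunk.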
@@ -117,7 +117,6 @@ class CI_Security {
 'document.write' => '[removed]',
 '.parentNode' => '[removed]',
 '.innerHTML' => '[removed]',
- 'window.location' => '[removed]',
 '-moz-binding' => '[removed]',
 '' => '-->',
@@ -132,6 +131,7 @@ class CI_Security {
 */
 protected $_never_allowed_regex = array(
 'javascript\s*:',
+ '(document|(document\.)?window)\.(location|on\w*)',
 'expression\s*(\(|&\#40;)', // CSS and IE
 'vbscript\s*:', // IE, surprise!
 'Redirect\s+302',
@@ -648,8 +648,8 @@ class CI_Security {
 */
 protected function _remove_evil_attributes($str, $is_image)
 {
- // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
- $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
+ // Formaction, style, and xmlns
+ $evil_attributes = array('style', 'xmlns', 'formaction');
 if ($is_image === TRUE)
 {
-- 
cgit v1.2.3-24-g4f1b
From 99e2f8e2397ec4bf3ce5637d5a660a122aaa7b1b Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Sun, 19 Jan 2014 00:04:44 +0200
Subject: Fix #2829
---
 system/core/Security.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 0944fef92..4c01da2b8 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -551,13 +551,13 @@ class CI_Security {
 do
 {
- $matches = $matches1 = 0;
+ $m1 = $m2 = 0;
- $str = preg_replace('~(�*[0-9a-f]{2,5});?~iS', '$1;', $str, -1, $matches);
- $str = preg_replace('~(&#\d{2,4});?~S', '$1;', $str, -1, $matches1);
+ $str = preg_replace('/(�*[0-9a-f]{2,5})(?![0-9a-f;])/iS', '$1;', $str, -1, $m1);
+ $str = preg_replace('/(&#\d{2,4})(?![0-9;])/S', '$1;', $str, -1, $m2);
 $str = html_entity_decode($str, ENT_COMPAT, $charset);
 }
- while ($matches OR $matches1);
+ while ($m1 OR $m2);
 return $str;
 }
-- 
cgit v1.2.3-24-g4f1b
From 4d0571666d03511ac5b4a1f2a6882ccb1509a209 Mon Sep 17 00:00:00 2001
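Review bot: Dropping `'on\w*'` from `$evil_attributes` in the _remove_evil_attributes() hunk removes the only attribute-level handling of inline event handlers visible on this page, and the regex added to `$_never_allowed_regex` in the second hunk, `(document|(document\.)?window)\.(location|on\w*)`, only matches script-style property access such as `window.onload` — it does not match an `on*` attribute on a tag. Unless another pass outside these hunks strips such attributes, markup carrying event-handler attributes on otherwise permitted tags would now pass xss_clean() untouched, which is a larger regression than the false positives #2268 presumably reported. If the problem was `on\w*` matching ordinary words, a pattern that requires attribute context (`on\w+\s*=`) would address that without abandoning the removal, and the new comment `// Formaction, style, and xmlns` should then describe the event-handler case again. The body of _remove_evil_attributes() continues outside the hunk, so how the list is applied is not visible here.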
From: Andrey Andreev
Date: Mon, 20 Jan 2014 11:17:34 +0200
Subject: Fix #2729
---
 system/core/Security.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'system/core/Security.php')
diff --git a/system/core/Security.php b/system/core/Security.php
index 4c01da2b8..95957a3d8 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -837,14 +837,15 @@ class CI_Security {
 * Add a semicolon if missing. We do this to enable
 * the conversion of entities to ASCII later.
 */
- $str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', '\\1;\\2', $str);
+ $str = preg_replace('/(&#\d{2,4})(?![0-9;])/', '$1;', $str);
+ $str = preg_replace('/(&[a-z]{2,})(?![a-z;])/i', '$1;', $str);
 /*
 * Validate UTF16 two byte encoding (x00)
 *
 * Just as above, adds a semicolon if missing.
 */
- $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i', '\\1\\2;', $str);
+ $str = preg_replace('/(�*[0-9a-f]{2,5})(?![0-9a-f;])/i', '$1;', $str);
 /*
 * Un-Protect GET variables in URLs
-- 
cgit v1.2.3-24-g4f1b
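Review bot: `(&[a-z]{2,})(?![a-z;])` breaks named entities that contain digits: on `&frac12` or `&sup2` the match ends at the last letter, the lookahead accepts the following digit, and the replacement produces `&frac;12`, which no longer decodes to anything. Letting both the name and the lookahead include digits fixes it: `$str = preg_replace('/(&[a-z][a-z0-9]+)(?![a-z0-9;])/i', '$1;', $str);` (backtracking still declines an already-terminated `&amp;`). The three normalisations added here also duplicate the ones in the decode loop from the #2681/#2829 hunks above, with a different modifier set on the hex pattern; one private helper called from both places would keep them from drifting apart. The enclosing method (xss_clean(), judging by the surrounding comments) starts and ends outside the hunk.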