From 53437de1f94dd4c0ab270f0c6d2309344d323d9e Mon Sep 17 00:00:00 2001 From: Derek Jones Date: Mon, 12 May 2008 18:07:08 +0000 Subject: Added protection in xss_clean() for GET variables in URLs http://codeigniter.com/bug_tracker/bug/4167/ --- system/libraries/Input.php | 58 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 3 deletions(-) (limited to 'system') diff --git a/system/libraries/Input.php b/system/libraries/Input.php index ee7e9ad31..9b012d320 100644 --- a/system/libraries/Input.php +++ b/system/libraries/Input.php @@ -28,6 +28,7 @@ */ class CI_Input { var $use_xss_clean = FALSE; + var $xss_hash = ''; var $ip_address = FALSE; var $user_agent = FALSE; var $allow_get_array = FALSE; @@ -530,7 +531,21 @@ class CI_Input { * @return string */ function xss_clean($str) - { + { + /* + * Is the string an array? + * + */ + if (is_array($str)) + { + while (list($key) = each($str)) + { + $str[$key] = $this->xss_clean($str[$key]); + } + + return $str; + } + /* * Remove Null Characters * @@ -541,6 +556,14 @@ class CI_Input { $str = preg_replace('/\0+/', '', $str); $str = preg_replace('/(\\\\0)+/', '', $str); + /* + * Protect GET variables in URLs + */ + + // 901119URL5918AMP18930PROTECT8198 + + $str = preg_replace('|\&([a-z\_0-9]+)\=([a-z\_0-9]+)|i', $this->xss_hash()."\\1=\\2", $str); + /* * Validate standard character entities * @@ -558,6 +581,12 @@ class CI_Input { */ $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str); + /* + * Un-Protect GET variables in URLs + */ + + $str = str_replace($this->xss_hash(), '&', $str); + /* * URL Decode * @@ -796,6 +825,29 @@ class CI_Input { // -------------------------------------------------------------------- + /** + * Random Hash for protecting URLs + * + * @access public + * @return string + */ + function xss_hash() + { + if ($this->xss_hash == '') + { + if (phpversion() >= 4.2) + mt_srand(); + else + mt_srand(hexdec(substr(md5(microtime()), -8)) & 0x7fffffff); + + $this->xss_hash = md5(time() + mt_rand(0, 1999999999)); + } + + return $this->xss_hash; + } + + // -------------------------------------------------------------------- + /** * JS Link Removal * @@ -923,6 +975,6 @@ class CI_Input { } // END Input class - -/* End of file Input.php */ + +/* End of file Input.php */ /* Location: ./system/libraries/Input.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b