Home > Article > Backend Development > CI framework source code reading---------Security.php_PHP tutorial

CI framework source code reading---------Security.php_PHP tutorial

WBOYOriginal: 2016-07-14 10:09:21901browse

[php]

/**

* CodeIgniter

* An open source application development framework for PHP 5.1.6 or newer

* @package CodeIgniter

* @author ExpressionEngine Dev Team

* @license http://codeigniter.com/user_guide/license.html

* @link http://codeigniter.com

* @since Version 1.0

* @filesource

// ------------------------------------------------------------------------

/**

* Security Class

* This class contains some methods that can help you create secure applications and process input data securely.

* The address of CI official manual for this category: http://codeigniter.org.cn/user_guide/libraries/security.html

* @package CodeIgniter

* @subpackage Libraries

* @category Security

* @author ExpressionEngine Dev Team

* @link http://codeigniter.com/user_guide/libraries/security.html

class CI_Security {

/**

* Random Hash for protecting URLs

* Random hash value to protect URL (cross-site scripting attack)

* @var string

* @access protected

protected $_xss_hash = '';

/**

* Random Hash for Cross Site Request Forgery Protection Cookie

* Random hash to prevent cross-site requests from forging cookies

* @var string

* @access protected

protected $_csrf_hash = '';

/**

* Expiration time for Cross Site Request Forgery Protection Cookie

* Defaults to two hours (in seconds)

* Cross-site request protection cookie expiration time, the default is 2 hours (unit seconds)

* @var int

* @access protected

protected $_csrf_expire = 7200;

/**

* Token name for Cross Site Request Forgery Protection Cookie

* Cookie token name for cross-site request forgery protection

* @var string

* @access protected

protected $_csrf_token_name = 'ci_csrf_token';

/**

* Cookie name for Cross Site Request Forgery Protection Cookie

* Cookie name of the cookie for cross-site request forgery protection

* @var string

* @access protected

protected $_csrf_cookie_name = 'ci_csrf_token';

/**

* List of never allowed strings

* List of strings that are never allowed

* @var array

* @access protected

protected $_never_allowed_str = array(

'document.cookie' => '[removed]',

'document.write' => '[removed]',

'.parentNode' => '[removed]',

'.innerHTML' => '[removed]',

'window.location' => '[removed]',

'-moz-binding' => '[removed]',

'' => '-->',

' '

'' => ''

);

/* never allowed, regex replacement */

/**

* List of never allowed regex replacement

* List of disallowed regular replacement strings

* @var array

* @access protected

protected $_never_allowed_regex = array(

'javascripts*:',

'expressions*((|()', // CSS and IE

'vbscripts*:', // IE, surprise!

'Redirects+302',

"(["'])?datas*:[^\1]*?base64[^\1]*?,[^\1]*?\1?"

);

/**

* Constructor

* @return void

public function __construct()

{

// Is CSRF protection enabled?

// csrf 是否开启

if (config_item('csrf_protection') === TRUE)

{

// CSRF config 读取CSRF 配置并赋值给本类下的对应的属性

foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)

{

if (FALSE !== ($val = config_item($key)))

{

$this->{'_'.$key} = $val;

}

// Append application specific cookie prefix

// 添加应用指定的cookie前缀

if (config_item('cookie_prefix'))

{

$this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name;

}

// Set the CSRF hash

// 设置CSRF hash

$this->_csrf_set_hash();

}

log_message('debug', "Security Class Initialized");

}

// --------------------------------------------------------------------

/**

* Verify Cross Site Request Forgery Protection

* 验证跨站请求伪造保护

* @return object

public function csrf_verify()

{

// If it's not a POST request we will set the CSRF cookie

// If it is not a post request, we need to set the CSRF cookie

if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')

{

return $this->csrf_set_cookie();

} }

// Do the tokens exist in both the _POST and _COOKIE arrays?

// If the request token does not exist, call csrf_show_error to report an error

if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]))

{

$this->csrf_show_error();

} }

// Do the tokens match?

// If the token is incorrect, an error will be reported.

if ($_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name])

{

$this->csrf_show_error();

} }

// We kill this since we're done and we don't want to

// pollute the _POST array

// Destroy the sign because we don’t want to pollute the _POST array

unset($_POST[$this->_csrf_token_name]);

// Nothing should last forever

// Destroy cookie name and reset hash and cookie

unset($_COOKIE[$this->_csrf_cookie_name]);

$this->_csrf_set_hash();

$this->csrf_set_cookie();

log_message('debug', 'CSRF token verified');

return $this;

}

//------------------------------------------------ -----------------------

/**

* Set Cross Site Request Forgery Protection Cookie

* Set fake cookies to protect cross-site requests

* @return object

public function csrf_set_cookie()

{

$expire = time() + $this->_csrf_expire;

$secure_cookie = (config_item('cookie_secure') === TRUE) ? 1 : 0;

// Set cookie when https exists

if ($secure_cookie && (emptyempty($_SERVER['HTTPS']) OR strtolower($_SERVER['HTTPS']) === 'off'))

{

return FALSE;

} }

// Set cookie

setcookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), $secure_cookie);

log_message('debug', "CRSF cookie Set");

return $this;

}

//------------------------------------------------ -----------------------

/**

* Show CSRF Error

* Show CSRF error

* @return void

public function csrf_show_error()

{

show_error('The action you have requested is not allowed.');

}

// --------------------------------------------------------------------

/**

* Get CSRF Hash

* 获取CSRF hash

* Getter Method

* @return string self::_csrf_hash

public function get_csrf_hash()

{

return $this->_csrf_hash;

}

// --------------------------------------------------------------------

/**

* Get CSRF Token Name

* Get CSRF order ranking

* Getter Method

* @return string self::csrf_token_name

public function get_csrf_token_name()

{

return $this->_csrf_token_name;

}

// --------------------------------------------------------------------

/**

* XSS Clean

* Sanitizes data so that Cross Site Scripting Hacks can be

* prevented.Prevent This function does a fair amount of work but

* it is extremely thorough, designed to prevent even the

* most obscure XSS attempts. Nothing is ever 100% foolproof,

* of course, but I haven't been able to get anything passed

* the filter.

* Filter data to prevent cross-site scripting attacks. This function does some work, but it's very thorough,

* Even prevents most obscure XSS attempts. Of course, nothing is 100% safe,

* But we have done all we can think of in this filter.

* Note: This function should only be used to deal with data

* upon submission. It's not something that should

* be used for general runtime processing.

* Note: This function can only be used to process submitted data.

* This function should not be used during normal operation.

* This function was based in part on some code and ideas I

* got from Bitflux: http://channel.bitflux.ch/wiki/XSS_Prevention

* To help develop this script I used this great list of

* vulnerabilities along with a few other hacks I've

* harvested from examining vulnerabilities in other programs:

* http://ha.ckers.org/xss.html

* @param mixed string or array

* @param bool

* @return string

public function xss_clean($str, $is_image = FALSE)

{

* Is the string an array?

* 需要过滤的字符串是数组吗？

if (is_array($str))

{

while (list($key) = each($str))

$str[$key] = $this->xss_clean($str[$key]);

}

return $str;

} }

* Remove Invisible Characters

* Remove invisible characters

$str = remove_invisible_characters($str);

// Validate Entities in URLs

// Verify the character entity in the URL

$str = $this->_validate_entities($str);

* URL Decode

* URL decoding

* Just in case stuff like this is submitted:

* Prevent things like the following from being submitted

* Google

* *

* Note: Use rawurldecode() so it does not remove plus signs

* rawurldecode() does not decode the plus sign ('+') into a space, while urldecode() does.

* *

$str = rawurldecode($str);

* Convert character entities to ASCII

* Convert physical characters into ASCII code

* This makes our test below reliable, we only convert tags within entities because these are the entities that will cause security issues

* This permits our tests below to work reliably.

* We only convert entities that are within tags since

* these are the ones that will pose security problems.

* *

$str = preg_replace_callback("/[a-z]+=(['"]).*?\1/si", array($this, '_convert_attribute'), $str);

$str = preg_replace_callback("/|<|$)/si", array($this, '_decode_entity'), $str);

* Remove Invisible Characters Again!

* Remove invisible characters again

$str = remove_invisible_characters($str);

* Convert all tabs to spaces

* Convert all tab characters to spaces

* This prevents strings like this: ja vascript

* This is used to prevent strings similar to javascript

* NOTE: we deal with spaces between characters later.

* Note: We will deal with the spaces between characters later

* NOTE: preg_replace was found to be amazingly slow here on

* large blocks of data, so we use str_replace.

* Note: preg_replace is extremely slow here for large chunks of data, so use str_replace

* *

if (strpos($str, "t") !== FALSE)

{

$str = str_replace("t", ' ', $str);

} }

* Capture capture converted string for later comparison

* Capture the converted string for later comparison

$converted_string = $str;

// Remove Strings that are never allowed

// Delete strings that are not allowed

$str = $this->_do_never_allowed($str);

* Makes PHP tags safe

* Make PHP tags safe

* Note: XML tags are inadvertently replaced too:

* Note: XML tags can also be unintentionally replaced

* *

* But it doesn't seem to pose a problem.

* But it doesn’t seem to be a problem

if ($is_image === TRUE)

{

// Images have a tendency to have the PHP short opening and

// closing tags every so often so we skip those and only

// do the long opening tags.

$str = preg_replace('/

} }

else

{

$str = str_replace(array(''), array(''), $str);

} }

* Compact any exploded words

* Compress all decomposed words

* This corrects words like: j a v a s c r i p t

* These words are compacted back to their correct state.

$words = array(

'javascript', 'expression', 'vbscript', 'script', 'base64',

'applet', 'alert', 'document', 'write', 'cookie', 'window'

);

foreach ($words as $word)

{

$temp = '';

for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++)

$temp .= substr($word, $i, 1)."s*";

}

// That way valid stuff like "dealer to" does not become ""dealerto"

$str = preg_replace_callback('#('.substr($temp, 0, -3).')(W)#is', array($this, '_compact_exploded_words'), $str);

} }

* Remove disallowed Javascript in links or img tags

* Remove javascript code that is not allowed in link and image tags

* We used to do some version comparisons and use of stripos for PHP5,

* We usually use stripos in PHP5 to do some version comparisons,

* but it is dog slow compared to these simplified non-capturing

* But especially when the pattern exists in the string, it is much slower than the non-capturing preg_match()

* preg_match(), especially if the pattern exists in the string

{

$original = $str;

if (preg_match("/

$str = preg_replace_callback("#]*?)(>|$)#si", array($this, '_js_link_removal'), $str);

}

if (preg_match("/

$str = preg_replace_callback("#]*?)(s?/?>|$)#si", array($this, '_js_img_removal'), $str);

}

if (preg_match("/script/i", $str) OR preg_match("/xss/i", $str))

$str = preg_replace("#<(/*)(script|xss)(.*?)>#si", '[removed]', $str);

}

} }

while($original != $str);

unset($original);

// Remove evil attributes such as style, onclick and xmlns

// Remove harmful attributes, such as style, onclick, xmlns

$str = $this->_remove_evil_attributes($str, $is_image);

* Sanitize naughty HTML elements

* Clean inappropriate HTML elements

* If a tag containing any of the words in the list

* below is found, the tag gets converted to entities.

* If a tag contains any of the words in the list below, the tag is converted to a character entity

* So this:

* Becomes:

$str = preg_replace_callback('#<(/*s*)('.$naughty.')([^><]*)([><]*)#is', array ($this, '_sanitize_naughty_html'), $str);

* Sanitize naughty scripting elements

* Clean up illegal script elements

* tags it looks for PHP and JavaScript commands

* that are disallowed. Rather than removing the

* code, it simply converts the parenthesis to entities

* rendering the code un-executable.

* Rather than removing the code, it is better to convert the code into a non-executable entity

* *

* For example: eval('some code')

* Becomes: eval('some code')

// Final clean up

// Final cleanup

// This adds a bit of extra precaution in case

// something got through the above filters

// Extra precautions to prevent the above processing from generating illegal characters

$str = $this->_do_never_allowed($str);

* Images are Handled in a Special Way

* - Essentially, we want to know that after all of the character

* conversion is done whether any unwanted, likely XSS, code was found.

* If not, we return TRUE, as the image is clean.

* However, if the string post-conversion does not matched the

* string post-removal of XSS, then it fails, as there was unwanted XSS

* code found and removed/changed during processing.

if ($is_image === TRUE)

{

return ($str == $converted_string) ? TRUE: FALSE;

} }

log_message('debug', "XSS Filtering completed");

return $str;

}

//------------------------------------------------ -----------------------

/**

* Random Hash for protecting URLs

* Then generate an _xss_hssh

* @return string

public function xss_hash()

{

if ($this->_xss_hash == '')

{

mt_srand();

$this->_xss_hash = md5(time() + mt_rand(0, 1999999999));

} }

return $this->_xss_hash;

}

//------------------------------------------------ -----------------------

/**

* HTML Entities Decode

* HTML entity decoding

* This function is a replacement for html_entity_decode()

* This function is used to replace the html_entity_decode() function

* The reason we are not using html_entity_decode() by itself is because

* while it is not technically technically correct to leave out the semicolon

* at the end of an entity most browsers will still interpret the entity

* correctly. html_entity_decode() does not convert entities without

* semicolons, so we are left with our own little solution here. Bummer.

* When there is no ; written after the encoded character, most browsers will be able to interpret the code correctly, however, html_entity_decode will not interpret it

* html_entity_decode() will not convert entities without semicolons, so use your own solution

* @param string

* @return string

public function entity_decode($str, $charset='UTF-8')

{

if (stristr($str, '&') === FALSE)

{

return $str;

} }

$str = html_entity_decode($str, ENT_COMPAT, $charset);

$str = preg_replace('~(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\1"))', $str);

return preg_replace('~([0-9]{2,4})~e', 'chr(\1)', $str);

}

//------------------------------------------------ -----------------------

public function sanitize_filename($str, $relative_path = FALSE)

if ( ! $relative_path)

$str = remove_invisible_characters($str, FALSE);

return stripslashes(str_replace($bad, '', $str));

}

// ----------------------------------------------------------------

/**

* Compact Exploded Words

* Compress the searched words

* Callback function for xss_clean() to remove whitespace from

* things like j a v a s c r i p t

* Callback function for xss_clean(), remove spaces from j a v a s c r i p t

* @param type

* @return type

protected function _compact_exploded_words($matches)

{

return preg_replace('/s+/s', '', $matches[1]).$matches[2];

}

// --------------------------------------------------------------------

* Remove Evil HTML Attributes (like evenhandlers and style)

* 移除有害的html属性，（像事件处理和样式）

* It removes the evil attribute and either:

* - Everything up until a space

* For example, everything between the pipes:

* - Everything inside the quotes

* For example, everything between the pipes:

* @param string $str The string to check

* @param boolean $is_image TRUE if this is an image

* @return string The string with the evil attributes removed

protected function _remove_evil_attributes($str, $is_image)

{

// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns

// 所有的havascript事件处理器

$evil_attributes = array('onw*', 'style', 'xmlns', 'formaction');

if ($is_image === TRUE)

{

* Adobe Photoshop puts XML metadata into JFIF images,

* including namespacing, so we have to allow this for images.

* Adobe Photoshop在JFIF图片中放入了XML元数据

* 包含命名空间，所以我们必须对图片允许这些

unset($evil_attributes[array_search('xmlns', $evil_attributes)]);

// find occurrences of illegal attribute strings without quotes

// Find out illegal attributes that have not been added

preg_match_all('/('.implode('|', $evil_attributes).')s*=s*([^s>]*)/is', $str, $matches, PREG_SET_ORDER);

foreach ($matches as $attr)

$attribs[] = preg_quote($attr[0], '/');

}

// find occurrences of illegal illegal attribute strings with quotes (042 and 047 are octal quotes)

// Find out illegal attributes without quotations (042, 4,0 is an octagonal quotation)

preg_match_all("/(".implode('|', $evil_attributes).")s*=s*(

foreach ($matches as $attr)

$attribs[] = preg_quote($attr[0], '/');

}

// replace illegal attribute strings that are inside an html tag

// Replace the illegal attributes in the html label

if (count($attribs) > 0)

$str = preg_replace("/<(/?[^><]+?)([^A-Za-z<>-])(.*?)(".implode(' |', $attribs).")(.*?)([s><])([><]*)/i", '<$1 $3$5$6$7', $str, -1 , $count);

//------------------------------------------------ -----------------------

/**

* Sanitize Naughty HTML

* 消除有害的html

* Callback function for xss_clean() to remove naughty HTML elements

* @param array

* @return string

protected function _sanitize_naughty_html($matches)

{

// encode opening brace

$str = '<'.$matches[1].$matches[2].$matches[3];

// encode captured opening or closing brace to prevent recursive vectors

$str .= str_replace(array('>', '<'), array('>', '<'),

$matches[4]);

return $str;

}

//------------------------------------------------ -----------------------

/**

* JS Link Removal

* js link cleaning

* Callback function for xss_clean() to sanitize links

* This limits the PCRE backtracks, making it more performance friendly

* and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in

* PHP 5.2+ on link-heavy strings

* Call xss_clean to clean up the connection

* @param array

* @return string

protected function _js_link_removal($match)

$this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))

$match[0]

);

}

// --------------------------------------------------------------------

/**

* JS Image Removal

* js图片清理

* Callback function for xss_clean() to sanitize image tags

* This limits the PCRE backtracks, making it more performance friendly

* and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in

* PHP 5.2+ on image tag heavy strings

* @param array

* @return string

protected function _js_img_removal($match)

$this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))

$match[0]

);

}

// --------------------------------------------------------------------

/**

* Attribute Conversion

* 属性转换

* Used as a callback for XSS Clean

* @param array

* @return string

protected function _convert_attribute($match)

{

return str_replace(array('>', '<', '\'), array('>', '<', '\\'), $match[0]);

}

// --------------------------------------------------------------------

/**

* Filter Attributes

* Filter attributes

* Filters tag attributes for consistency and safety

* Filter tag attributes for consistency and security

* @param string

* @return string

protected function _filter_attributes($str)

{

$out = '';

if (preg_match_all('#s*[a-z-]+s*=s*(42|47)([^\1]*?)\1#is', $str, $matches))

{

foreach ($matches[0] as $match)

{

$out .= preg_replace("#/*.*?*/#s", '', $match);

}

return $out;

}

// --------------------------------------------------------------------

/**

* HTML Entity Decode Callback

* html实体解码

* Used as a callback for XSS Clean

* @param array

* @return string

protected function _decode_entity($match)

{

return $this->entity_decode($match[0], strtoupper(config_item('charset')));

}

// --------------------------------------------------------------------

/**

* Validate URL entities

* Verify URL character entity

* Called by xss_clean()

* @param string

* @return string

protected function _validate_entities($str)

{

* Protect GET variables in URLs

* 保护url中的GET变量

// 901119URL5918AMP18930PROTECT8198

$str = preg_replace('|&([a-z_0-9-]+)=([a-z_0-9-]+)|i', $this->xss_hash()."\1=\2", $str);

* Validate standard character entities

* 验证标准字符实体

* Add a semicolon if missing. We do this to enable

* the conversion of entities to ASCII later.

* 如果没有的话，添加一个分号。这样做是为了以后允许字符实体到ASCII的转换

$str = preg_replace('#(?[0-9a-z]{2,})([x00-x20])*;?#i', "\1;\2", $str);

* Validate UTF16 two byte encoding (x00)

* 验证UTF16两个字节的编码（x00）

* Just as above, adds a semicolon if missing.

* 像上面一样如果不存在添加一个分号。

$str = preg_replace('#(?)([0-9A-F]+);?#i',"\1\2;",$str);

* Un-Protect GET variables in URLs

* URL中不保护的GET变量

$str = str_replace($this->xss_hash(), '&', $str);

return $str;

}

// ----------------------------------------------------------------------

/**

* Do Never Allowed

* 移除不允许的字符

* A utility function for xss_clean()

* @param string

* @return string

protected function _do_never_allowed($str)

{

$str = str_replace(array_keys($this->_never_allowed_str), $this->_never_allowed_str, $str);

foreach ($this->_never_allowed_regex as $regex)

{

$str = preg_replace('#'.$regex.'#is', '[removed]', $str);

}

return $str;

}

// --------------------------------------------------------------------

/**

* Set Cross Site Request Forgery Protection Cookie

* Set cross-site request protection cookie

* @return string

protected function _csrf_set_hash()

{

Statement：

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Previous article：Detailed explanation of PHP+Ajax username detection_PHP tutorialNext article：Detailed explanation of PHP+Ajax username detection_PHP tutorial

See more

CI framework source code reading---------Security.php_PHP tutorial

Related articles