Home > Backend Development > PHP Tutorial > CI framework security class Security.php source code analysis, cisecurity.php_PHP tutorial

CI framework security class Security.php source code analysis, cisecurity.php_PHP tutorial

WBOY
Release: 2016-07-13 10:15:14
Original
1178 people have browsed it

CI framework security class Security.php source code analysis, cisecurity.php

The CI security class provides a global defense strategy against CSRF attacks and XSS attacks. You only need to enable it in the configuration file:

Copy code The code is as follows:

$config['csrf_protection'] = TRUE;
$config['global_xss_filtering'] = TRUE;

And provides practical methods:

Copy code The code is as follows:

$this->security->xss_clean($data);//The second parameter is TRUE to verify the security of the image
$this->security->sanitize_filename()//Filter file name

CI also provides security functions:

xss_clean()//xss filtering
sanitize_filename()//Sanitize file name
do_hash()//md5 or sha encryption
strip_image_tags() //Remove unnecessary characters of image tags
encode_php_tags()//Force PHP script tags into entity objects

Copy code The code is as follows:

/**
* Security category
​*/
class CI_Security {
//Random hash value of url
protected $_xss_hash = '';
//Hash value of cookie tag to prevent CSRF attacks
protected $_csrf_hash = '';
//Anti-csrf cookie expiration time
protected $_csrf_expire = 7200;
//Csrf-proof cookie name
protected $_csrf_token_name = 'ci_csrf_token';
//Anti-csrf token name
protected $_csrf_cookie_name = 'ci_csrf_token';
//Array of strings that are not allowed
protected $_never_allowed_str = array(
'document.cookie' => '[removed]',
'document.write' => '[removed]',
'.parentNode' => '[removed]',
'.innerHTML' => '[removed]',
'window.location' => '[removed]',
'-moz-binding' => '[removed]',
'' => '-->',
' ' '' => ''
);
//Array of regular expressions that are not allowed
protected $_never_allowed_regex = array(
'javascripts*:',
'expressions*((|()', // CSS and IE
'vbscripts*:', // IE, surprise!
'Redirects+302',
"(["'])?datas*:[^\1]*?base64[^\1]*?,[^\1]*?\1?"
);
//Constructor
public function __construct()
{
// Whether CSRF protection is enabled
if (config_item('csrf_protection') === TRUE)
{
// CSRF configuration
foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
{
If (FALSE !== ($val = config_item($key)))
{
$this->{'_'.$key} = $val;
}
}
// _csrf_cookie_name plus cookie prefix
If (config_item('cookie_prefix'))
{
$this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name;
}
//Set the hash value of csrf
$this->_csrf_set_hash();
}
log_message('debug', "Security Class Initialized");
}
//------------------------------------------------ ------------------
/**
  * Verify Cross Site Request Forgery Protection
  *
  * @return object
 */
public function csrf_verify()
{
// If it is not a post request, set the cookie value of csrf
if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')
{
Return $this->csrf_set_cookie();
}
// Do the tokens exist in both the _POST and _COOKIE arrays?
if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]))
{
$this->csrf_show_error();
}
//Does the token match
if ($_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name])
{
$this->csrf_show_error();
}
// We kill this since we're done and we don't want to
//polute the _POST array
unset($_POST[$this->_csrf_token_name]);
// Nothing should last forever
unset($_COOKIE[$this->_csrf_cookie_name]);
$this->_csrf_set_hash();
$this->csrf_set_cookie();
log_message('debug', 'CSRF token verified');
return $this;
}
//------------------------------------------------ ------------------
/**
* Set the cookie value of csrf
​*/
public function csrf_set_cookie()
{
$expire = time() + $this->_csrf_expire;
  $secure_cookie = (config_item('cookie_secure') === TRUE) ? 1 : 0;
  if ($secure_cookie && (empty($_SERVER['HTTPS']) OR strtolower($_SERVER['HTTPS']) === 'off'))
  {
   return FALSE;
  }
  setcookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), $secure_cookie);
  log_message('debug', "CRSF cookie Set");
  return $this;
 }
 //csrf保存
 public function csrf_show_error()
 {
  show_error('The action you have requested is not allowed.');
 }
 //获取csrf的hash值
 public function get_csrf_hash()
 {
  return $this->_csrf_hash;
 }
 //获取csrf的token值
 public function get_csrf_token_name()
 {
  return $this->_csrf_token_name;
 }
 /**
* XSS filtering
​*/
 public function xss_clean($str, $is_image = FALSE)
 {
  //是否是数组
  if (is_array($str))
  {
   while (list($key) = each($str))
   {
    $str[$key] = $this->xss_clean($str[$key]);
   }
   return $str;
  }
  //去掉可见字符串
  $str = remove_invisible_characters($str);
  // 验证实体url
  $str = $this->_validate_entities($str);
  /*
   * URL 解码
   *
   * Just in case stuff like this is submitted:
   *
   * Google
   *
   * Note: Use rawurldecode() so it does not remove plus signs
   *
   */
  $str = rawurldecode($str);
  /*
   * Convert character entities to ASCII
   *
   * This permits our tests below to work reliably.
   * We only convert entities that are within tags since
   * these are the ones that will pose security problems.
   *
   */
  $str = preg_replace_callback("/[a-z]+=(['"]).*?\1/si", array($this, '_convert_attribute'), $str);
  $str = preg_replace_callback("/|<|$)/si", array($this, '_decode_entity'), $str);
  /*
   * Remove Invisible Characters Again!
   */
  $str = remove_invisible_characters($str);
  /*
   * Convert all tabs to spaces
   *
   * This prevents strings like this: ja vascript
   * NOTE: we deal with spaces between characters later.
   * NOTE: preg_replace was found to be amazingly slow here on
   * large blocks of data, so we use str_replace.
   */
  if (strpos($str, "t") !== FALSE)
  {
   $str = str_replace("t", ' ', $str);
  }
  /*
   * Capture converted string for later comparison
   */
  $converted_string = $str;
  // Remove Strings that are never allowed
  $str = $this->_do_never_allowed($str);
  /*
   * Makes PHP tags safe
   *
   * Note: XML tags are inadvertently replaced too:
   *
   *    *
   * But it doesn't seem to pose a problem.
   */
  if ($is_image === TRUE)
  {
   // Images have a tendency to have the PHP short opening and
   // closing tags every so often so we skip those and only
   // do the long opening tags.
   $str = preg_replace('/   }
  else
  {
   $str = str_replace(array(''),  array(''), $str);
  }
  /*
   * Compact any exploded words
   *
   * This corrects words like:  j a v a s c r i p t
   * These words are compacted back to their correct state.
   */
  $words = array(
   'javascript', 'expression', 'vbscript', 'script', 'base64',
   'applet', 'alert', 'document', 'write', 'cookie', 'window'
  );
  foreach ($words as $word)
  {
   $temp = '';
   for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++)
   {
    $temp .= substr($word, $i, 1)."s*";
   }
   // We only want to do this when it is followed by a non-word character
   // That way valid stuff like "dealer to" does not become "dealerto"
   $str = preg_replace_callback('#('.substr($temp, 0, -3).')(W)#is', array($this, '_compact_exploded_words'), $str);
  }
  /*
   * Remove disallowed Javascript in links or img tags
   * We used to do some version comparisons and use of stripos for PHP5,
   * but it is dog slow compared to these simplified non-capturing
   * preg_match(), especially if the pattern exists in the string
   */
  do
  {
   $original = $str;
   if (preg_match("/    {
    $str = preg_replace_callback("#]*?)(>|$)#si", array($this, '_js_link_removal'), $str);
   }
   if (preg_match("/    {
    $str = preg_replace_callback("#]*?)(s?/?>|$)#si", array($this, '_js_img_removal'), $str);
   }
   if (preg_match("/script/i", $str) OR preg_match("/xss/i", $str))
   {
    $str = preg_replace("#<(/*)(script|xss)(.*?)>#si", '[removed]', $str);
   }
  }
  while($original != $str);
  unset($original);
  // Remove evil attributes such as style, onclick and xmlns
  $str = $this->_remove_evil_attributes($str, $is_image);
  /*
   * Sanitize naughty HTML elements
   *
   * If a tag containing any of the words in the list
   * below is found, the tag gets converted to entities.
   *
   * So this:
   * Becomes:
   */
  $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
  $str = preg_replace_callback('#<(/*s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
  /*
   * Sanitize naughty scripting elements
   *
   * Similar to above, only instead of looking for
   * tags it looks for PHP and JavaScript commands
   * that are disallowed.  Rather than removing the
   * code, it simply converts the parenthesis to entities
   * rendering the code un-executable.
   *
   * For example: eval('some code')
   * Becomes:  eval('some code')
   */
  $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(s*)((.*?))#si', "\1\2(\3)", $str);
  // Final clean up
  // This adds a bit of extra precaution in case
  // something got through the above filters
  $str = $this->_do_never_allowed($str);
  /*
   * Images are Handled in a Special Way
   * - Essentially, we want to know that after all of the character
   * conversion is done whether any unwanted, likely XSS, code was found.
   * If not, we return TRUE, as the image is clean.
   * However, if the string post-conversion does not matched the
   * string post-removal of XSS, then it fails, as there was unwanted XSS
   * code found and removed/changed during processing.
   */
  if ($is_image === TRUE)
  {
   return ($str == $converted_string) ? TRUE: FALSE;
  }
  log_message('debug', "XSS Filtering completed");
  return $str;
 }
 // --------------------------------------------------------------------
 //保护url的随机hash值
 public function xss_hash()
 {
  if ($this->_xss_hash == '')
  {
   mt_srand();
   $this->_xss_hash = md5(time() + mt_rand(0, 1999999999));
  }
  return $this->_xss_hash;
 }
 // --------------------------------------------------------------------
 /**
* html entity transcoding
​*/
 public function entity_decode($str, $charset='UTF-8')
 {
  if (stristr($str, '&') === FALSE)
  {
   return $str;
  }
  $str = html_entity_decode($str, ENT_COMPAT, $charset);
  $str = preg_replace('~(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\1"))', $str);
  return preg_replace('~([0-9]{2,4})~e', 'chr(\1)', $str);
 }
 // --------------------------------------------------------------------
 //过滤文件名,保证文件名安全
 public function sanitize_filename($str, $relative_path = FALSE)
 {
  $bad = array(
   "../",
   "",
   "<",
   ">",
   "'",
   '"',
   '&',
   '$',
   '#',
   '{',
   '}',
   '[',
   ']',
   '=',
   ';',
   '?',
   "%20",
   "%22",
   "%3c",  // <
   "%253c", // <
   "%3e",  // >
   "%0e",  // >
   "%28",  // (
   "%29",  // )
   "%2528", // (
   "%26",  // &
   "%24",  // $
   "%3f",  // ?
   "%3b",  // ;
   "%3d"  // =
  );
  if ( ! $relative_path)
  {
   $bad[] = './';
   $bad[] = '/';
  }
  $str = remove_invisible_characters($str, FALSE);
  return stripslashes(str_replace($bad, '', $str));
 }
 //压缩单词如j a v a s c r i p t成javascript
 protected function _compact_exploded_words($matches)
 {
  return preg_replace('/s+/s', '', $matches[1]).$matches[2];
 }
 // --------------------------------------------------------------------
 /*
  * 去掉一些危害的html属性
  */
 protected function _remove_evil_attributes($str, $is_image)
 {
  // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
  $evil_attributes = array('onw*', 'style', 'xmlns', 'formaction');
  if ($is_image === TRUE)
  {
   /*
    * Adobe Photoshop puts XML metadata into JFIF images,
    * including namespacing, so we have to allow this for images.
    */
   unset($evil_attributes[array_search('xmlns', $evil_attributes)]);
  }
  do {
   $count = 0;
   $attribs = array();
   // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
   preg_match_all('/('.implode('|', $evil_attributes).')s*=s*(
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template