search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
New version submitted by TomB
[carbonphp.git] / Source / carbon / libraries / Input.php
blob258cd441cd927924bbbd1794e3d2ed8529315667
1 <?php
2 /*------------------------------------------------------------
3 * CarbonPHP framework (C) Tom Bell
4 * http://tombell.org.uk
5 *------------------------------------------------------------*/
6
7 if (!defined('CARBON_PATH'))
8 {
9 exit('Direct script access is not allowed.');
10 }
11
12 class Carbon_Input
13 {
14 protected $use_xss_clean = false;
15 protected $ip_address = false;
16 protected $user_agent = false;
17 protected $allow_get_array = false;
18
19 public function __construct()
20 {
21 $config =& load_class('Config');
22 $this->use_xss_clean = ($config->get_config_item('use_xss_filtering') === true) ? true : false;
23 $this->allow_get_array = ($config->get_config_item('use_query_strings') === true) ? true : false;
24 $this->_sanitise_globals();
25
26 log_message('debug', 'Input.php - Carbon_Input class initialised');
27 }
28
29 protected function _sanitise_globals()
30 {
31 $protected = array(
32 '_SERVER',
33 '_GET',
34 '_POST',
35 '_FILES',
36 '_REQUEST',
37 '_SESSION',
38 '_ENV',
39 'GLOBALS',
40 'HTTP_RAW_POST_DATA',
41 'carbon_folder',
42 'application_folder',
43 'benchmark',
44 'ext',
45 'config',
46 'uri',
47 'router',
48 'output',
49 'input');
50
51 foreach (array($_GET, $_POST, $_COOKIE, $_SERVER, $_FILES, $_ENV, (isset($_SESSION) && is_array($_SESSION)) ? $_SESSION : array()) as $global)
52 {
53 if (!is_array($global))
54 {
55 if (!in_array($global, $protected))
56 {
57 unset($GLOBALS[$global]);
58 }
59 }
60 else
61 {
62 foreach ($global as $key => $val)
63 {
64 if (!in_array($key, $protected))
65 {
66 unset($GLOBALS[$key]);
67 }
68
69 if (is_array($val))
70 {
71 foreach ($val as $k => $v)
72 {
73 if (!in_array($k, $protected))
74 {
75 unset($GLOBALS[$k]);
76 }
77 }
78 }
79 }
80 }
81 }
82
83 if ($this->allow_get_array == false)
84 {
85 $_GET = array();
86 }
87 else
88 {
89 if (is_array($_GET) && count($_GET) > 0)
90 {
91 foreach ($_GET as $key => $val)
92 {
93 $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
94 }
95 }
96 }
97
98 if (is_array($_POST) && count($_POST) > 0)
99 {
100 foreach ($_POST as $key => $val)
101 {
102 $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
103 }
104 }
105
106 if (is_array($_COOKIE) && count($_COOKIE) > 0)
107 {
108 foreach ($_COOKIE as $key => $val)
109 {
110 $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
111 }
112 }
113
114 log_message('debug', 'Input.php - Global GET, POST, and COOKIE arrays have been sanitised');
115 }
116
117 protected function _clean_input_data($string)
118 {
119 if (is_array($string))
120 {
121 $new_array = array();
122
123 foreach ($string as $key => $val)
124 {
125 $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
126 }
127
128 return $new_array;
129 }
130
131 if (get_magic_quotes_gpc())
132 {
133 $string = stripslashes($string);
134 }
135
136 if ($this->use_xss_clean === true)
137 {
138 $string = $this->xss_clean($string);
139 }
140
141 return preg_replace("/\015\012|\015|\012/", "\n", $string);
142 }
143
144 protected function _clean_input_keys($string)
145 {
146 if (!preg_match("/^[a-z0-9:_\/-]+$/i", $string))
147 {
148 exit('Disallowed characters in the array key.');
149 }
150
151 return $string;
152 }
153
154 public function get($index = '', $xss_clean = false)
155 {
156 if (!isset($_GET[$index]))
157 {
158 return false;
159 }
160
161 if ($xss_clean === true)
162 {
163 if (is_array($_GET[$index]))
164 {
165 foreach ($_GET[$index] as $key => $val)
166 {
167 $_GET[$index][$key] = $this->xss_clean($val);
168 }
169 }
170 else
171 {
172 return $this->xss_clean($_GET[$index]);
173 }
174 }
175
176 return $_GET[$index];
177 }
178
179 public function post($index = '', $xss_clean = false)
180 {
181 if (!isset($_POST[$index]))
182 {
183 return false;
184 }
185
186 if ($xss_clean === true)
187 {
188 if (is_array($_POST[$index]))
189 {
190 foreach ($_POST[$index] as $key => $val)
191 {
192 $_POST[$index][$key] = $this->xss_clean($val);
193 }
194 }
195 else
196 {
197 return $this->xss_clean($_POST[$index]);
198 }
199 }
200
201 return $_POST[$index];
202 }
203
204 public function cookie($index = '', $xss_clean = false)
205 {
206 if (!isset($_COOKIE[$index]))
207 {
208 return false;
209 }
210
211 if ($xss_clean === true)
212 {
213 if (is_array($_COOKIE[$index]))
214 {
215 $cookie = array();
216
217 foreach ($_COOKIE[$index] as $key => $val)
218 {
219 $cookie[$key] = $this->xss_clean($val);
220 }
221
222 return $cookie;
223 }
224 else
225 {
226 return $this->xss_clean($_COOKIE[$index]);
227 }
228 }
229 else
230 {
231 return $_COOKIE[$index];
232 }
233 }
234
235 public function server($index = '', $xss_clean = false)
236 {
237 if (!isset($_SERVER[$index]))
238 {
239 return false;
240 }
241
242 if ($xss_clean === true)
243 {
244 return $this->xss_clean($_SERVER[$index]);
245 }
246
247 return $_SERVER[$index];
248 }
249
250 public function ip_address()
251 {
252 if ($this->ip_address !== false)
253 {
254 return $this->ip_address;
255 }
256
257 if ($this->server('REMOTE_ADDR') && $this->server('HTTP_CLIENT_IP'))
258 {
259 $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
260 }
261 else if ($this->server('REMOTE_ADDR'))
262 {
263 $this->ip_address = $_SERVER['REMOTE_ADDR'];
264 }
265 else if ($this->server('HTTP_CLIENT_IP'))
266 {
267 $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
268 }
269 else if ($this->server('HTTP_X_FORWARDED_FOR'))
270 {
271 $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
272 }
273
274 if ($this->ip_address === false)
275 {
276 $this->ip_address = '0.0.0.0';
277
278 return $this->ip_address;
279 }
280
281 if (strstr($this->ip_address, ','))
282 {
283 $x = explode(',', $this->ip_address);
284 $this->ip_address = end($x);
285 }
286
287 if (!$this->valid_ip($this->ip_address))
288 {
289 $this->ip_address = '0.0.0.0';
290 }
291
292 return $this->ip_address;
293 }
294
295 public function valid_ip($ip)
296 {
297 $ip_segments = explode('.', $ip);
298
299 if (count($ip_segments) != 4)
300 {
301 return false;
302 }
303
304 if (substr($ip_segments[0], 0, 1) == '0')
305 {
306 return false;
307 }
308
309 foreach ($ip_segments as $segment)
310 {
311 if (preg_match("/[^0-9]/", $segment) || $segment > 255 || strlen($segment) > 3)
312 {
313 return false;
314 }
315 }
316
317 return true;
318 }
319
320 public function user_agent()
321 {
322 if ($this->user_agent !== false)
323 {
324 return $this->user_agent;
325 }
326
327 $this->user_agent = (!isset($_SERVER['HTTP_USER_AGENT'])) ? false : $_SERVER['HTTP_USER_AGENT'];
328
329 return $this->user_agent;
330 }
331
332 public function filename_security($string)
333 {
334 $bad = array(
335 "../",
336 "./",
337 "<!--",
338 "-->",
339 "<",
340 ">",
341 "'",
342 '"',
343 '&',
344 '$',
345 '#',
346 '{',
347 '}',
348 '[',
349 ']',
350 '=',
351 ';',
352 '?',
353 "%20",
354 "%22",
355 "%3c",
356 "%253c",
357 "%3e",
358 "%0e",
359 "%28",
360 "%29",
361 "%2528",
362 "%26",
363 "%24",
364 "%3f",
365 "%3b",
366 "%3d"
367 );
368
369 return stripslashes(str_replace($bad, '', $string));
370 }
371
372 public function xss_clean($string)
373 {
374 $string = preg_replace('/\0+/', '', $string);
375 $string = preg_replace('/(\\\\0)+/', '', $string);
376
377 $string = preg_replace('#(&\#?[0-9a-z]+)[\x00-\x20]*;?#i', "\\1;", $string);
378
379 $string = preg_replace('#(&\#x?)([0-9A-F]+);?#i', "\\1\\2;", $string);
380
381 $string = preg_replace("/(%20)+/", '9u3iovBnRThju941s89rKozm', $string);
382 $string = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $string);
383 $string = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $string);
384 $string = str_replace('9u3iovBnRThju941s89rKozm', "%20", $string);
385
386 $string = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_attribute_conversion'), $string);
387 $string = preg_replace_callback("/<([\w]+)[^>]*>/si", array($this, '_html_entity_decode_callback'), $string);
388
389 $string = str_replace("\t", " ", $string);
390
391 $bad = array(
392 'document.cookie' => '[removed]',
393 'document.write' => '[removed]',
394 '.parentNode' => '[removed]',
395 '.innerHTML' => '[removed]',
396 'window.location' => '[removed]',
397 '-moz-binding' => '[removed]',
398 '<!--' => '&lt;!--',
399 '-->' => '--&gt;',
400 '<!CDATA[' => '&lt;![CDATA['
401 );
402
403 foreach ($bad as $key => $val)
404 {
405 $string = str_replace($key, $val, $string);
406 }
407
408 $bad = array(
409 "javascript\s*:" => '[removed]',
410 "expression\s*\(" => '[removed]',
411 "Redirect\s+302" => '[removed]'
412 );
413
414 foreach ($bad as $key => $val)
415 {
416 $string = preg_replace("#" . $key . "#i", $val, $string);
417 }
418
419 $string = str_replace(array('<?php', '<?PHP', '<?', '?' . '>'), array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $string);
420
421 $words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
422
423 foreach ($words as $word)
424 {
425 $temp = '';
426
427 for ($i = 0; $i < strlen($word); $i++)
428 {
429 $temp .= substr($word, $i, 1) . "\s*";
430 }
431
432 $string = preg_replace('#(' . substr($temp, 0, -3) . ')(\W)#ise', "preg_replace('/\s+/s', '', '\\1') . '\\2'", $string);
433 }
434
435 do
436 {
437 $original = $string;
438
439 if (stripos($string, '</a>') !== false || preg_match("/<\/a>/i", $string))
440 {
441 $string = preg_replace_callback("#<a.*?</a>#si", array($this, '_js_link_removal'), $string);
442 }
443
444 if (stripos($string, '<img') !== false || preg_match("/img/i", $string))
445 {
446 $string = preg_replace_callback("#<img.*?" . ">#si", array($this, '_js_img_removal'), $string);
447 }
448
449 if (stripos($string, 'script') !== false || stripos($string, 'xss') !== false || preg_match("/(script|xss)/i", $string))
450 {
451 $string = preg_replace("#</*(script|xss).*?\>#si", "", $string);
452 }
453 }
454 while ($original != $string);
455
456 unset($original);
457
458 $event_handlers = array('onblur', 'onchange', 'onclick', 'onfocus', 'onload', 'onmouseover', 'onmouseup', 'onmousedown', 'onselect', 'onsubmit', 'onupload', 'onkeypress', 'onkeydown', 'onkeyup', 'onresize', 'xmlns');
459 $string = preg_replace("#<([^>]+)(" . implode('|', $event_handlers) . ")([^>]*)>#iU", "&lt;\\1\\2\\3&gt;", $string);
460
461 $string = preg_replace('#<(/*\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "&lt;\\1\\2\\3&gt;", $string);
462
463 $string = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $string);
464
465 $bad = array(
466 'document.cookie' => '[removed]',
467 'document.write' => '[removed]',
468 '.parentNode' => '[removed]',
469 '.innerHTML' => '[removed]',
470 'window.location' => '[removed]',
471 '-moz-binding' => '[removed]',
472 '<!--' => '&lt;!--',
473 '-->' => '--&gt;',
474 '<!CDATA[' => '&lt;![CDATA['
475 );
476
477 foreach ($bad as $key => $val)
478 {
479 $string = str_replace($key, $val, $string);
480 }
481
482 $bad = array(
483 "javascript\s*:" => '[removed]',
484 "expression\s*\(" => '[removed]',
485 "Redirect\s+302" => '[removed]'
486 );
487
488 foreach ($bad as $key => $val)
489 {
490 $string = preg_replace("#" . $key . "#i", $val, $string);
491 }
492
493 log_message('debug', 'XSS filtering completed');
494
495 return $string;
496 }
497
498 protected function _js_link_removal($match)
499 {
500 return preg_replace("#<a.+?href=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>.*?</a>#si", "", $match[0]);
501 }
502
503 protected function _js_img_removal($match)
504 {
505 return preg_replace("#<img.+?src=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>#si", "", $match[0]);
506 }
507
508 protected function _attribute_conversion($match)
509 {
510 return str_replace('>', '&lt;', $match[0]);
511 }
512
513 protected function _html_entity_decode_callback($match)
514 {
515 $config =& load_class('Config');
516
517 $charset = $config->get_config_item('charset');
518
519 return $this->_html_entity_decode($match[0], strtoupper($charset));
520 }
521
522 protected function _html_entity_decode($string, $charset = 'UTF-8')
523 {
524 if (stristr($string, '&') === false)
525 {
526 return $string;
527 }
528
529 if (function_exists('html_entitiy_decode') && strtolower($charset) != 'utf-8')
530 {
531 $string = html_entity_decode($string, ENT_COMPAT, $charset);
532 $string = preg_match('~&#x([0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $string);
533
534 return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $string);
535 }
536
537 $string = preg_replace('~&#x([0-9a-f]{2,5});{0,1}~ei', 'chr(hexdec("\\1"))', $string);
538 $string = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $string);
539
540 if (stristr($string, '&') === false)
541 {
542 $string = strtr($string, array(get_html_translation_table(HTML_ENTITIES)));
543 }
544
545 return $string;
546 }
547 }
548
549 ?>
carbonPHP is a framework for PHP using the common design pattern model-view-controller.