@@ 51-952 (lines=902) @@ | ||
48 | * @author EllisLab Dev Team |
|
49 | * @link https://codeigniter.com/user_guide/libraries/input.html |
|
50 | */ |
|
51 | class CI_Input { |
|
52 | ||
53 | /** |
|
54 | * IP address of the current user |
|
55 | * |
|
56 | * @var string |
|
57 | */ |
|
58 | protected $ip_address = FALSE; |
|
59 | ||
60 | /** |
|
61 | * Allow GET array flag |
|
62 | * |
|
63 | * If set to FALSE, then $_GET will be set to an empty array. |
|
64 | * |
|
65 | * @var bool |
|
66 | */ |
|
67 | protected $_allow_get_array = TRUE; |
|
68 | ||
69 | /** |
|
70 | * Standardize new lines flag |
|
71 | * |
|
72 | * If set to TRUE, then newlines are standardized. |
|
73 | * |
|
74 | * @var bool |
|
75 | */ |
|
76 | protected $_standardize_newlines; |
|
77 | ||
78 | /** |
|
79 | * Enable XSS flag |
|
80 | * |
|
81 | * Determines whether the XSS filter is always active when |
|
82 | * GET, POST or COOKIE data is encountered. |
|
83 | * Set automatically based on config setting. |
|
84 | * |
|
85 | * @var bool |
|
86 | */ |
|
87 | protected $_enable_xss = FALSE; |
|
88 | ||
89 | /** |
|
90 | * Enable CSRF flag |
|
91 | * |
|
92 | * Enables a CSRF cookie token to be set. |
|
93 | * Set automatically based on config setting. |
|
94 | * |
|
95 | * @var bool |
|
96 | */ |
|
97 | protected $_enable_csrf = FALSE; |
|
98 | ||
99 | /** |
|
100 | * List of all HTTP request headers |
|
101 | * |
|
102 | * @var array |
|
103 | */ |
|
104 | protected $headers = array(); |
|
105 | ||
106 | /** |
|
107 | * Raw input stream data |
|
108 | * |
|
109 | * Holds a cache of php://input contents |
|
110 | * |
|
111 | * @var string |
|
112 | */ |
|
113 | protected $_raw_input_stream; |
|
114 | ||
115 | /** |
|
116 | * Parsed input stream data |
|
117 | * |
|
118 | * Parsed from php://input at runtime |
|
119 | * |
|
120 | * @see CI_Input::input_stream() |
|
121 | * @var array |
|
122 | */ |
|
123 | protected $_input_stream; |
|
124 | ||
125 | protected $security; |
|
126 | protected $uni; |
|
127 | ||
128 | // -------------------------------------------------------------------- |
|
129 | ||
130 | /** |
|
131 | * Class constructor |
|
132 | * |
|
133 | * Determines whether to globally enable the XSS processing |
|
134 | * and whether to allow the $_GET array. |
|
135 | * |
|
136 | * @return void |
|
137 | * |
|
138 | * @codeCoverageIgnore |
|
139 | */ |
|
140 | public function __construct() |
|
141 | { |
|
142 | $this->_allow_get_array = (config_item('allow_get_array') !== FALSE); |
|
143 | $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); |
|
144 | $this->_enable_csrf = (config_item('csrf_protection') === TRUE); |
|
145 | $this->_standardize_newlines = (bool) config_item('standardize_newlines'); |
|
146 | ||
147 | $this->security =& load_class('Security', 'core'); |
|
148 | ||
149 | // Do we need the UTF-8 class? |
|
150 | if (UTF8_ENABLED === TRUE) |
|
151 | { |
|
152 | $this->uni =& load_class('Utf8', 'core'); |
|
153 | } |
|
154 | ||
155 | // Sanitize global arrays |
|
156 | $this->_sanitize_globals(); |
|
157 | ||
158 | // CSRF Protection check |
|
159 | if ($this->_enable_csrf === TRUE && ! is_cli()) |
|
160 | { |
|
161 | $this->security->csrf_verify(); |
|
162 | } |
|
163 | ||
164 | log_message('info', 'Input Class Initialized'); |
|
165 | } |
|
166 | ||
167 | // -------------------------------------------------------------------- |
|
168 | ||
169 | /** |
|
170 | * Fetch from array |
|
171 | * |
|
172 | * Internal method used to retrieve values from global arrays. |
|
173 | * |
|
174 | * @param array &$array $_GET, $_POST, $_COOKIE, $_SERVER, etc. |
|
175 | * @param mixed $index Index for item to be fetched from $array |
|
176 | * @param bool $xss_clean Whether to apply XSS filtering |
|
177 | * @return mixed |
|
178 | * |
|
179 | * @codeCoverageIgnore |
|
180 | */ |
|
181 | protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL) |
|
182 | { |
|
183 | is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; |
|
184 | ||
185 | // If $index is NULL, it means that the whole $array is requested |
|
186 | isset($index) OR $index = array_keys($array); |
|
187 | ||
188 | // allow fetching multiple keys at once |
|
189 | if (is_array($index)) |
|
190 | { |
|
191 | $output = array(); |
|
192 | foreach ($index as $key) |
|
193 | { |
|
194 | $output[$key] = $this->_fetch_from_array($array, $key, $xss_clean); |
|
195 | } |
|
196 | ||
197 | return $output; |
|
198 | } |
|
199 | ||
200 | if (isset($array[$index])) |
|
201 | { |
|
202 | $value = $array[$index]; |
|
203 | } |
|
204 | elseif (($count = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $index, $matches)) > 1) // Does the index contain array notation |
|
205 | { |
|
206 | $value = $array; |
|
207 | for ($i = 0; $i < $count; $i++) |
|
208 | { |
|
209 | $key = trim($matches[0][$i], '[]'); |
|
210 | if ($key === '') // Empty notation will return the value as array |
|
211 | { |
|
212 | break; |
|
213 | } |
|
214 | ||
215 | if (isset($value[$key])) |
|
216 | { |
|
217 | $value = $value[$key]; |
|
218 | } |
|
219 | else |
|
220 | { |
|
221 | return NULL; |
|
222 | } |
|
223 | } |
|
224 | } |
|
225 | else |
|
226 | { |
|
227 | return NULL; |
|
228 | } |
|
229 | ||
230 | return ($xss_clean === TRUE) |
|
231 | ? $this->security->xss_clean($value) |
|
232 | : $value; |
|
233 | } |
|
234 | ||
235 | // -------------------------------------------------------------------- |
|
236 | ||
237 | /** |
|
238 | * Fetch an item from the GET array |
|
239 | * |
|
240 | * @param mixed $index Index for item to be fetched from $_GET |
|
241 | * @param bool $xss_clean Whether to apply XSS filtering |
|
242 | * @return mixed |
|
243 | * |
|
244 | * @codeCoverageIgnore |
|
245 | */ |
|
246 | public function get($index = NULL, $xss_clean = NULL) |
|
247 | { |
|
248 | return $this->_fetch_from_array($_GET, $index, $xss_clean); |
|
249 | } |
|
250 | ||
251 | // -------------------------------------------------------------------- |
|
252 | ||
253 | /** |
|
254 | * Fetch an item from the POST array |
|
255 | * |
|
256 | * @param mixed $index Index for item to be fetched from $_POST |
|
257 | * @param bool $xss_clean Whether to apply XSS filtering |
|
258 | * @return mixed |
|
259 | * |
|
260 | * @codeCoverageIgnore |
|
261 | */ |
|
262 | public function post($index = NULL, $xss_clean = NULL) |
|
263 | { |
|
264 | return $this->_fetch_from_array($_POST, $index, $xss_clean); |
|
265 | } |
|
266 | ||
267 | // -------------------------------------------------------------------- |
|
268 | ||
269 | /** |
|
270 | * Fetch an item from POST data with fallback to GET |
|
271 | * |
|
272 | * @param string $index Index for item to be fetched from $_POST or $_GET |
|
273 | * @param bool $xss_clean Whether to apply XSS filtering |
|
274 | * @return mixed |
|
275 | * |
|
276 | * @codeCoverageIgnore |
|
277 | */ |
|
278 | public function post_get($index, $xss_clean = NULL) |
|
279 | { |
|
280 | return isset($_POST[$index]) |
|
281 | ? $this->post($index, $xss_clean) |
|
282 | : $this->get($index, $xss_clean); |
|
283 | } |
|
284 | ||
285 | // -------------------------------------------------------------------- |
|
286 | ||
287 | /** |
|
288 | * Fetch an item from GET data with fallback to POST |
|
289 | * |
|
290 | * @param string $index Index for item to be fetched from $_GET or $_POST |
|
291 | * @param bool $xss_clean Whether to apply XSS filtering |
|
292 | * @return mixed |
|
293 | * |
|
294 | * @codeCoverageIgnore |
|
295 | */ |
|
296 | public function get_post($index, $xss_clean = NULL) |
|
297 | { |
|
298 | return isset($_GET[$index]) |
|
299 | ? $this->get($index, $xss_clean) |
|
300 | : $this->post($index, $xss_clean); |
|
301 | } |
|
302 | ||
303 | // -------------------------------------------------------------------- |
|
304 | ||
305 | /** |
|
306 | * Fetch an item from the COOKIE array |
|
307 | * |
|
308 | * @param mixed $index Index for item to be fetched from $_COOKIE |
|
309 | * @param bool $xss_clean Whether to apply XSS filtering |
|
310 | * @return mixed |
|
311 | * |
|
312 | * @codeCoverageIgnore |
|
313 | */ |
|
314 | public function cookie($index = NULL, $xss_clean = NULL) |
|
315 | { |
|
316 | return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); |
|
317 | } |
|
318 | ||
319 | // -------------------------------------------------------------------- |
|
320 | ||
321 | /** |
|
322 | * Fetch an item from the SERVER array |
|
323 | * |
|
324 | * @param mixed $index Index for item to be fetched from $_SERVER |
|
325 | * @param bool $xss_clean Whether to apply XSS filtering |
|
326 | * @return mixed |
|
327 | * |
|
328 | * @codeCoverageIgnore |
|
329 | */ |
|
330 | public function server($index, $xss_clean = NULL) |
|
331 | { |
|
332 | return $this->_fetch_from_array($_SERVER, $index, $xss_clean); |
|
333 | } |
|
334 | ||
335 | // ------------------------------------------------------------------------ |
|
336 | ||
337 | /** |
|
338 | * Fetch an item from the php://input stream |
|
339 | * |
|
340 | * Useful when you need to access PUT, DELETE or PATCH request data. |
|
341 | * |
|
342 | * @param string $index Index for item to be fetched |
|
343 | * @param bool $xss_clean Whether to apply XSS filtering |
|
344 | * @return mixed |
|
345 | * |
|
346 | * @codeCoverageIgnore |
|
347 | */ |
|
348 | public function input_stream($index = NULL, $xss_clean = NULL) |
|
349 | { |
|
350 | // Prior to PHP 5.6, the input stream can only be read once, |
|
351 | // so we'll need to check if we have already done that first. |
|
352 | if ( ! is_array($this->_input_stream)) |
|
353 | { |
|
354 | // $this->raw_input_stream will trigger __get(). |
|
355 | parse_str($this->raw_input_stream, $this->_input_stream); |
|
356 | is_array($this->_input_stream) OR $this->_input_stream = array(); |
|
357 | } |
|
358 | ||
359 | return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean); |
|
360 | } |
|
361 | ||
362 | // ------------------------------------------------------------------------ |
|
363 | ||
364 | /** |
|
365 | * Set cookie |
|
366 | * |
|
367 | * Accepts an arbitrary number of parameters (up to 7) or an associative |
|
368 | * array in the first parameter containing all the values. |
|
369 | * |
|
370 | * @param string|mixed[] $name Cookie name or an array containing parameters |
|
371 | * @param string $value Cookie value |
|
372 | * @param int $expire Cookie expiration time in seconds |
|
373 | * @param string $domain Cookie domain (e.g.: '.yourdomain.com') |
|
374 | * @param string $path Cookie path (default: '/') |
|
375 | * @param string $prefix Cookie name prefix |
|
376 | * @param bool $secure Whether to only transfer cookies via SSL |
|
377 | * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) |
|
378 | * @return void |
|
379 | * |
|
380 | * modified by ci-phpunit-test |
|
381 | */ |
|
382 | public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) |
|
383 | { |
|
384 | if (is_array($name)) |
|
385 | { |
|
386 | // always leave 'name' in last place, as the loop will break otherwise, due to $$item |
|
387 | foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item) |
|
388 | { |
|
389 | if (isset($name[$item])) |
|
390 | { |
|
391 | $$item = $name[$item]; |
|
392 | } |
|
393 | } |
|
394 | } |
|
395 | ||
396 | if ($prefix === '' && config_item('cookie_prefix') !== '') |
|
397 | { |
|
398 | $prefix = config_item('cookie_prefix'); |
|
399 | } |
|
400 | ||
401 | if ($domain == '' && config_item('cookie_domain') != '') |
|
402 | { |
|
403 | $domain = config_item('cookie_domain'); |
|
404 | } |
|
405 | ||
406 | if ($path === '/' && config_item('cookie_path') !== '/') |
|
407 | { |
|
408 | $path = config_item('cookie_path'); |
|
409 | } |
|
410 | ||
411 | $secure = ($secure === NULL && config_item('cookie_secure') !== NULL) |
|
412 | ? (bool) config_item('cookie_secure') |
|
413 | : (bool) $secure; |
|
414 | ||
415 | $httponly = ($httponly === NULL && config_item('cookie_httponly') !== NULL) |
|
416 | ? (bool) config_item('cookie_httponly') |
|
417 | : (bool) $httponly; |
|
418 | ||
419 | if ( ! is_numeric($expire)) |
|
420 | { |
|
421 | $expire = time() - 86500; |
|
422 | } |
|
423 | else |
|
424 | { |
|
425 | $expire = ($expire > 0) ? time() + $expire : 0; |
|
426 | } |
|
427 | ||
428 | // setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly); |
|
429 | ||
430 | // Save cookie in Output object |
|
431 | // added by ci-phpunit-test |
|
432 | $CI =& get_instance(); |
|
433 | $output = $CI->output; |
|
434 | $output->_cookies[$prefix.$name][] = [ |
|
435 | 'value' => $value, |
|
436 | 'expire' => $expire, |
|
437 | 'path' => $path, |
|
438 | 'domain' => $domain, |
|
439 | 'secure' => $secure, |
|
440 | 'httponly' => $httponly, |
|
441 | ]; |
|
442 | } |
|
443 | ||
444 | // -------------------------------------------------------------------- |
|
445 | ||
446 | /** |
|
447 | * Fetch the IP Address |
|
448 | * |
|
449 | * Determines and validates the visitor's IP address. |
|
450 | * |
|
451 | * @return string IP address |
|
452 | * |
|
453 | * @codeCoverageIgnore |
|
454 | */ |
|
455 | public function ip_address() |
|
456 | { |
|
457 | if ($this->ip_address !== FALSE) |
|
458 | { |
|
459 | return $this->ip_address; |
|
460 | } |
|
461 | ||
462 | $proxy_ips = config_item('proxy_ips'); |
|
463 | if ( ! empty($proxy_ips) && ! is_array($proxy_ips)) |
|
464 | { |
|
465 | $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); |
|
466 | } |
|
467 | ||
468 | $this->ip_address = $this->server('REMOTE_ADDR'); |
|
469 | ||
470 | if ($proxy_ips) |
|
471 | { |
|
472 | foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header) |
|
473 | { |
|
474 | if (($spoof = $this->server($header)) !== NULL) |
|
475 | { |
|
476 | // Some proxies typically list the whole chain of IP |
|
477 | // addresses through which the client has reached us. |
|
478 | // e.g. client_ip, proxy_ip1, proxy_ip2, etc. |
|
479 | sscanf($spoof, '%[^,]', $spoof); |
|
480 | ||
481 | if ( ! $this->valid_ip($spoof)) |
|
482 | { |
|
483 | $spoof = NULL; |
|
484 | } |
|
485 | else |
|
486 | { |
|
487 | break; |
|
488 | } |
|
489 | } |
|
490 | } |
|
491 | ||
492 | if ($spoof) |
|
493 | { |
|
494 | for ($i = 0, $c = count($proxy_ips); $i < $c; $i++) |
|
495 | { |
|
496 | // Check if we have an IP address or a subnet |
|
497 | if (strpos($proxy_ips[$i], '/') === FALSE) |
|
498 | { |
|
499 | // An IP address (and not a subnet) is specified. |
|
500 | // We can compare right away. |
|
501 | if ($proxy_ips[$i] === $this->ip_address) |
|
502 | { |
|
503 | $this->ip_address = $spoof; |
|
504 | break; |
|
505 | } |
|
506 | ||
507 | continue; |
|
508 | } |
|
509 | ||
510 | // We have a subnet ... now the heavy lifting begins |
|
511 | isset($separator) OR $separator = $this->valid_ip($this->ip_address, 'ipv6') ? ':' : '.'; |
|
512 | ||
513 | // If the proxy entry doesn't match the IP protocol - skip it |
|
514 | if (strpos($proxy_ips[$i], $separator) === FALSE) |
|
515 | { |
|
516 | continue; |
|
517 | } |
|
518 | ||
519 | // Convert the REMOTE_ADDR IP address to binary, if needed |
|
520 | if ( ! isset($ip, $sprintf)) |
|
521 | { |
|
522 | if ($separator === ':') |
|
523 | { |
|
524 | // Make sure we're have the "full" IPv6 format |
|
525 | $ip = explode(':', |
|
526 | str_replace('::', |
|
527 | str_repeat(':', 9 - substr_count($this->ip_address, ':')), |
|
528 | $this->ip_address |
|
529 | ) |
|
530 | ); |
|
531 | ||
532 | for ($j = 0; $j < 8; $j++) |
|
533 | { |
|
534 | $ip[$j] = intval($ip[$j], 16); |
|
535 | } |
|
536 | ||
537 | $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; |
|
538 | } |
|
539 | else |
|
540 | { |
|
541 | $ip = explode('.', $this->ip_address); |
|
542 | $sprintf = '%08b%08b%08b%08b'; |
|
543 | } |
|
544 | ||
545 | $ip = vsprintf($sprintf, $ip); |
|
546 | } |
|
547 | ||
548 | // Split the netmask length off the network address |
|
549 | sscanf($proxy_ips[$i], '%[^/]/%d', $netaddr, $masklen); |
|
550 | ||
551 | // Again, an IPv6 address is most likely in a compressed form |
|
552 | if ($separator === ':') |
|
553 | { |
|
554 | $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr)); |
|
555 | for ($j = 0; $j < 8; $j++) |
|
556 | { |
|
557 | $netaddr[$j] = intval($netaddr[$j], 16); |
|
558 | } |
|
559 | } |
|
560 | else |
|
561 | { |
|
562 | $netaddr = explode('.', $netaddr); |
|
563 | } |
|
564 | ||
565 | // Convert to binary and finally compare |
|
566 | if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) |
|
567 | { |
|
568 | $this->ip_address = $spoof; |
|
569 | break; |
|
570 | } |
|
571 | } |
|
572 | } |
|
573 | } |
|
574 | ||
575 | if ( ! $this->valid_ip($this->ip_address)) |
|
576 | { |
|
577 | return $this->ip_address = '0.0.0.0'; |
|
578 | } |
|
579 | ||
580 | return $this->ip_address; |
|
581 | } |
|
582 | ||
583 | // -------------------------------------------------------------------- |
|
584 | ||
585 | /** |
|
586 | * Validate IP Address |
|
587 | * |
|
588 | * @param string $ip IP address |
|
589 | * @param string $which IP protocol: 'ipv4' or 'ipv6' |
|
590 | * @return bool |
|
591 | * |
|
592 | * @codeCoverageIgnore |
|
593 | */ |
|
594 | public function valid_ip($ip, $which = '') |
|
595 | { |
|
596 | switch (strtolower($which)) |
|
597 | { |
|
598 | case 'ipv4': |
|
599 | $which = FILTER_FLAG_IPV4; |
|
600 | break; |
|
601 | case 'ipv6': |
|
602 | $which = FILTER_FLAG_IPV6; |
|
603 | break; |
|
604 | default: |
|
605 | $which = NULL; |
|
606 | break; |
|
607 | } |
|
608 | ||
609 | return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which); |
|
610 | } |
|
611 | ||
612 | // -------------------------------------------------------------------- |
|
613 | ||
614 | /** |
|
615 | * Fetch User Agent string |
|
616 | * |
|
617 | * @return string|null User Agent string or NULL if it doesn't exist |
|
618 | * |
|
619 | * @codeCoverageIgnore |
|
620 | */ |
|
621 | public function user_agent($xss_clean = NULL) |
|
622 | { |
|
623 | return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean); |
|
624 | } |
|
625 | ||
626 | // -------------------------------------------------------------------- |
|
627 | ||
628 | /** |
|
629 | * Sanitize Globals |
|
630 | * |
|
631 | * Internal method serving for the following purposes: |
|
632 | * |
|
633 | * - Unsets $_GET data, if query strings are not enabled |
|
634 | * - Cleans POST, COOKIE and SERVER data |
|
635 | * - Standardizes newline characters to PHP_EOL |
|
636 | * |
|
637 | * @return void |
|
638 | * |
|
639 | * @codeCoverageIgnore |
|
640 | */ |
|
641 | protected function _sanitize_globals() |
|
642 | { |
|
643 | // Is $_GET data allowed? If not we'll set the $_GET to an empty array |
|
644 | if ($this->_allow_get_array === FALSE) |
|
645 | { |
|
646 | $_GET = array(); |
|
647 | } |
|
648 | elseif (is_array($_GET)) |
|
649 | { |
|
650 | foreach ($_GET as $key => $val) |
|
651 | { |
|
652 | $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
653 | } |
|
654 | } |
|
655 | ||
656 | // Clean $_POST Data |
|
657 | if (is_array($_POST)) |
|
658 | { |
|
659 | foreach ($_POST as $key => $val) |
|
660 | { |
|
661 | $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
662 | } |
|
663 | } |
|
664 | ||
665 | // Clean $_COOKIE Data |
|
666 | if (is_array($_COOKIE)) |
|
667 | { |
|
668 | // Also get rid of specially treated cookies that might be set by a server |
|
669 | // or silly application, that are of no use to a CI application anyway |
|
670 | // but that when present will trip our 'Disallowed Key Characters' alarm |
|
671 | // http://www.ietf.org/rfc/rfc2109.txt |
|
672 | // note that the key names below are single quoted strings, and are not PHP variables |
|
673 | unset( |
|
674 | $_COOKIE['$Version'], |
|
675 | $_COOKIE['$Path'], |
|
676 | $_COOKIE['$Domain'] |
|
677 | ); |
|
678 | ||
679 | foreach ($_COOKIE as $key => $val) |
|
680 | { |
|
681 | if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) |
|
682 | { |
|
683 | $_COOKIE[$cookie_key] = $this->_clean_input_data($val); |
|
684 | } |
|
685 | else |
|
686 | { |
|
687 | unset($_COOKIE[$key]); |
|
688 | } |
|
689 | } |
|
690 | } |
|
691 | ||
692 | // Sanitize PHP_SELF |
|
693 | $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); |
|
694 | ||
695 | log_message('debug', 'Global POST, GET and COOKIE data sanitized'); |
|
696 | } |
|
697 | ||
698 | // -------------------------------------------------------------------- |
|
699 | ||
700 | /** |
|
701 | * Clean Input Data |
|
702 | * |
|
703 | * Internal method that aids in escaping data and |
|
704 | * standardizing newline characters to PHP_EOL. |
|
705 | * |
|
706 | * @param string|string[] $str Input string(s) |
|
707 | * @return string |
|
708 | * |
|
709 | * @codeCoverageIgnore |
|
710 | */ |
|
711 | protected function _clean_input_data($str) |
|
712 | { |
|
713 | if (is_array($str)) |
|
714 | { |
|
715 | $new_array = array(); |
|
716 | foreach (array_keys($str) as $key) |
|
717 | { |
|
718 | $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); |
|
719 | } |
|
720 | return $new_array; |
|
721 | } |
|
722 | ||
723 | /* We strip slashes if magic quotes is on to keep things consistent |
|
724 | ||
725 | NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and |
|
726 | it will probably not exist in future versions at all. |
|
727 | */ |
|
728 | if ( ! is_php('5.4') && get_magic_quotes_gpc()) |
|
729 | { |
|
730 | $str = stripslashes($str); |
|
731 | } |
|
732 | ||
733 | // Clean UTF-8 if supported |
|
734 | if (UTF8_ENABLED === TRUE) |
|
735 | { |
|
736 | $str = $this->uni->clean_string($str); |
|
737 | } |
|
738 | ||
739 | // Remove control characters |
|
740 | $str = remove_invisible_characters($str, FALSE); |
|
741 | ||
742 | // Standardize newlines if needed |
|
743 | if ($this->_standardize_newlines === TRUE) |
|
744 | { |
|
745 | return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str); |
|
746 | } |
|
747 | ||
748 | return $str; |
|
749 | } |
|
750 | ||
751 | // -------------------------------------------------------------------- |
|
752 | ||
753 | /** |
|
754 | * Clean Keys |
|
755 | * |
|
756 | * Internal method that helps to prevent malicious users |
|
757 | * from trying to exploit keys we make sure that keys are |
|
758 | * only named with alpha-numeric text and a few other items. |
|
759 | * |
|
760 | * @param string $str Input string |
|
761 | * @param bool $fatal Whether to terminate script exection |
|
762 | * or to return FALSE if an invalid |
|
763 | * key is encountered |
|
764 | * @return string|bool |
|
765 | * |
|
766 | * @codeCoverageIgnore |
|
767 | */ |
|
768 | protected function _clean_input_keys($str, $fatal = TRUE) |
|
769 | { |
|
770 | if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) |
|
771 | { |
|
772 | if ($fatal === TRUE) |
|
773 | { |
|
774 | return FALSE; |
|
775 | } |
|
776 | else |
|
777 | { |
|
778 | set_status_header(503); |
|
779 | echo 'Disallowed Key Characters.'; |
|
780 | exit(7); // EXIT_USER_INPUT |
|
781 | } |
|
782 | } |
|
783 | ||
784 | // Clean UTF-8 if supported |
|
785 | if (UTF8_ENABLED === TRUE) |
|
786 | { |
|
787 | return $this->uni->clean_string($str); |
|
788 | } |
|
789 | ||
790 | return $str; |
|
791 | } |
|
792 | ||
793 | // -------------------------------------------------------------------- |
|
794 | ||
795 | /** |
|
796 | * Request Headers |
|
797 | * |
|
798 | * @param bool $xss_clean Whether to apply XSS filtering |
|
799 | * @return array |
|
800 | * |
|
801 | * @codeCoverageIgnore |
|
802 | */ |
|
803 | public function request_headers($xss_clean = FALSE) |
|
804 | { |
|
805 | // If header is already defined, return it immediately |
|
806 | if ( ! empty($this->headers)) |
|
807 | { |
|
808 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
809 | } |
|
810 | ||
811 | // In Apache, you can simply call apache_request_headers() |
|
812 | if (function_exists('apache_request_headers')) |
|
813 | { |
|
814 | $this->headers = apache_request_headers(); |
|
815 | } |
|
816 | else |
|
817 | { |
|
818 | isset($_SERVER['CONTENT_TYPE']) && $this->headers['Content-Type'] = $_SERVER['CONTENT_TYPE']; |
|
819 | ||
820 | foreach ($_SERVER as $key => $val) |
|
821 | { |
|
822 | if (sscanf($key, 'HTTP_%s', $header) === 1) |
|
823 | { |
|
824 | // take SOME_HEADER and turn it into Some-Header |
|
825 | $header = str_replace('_', ' ', strtolower($header)); |
|
826 | $header = str_replace(' ', '-', ucwords($header)); |
|
827 | ||
828 | $this->headers[$header] = $_SERVER[$key]; |
|
829 | } |
|
830 | } |
|
831 | } |
|
832 | ||
833 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
834 | } |
|
835 | ||
836 | // -------------------------------------------------------------------- |
|
837 | ||
838 | /** |
|
839 | * Get Request Header |
|
840 | * |
|
841 | * Returns the value of a single member of the headers class member |
|
842 | * |
|
843 | * @param string $index Header name |
|
844 | * @param bool $xss_clean Whether to apply XSS filtering |
|
845 | * @return string|null The requested header on success or NULL on failure |
|
846 | * |
|
847 | * modified by ci-phpunit-test |
|
848 | */ |
|
849 | public function get_request_header($index, $xss_clean = FALSE) |
|
850 | { |
|
851 | // static $headers; |
|
852 | ||
853 | if ( ! isset($headers)) |
|
854 | { |
|
855 | empty($this->headers) && $this->request_headers(); |
|
856 | foreach ($this->headers as $key => $value) |
|
857 | { |
|
858 | $headers[strtolower($key)] = $value; |
|
859 | } |
|
860 | } |
|
861 | ||
862 | $index = strtolower($index); |
|
863 | ||
864 | if ( ! isset($headers[$index])) |
|
865 | { |
|
866 | return NULL; |
|
867 | } |
|
868 | ||
869 | return ($xss_clean === TRUE) |
|
870 | ? $this->security->xss_clean($headers[$index]) |
|
871 | : $headers[$index]; |
|
872 | } |
|
873 | ||
874 | // -------------------------------------------------------------------- |
|
875 | ||
876 | /** |
|
877 | * Is AJAX request? |
|
878 | * |
|
879 | * Test to see if a request contains the HTTP_X_REQUESTED_WITH header. |
|
880 | * |
|
881 | * @return bool |
|
882 | * |
|
883 | * @codeCoverageIgnore |
|
884 | */ |
|
885 | public function is_ajax_request() |
|
886 | { |
|
887 | return ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest'); |
|
888 | } |
|
889 | ||
890 | // -------------------------------------------------------------------- |
|
891 | ||
892 | /** |
|
893 | * Is CLI request? |
|
894 | * |
|
895 | * Test to see if a request was made from the command line. |
|
896 | * |
|
897 | * @deprecated 3.0.0 Use is_cli() instead |
|
898 | * @return bool |
|
899 | * |
|
900 | * @codeCoverageIgnore |
|
901 | */ |
|
902 | public function is_cli_request() |
|
903 | { |
|
904 | return is_cli(); |
|
905 | } |
|
906 | ||
907 | // -------------------------------------------------------------------- |
|
908 | ||
909 | /** |
|
910 | * Get Request Method |
|
911 | * |
|
912 | * Return the request method |
|
913 | * |
|
914 | * @param bool $upper Whether to return in upper or lower case |
|
915 | * (default: FALSE) |
|
916 | * @return string |
|
917 | * |
|
918 | * @codeCoverageIgnore |
|
919 | */ |
|
920 | public function method($upper = FALSE) |
|
921 | { |
|
922 | return ($upper) |
|
923 | ? strtoupper($this->server('REQUEST_METHOD')) |
|
924 | : strtolower($this->server('REQUEST_METHOD')); |
|
925 | } |
|
926 | ||
927 | // ------------------------------------------------------------------------ |
|
928 | ||
929 | /** |
|
930 | * Magic __get() |
|
931 | * |
|
932 | * Allows read access to protected properties |
|
933 | * |
|
934 | * @param string $name |
|
935 | * @return mixed |
|
936 | * |
|
937 | * @codeCoverageIgnore |
|
938 | */ |
|
939 | public function __get($name) |
|
940 | { |
|
941 | if ($name === 'raw_input_stream') |
|
942 | { |
|
943 | isset($this->_raw_input_stream) OR $this->_raw_input_stream = file_get_contents('php://input'); |
|
944 | return $this->_raw_input_stream; |
|
945 | } |
|
946 | elseif ($name === 'ip_address') |
|
947 | { |
|
948 | return $this->ip_address; |
|
949 | } |
|
950 | } |
|
951 | ||
952 | } |
|
953 |
@@ 51-952 (lines=902) @@ | ||
48 | * @author EllisLab Dev Team |
|
49 | * @link https://codeigniter.com/user_guide/libraries/input.html |
|
50 | */ |
|
51 | class CI_Input { |
|
52 | ||
53 | /** |
|
54 | * IP address of the current user |
|
55 | * |
|
56 | * @var string |
|
57 | */ |
|
58 | protected $ip_address = FALSE; |
|
59 | ||
60 | /** |
|
61 | * Allow GET array flag |
|
62 | * |
|
63 | * If set to FALSE, then $_GET will be set to an empty array. |
|
64 | * |
|
65 | * @var bool |
|
66 | */ |
|
67 | protected $_allow_get_array = TRUE; |
|
68 | ||
69 | /** |
|
70 | * Standardize new lines flag |
|
71 | * |
|
72 | * If set to TRUE, then newlines are standardized. |
|
73 | * |
|
74 | * @var bool |
|
75 | */ |
|
76 | protected $_standardize_newlines; |
|
77 | ||
78 | /** |
|
79 | * Enable XSS flag |
|
80 | * |
|
81 | * Determines whether the XSS filter is always active when |
|
82 | * GET, POST or COOKIE data is encountered. |
|
83 | * Set automatically based on config setting. |
|
84 | * |
|
85 | * @var bool |
|
86 | */ |
|
87 | protected $_enable_xss = FALSE; |
|
88 | ||
89 | /** |
|
90 | * Enable CSRF flag |
|
91 | * |
|
92 | * Enables a CSRF cookie token to be set. |
|
93 | * Set automatically based on config setting. |
|
94 | * |
|
95 | * @var bool |
|
96 | */ |
|
97 | protected $_enable_csrf = FALSE; |
|
98 | ||
99 | /** |
|
100 | * List of all HTTP request headers |
|
101 | * |
|
102 | * @var array |
|
103 | */ |
|
104 | protected $headers = array(); |
|
105 | ||
106 | /** |
|
107 | * Raw input stream data |
|
108 | * |
|
109 | * Holds a cache of php://input contents |
|
110 | * |
|
111 | * @var string |
|
112 | */ |
|
113 | protected $_raw_input_stream; |
|
114 | ||
115 | /** |
|
116 | * Parsed input stream data |
|
117 | * |
|
118 | * Parsed from php://input at runtime |
|
119 | * |
|
120 | * @see CI_Input::input_stream() |
|
121 | * @var array |
|
122 | */ |
|
123 | protected $_input_stream; |
|
124 | ||
125 | protected $security; |
|
126 | protected $uni; |
|
127 | ||
128 | // -------------------------------------------------------------------- |
|
129 | ||
130 | /** |
|
131 | * Class constructor |
|
132 | * |
|
133 | * Determines whether to globally enable the XSS processing |
|
134 | * and whether to allow the $_GET array. |
|
135 | * |
|
136 | * @return void |
|
137 | * |
|
138 | * @codeCoverageIgnore |
|
139 | */ |
|
140 | public function __construct() |
|
141 | { |
|
142 | $this->_allow_get_array = (config_item('allow_get_array') === TRUE); |
|
143 | $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); |
|
144 | $this->_enable_csrf = (config_item('csrf_protection') === TRUE); |
|
145 | $this->_standardize_newlines = (bool) config_item('standardize_newlines'); |
|
146 | ||
147 | $this->security =& load_class('Security', 'core'); |
|
148 | ||
149 | // Do we need the UTF-8 class? |
|
150 | if (UTF8_ENABLED === TRUE) |
|
151 | { |
|
152 | $this->uni =& load_class('Utf8', 'core'); |
|
153 | } |
|
154 | ||
155 | // Sanitize global arrays |
|
156 | $this->_sanitize_globals(); |
|
157 | ||
158 | // CSRF Protection check |
|
159 | if ($this->_enable_csrf === TRUE && ! is_cli()) |
|
160 | { |
|
161 | $this->security->csrf_verify(); |
|
162 | } |
|
163 | ||
164 | log_message('info', 'Input Class Initialized'); |
|
165 | } |
|
166 | ||
167 | // -------------------------------------------------------------------- |
|
168 | ||
169 | /** |
|
170 | * Fetch from array |
|
171 | * |
|
172 | * Internal method used to retrieve values from global arrays. |
|
173 | * |
|
174 | * @param array &$array $_GET, $_POST, $_COOKIE, $_SERVER, etc. |
|
175 | * @param mixed $index Index for item to be fetched from $array |
|
176 | * @param bool $xss_clean Whether to apply XSS filtering |
|
177 | * @return mixed |
|
178 | * |
|
179 | * @codeCoverageIgnore |
|
180 | */ |
|
181 | protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL) |
|
182 | { |
|
183 | is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; |
|
184 | ||
185 | // If $index is NULL, it means that the whole $array is requested |
|
186 | isset($index) OR $index = array_keys($array); |
|
187 | ||
188 | // allow fetching multiple keys at once |
|
189 | if (is_array($index)) |
|
190 | { |
|
191 | $output = array(); |
|
192 | foreach ($index as $key) |
|
193 | { |
|
194 | $output[$key] = $this->_fetch_from_array($array, $key, $xss_clean); |
|
195 | } |
|
196 | ||
197 | return $output; |
|
198 | } |
|
199 | ||
200 | if (isset($array[$index])) |
|
201 | { |
|
202 | $value = $array[$index]; |
|
203 | } |
|
204 | elseif (($count = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $index, $matches)) > 1) // Does the index contain array notation |
|
205 | { |
|
206 | $value = $array; |
|
207 | for ($i = 0; $i < $count; $i++) |
|
208 | { |
|
209 | $key = trim($matches[0][$i], '[]'); |
|
210 | if ($key === '') // Empty notation will return the value as array |
|
211 | { |
|
212 | break; |
|
213 | } |
|
214 | ||
215 | if (isset($value[$key])) |
|
216 | { |
|
217 | $value = $value[$key]; |
|
218 | } |
|
219 | else |
|
220 | { |
|
221 | return NULL; |
|
222 | } |
|
223 | } |
|
224 | } |
|
225 | else |
|
226 | { |
|
227 | return NULL; |
|
228 | } |
|
229 | ||
230 | return ($xss_clean === TRUE) |
|
231 | ? $this->security->xss_clean($value) |
|
232 | : $value; |
|
233 | } |
|
234 | ||
235 | // -------------------------------------------------------------------- |
|
236 | ||
237 | /** |
|
238 | * Fetch an item from the GET array |
|
239 | * |
|
240 | * @param mixed $index Index for item to be fetched from $_GET |
|
241 | * @param bool $xss_clean Whether to apply XSS filtering |
|
242 | * @return mixed |
|
243 | * |
|
244 | * @codeCoverageIgnore |
|
245 | */ |
|
246 | public function get($index = NULL, $xss_clean = NULL) |
|
247 | { |
|
248 | return $this->_fetch_from_array($_GET, $index, $xss_clean); |
|
249 | } |
|
250 | ||
251 | // -------------------------------------------------------------------- |
|
252 | ||
253 | /** |
|
254 | * Fetch an item from the POST array |
|
255 | * |
|
256 | * @param mixed $index Index for item to be fetched from $_POST |
|
257 | * @param bool $xss_clean Whether to apply XSS filtering |
|
258 | * @return mixed |
|
259 | * |
|
260 | * @codeCoverageIgnore |
|
261 | */ |
|
262 | public function post($index = NULL, $xss_clean = NULL) |
|
263 | { |
|
264 | return $this->_fetch_from_array($_POST, $index, $xss_clean); |
|
265 | } |
|
266 | ||
267 | // -------------------------------------------------------------------- |
|
268 | ||
269 | /** |
|
270 | * Fetch an item from POST data with fallback to GET |
|
271 | * |
|
272 | * @param string $index Index for item to be fetched from $_POST or $_GET |
|
273 | * @param bool $xss_clean Whether to apply XSS filtering |
|
274 | * @return mixed |
|
275 | * |
|
276 | * @codeCoverageIgnore |
|
277 | */ |
|
278 | public function post_get($index, $xss_clean = NULL) |
|
279 | { |
|
280 | return isset($_POST[$index]) |
|
281 | ? $this->post($index, $xss_clean) |
|
282 | : $this->get($index, $xss_clean); |
|
283 | } |
|
284 | ||
285 | // -------------------------------------------------------------------- |
|
286 | ||
287 | /** |
|
288 | * Fetch an item from GET data with fallback to POST |
|
289 | * |
|
290 | * @param string $index Index for item to be fetched from $_GET or $_POST |
|
291 | * @param bool $xss_clean Whether to apply XSS filtering |
|
292 | * @return mixed |
|
293 | * |
|
294 | * @codeCoverageIgnore |
|
295 | */ |
|
296 | public function get_post($index, $xss_clean = NULL) |
|
297 | { |
|
298 | return isset($_GET[$index]) |
|
299 | ? $this->get($index, $xss_clean) |
|
300 | : $this->post($index, $xss_clean); |
|
301 | } |
|
302 | ||
303 | // -------------------------------------------------------------------- |
|
304 | ||
305 | /** |
|
306 | * Fetch an item from the COOKIE array |
|
307 | * |
|
308 | * @param mixed $index Index for item to be fetched from $_COOKIE |
|
309 | * @param bool $xss_clean Whether to apply XSS filtering |
|
310 | * @return mixed |
|
311 | * |
|
312 | * @codeCoverageIgnore |
|
313 | */ |
|
314 | public function cookie($index = NULL, $xss_clean = NULL) |
|
315 | { |
|
316 | return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); |
|
317 | } |
|
318 | ||
319 | // -------------------------------------------------------------------- |
|
320 | ||
321 | /** |
|
322 | * Fetch an item from the SERVER array |
|
323 | * |
|
324 | * @param mixed $index Index for item to be fetched from $_SERVER |
|
325 | * @param bool $xss_clean Whether to apply XSS filtering |
|
326 | * @return mixed |
|
327 | * |
|
328 | * @codeCoverageIgnore |
|
329 | */ |
|
330 | public function server($index, $xss_clean = NULL) |
|
331 | { |
|
332 | return $this->_fetch_from_array($_SERVER, $index, $xss_clean); |
|
333 | } |
|
334 | ||
335 | // ------------------------------------------------------------------------ |
|
336 | ||
337 | /** |
|
338 | * Fetch an item from the php://input stream |
|
339 | * |
|
340 | * Useful when you need to access PUT, DELETE or PATCH request data. |
|
341 | * |
|
342 | * @param string $index Index for item to be fetched |
|
343 | * @param bool $xss_clean Whether to apply XSS filtering |
|
344 | * @return mixed |
|
345 | * |
|
346 | * @codeCoverageIgnore |
|
347 | */ |
|
348 | public function input_stream($index = NULL, $xss_clean = NULL) |
|
349 | { |
|
350 | // Prior to PHP 5.6, the input stream can only be read once, |
|
351 | // so we'll need to check if we have already done that first. |
|
352 | if ( ! is_array($this->_input_stream)) |
|
353 | { |
|
354 | // $this->raw_input_stream will trigger __get(). |
|
355 | parse_str($this->raw_input_stream, $this->_input_stream); |
|
356 | is_array($this->_input_stream) OR $this->_input_stream = array(); |
|
357 | } |
|
358 | ||
359 | return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean); |
|
360 | } |
|
361 | ||
362 | // ------------------------------------------------------------------------ |
|
363 | ||
364 | /** |
|
365 | * Set cookie |
|
366 | * |
|
367 | * Accepts an arbitrary number of parameters (up to 7) or an associative |
|
368 | * array in the first parameter containing all the values. |
|
369 | * |
|
370 | * @param string|mixed[] $name Cookie name or an array containing parameters |
|
371 | * @param string $value Cookie value |
|
372 | * @param int $expire Cookie expiration time in seconds |
|
373 | * @param string $domain Cookie domain (e.g.: '.yourdomain.com') |
|
374 | * @param string $path Cookie path (default: '/') |
|
375 | * @param string $prefix Cookie name prefix |
|
376 | * @param bool $secure Whether to only transfer cookies via SSL |
|
377 | * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) |
|
378 | * @return void |
|
379 | * |
|
380 | * modified by ci-phpunit-test |
|
381 | */ |
|
382 | public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) |
|
383 | { |
|
384 | if (is_array($name)) |
|
385 | { |
|
386 | // always leave 'name' in last place, as the loop will break otherwise, due to $$item |
|
387 | foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item) |
|
388 | { |
|
389 | if (isset($name[$item])) |
|
390 | { |
|
391 | $$item = $name[$item]; |
|
392 | } |
|
393 | } |
|
394 | } |
|
395 | ||
396 | if ($prefix === '' && config_item('cookie_prefix') !== '') |
|
397 | { |
|
398 | $prefix = config_item('cookie_prefix'); |
|
399 | } |
|
400 | ||
401 | if ($domain == '' && config_item('cookie_domain') != '') |
|
402 | { |
|
403 | $domain = config_item('cookie_domain'); |
|
404 | } |
|
405 | ||
406 | if ($path === '/' && config_item('cookie_path') !== '/') |
|
407 | { |
|
408 | $path = config_item('cookie_path'); |
|
409 | } |
|
410 | ||
411 | $secure = ($secure === NULL && config_item('cookie_secure') !== NULL) |
|
412 | ? (bool) config_item('cookie_secure') |
|
413 | : (bool) $secure; |
|
414 | ||
415 | $httponly = ($httponly === NULL && config_item('cookie_httponly') !== NULL) |
|
416 | ? (bool) config_item('cookie_httponly') |
|
417 | : (bool) $httponly; |
|
418 | ||
419 | if ( ! is_numeric($expire)) |
|
420 | { |
|
421 | $expire = time() - 86500; |
|
422 | } |
|
423 | else |
|
424 | { |
|
425 | $expire = ($expire > 0) ? time() + $expire : 0; |
|
426 | } |
|
427 | ||
428 | // setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly); |
|
429 | ||
430 | // Save cookie in Output object |
|
431 | // added by ci-phpunit-test |
|
432 | $CI =& get_instance(); |
|
433 | $output = $CI->output; |
|
434 | $output->_cookies[$prefix.$name][] = [ |
|
435 | 'value' => $value, |
|
436 | 'expire' => $expire, |
|
437 | 'path' => $path, |
|
438 | 'domain' => $domain, |
|
439 | 'secure' => $secure, |
|
440 | 'httponly' => $httponly, |
|
441 | ]; |
|
442 | } |
|
443 | ||
444 | // -------------------------------------------------------------------- |
|
445 | ||
446 | /** |
|
447 | * Fetch the IP Address |
|
448 | * |
|
449 | * Determines and validates the visitor's IP address. |
|
450 | * |
|
451 | * @return string IP address |
|
452 | * |
|
453 | * @codeCoverageIgnore |
|
454 | */ |
|
455 | public function ip_address() |
|
456 | { |
|
457 | if ($this->ip_address !== FALSE) |
|
458 | { |
|
459 | return $this->ip_address; |
|
460 | } |
|
461 | ||
462 | $proxy_ips = config_item('proxy_ips'); |
|
463 | if ( ! empty($proxy_ips) && ! is_array($proxy_ips)) |
|
464 | { |
|
465 | $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); |
|
466 | } |
|
467 | ||
468 | $this->ip_address = $this->server('REMOTE_ADDR'); |
|
469 | ||
470 | if ($proxy_ips) |
|
471 | { |
|
472 | foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header) |
|
473 | { |
|
474 | if (($spoof = $this->server($header)) !== NULL) |
|
475 | { |
|
476 | // Some proxies typically list the whole chain of IP |
|
477 | // addresses through which the client has reached us. |
|
478 | // e.g. client_ip, proxy_ip1, proxy_ip2, etc. |
|
479 | sscanf($spoof, '%[^,]', $spoof); |
|
480 | ||
481 | if ( ! $this->valid_ip($spoof)) |
|
482 | { |
|
483 | $spoof = NULL; |
|
484 | } |
|
485 | else |
|
486 | { |
|
487 | break; |
|
488 | } |
|
489 | } |
|
490 | } |
|
491 | ||
492 | if ($spoof) |
|
493 | { |
|
494 | for ($i = 0, $c = count($proxy_ips); $i < $c; $i++) |
|
495 | { |
|
496 | // Check if we have an IP address or a subnet |
|
497 | if (strpos($proxy_ips[$i], '/') === FALSE) |
|
498 | { |
|
499 | // An IP address (and not a subnet) is specified. |
|
500 | // We can compare right away. |
|
501 | if ($proxy_ips[$i] === $this->ip_address) |
|
502 | { |
|
503 | $this->ip_address = $spoof; |
|
504 | break; |
|
505 | } |
|
506 | ||
507 | continue; |
|
508 | } |
|
509 | ||
510 | // We have a subnet ... now the heavy lifting begins |
|
511 | isset($separator) OR $separator = $this->valid_ip($this->ip_address, 'ipv6') ? ':' : '.'; |
|
512 | ||
513 | // If the proxy entry doesn't match the IP protocol - skip it |
|
514 | if (strpos($proxy_ips[$i], $separator) === FALSE) |
|
515 | { |
|
516 | continue; |
|
517 | } |
|
518 | ||
519 | // Convert the REMOTE_ADDR IP address to binary, if needed |
|
520 | if ( ! isset($ip, $sprintf)) |
|
521 | { |
|
522 | if ($separator === ':') |
|
523 | { |
|
524 | // Make sure we're have the "full" IPv6 format |
|
525 | $ip = explode(':', |
|
526 | str_replace('::', |
|
527 | str_repeat(':', 9 - substr_count($this->ip_address, ':')), |
|
528 | $this->ip_address |
|
529 | ) |
|
530 | ); |
|
531 | ||
532 | for ($j = 0; $j < 8; $j++) |
|
533 | { |
|
534 | $ip[$j] = intval($ip[$j], 16); |
|
535 | } |
|
536 | ||
537 | $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; |
|
538 | } |
|
539 | else |
|
540 | { |
|
541 | $ip = explode('.', $this->ip_address); |
|
542 | $sprintf = '%08b%08b%08b%08b'; |
|
543 | } |
|
544 | ||
545 | $ip = vsprintf($sprintf, $ip); |
|
546 | } |
|
547 | ||
548 | // Split the netmask length off the network address |
|
549 | sscanf($proxy_ips[$i], '%[^/]/%d', $netaddr, $masklen); |
|
550 | ||
551 | // Again, an IPv6 address is most likely in a compressed form |
|
552 | if ($separator === ':') |
|
553 | { |
|
554 | $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr)); |
|
555 | for ($j = 0; $j < 8; $j++) |
|
556 | { |
|
557 | $netaddr[$j] = intval($netaddr[$j], 16); |
|
558 | } |
|
559 | } |
|
560 | else |
|
561 | { |
|
562 | $netaddr = explode('.', $netaddr); |
|
563 | } |
|
564 | ||
565 | // Convert to binary and finally compare |
|
566 | if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) |
|
567 | { |
|
568 | $this->ip_address = $spoof; |
|
569 | break; |
|
570 | } |
|
571 | } |
|
572 | } |
|
573 | } |
|
574 | ||
575 | if ( ! $this->valid_ip($this->ip_address)) |
|
576 | { |
|
577 | return $this->ip_address = '0.0.0.0'; |
|
578 | } |
|
579 | ||
580 | return $this->ip_address; |
|
581 | } |
|
582 | ||
583 | // -------------------------------------------------------------------- |
|
584 | ||
585 | /** |
|
586 | * Validate IP Address |
|
587 | * |
|
588 | * @param string $ip IP address |
|
589 | * @param string $which IP protocol: 'ipv4' or 'ipv6' |
|
590 | * @return bool |
|
591 | * |
|
592 | * @codeCoverageIgnore |
|
593 | */ |
|
594 | public function valid_ip($ip, $which = '') |
|
595 | { |
|
596 | switch (strtolower($which)) |
|
597 | { |
|
598 | case 'ipv4': |
|
599 | $which = FILTER_FLAG_IPV4; |
|
600 | break; |
|
601 | case 'ipv6': |
|
602 | $which = FILTER_FLAG_IPV6; |
|
603 | break; |
|
604 | default: |
|
605 | $which = NULL; |
|
606 | break; |
|
607 | } |
|
608 | ||
609 | return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which); |
|
610 | } |
|
611 | ||
612 | // -------------------------------------------------------------------- |
|
613 | ||
614 | /** |
|
615 | * Fetch User Agent string |
|
616 | * |
|
617 | * @return string|null User Agent string or NULL if it doesn't exist |
|
618 | * |
|
619 | * @codeCoverageIgnore |
|
620 | */ |
|
621 | public function user_agent($xss_clean = NULL) |
|
622 | { |
|
623 | return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean); |
|
624 | } |
|
625 | ||
626 | // -------------------------------------------------------------------- |
|
627 | ||
628 | /** |
|
629 | * Sanitize Globals |
|
630 | * |
|
631 | * Internal method serving for the following purposes: |
|
632 | * |
|
633 | * - Unsets $_GET data, if query strings are not enabled |
|
634 | * - Cleans POST, COOKIE and SERVER data |
|
635 | * - Standardizes newline characters to PHP_EOL |
|
636 | * |
|
637 | * @return void |
|
638 | * |
|
639 | * @codeCoverageIgnore |
|
640 | */ |
|
641 | protected function _sanitize_globals() |
|
642 | { |
|
643 | // Is $_GET data allowed? If not we'll set the $_GET to an empty array |
|
644 | if ($this->_allow_get_array === FALSE) |
|
645 | { |
|
646 | $_GET = array(); |
|
647 | } |
|
648 | elseif (is_array($_GET)) |
|
649 | { |
|
650 | foreach ($_GET as $key => $val) |
|
651 | { |
|
652 | $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
653 | } |
|
654 | } |
|
655 | ||
656 | // Clean $_POST Data |
|
657 | if (is_array($_POST)) |
|
658 | { |
|
659 | foreach ($_POST as $key => $val) |
|
660 | { |
|
661 | $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
662 | } |
|
663 | } |
|
664 | ||
665 | // Clean $_COOKIE Data |
|
666 | if (is_array($_COOKIE)) |
|
667 | { |
|
668 | // Also get rid of specially treated cookies that might be set by a server |
|
669 | // or silly application, that are of no use to a CI application anyway |
|
670 | // but that when present will trip our 'Disallowed Key Characters' alarm |
|
671 | // http://www.ietf.org/rfc/rfc2109.txt |
|
672 | // note that the key names below are single quoted strings, and are not PHP variables |
|
673 | unset( |
|
674 | $_COOKIE['$Version'], |
|
675 | $_COOKIE['$Path'], |
|
676 | $_COOKIE['$Domain'] |
|
677 | ); |
|
678 | ||
679 | foreach ($_COOKIE as $key => $val) |
|
680 | { |
|
681 | if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) |
|
682 | { |
|
683 | $_COOKIE[$cookie_key] = $this->_clean_input_data($val); |
|
684 | } |
|
685 | else |
|
686 | { |
|
687 | unset($_COOKIE[$key]); |
|
688 | } |
|
689 | } |
|
690 | } |
|
691 | ||
692 | // Sanitize PHP_SELF |
|
693 | $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); |
|
694 | ||
695 | log_message('debug', 'Global POST, GET and COOKIE data sanitized'); |
|
696 | } |
|
697 | ||
698 | // -------------------------------------------------------------------- |
|
699 | ||
700 | /** |
|
701 | * Clean Input Data |
|
702 | * |
|
703 | * Internal method that aids in escaping data and |
|
704 | * standardizing newline characters to PHP_EOL. |
|
705 | * |
|
706 | * @param string|string[] $str Input string(s) |
|
707 | * @return string |
|
708 | * |
|
709 | * @codeCoverageIgnore |
|
710 | */ |
|
711 | protected function _clean_input_data($str) |
|
712 | { |
|
713 | if (is_array($str)) |
|
714 | { |
|
715 | $new_array = array(); |
|
716 | foreach (array_keys($str) as $key) |
|
717 | { |
|
718 | $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); |
|
719 | } |
|
720 | return $new_array; |
|
721 | } |
|
722 | ||
723 | /* We strip slashes if magic quotes is on to keep things consistent |
|
724 | ||
725 | NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and |
|
726 | it will probably not exist in future versions at all. |
|
727 | */ |
|
728 | if ( ! is_php('5.4') && get_magic_quotes_gpc()) |
|
729 | { |
|
730 | $str = stripslashes($str); |
|
731 | } |
|
732 | ||
733 | // Clean UTF-8 if supported |
|
734 | if (UTF8_ENABLED === TRUE) |
|
735 | { |
|
736 | $str = $this->uni->clean_string($str); |
|
737 | } |
|
738 | ||
739 | // Remove control characters |
|
740 | $str = remove_invisible_characters($str, FALSE); |
|
741 | ||
742 | // Standardize newlines if needed |
|
743 | if ($this->_standardize_newlines === TRUE) |
|
744 | { |
|
745 | return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str); |
|
746 | } |
|
747 | ||
748 | return $str; |
|
749 | } |
|
750 | ||
751 | // -------------------------------------------------------------------- |
|
752 | ||
753 | /** |
|
754 | * Clean Keys |
|
755 | * |
|
756 | * Internal method that helps to prevent malicious users |
|
757 | * from trying to exploit keys we make sure that keys are |
|
758 | * only named with alpha-numeric text and a few other items. |
|
759 | * |
|
760 | * @param string $str Input string |
|
761 | * @param bool $fatal Whether to terminate script exection |
|
762 | * or to return FALSE if an invalid |
|
763 | * key is encountered |
|
764 | * @return string|bool |
|
765 | * |
|
766 | * @codeCoverageIgnore |
|
767 | */ |
|
768 | protected function _clean_input_keys($str, $fatal = TRUE) |
|
769 | { |
|
770 | if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) |
|
771 | { |
|
772 | if ($fatal === TRUE) |
|
773 | { |
|
774 | return FALSE; |
|
775 | } |
|
776 | else |
|
777 | { |
|
778 | set_status_header(503); |
|
779 | echo 'Disallowed Key Characters.'; |
|
780 | exit(7); // EXIT_USER_INPUT |
|
781 | } |
|
782 | } |
|
783 | ||
784 | // Clean UTF-8 if supported |
|
785 | if (UTF8_ENABLED === TRUE) |
|
786 | { |
|
787 | return $this->uni->clean_string($str); |
|
788 | } |
|
789 | ||
790 | return $str; |
|
791 | } |
|
792 | ||
793 | // -------------------------------------------------------------------- |
|
794 | ||
795 | /** |
|
796 | * Request Headers |
|
797 | * |
|
798 | * @param bool $xss_clean Whether to apply XSS filtering |
|
799 | * @return array |
|
800 | * |
|
801 | * @codeCoverageIgnore |
|
802 | */ |
|
803 | public function request_headers($xss_clean = FALSE) |
|
804 | { |
|
805 | // If header is already defined, return it immediately |
|
806 | if ( ! empty($this->headers)) |
|
807 | { |
|
808 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
809 | } |
|
810 | ||
811 | // In Apache, you can simply call apache_request_headers() |
|
812 | if (function_exists('apache_request_headers')) |
|
813 | { |
|
814 | $this->headers = apache_request_headers(); |
|
815 | } |
|
816 | else |
|
817 | { |
|
818 | isset($_SERVER['CONTENT_TYPE']) && $this->headers['Content-Type'] = $_SERVER['CONTENT_TYPE']; |
|
819 | ||
820 | foreach ($_SERVER as $key => $val) |
|
821 | { |
|
822 | if (sscanf($key, 'HTTP_%s', $header) === 1) |
|
823 | { |
|
824 | // take SOME_HEADER and turn it into Some-Header |
|
825 | $header = str_replace('_', ' ', strtolower($header)); |
|
826 | $header = str_replace(' ', '-', ucwords($header)); |
|
827 | ||
828 | $this->headers[$header] = $_SERVER[$key]; |
|
829 | } |
|
830 | } |
|
831 | } |
|
832 | ||
833 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
834 | } |
|
835 | ||
836 | // -------------------------------------------------------------------- |
|
837 | ||
838 | /** |
|
839 | * Get Request Header |
|
840 | * |
|
841 | * Returns the value of a single member of the headers class member |
|
842 | * |
|
843 | * @param string $index Header name |
|
844 | * @param bool $xss_clean Whether to apply XSS filtering |
|
845 | * @return string|null The requested header on success or NULL on failure |
|
846 | * |
|
847 | * modified by ci-phpunit-test |
|
848 | */ |
|
849 | public function get_request_header($index, $xss_clean = FALSE) |
|
850 | { |
|
851 | // static $headers; |
|
852 | ||
853 | if ( ! isset($headers)) |
|
854 | { |
|
855 | empty($this->headers) && $this->request_headers(); |
|
856 | foreach ($this->headers as $key => $value) |
|
857 | { |
|
858 | $headers[strtolower($key)] = $value; |
|
859 | } |
|
860 | } |
|
861 | ||
862 | $index = strtolower($index); |
|
863 | ||
864 | if ( ! isset($headers[$index])) |
|
865 | { |
|
866 | return NULL; |
|
867 | } |
|
868 | ||
869 | return ($xss_clean === TRUE) |
|
870 | ? $this->security->xss_clean($headers[$index]) |
|
871 | : $headers[$index]; |
|
872 | } |
|
873 | ||
874 | // -------------------------------------------------------------------- |
|
875 | ||
876 | /** |
|
877 | * Is AJAX request? |
|
878 | * |
|
879 | * Test to see if a request contains the HTTP_X_REQUESTED_WITH header. |
|
880 | * |
|
881 | * @return bool |
|
882 | * |
|
883 | * @codeCoverageIgnore |
|
884 | */ |
|
885 | public function is_ajax_request() |
|
886 | { |
|
887 | return ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest'); |
|
888 | } |
|
889 | ||
890 | // -------------------------------------------------------------------- |
|
891 | ||
892 | /** |
|
893 | * Is CLI request? |
|
894 | * |
|
895 | * Test to see if a request was made from the command line. |
|
896 | * |
|
897 | * @deprecated 3.0.0 Use is_cli() instead |
|
898 | * @return bool |
|
899 | * |
|
900 | * @codeCoverageIgnore |
|
901 | */ |
|
902 | public function is_cli_request() |
|
903 | { |
|
904 | return is_cli(); |
|
905 | } |
|
906 | ||
907 | // -------------------------------------------------------------------- |
|
908 | ||
909 | /** |
|
910 | * Get Request Method |
|
911 | * |
|
912 | * Return the request method |
|
913 | * |
|
914 | * @param bool $upper Whether to return in upper or lower case |
|
915 | * (default: FALSE) |
|
916 | * @return string |
|
917 | * |
|
918 | * @codeCoverageIgnore |
|
919 | */ |
|
920 | public function method($upper = FALSE) |
|
921 | { |
|
922 | return ($upper) |
|
923 | ? strtoupper($this->server('REQUEST_METHOD')) |
|
924 | : strtolower($this->server('REQUEST_METHOD')); |
|
925 | } |
|
926 | ||
927 | // ------------------------------------------------------------------------ |
|
928 | ||
929 | /** |
|
930 | * Magic __get() |
|
931 | * |
|
932 | * Allows read access to protected properties |
|
933 | * |
|
934 | * @param string $name |
|
935 | * @return mixed |
|
936 | * |
|
937 | * @codeCoverageIgnore |
|
938 | */ |
|
939 | public function __get($name) |
|
940 | { |
|
941 | if ($name === 'raw_input_stream') |
|
942 | { |
|
943 | isset($this->_raw_input_stream) OR $this->_raw_input_stream = file_get_contents('php://input'); |
|
944 | return $this->_raw_input_stream; |
|
945 | } |
|
946 | elseif ($name === 'ip_address') |
|
947 | { |
|
948 | return $this->ip_address; |
|
949 | } |
|
950 | } |
|
951 | ||
952 | } |
|
953 |
@@ 51-952 (lines=902) @@ | ||
48 | * @author EllisLab Dev Team |
|
49 | * @link https://codeigniter.com/user_guide/libraries/input.html |
|
50 | */ |
|
51 | class CI_Input { |
|
52 | ||
53 | /** |
|
54 | * IP address of the current user |
|
55 | * |
|
56 | * @var string |
|
57 | */ |
|
58 | protected $ip_address = FALSE; |
|
59 | ||
60 | /** |
|
61 | * Allow GET array flag |
|
62 | * |
|
63 | * If set to FALSE, then $_GET will be set to an empty array. |
|
64 | * |
|
65 | * @var bool |
|
66 | */ |
|
67 | protected $_allow_get_array = TRUE; |
|
68 | ||
69 | /** |
|
70 | * Standardize new lines flag |
|
71 | * |
|
72 | * If set to TRUE, then newlines are standardized. |
|
73 | * |
|
74 | * @var bool |
|
75 | */ |
|
76 | protected $_standardize_newlines; |
|
77 | ||
78 | /** |
|
79 | * Enable XSS flag |
|
80 | * |
|
81 | * Determines whether the XSS filter is always active when |
|
82 | * GET, POST or COOKIE data is encountered. |
|
83 | * Set automatically based on config setting. |
|
84 | * |
|
85 | * @var bool |
|
86 | */ |
|
87 | protected $_enable_xss = FALSE; |
|
88 | ||
89 | /** |
|
90 | * Enable CSRF flag |
|
91 | * |
|
92 | * Enables a CSRF cookie token to be set. |
|
93 | * Set automatically based on config setting. |
|
94 | * |
|
95 | * @var bool |
|
96 | */ |
|
97 | protected $_enable_csrf = FALSE; |
|
98 | ||
99 | /** |
|
100 | * List of all HTTP request headers |
|
101 | * |
|
102 | * @var array |
|
103 | */ |
|
104 | protected $headers = array(); |
|
105 | ||
106 | /** |
|
107 | * Raw input stream data |
|
108 | * |
|
109 | * Holds a cache of php://input contents |
|
110 | * |
|
111 | * @var string |
|
112 | */ |
|
113 | protected $_raw_input_stream; |
|
114 | ||
115 | /** |
|
116 | * Parsed input stream data |
|
117 | * |
|
118 | * Parsed from php://input at runtime |
|
119 | * |
|
120 | * @see CI_Input::input_stream() |
|
121 | * @var array |
|
122 | */ |
|
123 | protected $_input_stream; |
|
124 | ||
125 | protected $security; |
|
126 | protected $uni; |
|
127 | ||
128 | // -------------------------------------------------------------------- |
|
129 | ||
130 | /** |
|
131 | * Class constructor |
|
132 | * |
|
133 | * Determines whether to globally enable the XSS processing |
|
134 | * and whether to allow the $_GET array. |
|
135 | * |
|
136 | * @return void |
|
137 | * |
|
138 | * @codeCoverageIgnore |
|
139 | */ |
|
140 | public function __construct() |
|
141 | { |
|
142 | $this->_allow_get_array = (config_item('allow_get_array') === TRUE); |
|
143 | $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); |
|
144 | $this->_enable_csrf = (config_item('csrf_protection') === TRUE); |
|
145 | $this->_standardize_newlines = (bool) config_item('standardize_newlines'); |
|
146 | ||
147 | $this->security =& load_class('Security', 'core'); |
|
148 | ||
149 | // Do we need the UTF-8 class? |
|
150 | if (UTF8_ENABLED === TRUE) |
|
151 | { |
|
152 | $this->uni =& load_class('Utf8', 'core'); |
|
153 | } |
|
154 | ||
155 | // Sanitize global arrays |
|
156 | $this->_sanitize_globals(); |
|
157 | ||
158 | // CSRF Protection check |
|
159 | if ($this->_enable_csrf === TRUE && ! is_cli()) |
|
160 | { |
|
161 | $this->security->csrf_verify(); |
|
162 | } |
|
163 | ||
164 | log_message('info', 'Input Class Initialized'); |
|
165 | } |
|
166 | ||
167 | // -------------------------------------------------------------------- |
|
168 | ||
169 | /** |
|
170 | * Fetch from array |
|
171 | * |
|
172 | * Internal method used to retrieve values from global arrays. |
|
173 | * |
|
174 | * @param array &$array $_GET, $_POST, $_COOKIE, $_SERVER, etc. |
|
175 | * @param mixed $index Index for item to be fetched from $array |
|
176 | * @param bool $xss_clean Whether to apply XSS filtering |
|
177 | * @return mixed |
|
178 | * |
|
179 | * @codeCoverageIgnore |
|
180 | */ |
|
181 | protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL) |
|
182 | { |
|
183 | is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; |
|
184 | ||
185 | // If $index is NULL, it means that the whole $array is requested |
|
186 | isset($index) OR $index = array_keys($array); |
|
187 | ||
188 | // allow fetching multiple keys at once |
|
189 | if (is_array($index)) |
|
190 | { |
|
191 | $output = array(); |
|
192 | foreach ($index as $key) |
|
193 | { |
|
194 | $output[$key] = $this->_fetch_from_array($array, $key, $xss_clean); |
|
195 | } |
|
196 | ||
197 | return $output; |
|
198 | } |
|
199 | ||
200 | if (isset($array[$index])) |
|
201 | { |
|
202 | $value = $array[$index]; |
|
203 | } |
|
204 | elseif (($count = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $index, $matches)) > 1) // Does the index contain array notation |
|
205 | { |
|
206 | $value = $array; |
|
207 | for ($i = 0; $i < $count; $i++) |
|
208 | { |
|
209 | $key = trim($matches[0][$i], '[]'); |
|
210 | if ($key === '') // Empty notation will return the value as array |
|
211 | { |
|
212 | break; |
|
213 | } |
|
214 | ||
215 | if (isset($value[$key])) |
|
216 | { |
|
217 | $value = $value[$key]; |
|
218 | } |
|
219 | else |
|
220 | { |
|
221 | return NULL; |
|
222 | } |
|
223 | } |
|
224 | } |
|
225 | else |
|
226 | { |
|
227 | return NULL; |
|
228 | } |
|
229 | ||
230 | return ($xss_clean === TRUE) |
|
231 | ? $this->security->xss_clean($value) |
|
232 | : $value; |
|
233 | } |
|
234 | ||
235 | // -------------------------------------------------------------------- |
|
236 | ||
237 | /** |
|
238 | * Fetch an item from the GET array |
|
239 | * |
|
240 | * @param mixed $index Index for item to be fetched from $_GET |
|
241 | * @param bool $xss_clean Whether to apply XSS filtering |
|
242 | * @return mixed |
|
243 | * |
|
244 | * @codeCoverageIgnore |
|
245 | */ |
|
246 | public function get($index = NULL, $xss_clean = NULL) |
|
247 | { |
|
248 | return $this->_fetch_from_array($_GET, $index, $xss_clean); |
|
249 | } |
|
250 | ||
251 | // -------------------------------------------------------------------- |
|
252 | ||
253 | /** |
|
254 | * Fetch an item from the POST array |
|
255 | * |
|
256 | * @param mixed $index Index for item to be fetched from $_POST |
|
257 | * @param bool $xss_clean Whether to apply XSS filtering |
|
258 | * @return mixed |
|
259 | * |
|
260 | * @codeCoverageIgnore |
|
261 | */ |
|
262 | public function post($index = NULL, $xss_clean = NULL) |
|
263 | { |
|
264 | return $this->_fetch_from_array($_POST, $index, $xss_clean); |
|
265 | } |
|
266 | ||
267 | // -------------------------------------------------------------------- |
|
268 | ||
269 | /** |
|
270 | * Fetch an item from POST data with fallback to GET |
|
271 | * |
|
272 | * @param string $index Index for item to be fetched from $_POST or $_GET |
|
273 | * @param bool $xss_clean Whether to apply XSS filtering |
|
274 | * @return mixed |
|
275 | * |
|
276 | * @codeCoverageIgnore |
|
277 | */ |
|
278 | public function post_get($index, $xss_clean = NULL) |
|
279 | { |
|
280 | return isset($_POST[$index]) |
|
281 | ? $this->post($index, $xss_clean) |
|
282 | : $this->get($index, $xss_clean); |
|
283 | } |
|
284 | ||
285 | // -------------------------------------------------------------------- |
|
286 | ||
287 | /** |
|
288 | * Fetch an item from GET data with fallback to POST |
|
289 | * |
|
290 | * @param string $index Index for item to be fetched from $_GET or $_POST |
|
291 | * @param bool $xss_clean Whether to apply XSS filtering |
|
292 | * @return mixed |
|
293 | * |
|
294 | * @codeCoverageIgnore |
|
295 | */ |
|
296 | public function get_post($index, $xss_clean = NULL) |
|
297 | { |
|
298 | return isset($_GET[$index]) |
|
299 | ? $this->get($index, $xss_clean) |
|
300 | : $this->post($index, $xss_clean); |
|
301 | } |
|
302 | ||
303 | // -------------------------------------------------------------------- |
|
304 | ||
305 | /** |
|
306 | * Fetch an item from the COOKIE array |
|
307 | * |
|
308 | * @param mixed $index Index for item to be fetched from $_COOKIE |
|
309 | * @param bool $xss_clean Whether to apply XSS filtering |
|
310 | * @return mixed |
|
311 | * |
|
312 | * @codeCoverageIgnore |
|
313 | */ |
|
314 | public function cookie($index = NULL, $xss_clean = NULL) |
|
315 | { |
|
316 | return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); |
|
317 | } |
|
318 | ||
319 | // -------------------------------------------------------------------- |
|
320 | ||
321 | /** |
|
322 | * Fetch an item from the SERVER array |
|
323 | * |
|
324 | * @param mixed $index Index for item to be fetched from $_SERVER |
|
325 | * @param bool $xss_clean Whether to apply XSS filtering |
|
326 | * @return mixed |
|
327 | * |
|
328 | * @codeCoverageIgnore |
|
329 | */ |
|
330 | public function server($index, $xss_clean = NULL) |
|
331 | { |
|
332 | return $this->_fetch_from_array($_SERVER, $index, $xss_clean); |
|
333 | } |
|
334 | ||
335 | // ------------------------------------------------------------------------ |
|
336 | ||
337 | /** |
|
338 | * Fetch an item from the php://input stream |
|
339 | * |
|
340 | * Useful when you need to access PUT, DELETE or PATCH request data. |
|
341 | * |
|
342 | * @param string $index Index for item to be fetched |
|
343 | * @param bool $xss_clean Whether to apply XSS filtering |
|
344 | * @return mixed |
|
345 | * |
|
346 | * @codeCoverageIgnore |
|
347 | */ |
|
348 | public function input_stream($index = NULL, $xss_clean = NULL) |
|
349 | { |
|
350 | // Prior to PHP 5.6, the input stream can only be read once, |
|
351 | // so we'll need to check if we have already done that first. |
|
352 | if ( ! is_array($this->_input_stream)) |
|
353 | { |
|
354 | // $this->raw_input_stream will trigger __get(). |
|
355 | parse_str($this->raw_input_stream, $this->_input_stream); |
|
356 | is_array($this->_input_stream) OR $this->_input_stream = array(); |
|
357 | } |
|
358 | ||
359 | return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean); |
|
360 | } |
|
361 | ||
362 | // ------------------------------------------------------------------------ |
|
363 | ||
364 | /** |
|
365 | * Set cookie |
|
366 | * |
|
367 | * Accepts an arbitrary number of parameters (up to 7) or an associative |
|
368 | * array in the first parameter containing all the values. |
|
369 | * |
|
370 | * @param string|mixed[] $name Cookie name or an array containing parameters |
|
371 | * @param string $value Cookie value |
|
372 | * @param int $expire Cookie expiration time in seconds |
|
373 | * @param string $domain Cookie domain (e.g.: '.yourdomain.com') |
|
374 | * @param string $path Cookie path (default: '/') |
|
375 | * @param string $prefix Cookie name prefix |
|
376 | * @param bool $secure Whether to only transfer cookies via SSL |
|
377 | * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) |
|
378 | * @return void |
|
379 | * |
|
380 | * modified by ci-phpunit-test |
|
381 | */ |
|
382 | public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) |
|
383 | { |
|
384 | if (is_array($name)) |
|
385 | { |
|
386 | // always leave 'name' in last place, as the loop will break otherwise, due to $$item |
|
387 | foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item) |
|
388 | { |
|
389 | if (isset($name[$item])) |
|
390 | { |
|
391 | $$item = $name[$item]; |
|
392 | } |
|
393 | } |
|
394 | } |
|
395 | ||
396 | if ($prefix === '' && config_item('cookie_prefix') !== '') |
|
397 | { |
|
398 | $prefix = config_item('cookie_prefix'); |
|
399 | } |
|
400 | ||
401 | if ($domain == '' && config_item('cookie_domain') != '') |
|
402 | { |
|
403 | $domain = config_item('cookie_domain'); |
|
404 | } |
|
405 | ||
406 | if ($path === '/' && config_item('cookie_path') !== '/') |
|
407 | { |
|
408 | $path = config_item('cookie_path'); |
|
409 | } |
|
410 | ||
411 | $secure = ($secure === NULL && config_item('cookie_secure') !== NULL) |
|
412 | ? (bool) config_item('cookie_secure') |
|
413 | : (bool) $secure; |
|
414 | ||
415 | $httponly = ($httponly === NULL && config_item('cookie_httponly') !== NULL) |
|
416 | ? (bool) config_item('cookie_httponly') |
|
417 | : (bool) $httponly; |
|
418 | ||
419 | if ( ! is_numeric($expire)) |
|
420 | { |
|
421 | $expire = time() - 86500; |
|
422 | } |
|
423 | else |
|
424 | { |
|
425 | $expire = ($expire > 0) ? time() + $expire : 0; |
|
426 | } |
|
427 | ||
428 | // setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly); |
|
429 | ||
430 | // Save cookie in Output object |
|
431 | // added by ci-phpunit-test |
|
432 | $CI =& get_instance(); |
|
433 | $output = $CI->output; |
|
434 | $output->_cookies[$prefix.$name][] = [ |
|
435 | 'value' => $value, |
|
436 | 'expire' => $expire, |
|
437 | 'path' => $path, |
|
438 | 'domain' => $domain, |
|
439 | 'secure' => $secure, |
|
440 | 'httponly' => $httponly, |
|
441 | ]; |
|
442 | } |
|
443 | ||
444 | // -------------------------------------------------------------------- |
|
445 | ||
446 | /** |
|
447 | * Fetch the IP Address |
|
448 | * |
|
449 | * Determines and validates the visitor's IP address. |
|
450 | * |
|
451 | * @return string IP address |
|
452 | * |
|
453 | * @codeCoverageIgnore |
|
454 | */ |
|
455 | public function ip_address() |
|
456 | { |
|
457 | if ($this->ip_address !== FALSE) |
|
458 | { |
|
459 | return $this->ip_address; |
|
460 | } |
|
461 | ||
462 | $proxy_ips = config_item('proxy_ips'); |
|
463 | if ( ! empty($proxy_ips) && ! is_array($proxy_ips)) |
|
464 | { |
|
465 | $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); |
|
466 | } |
|
467 | ||
468 | $this->ip_address = $this->server('REMOTE_ADDR'); |
|
469 | ||
470 | if ($proxy_ips) |
|
471 | { |
|
472 | foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header) |
|
473 | { |
|
474 | if (($spoof = $this->server($header)) !== NULL) |
|
475 | { |
|
476 | // Some proxies typically list the whole chain of IP |
|
477 | // addresses through which the client has reached us. |
|
478 | // e.g. client_ip, proxy_ip1, proxy_ip2, etc. |
|
479 | sscanf($spoof, '%[^,]', $spoof); |
|
480 | ||
481 | if ( ! $this->valid_ip($spoof)) |
|
482 | { |
|
483 | $spoof = NULL; |
|
484 | } |
|
485 | else |
|
486 | { |
|
487 | break; |
|
488 | } |
|
489 | } |
|
490 | } |
|
491 | ||
492 | if ($spoof) |
|
493 | { |
|
494 | for ($i = 0, $c = count($proxy_ips); $i < $c; $i++) |
|
495 | { |
|
496 | // Check if we have an IP address or a subnet |
|
497 | if (strpos($proxy_ips[$i], '/') === FALSE) |
|
498 | { |
|
499 | // An IP address (and not a subnet) is specified. |
|
500 | // We can compare right away. |
|
501 | if ($proxy_ips[$i] === $this->ip_address) |
|
502 | { |
|
503 | $this->ip_address = $spoof; |
|
504 | break; |
|
505 | } |
|
506 | ||
507 | continue; |
|
508 | } |
|
509 | ||
510 | // We have a subnet ... now the heavy lifting begins |
|
511 | isset($separator) OR $separator = $this->valid_ip($this->ip_address, 'ipv6') ? ':' : '.'; |
|
512 | ||
513 | // If the proxy entry doesn't match the IP protocol - skip it |
|
514 | if (strpos($proxy_ips[$i], $separator) === FALSE) |
|
515 | { |
|
516 | continue; |
|
517 | } |
|
518 | ||
519 | // Convert the REMOTE_ADDR IP address to binary, if needed |
|
520 | if ( ! isset($ip, $sprintf)) |
|
521 | { |
|
522 | if ($separator === ':') |
|
523 | { |
|
524 | // Make sure we're have the "full" IPv6 format |
|
525 | $ip = explode(':', |
|
526 | str_replace('::', |
|
527 | str_repeat(':', 9 - substr_count($this->ip_address, ':')), |
|
528 | $this->ip_address |
|
529 | ) |
|
530 | ); |
|
531 | ||
532 | for ($j = 0; $j < 8; $j++) |
|
533 | { |
|
534 | $ip[$j] = intval($ip[$j], 16); |
|
535 | } |
|
536 | ||
537 | $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; |
|
538 | } |
|
539 | else |
|
540 | { |
|
541 | $ip = explode('.', $this->ip_address); |
|
542 | $sprintf = '%08b%08b%08b%08b'; |
|
543 | } |
|
544 | ||
545 | $ip = vsprintf($sprintf, $ip); |
|
546 | } |
|
547 | ||
548 | // Split the netmask length off the network address |
|
549 | sscanf($proxy_ips[$i], '%[^/]/%d', $netaddr, $masklen); |
|
550 | ||
551 | // Again, an IPv6 address is most likely in a compressed form |
|
552 | if ($separator === ':') |
|
553 | { |
|
554 | $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr)); |
|
555 | for ($j = 0; $j < 8; $j++) |
|
556 | { |
|
557 | $netaddr[$j] = intval($netaddr[$j], 16); |
|
558 | } |
|
559 | } |
|
560 | else |
|
561 | { |
|
562 | $netaddr = explode('.', $netaddr); |
|
563 | } |
|
564 | ||
565 | // Convert to binary and finally compare |
|
566 | if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) |
|
567 | { |
|
568 | $this->ip_address = $spoof; |
|
569 | break; |
|
570 | } |
|
571 | } |
|
572 | } |
|
573 | } |
|
574 | ||
575 | if ( ! $this->valid_ip($this->ip_address)) |
|
576 | { |
|
577 | return $this->ip_address = '0.0.0.0'; |
|
578 | } |
|
579 | ||
580 | return $this->ip_address; |
|
581 | } |
|
582 | ||
583 | // -------------------------------------------------------------------- |
|
584 | ||
585 | /** |
|
586 | * Validate IP Address |
|
587 | * |
|
588 | * @param string $ip IP address |
|
589 | * @param string $which IP protocol: 'ipv4' or 'ipv6' |
|
590 | * @return bool |
|
591 | * |
|
592 | * @codeCoverageIgnore |
|
593 | */ |
|
594 | public function valid_ip($ip, $which = '') |
|
595 | { |
|
596 | switch (strtolower($which)) |
|
597 | { |
|
598 | case 'ipv4': |
|
599 | $which = FILTER_FLAG_IPV4; |
|
600 | break; |
|
601 | case 'ipv6': |
|
602 | $which = FILTER_FLAG_IPV6; |
|
603 | break; |
|
604 | default: |
|
605 | $which = NULL; |
|
606 | break; |
|
607 | } |
|
608 | ||
609 | return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which); |
|
610 | } |
|
611 | ||
612 | // -------------------------------------------------------------------- |
|
613 | ||
614 | /** |
|
615 | * Fetch User Agent string |
|
616 | * |
|
617 | * @return string|null User Agent string or NULL if it doesn't exist |
|
618 | * |
|
619 | * @codeCoverageIgnore |
|
620 | */ |
|
621 | public function user_agent($xss_clean = NULL) |
|
622 | { |
|
623 | return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean); |
|
624 | } |
|
625 | ||
626 | // -------------------------------------------------------------------- |
|
627 | ||
628 | /** |
|
629 | * Sanitize Globals |
|
630 | * |
|
631 | * Internal method serving for the following purposes: |
|
632 | * |
|
633 | * - Unsets $_GET data, if query strings are not enabled |
|
634 | * - Cleans POST, COOKIE and SERVER data |
|
635 | * - Standardizes newline characters to PHP_EOL |
|
636 | * |
|
637 | * @return void |
|
638 | * |
|
639 | * @codeCoverageIgnore |
|
640 | */ |
|
641 | protected function _sanitize_globals() |
|
642 | { |
|
643 | // Is $_GET data allowed? If not we'll set the $_GET to an empty array |
|
644 | if ($this->_allow_get_array === FALSE) |
|
645 | { |
|
646 | $_GET = array(); |
|
647 | } |
|
648 | elseif (is_array($_GET)) |
|
649 | { |
|
650 | foreach ($_GET as $key => $val) |
|
651 | { |
|
652 | $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
653 | } |
|
654 | } |
|
655 | ||
656 | // Clean $_POST Data |
|
657 | if (is_array($_POST)) |
|
658 | { |
|
659 | foreach ($_POST as $key => $val) |
|
660 | { |
|
661 | $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
662 | } |
|
663 | } |
|
664 | ||
665 | // Clean $_COOKIE Data |
|
666 | if (is_array($_COOKIE)) |
|
667 | { |
|
668 | // Also get rid of specially treated cookies that might be set by a server |
|
669 | // or silly application, that are of no use to a CI application anyway |
|
670 | // but that when present will trip our 'Disallowed Key Characters' alarm |
|
671 | // http://www.ietf.org/rfc/rfc2109.txt |
|
672 | // note that the key names below are single quoted strings, and are not PHP variables |
|
673 | unset( |
|
674 | $_COOKIE['$Version'], |
|
675 | $_COOKIE['$Path'], |
|
676 | $_COOKIE['$Domain'] |
|
677 | ); |
|
678 | ||
679 | foreach ($_COOKIE as $key => $val) |
|
680 | { |
|
681 | if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) |
|
682 | { |
|
683 | $_COOKIE[$cookie_key] = $this->_clean_input_data($val); |
|
684 | } |
|
685 | else |
|
686 | { |
|
687 | unset($_COOKIE[$key]); |
|
688 | } |
|
689 | } |
|
690 | } |
|
691 | ||
692 | // Sanitize PHP_SELF |
|
693 | $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); |
|
694 | ||
695 | log_message('debug', 'Global POST, GET and COOKIE data sanitized'); |
|
696 | } |
|
697 | ||
698 | // -------------------------------------------------------------------- |
|
699 | ||
700 | /** |
|
701 | * Clean Input Data |
|
702 | * |
|
703 | * Internal method that aids in escaping data and |
|
704 | * standardizing newline characters to PHP_EOL. |
|
705 | * |
|
706 | * @param string|string[] $str Input string(s) |
|
707 | * @return string |
|
708 | * |
|
709 | * @codeCoverageIgnore |
|
710 | */ |
|
711 | protected function _clean_input_data($str) |
|
712 | { |
|
713 | if (is_array($str)) |
|
714 | { |
|
715 | $new_array = array(); |
|
716 | foreach (array_keys($str) as $key) |
|
717 | { |
|
718 | $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); |
|
719 | } |
|
720 | return $new_array; |
|
721 | } |
|
722 | ||
723 | /* We strip slashes if magic quotes is on to keep things consistent |
|
724 | ||
725 | NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and |
|
726 | it will probably not exist in future versions at all. |
|
727 | */ |
|
728 | if ( ! is_php('5.4') && get_magic_quotes_gpc()) |
|
729 | { |
|
730 | $str = stripslashes($str); |
|
731 | } |
|
732 | ||
733 | // Clean UTF-8 if supported |
|
734 | if (UTF8_ENABLED === TRUE) |
|
735 | { |
|
736 | $str = $this->uni->clean_string($str); |
|
737 | } |
|
738 | ||
739 | // Remove control characters |
|
740 | $str = remove_invisible_characters($str, FALSE); |
|
741 | ||
742 | // Standardize newlines if needed |
|
743 | if ($this->_standardize_newlines === TRUE) |
|
744 | { |
|
745 | return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str); |
|
746 | } |
|
747 | ||
748 | return $str; |
|
749 | } |
|
750 | ||
751 | // -------------------------------------------------------------------- |
|
752 | ||
753 | /** |
|
754 | * Clean Keys |
|
755 | * |
|
756 | * Internal method that helps to prevent malicious users |
|
757 | * from trying to exploit keys we make sure that keys are |
|
758 | * only named with alpha-numeric text and a few other items. |
|
759 | * |
|
760 | * @param string $str Input string |
|
761 | * @param bool $fatal Whether to terminate script exection |
|
762 | * or to return FALSE if an invalid |
|
763 | * key is encountered |
|
764 | * @return string|bool |
|
765 | * |
|
766 | * @codeCoverageIgnore |
|
767 | */ |
|
768 | protected function _clean_input_keys($str, $fatal = TRUE) |
|
769 | { |
|
770 | if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) |
|
771 | { |
|
772 | if ($fatal === TRUE) |
|
773 | { |
|
774 | return FALSE; |
|
775 | } |
|
776 | else |
|
777 | { |
|
778 | set_status_header(503); |
|
779 | echo 'Disallowed Key Characters.'; |
|
780 | exit(7); // EXIT_USER_INPUT |
|
781 | } |
|
782 | } |
|
783 | ||
784 | // Clean UTF-8 if supported |
|
785 | if (UTF8_ENABLED === TRUE) |
|
786 | { |
|
787 | return $this->uni->clean_string($str); |
|
788 | } |
|
789 | ||
790 | return $str; |
|
791 | } |
|
792 | ||
793 | // -------------------------------------------------------------------- |
|
794 | ||
795 | /** |
|
796 | * Request Headers |
|
797 | * |
|
798 | * @param bool $xss_clean Whether to apply XSS filtering |
|
799 | * @return array |
|
800 | * |
|
801 | * @codeCoverageIgnore |
|
802 | */ |
|
803 | public function request_headers($xss_clean = FALSE) |
|
804 | { |
|
805 | // If header is already defined, return it immediately |
|
806 | if ( ! empty($this->headers)) |
|
807 | { |
|
808 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
809 | } |
|
810 | ||
811 | // In Apache, you can simply call apache_request_headers() |
|
812 | if (function_exists('apache_request_headers')) |
|
813 | { |
|
814 | $this->headers = apache_request_headers(); |
|
815 | } |
|
816 | else |
|
817 | { |
|
818 | isset($_SERVER['CONTENT_TYPE']) && $this->headers['Content-Type'] = $_SERVER['CONTENT_TYPE']; |
|
819 | ||
820 | foreach ($_SERVER as $key => $val) |
|
821 | { |
|
822 | if (sscanf($key, 'HTTP_%s', $header) === 1) |
|
823 | { |
|
824 | // take SOME_HEADER and turn it into Some-Header |
|
825 | $header = str_replace('_', ' ', strtolower($header)); |
|
826 | $header = str_replace(' ', '-', ucwords($header)); |
|
827 | ||
828 | $this->headers[$header] = $_SERVER[$key]; |
|
829 | } |
|
830 | } |
|
831 | } |
|
832 | ||
833 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
834 | } |
|
835 | ||
836 | // -------------------------------------------------------------------- |
|
837 | ||
838 | /** |
|
839 | * Get Request Header |
|
840 | * |
|
841 | * Returns the value of a single member of the headers class member |
|
842 | * |
|
843 | * @param string $index Header name |
|
844 | * @param bool $xss_clean Whether to apply XSS filtering |
|
845 | * @return string|null The requested header on success or NULL on failure |
|
846 | * |
|
847 | * modified by ci-phpunit-test |
|
848 | */ |
|
849 | public function get_request_header($index, $xss_clean = FALSE) |
|
850 | { |
|
851 | // static $headers; |
|
852 | ||
853 | if ( ! isset($headers)) |
|
854 | { |
|
855 | empty($this->headers) && $this->request_headers(); |
|
856 | foreach ($this->headers as $key => $value) |
|
857 | { |
|
858 | $headers[strtolower($key)] = $value; |
|
859 | } |
|
860 | } |
|
861 | ||
862 | $index = strtolower($index); |
|
863 | ||
864 | if ( ! isset($headers[$index])) |
|
865 | { |
|
866 | return NULL; |
|
867 | } |
|
868 | ||
869 | return ($xss_clean === TRUE) |
|
870 | ? $this->security->xss_clean($headers[$index]) |
|
871 | : $headers[$index]; |
|
872 | } |
|
873 | ||
874 | // -------------------------------------------------------------------- |
|
875 | ||
876 | /** |
|
877 | * Is AJAX request? |
|
878 | * |
|
879 | * Test to see if a request contains the HTTP_X_REQUESTED_WITH header. |
|
880 | * |
|
881 | * @return bool |
|
882 | * |
|
883 | * @codeCoverageIgnore |
|
884 | */ |
|
885 | public function is_ajax_request() |
|
886 | { |
|
887 | return ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest'); |
|
888 | } |
|
889 | ||
890 | // -------------------------------------------------------------------- |
|
891 | ||
892 | /** |
|
893 | * Is CLI request? |
|
894 | * |
|
895 | * Test to see if a request was made from the command line. |
|
896 | * |
|
897 | * @deprecated 3.0.0 Use is_cli() instead |
|
898 | * @return bool |
|
899 | * |
|
900 | * @codeCoverageIgnore |
|
901 | */ |
|
902 | public function is_cli_request() |
|
903 | { |
|
904 | return is_cli(); |
|
905 | } |
|
906 | ||
907 | // -------------------------------------------------------------------- |
|
908 | ||
909 | /** |
|
910 | * Get Request Method |
|
911 | * |
|
912 | * Return the request method |
|
913 | * |
|
914 | * @param bool $upper Whether to return in upper or lower case |
|
915 | * (default: FALSE) |
|
916 | * @return string |
|
917 | * |
|
918 | * @codeCoverageIgnore |
|
919 | */ |
|
920 | public function method($upper = FALSE) |
|
921 | { |
|
922 | return ($upper) |
|
923 | ? strtoupper($this->server('REQUEST_METHOD')) |
|
924 | : strtolower($this->server('REQUEST_METHOD')); |
|
925 | } |
|
926 | ||
927 | // ------------------------------------------------------------------------ |
|
928 | ||
929 | /** |
|
930 | * Magic __get() |
|
931 | * |
|
932 | * Allows read access to protected properties |
|
933 | * |
|
934 | * @param string $name |
|
935 | * @return mixed |
|
936 | * |
|
937 | * @codeCoverageIgnore |
|
938 | */ |
|
939 | public function __get($name) |
|
940 | { |
|
941 | if ($name === 'raw_input_stream') |
|
942 | { |
|
943 | isset($this->_raw_input_stream) OR $this->_raw_input_stream = file_get_contents('php://input'); |
|
944 | return $this->_raw_input_stream; |
|
945 | } |
|
946 | elseif ($name === 'ip_address') |
|
947 | { |
|
948 | return $this->ip_address; |
|
949 | } |
|
950 | } |
|
951 | ||
952 | } |
|
953 |
@@ 51-952 (lines=902) @@ | ||
48 | * @author EllisLab Dev Team |
|
49 | * @link https://codeigniter.com/user_guide/libraries/input.html |
|
50 | */ |
|
51 | class CI_Input { |
|
52 | ||
53 | /** |
|
54 | * IP address of the current user |
|
55 | * |
|
56 | * @var string |
|
57 | */ |
|
58 | protected $ip_address = FALSE; |
|
59 | ||
60 | /** |
|
61 | * Allow GET array flag |
|
62 | * |
|
63 | * If set to FALSE, then $_GET will be set to an empty array. |
|
64 | * |
|
65 | * @var bool |
|
66 | */ |
|
67 | protected $_allow_get_array = TRUE; |
|
68 | ||
69 | /** |
|
70 | * Standardize new lines flag |
|
71 | * |
|
72 | * If set to TRUE, then newlines are standardized. |
|
73 | * |
|
74 | * @var bool |
|
75 | */ |
|
76 | protected $_standardize_newlines; |
|
77 | ||
78 | /** |
|
79 | * Enable XSS flag |
|
80 | * |
|
81 | * Determines whether the XSS filter is always active when |
|
82 | * GET, POST or COOKIE data is encountered. |
|
83 | * Set automatically based on config setting. |
|
84 | * |
|
85 | * @var bool |
|
86 | */ |
|
87 | protected $_enable_xss = FALSE; |
|
88 | ||
89 | /** |
|
90 | * Enable CSRF flag |
|
91 | * |
|
92 | * Enables a CSRF cookie token to be set. |
|
93 | * Set automatically based on config setting. |
|
94 | * |
|
95 | * @var bool |
|
96 | */ |
|
97 | protected $_enable_csrf = FALSE; |
|
98 | ||
99 | /** |
|
100 | * List of all HTTP request headers |
|
101 | * |
|
102 | * @var array |
|
103 | */ |
|
104 | protected $headers = array(); |
|
105 | ||
106 | /** |
|
107 | * Raw input stream data |
|
108 | * |
|
109 | * Holds a cache of php://input contents |
|
110 | * |
|
111 | * @var string |
|
112 | */ |
|
113 | protected $_raw_input_stream; |
|
114 | ||
115 | /** |
|
116 | * Parsed input stream data |
|
117 | * |
|
118 | * Parsed from php://input at runtime |
|
119 | * |
|
120 | * @see CI_Input::input_stream() |
|
121 | * @var array |
|
122 | */ |
|
123 | protected $_input_stream; |
|
124 | ||
125 | protected $security; |
|
126 | protected $uni; |
|
127 | ||
128 | // -------------------------------------------------------------------- |
|
129 | ||
130 | /** |
|
131 | * Class constructor |
|
132 | * |
|
133 | * Determines whether to globally enable the XSS processing |
|
134 | * and whether to allow the $_GET array. |
|
135 | * |
|
136 | * @return void |
|
137 | * |
|
138 | * @codeCoverageIgnore |
|
139 | */ |
|
140 | public function __construct() |
|
141 | { |
|
142 | $this->_allow_get_array = (config_item('allow_get_array') === TRUE); |
|
143 | $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); |
|
144 | $this->_enable_csrf = (config_item('csrf_protection') === TRUE); |
|
145 | $this->_standardize_newlines = (bool) config_item('standardize_newlines'); |
|
146 | ||
147 | $this->security =& load_class('Security', 'core'); |
|
148 | ||
149 | // Do we need the UTF-8 class? |
|
150 | if (UTF8_ENABLED === TRUE) |
|
151 | { |
|
152 | $this->uni =& load_class('Utf8', 'core'); |
|
153 | } |
|
154 | ||
155 | // Sanitize global arrays |
|
156 | $this->_sanitize_globals(); |
|
157 | ||
158 | // CSRF Protection check |
|
159 | if ($this->_enable_csrf === TRUE && ! is_cli()) |
|
160 | { |
|
161 | $this->security->csrf_verify(); |
|
162 | } |
|
163 | ||
164 | log_message('info', 'Input Class Initialized'); |
|
165 | } |
|
166 | ||
167 | // -------------------------------------------------------------------- |
|
168 | ||
169 | /** |
|
170 | * Fetch from array |
|
171 | * |
|
172 | * Internal method used to retrieve values from global arrays. |
|
173 | * |
|
174 | * @param array &$array $_GET, $_POST, $_COOKIE, $_SERVER, etc. |
|
175 | * @param mixed $index Index for item to be fetched from $array |
|
176 | * @param bool $xss_clean Whether to apply XSS filtering |
|
177 | * @return mixed |
|
178 | * |
|
179 | * @codeCoverageIgnore |
|
180 | */ |
|
181 | protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL) |
|
182 | { |
|
183 | is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; |
|
184 | ||
185 | // If $index is NULL, it means that the whole $array is requested |
|
186 | isset($index) OR $index = array_keys($array); |
|
187 | ||
188 | // allow fetching multiple keys at once |
|
189 | if (is_array($index)) |
|
190 | { |
|
191 | $output = array(); |
|
192 | foreach ($index as $key) |
|
193 | { |
|
194 | $output[$key] = $this->_fetch_from_array($array, $key, $xss_clean); |
|
195 | } |
|
196 | ||
197 | return $output; |
|
198 | } |
|
199 | ||
200 | if (isset($array[$index])) |
|
201 | { |
|
202 | $value = $array[$index]; |
|
203 | } |
|
204 | elseif (($count = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $index, $matches)) > 1) // Does the index contain array notation |
|
205 | { |
|
206 | $value = $array; |
|
207 | for ($i = 0; $i < $count; $i++) |
|
208 | { |
|
209 | $key = trim($matches[0][$i], '[]'); |
|
210 | if ($key === '') // Empty notation will return the value as array |
|
211 | { |
|
212 | break; |
|
213 | } |
|
214 | ||
215 | if (isset($value[$key])) |
|
216 | { |
|
217 | $value = $value[$key]; |
|
218 | } |
|
219 | else |
|
220 | { |
|
221 | return NULL; |
|
222 | } |
|
223 | } |
|
224 | } |
|
225 | else |
|
226 | { |
|
227 | return NULL; |
|
228 | } |
|
229 | ||
230 | return ($xss_clean === TRUE) |
|
231 | ? $this->security->xss_clean($value) |
|
232 | : $value; |
|
233 | } |
|
234 | ||
235 | // -------------------------------------------------------------------- |
|
236 | ||
237 | /** |
|
238 | * Fetch an item from the GET array |
|
239 | * |
|
240 | * @param mixed $index Index for item to be fetched from $_GET |
|
241 | * @param bool $xss_clean Whether to apply XSS filtering |
|
242 | * @return mixed |
|
243 | * |
|
244 | * @codeCoverageIgnore |
|
245 | */ |
|
246 | public function get($index = NULL, $xss_clean = NULL) |
|
247 | { |
|
248 | return $this->_fetch_from_array($_GET, $index, $xss_clean); |
|
249 | } |
|
250 | ||
251 | // -------------------------------------------------------------------- |
|
252 | ||
253 | /** |
|
254 | * Fetch an item from the POST array |
|
255 | * |
|
256 | * @param mixed $index Index for item to be fetched from $_POST |
|
257 | * @param bool $xss_clean Whether to apply XSS filtering |
|
258 | * @return mixed |
|
259 | * |
|
260 | * @codeCoverageIgnore |
|
261 | */ |
|
262 | public function post($index = NULL, $xss_clean = NULL) |
|
263 | { |
|
264 | return $this->_fetch_from_array($_POST, $index, $xss_clean); |
|
265 | } |
|
266 | ||
267 | // -------------------------------------------------------------------- |
|
268 | ||
269 | /** |
|
270 | * Fetch an item from POST data with fallback to GET |
|
271 | * |
|
272 | * @param string $index Index for item to be fetched from $_POST or $_GET |
|
273 | * @param bool $xss_clean Whether to apply XSS filtering |
|
274 | * @return mixed |
|
275 | * |
|
276 | * @codeCoverageIgnore |
|
277 | */ |
|
278 | public function post_get($index, $xss_clean = NULL) |
|
279 | { |
|
280 | return isset($_POST[$index]) |
|
281 | ? $this->post($index, $xss_clean) |
|
282 | : $this->get($index, $xss_clean); |
|
283 | } |
|
284 | ||
285 | // -------------------------------------------------------------------- |
|
286 | ||
287 | /** |
|
288 | * Fetch an item from GET data with fallback to POST |
|
289 | * |
|
290 | * @param string $index Index for item to be fetched from $_GET or $_POST |
|
291 | * @param bool $xss_clean Whether to apply XSS filtering |
|
292 | * @return mixed |
|
293 | * |
|
294 | * @codeCoverageIgnore |
|
295 | */ |
|
296 | public function get_post($index, $xss_clean = NULL) |
|
297 | { |
|
298 | return isset($_GET[$index]) |
|
299 | ? $this->get($index, $xss_clean) |
|
300 | : $this->post($index, $xss_clean); |
|
301 | } |
|
302 | ||
303 | // -------------------------------------------------------------------- |
|
304 | ||
305 | /** |
|
306 | * Fetch an item from the COOKIE array |
|
307 | * |
|
308 | * @param mixed $index Index for item to be fetched from $_COOKIE |
|
309 | * @param bool $xss_clean Whether to apply XSS filtering |
|
310 | * @return mixed |
|
311 | * |
|
312 | * @codeCoverageIgnore |
|
313 | */ |
|
314 | public function cookie($index = NULL, $xss_clean = NULL) |
|
315 | { |
|
316 | return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); |
|
317 | } |
|
318 | ||
319 | // -------------------------------------------------------------------- |
|
320 | ||
321 | /** |
|
322 | * Fetch an item from the SERVER array |
|
323 | * |
|
324 | * @param mixed $index Index for item to be fetched from $_SERVER |
|
325 | * @param bool $xss_clean Whether to apply XSS filtering |
|
326 | * @return mixed |
|
327 | * |
|
328 | * @codeCoverageIgnore |
|
329 | */ |
|
330 | public function server($index, $xss_clean = NULL) |
|
331 | { |
|
332 | return $this->_fetch_from_array($_SERVER, $index, $xss_clean); |
|
333 | } |
|
334 | ||
335 | // ------------------------------------------------------------------------ |
|
336 | ||
337 | /** |
|
338 | * Fetch an item from the php://input stream |
|
339 | * |
|
340 | * Useful when you need to access PUT, DELETE or PATCH request data. |
|
341 | * |
|
342 | * @param string $index Index for item to be fetched |
|
343 | * @param bool $xss_clean Whether to apply XSS filtering |
|
344 | * @return mixed |
|
345 | * |
|
346 | * @codeCoverageIgnore |
|
347 | */ |
|
348 | public function input_stream($index = NULL, $xss_clean = NULL) |
|
349 | { |
|
350 | // Prior to PHP 5.6, the input stream can only be read once, |
|
351 | // so we'll need to check if we have already done that first. |
|
352 | if ( ! is_array($this->_input_stream)) |
|
353 | { |
|
354 | // $this->raw_input_stream will trigger __get(). |
|
355 | parse_str($this->raw_input_stream, $this->_input_stream); |
|
356 | is_array($this->_input_stream) OR $this->_input_stream = array(); |
|
357 | } |
|
358 | ||
359 | return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean); |
|
360 | } |
|
361 | ||
362 | // ------------------------------------------------------------------------ |
|
363 | ||
364 | /** |
|
365 | * Set cookie |
|
366 | * |
|
367 | * Accepts an arbitrary number of parameters (up to 7) or an associative |
|
368 | * array in the first parameter containing all the values. |
|
369 | * |
|
370 | * @param string|mixed[] $name Cookie name or an array containing parameters |
|
371 | * @param string $value Cookie value |
|
372 | * @param int $expire Cookie expiration time in seconds |
|
373 | * @param string $domain Cookie domain (e.g.: '.yourdomain.com') |
|
374 | * @param string $path Cookie path (default: '/') |
|
375 | * @param string $prefix Cookie name prefix |
|
376 | * @param bool $secure Whether to only transfer cookies via SSL |
|
377 | * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) |
|
378 | * @return void |
|
379 | * |
|
380 | * modified by ci-phpunit-test |
|
381 | */ |
|
382 | public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) |
|
383 | { |
|
384 | if (is_array($name)) |
|
385 | { |
|
386 | // always leave 'name' in last place, as the loop will break otherwise, due to $$item |
|
387 | foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item) |
|
388 | { |
|
389 | if (isset($name[$item])) |
|
390 | { |
|
391 | $$item = $name[$item]; |
|
392 | } |
|
393 | } |
|
394 | } |
|
395 | ||
396 | if ($prefix === '' && config_item('cookie_prefix') !== '') |
|
397 | { |
|
398 | $prefix = config_item('cookie_prefix'); |
|
399 | } |
|
400 | ||
401 | if ($domain == '' && config_item('cookie_domain') != '') |
|
402 | { |
|
403 | $domain = config_item('cookie_domain'); |
|
404 | } |
|
405 | ||
406 | if ($path === '/' && config_item('cookie_path') !== '/') |
|
407 | { |
|
408 | $path = config_item('cookie_path'); |
|
409 | } |
|
410 | ||
411 | $secure = ($secure === NULL && config_item('cookie_secure') !== NULL) |
|
412 | ? (bool) config_item('cookie_secure') |
|
413 | : (bool) $secure; |
|
414 | ||
415 | $httponly = ($httponly === NULL && config_item('cookie_httponly') !== NULL) |
|
416 | ? (bool) config_item('cookie_httponly') |
|
417 | : (bool) $httponly; |
|
418 | ||
419 | if ( ! is_numeric($expire)) |
|
420 | { |
|
421 | $expire = time() - 86500; |
|
422 | } |
|
423 | else |
|
424 | { |
|
425 | $expire = ($expire > 0) ? time() + $expire : 0; |
|
426 | } |
|
427 | ||
428 | // setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly); |
|
429 | ||
430 | // Save cookie in Output object |
|
431 | // added by ci-phpunit-test |
|
432 | $CI =& get_instance(); |
|
433 | $output = $CI->output; |
|
434 | $output->_cookies[$prefix.$name][] = [ |
|
435 | 'value' => $value, |
|
436 | 'expire' => $expire, |
|
437 | 'path' => $path, |
|
438 | 'domain' => $domain, |
|
439 | 'secure' => $secure, |
|
440 | 'httponly' => $httponly, |
|
441 | ]; |
|
442 | } |
|
443 | ||
444 | // -------------------------------------------------------------------- |
|
445 | ||
446 | /** |
|
447 | * Fetch the IP Address |
|
448 | * |
|
449 | * Determines and validates the visitor's IP address. |
|
450 | * |
|
451 | * @return string IP address |
|
452 | * |
|
453 | * @codeCoverageIgnore |
|
454 | */ |
|
455 | public function ip_address() |
|
456 | { |
|
457 | if ($this->ip_address !== FALSE) |
|
458 | { |
|
459 | return $this->ip_address; |
|
460 | } |
|
461 | ||
462 | $proxy_ips = config_item('proxy_ips'); |
|
463 | if ( ! empty($proxy_ips) && ! is_array($proxy_ips)) |
|
464 | { |
|
465 | $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); |
|
466 | } |
|
467 | ||
468 | $this->ip_address = $this->server('REMOTE_ADDR'); |
|
469 | ||
470 | if ($proxy_ips) |
|
471 | { |
|
472 | foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header) |
|
473 | { |
|
474 | if (($spoof = $this->server($header)) !== NULL) |
|
475 | { |
|
476 | // Some proxies typically list the whole chain of IP |
|
477 | // addresses through which the client has reached us. |
|
478 | // e.g. client_ip, proxy_ip1, proxy_ip2, etc. |
|
479 | sscanf($spoof, '%[^,]', $spoof); |
|
480 | ||
481 | if ( ! $this->valid_ip($spoof)) |
|
482 | { |
|
483 | $spoof = NULL; |
|
484 | } |
|
485 | else |
|
486 | { |
|
487 | break; |
|
488 | } |
|
489 | } |
|
490 | } |
|
491 | ||
492 | if ($spoof) |
|
493 | { |
|
494 | for ($i = 0, $c = count($proxy_ips); $i < $c; $i++) |
|
495 | { |
|
496 | // Check if we have an IP address or a subnet |
|
497 | if (strpos($proxy_ips[$i], '/') === FALSE) |
|
498 | { |
|
499 | // An IP address (and not a subnet) is specified. |
|
500 | // We can compare right away. |
|
501 | if ($proxy_ips[$i] === $this->ip_address) |
|
502 | { |
|
503 | $this->ip_address = $spoof; |
|
504 | break; |
|
505 | } |
|
506 | ||
507 | continue; |
|
508 | } |
|
509 | ||
510 | // We have a subnet ... now the heavy lifting begins |
|
511 | isset($separator) OR $separator = $this->valid_ip($this->ip_address, 'ipv6') ? ':' : '.'; |
|
512 | ||
513 | // If the proxy entry doesn't match the IP protocol - skip it |
|
514 | if (strpos($proxy_ips[$i], $separator) === FALSE) |
|
515 | { |
|
516 | continue; |
|
517 | } |
|
518 | ||
519 | // Convert the REMOTE_ADDR IP address to binary, if needed |
|
520 | if ( ! isset($ip, $sprintf)) |
|
521 | { |
|
522 | if ($separator === ':') |
|
523 | { |
|
524 | // Make sure we're have the "full" IPv6 format |
|
525 | $ip = explode(':', |
|
526 | str_replace('::', |
|
527 | str_repeat(':', 9 - substr_count($this->ip_address, ':')), |
|
528 | $this->ip_address |
|
529 | ) |
|
530 | ); |
|
531 | ||
532 | for ($j = 0; $j < 8; $j++) |
|
533 | { |
|
534 | $ip[$j] = intval($ip[$j], 16); |
|
535 | } |
|
536 | ||
537 | $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; |
|
538 | } |
|
539 | else |
|
540 | { |
|
541 | $ip = explode('.', $this->ip_address); |
|
542 | $sprintf = '%08b%08b%08b%08b'; |
|
543 | } |
|
544 | ||
545 | $ip = vsprintf($sprintf, $ip); |
|
546 | } |
|
547 | ||
548 | // Split the netmask length off the network address |
|
549 | sscanf($proxy_ips[$i], '%[^/]/%d', $netaddr, $masklen); |
|
550 | ||
551 | // Again, an IPv6 address is most likely in a compressed form |
|
552 | if ($separator === ':') |
|
553 | { |
|
554 | $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr)); |
|
555 | for ($j = 0; $j < 8; $j++) |
|
556 | { |
|
557 | $netaddr[$j] = intval($netaddr[$j], 16); |
|
558 | } |
|
559 | } |
|
560 | else |
|
561 | { |
|
562 | $netaddr = explode('.', $netaddr); |
|
563 | } |
|
564 | ||
565 | // Convert to binary and finally compare |
|
566 | if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) |
|
567 | { |
|
568 | $this->ip_address = $spoof; |
|
569 | break; |
|
570 | } |
|
571 | } |
|
572 | } |
|
573 | } |
|
574 | ||
575 | if ( ! $this->valid_ip($this->ip_address)) |
|
576 | { |
|
577 | return $this->ip_address = '0.0.0.0'; |
|
578 | } |
|
579 | ||
580 | return $this->ip_address; |
|
581 | } |
|
582 | ||
583 | // -------------------------------------------------------------------- |
|
584 | ||
585 | /** |
|
586 | * Validate IP Address |
|
587 | * |
|
588 | * @param string $ip IP address |
|
589 | * @param string $which IP protocol: 'ipv4' or 'ipv6' |
|
590 | * @return bool |
|
591 | * |
|
592 | * @codeCoverageIgnore |
|
593 | */ |
|
594 | public function valid_ip($ip, $which = '') |
|
595 | { |
|
596 | switch (strtolower($which)) |
|
597 | { |
|
598 | case 'ipv4': |
|
599 | $which = FILTER_FLAG_IPV4; |
|
600 | break; |
|
601 | case 'ipv6': |
|
602 | $which = FILTER_FLAG_IPV6; |
|
603 | break; |
|
604 | default: |
|
605 | $which = NULL; |
|
606 | break; |
|
607 | } |
|
608 | ||
609 | return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which); |
|
610 | } |
|
611 | ||
612 | // -------------------------------------------------------------------- |
|
613 | ||
614 | /** |
|
615 | * Fetch User Agent string |
|
616 | * |
|
617 | * @return string|null User Agent string or NULL if it doesn't exist |
|
618 | * |
|
619 | * @codeCoverageIgnore |
|
620 | */ |
|
621 | public function user_agent($xss_clean = NULL) |
|
622 | { |
|
623 | return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean); |
|
624 | } |
|
625 | ||
626 | // -------------------------------------------------------------------- |
|
627 | ||
628 | /** |
|
629 | * Sanitize Globals |
|
630 | * |
|
631 | * Internal method serving for the following purposes: |
|
632 | * |
|
633 | * - Unsets $_GET data, if query strings are not enabled |
|
634 | * - Cleans POST, COOKIE and SERVER data |
|
635 | * - Standardizes newline characters to PHP_EOL |
|
636 | * |
|
637 | * @return void |
|
638 | * |
|
639 | * @codeCoverageIgnore |
|
640 | */ |
|
641 | protected function _sanitize_globals() |
|
642 | { |
|
643 | // Is $_GET data allowed? If not we'll set the $_GET to an empty array |
|
644 | if ($this->_allow_get_array === FALSE) |
|
645 | { |
|
646 | $_GET = array(); |
|
647 | } |
|
648 | elseif (is_array($_GET)) |
|
649 | { |
|
650 | foreach ($_GET as $key => $val) |
|
651 | { |
|
652 | $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
653 | } |
|
654 | } |
|
655 | ||
656 | // Clean $_POST Data |
|
657 | if (is_array($_POST)) |
|
658 | { |
|
659 | foreach ($_POST as $key => $val) |
|
660 | { |
|
661 | $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
662 | } |
|
663 | } |
|
664 | ||
665 | // Clean $_COOKIE Data |
|
666 | if (is_array($_COOKIE)) |
|
667 | { |
|
668 | // Also get rid of specially treated cookies that might be set by a server |
|
669 | // or silly application, that are of no use to a CI application anyway |
|
670 | // but that when present will trip our 'Disallowed Key Characters' alarm |
|
671 | // http://www.ietf.org/rfc/rfc2109.txt |
|
672 | // note that the key names below are single quoted strings, and are not PHP variables |
|
673 | unset( |
|
674 | $_COOKIE['$Version'], |
|
675 | $_COOKIE['$Path'], |
|
676 | $_COOKIE['$Domain'] |
|
677 | ); |
|
678 | ||
679 | foreach ($_COOKIE as $key => $val) |
|
680 | { |
|
681 | if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) |
|
682 | { |
|
683 | $_COOKIE[$cookie_key] = $this->_clean_input_data($val); |
|
684 | } |
|
685 | else |
|
686 | { |
|
687 | unset($_COOKIE[$key]); |
|
688 | } |
|
689 | } |
|
690 | } |
|
691 | ||
692 | // Sanitize PHP_SELF |
|
693 | $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); |
|
694 | ||
695 | log_message('debug', 'Global POST, GET and COOKIE data sanitized'); |
|
696 | } |
|
697 | ||
698 | // -------------------------------------------------------------------- |
|
699 | ||
700 | /** |
|
701 | * Clean Input Data |
|
702 | * |
|
703 | * Internal method that aids in escaping data and |
|
704 | * standardizing newline characters to PHP_EOL. |
|
705 | * |
|
706 | * @param string|string[] $str Input string(s) |
|
707 | * @return string |
|
708 | * |
|
709 | * @codeCoverageIgnore |
|
710 | */ |
|
711 | protected function _clean_input_data($str) |
|
712 | { |
|
713 | if (is_array($str)) |
|
714 | { |
|
715 | $new_array = array(); |
|
716 | foreach (array_keys($str) as $key) |
|
717 | { |
|
718 | $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); |
|
719 | } |
|
720 | return $new_array; |
|
721 | } |
|
722 | ||
723 | /* We strip slashes if magic quotes is on to keep things consistent |
|
724 | ||
725 | NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and |
|
726 | it will probably not exist in future versions at all. |
|
727 | */ |
|
728 | if ( ! is_php('5.4') && get_magic_quotes_gpc()) |
|
729 | { |
|
730 | $str = stripslashes($str); |
|
731 | } |
|
732 | ||
733 | // Clean UTF-8 if supported |
|
734 | if (UTF8_ENABLED === TRUE) |
|
735 | { |
|
736 | $str = $this->uni->clean_string($str); |
|
737 | } |
|
738 | ||
739 | // Remove control characters |
|
740 | $str = remove_invisible_characters($str, FALSE); |
|
741 | ||
742 | // Standardize newlines if needed |
|
743 | if ($this->_standardize_newlines === TRUE) |
|
744 | { |
|
745 | return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str); |
|
746 | } |
|
747 | ||
748 | return $str; |
|
749 | } |
|
750 | ||
751 | // -------------------------------------------------------------------- |
|
752 | ||
753 | /** |
|
754 | * Clean Keys |
|
755 | * |
|
756 | * Internal method that helps to prevent malicious users |
|
757 | * from trying to exploit keys we make sure that keys are |
|
758 | * only named with alpha-numeric text and a few other items. |
|
759 | * |
|
760 | * @param string $str Input string |
|
761 | * @param bool $fatal Whether to terminate script exection |
|
762 | * or to return FALSE if an invalid |
|
763 | * key is encountered |
|
764 | * @return string|bool |
|
765 | * |
|
766 | * @codeCoverageIgnore |
|
767 | */ |
|
768 | protected function _clean_input_keys($str, $fatal = TRUE) |
|
769 | { |
|
770 | if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) |
|
771 | { |
|
772 | if ($fatal === TRUE) |
|
773 | { |
|
774 | return FALSE; |
|
775 | } |
|
776 | else |
|
777 | { |
|
778 | set_status_header(503); |
|
779 | echo 'Disallowed Key Characters.'; |
|
780 | exit(7); // EXIT_USER_INPUT |
|
781 | } |
|
782 | } |
|
783 | ||
784 | // Clean UTF-8 if supported |
|
785 | if (UTF8_ENABLED === TRUE) |
|
786 | { |
|
787 | return $this->uni->clean_string($str); |
|
788 | } |
|
789 | ||
790 | return $str; |
|
791 | } |
|
792 | ||
793 | // -------------------------------------------------------------------- |
|
794 | ||
795 | /** |
|
796 | * Request Headers |
|
797 | * |
|
798 | * @param bool $xss_clean Whether to apply XSS filtering |
|
799 | * @return array |
|
800 | * |
|
801 | * @codeCoverageIgnore |
|
802 | */ |
|
803 | public function request_headers($xss_clean = FALSE) |
|
804 | { |
|
805 | // If header is already defined, return it immediately |
|
806 | if ( ! empty($this->headers)) |
|
807 | { |
|
808 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
809 | } |
|
810 | ||
811 | // In Apache, you can simply call apache_request_headers() |
|
812 | if (function_exists('apache_request_headers')) |
|
813 | { |
|
814 | $this->headers = apache_request_headers(); |
|
815 | } |
|
816 | else |
|
817 | { |
|
818 | isset($_SERVER['CONTENT_TYPE']) && $this->headers['Content-Type'] = $_SERVER['CONTENT_TYPE']; |
|
819 | ||
820 | foreach ($_SERVER as $key => $val) |
|
821 | { |
|
822 | if (sscanf($key, 'HTTP_%s', $header) === 1) |
|
823 | { |
|
824 | // take SOME_HEADER and turn it into Some-Header |
|
825 | $header = str_replace('_', ' ', strtolower($header)); |
|
826 | $header = str_replace(' ', '-', ucwords($header)); |
|
827 | ||
828 | $this->headers[$header] = $_SERVER[$key]; |
|
829 | } |
|
830 | } |
|
831 | } |
|
832 | ||
833 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
834 | } |
|
835 | ||
836 | // -------------------------------------------------------------------- |
|
837 | ||
838 | /** |
|
839 | * Get Request Header |
|
840 | * |
|
841 | * Returns the value of a single member of the headers class member |
|
842 | * |
|
843 | * @param string $index Header name |
|
844 | * @param bool $xss_clean Whether to apply XSS filtering |
|
845 | * @return string|null The requested header on success or NULL on failure |
|
846 | * |
|
847 | * modified by ci-phpunit-test |
|
848 | */ |
|
849 | public function get_request_header($index, $xss_clean = FALSE) |
|
850 | { |
|
851 | // static $headers; |
|
852 | ||
853 | if ( ! isset($headers)) |
|
854 | { |
|
855 | empty($this->headers) && $this->request_headers(); |
|
856 | foreach ($this->headers as $key => $value) |
|
857 | { |
|
858 | $headers[strtolower($key)] = $value; |
|
859 | } |
|
860 | } |
|
861 | ||
862 | $index = strtolower($index); |
|
863 | ||
864 | if ( ! isset($headers[$index])) |
|
865 | { |
|
866 | return NULL; |
|
867 | } |
|
868 | ||
869 | return ($xss_clean === TRUE) |
|
870 | ? $this->security->xss_clean($headers[$index]) |
|
871 | : $headers[$index]; |
|
872 | } |
|
873 | ||
874 | // -------------------------------------------------------------------- |
|
875 | ||
876 | /** |
|
877 | * Is AJAX request? |
|
878 | * |
|
879 | * Test to see if a request contains the HTTP_X_REQUESTED_WITH header. |
|
880 | * |
|
881 | * @return bool |
|
882 | * |
|
883 | * @codeCoverageIgnore |
|
884 | */ |
|
885 | public function is_ajax_request() |
|
886 | { |
|
887 | return ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest'); |
|
888 | } |
|
889 | ||
890 | // -------------------------------------------------------------------- |
|
891 | ||
892 | /** |
|
893 | * Is CLI request? |
|
894 | * |
|
895 | * Test to see if a request was made from the command line. |
|
896 | * |
|
897 | * @deprecated 3.0.0 Use is_cli() instead |
|
898 | * @return bool |
|
899 | * |
|
900 | * @codeCoverageIgnore |
|
901 | */ |
|
902 | public function is_cli_request() |
|
903 | { |
|
904 | return is_cli(); |
|
905 | } |
|
906 | ||
907 | // -------------------------------------------------------------------- |
|
908 | ||
909 | /** |
|
910 | * Get Request Method |
|
911 | * |
|
912 | * Return the request method |
|
913 | * |
|
914 | * @param bool $upper Whether to return in upper or lower case |
|
915 | * (default: FALSE) |
|
916 | * @return string |
|
917 | * |
|
918 | * @codeCoverageIgnore |
|
919 | */ |
|
920 | public function method($upper = FALSE) |
|
921 | { |
|
922 | return ($upper) |
|
923 | ? strtoupper($this->server('REQUEST_METHOD')) |
|
924 | : strtolower($this->server('REQUEST_METHOD')); |
|
925 | } |
|
926 | ||
927 | // ------------------------------------------------------------------------ |
|
928 | ||
929 | /** |
|
930 | * Magic __get() |
|
931 | * |
|
932 | * Allows read access to protected properties |
|
933 | * |
|
934 | * @param string $name |
|
935 | * @return mixed |
|
936 | * |
|
937 | * @codeCoverageIgnore |
|
938 | */ |
|
939 | public function __get($name) |
|
940 | { |
|
941 | if ($name === 'raw_input_stream') |
|
942 | { |
|
943 | isset($this->_raw_input_stream) OR $this->_raw_input_stream = file_get_contents('php://input'); |
|
944 | return $this->_raw_input_stream; |
|
945 | } |
|
946 | elseif ($name === 'ip_address') |
|
947 | { |
|
948 | return $this->ip_address; |
|
949 | } |
|
950 | } |
|
951 | ||
952 | } |
|
953 |
@@ 51-952 (lines=902) @@ | ||
48 | * @author EllisLab Dev Team |
|
49 | * @link https://codeigniter.com/user_guide/libraries/input.html |
|
50 | */ |
|
51 | class CI_Input { |
|
52 | ||
53 | /** |
|
54 | * IP address of the current user |
|
55 | * |
|
56 | * @var string |
|
57 | */ |
|
58 | protected $ip_address = FALSE; |
|
59 | ||
60 | /** |
|
61 | * Allow GET array flag |
|
62 | * |
|
63 | * If set to FALSE, then $_GET will be set to an empty array. |
|
64 | * |
|
65 | * @var bool |
|
66 | */ |
|
67 | protected $_allow_get_array = TRUE; |
|
68 | ||
69 | /** |
|
70 | * Standardize new lines flag |
|
71 | * |
|
72 | * If set to TRUE, then newlines are standardized. |
|
73 | * |
|
74 | * @var bool |
|
75 | */ |
|
76 | protected $_standardize_newlines; |
|
77 | ||
78 | /** |
|
79 | * Enable XSS flag |
|
80 | * |
|
81 | * Determines whether the XSS filter is always active when |
|
82 | * GET, POST or COOKIE data is encountered. |
|
83 | * Set automatically based on config setting. |
|
84 | * |
|
85 | * @var bool |
|
86 | */ |
|
87 | protected $_enable_xss = FALSE; |
|
88 | ||
89 | /** |
|
90 | * Enable CSRF flag |
|
91 | * |
|
92 | * Enables a CSRF cookie token to be set. |
|
93 | * Set automatically based on config setting. |
|
94 | * |
|
95 | * @var bool |
|
96 | */ |
|
97 | protected $_enable_csrf = FALSE; |
|
98 | ||
99 | /** |
|
100 | * List of all HTTP request headers |
|
101 | * |
|
102 | * @var array |
|
103 | */ |
|
104 | protected $headers = array(); |
|
105 | ||
106 | /** |
|
107 | * Raw input stream data |
|
108 | * |
|
109 | * Holds a cache of php://input contents |
|
110 | * |
|
111 | * @var string |
|
112 | */ |
|
113 | protected $_raw_input_stream; |
|
114 | ||
115 | /** |
|
116 | * Parsed input stream data |
|
117 | * |
|
118 | * Parsed from php://input at runtime |
|
119 | * |
|
120 | * @see CI_Input::input_stream() |
|
121 | * @var array |
|
122 | */ |
|
123 | protected $_input_stream; |
|
124 | ||
125 | protected $security; |
|
126 | protected $uni; |
|
127 | ||
128 | // -------------------------------------------------------------------- |
|
129 | ||
130 | /** |
|
131 | * Class constructor |
|
132 | * |
|
133 | * Determines whether to globally enable the XSS processing |
|
134 | * and whether to allow the $_GET array. |
|
135 | * |
|
136 | * @return void |
|
137 | * |
|
138 | * @codeCoverageIgnore |
|
139 | */ |
|
140 | public function __construct() |
|
141 | { |
|
142 | $this->_allow_get_array = (config_item('allow_get_array') !== FALSE); |
|
143 | $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); |
|
144 | $this->_enable_csrf = (config_item('csrf_protection') === TRUE); |
|
145 | $this->_standardize_newlines = (bool) config_item('standardize_newlines'); |
|
146 | ||
147 | $this->security =& load_class('Security', 'core'); |
|
148 | ||
149 | // Do we need the UTF-8 class? |
|
150 | if (UTF8_ENABLED === TRUE) |
|
151 | { |
|
152 | $this->uni =& load_class('Utf8', 'core'); |
|
153 | } |
|
154 | ||
155 | // Sanitize global arrays |
|
156 | $this->_sanitize_globals(); |
|
157 | ||
158 | // CSRF Protection check |
|
159 | if ($this->_enable_csrf === TRUE && ! is_cli()) |
|
160 | { |
|
161 | $this->security->csrf_verify(); |
|
162 | } |
|
163 | ||
164 | log_message('info', 'Input Class Initialized'); |
|
165 | } |
|
166 | ||
167 | // -------------------------------------------------------------------- |
|
168 | ||
169 | /** |
|
170 | * Fetch from array |
|
171 | * |
|
172 | * Internal method used to retrieve values from global arrays. |
|
173 | * |
|
174 | * @param array &$array $_GET, $_POST, $_COOKIE, $_SERVER, etc. |
|
175 | * @param mixed $index Index for item to be fetched from $array |
|
176 | * @param bool $xss_clean Whether to apply XSS filtering |
|
177 | * @return mixed |
|
178 | * |
|
179 | * @codeCoverageIgnore |
|
180 | */ |
|
181 | protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL) |
|
182 | { |
|
183 | is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; |
|
184 | ||
185 | // If $index is NULL, it means that the whole $array is requested |
|
186 | isset($index) OR $index = array_keys($array); |
|
187 | ||
188 | // allow fetching multiple keys at once |
|
189 | if (is_array($index)) |
|
190 | { |
|
191 | $output = array(); |
|
192 | foreach ($index as $key) |
|
193 | { |
|
194 | $output[$key] = $this->_fetch_from_array($array, $key, $xss_clean); |
|
195 | } |
|
196 | ||
197 | return $output; |
|
198 | } |
|
199 | ||
200 | if (isset($array[$index])) |
|
201 | { |
|
202 | $value = $array[$index]; |
|
203 | } |
|
204 | elseif (($count = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $index, $matches)) > 1) // Does the index contain array notation |
|
205 | { |
|
206 | $value = $array; |
|
207 | for ($i = 0; $i < $count; $i++) |
|
208 | { |
|
209 | $key = trim($matches[0][$i], '[]'); |
|
210 | if ($key === '') // Empty notation will return the value as array |
|
211 | { |
|
212 | break; |
|
213 | } |
|
214 | ||
215 | if (isset($value[$key])) |
|
216 | { |
|
217 | $value = $value[$key]; |
|
218 | } |
|
219 | else |
|
220 | { |
|
221 | return NULL; |
|
222 | } |
|
223 | } |
|
224 | } |
|
225 | else |
|
226 | { |
|
227 | return NULL; |
|
228 | } |
|
229 | ||
230 | return ($xss_clean === TRUE) |
|
231 | ? $this->security->xss_clean($value) |
|
232 | : $value; |
|
233 | } |
|
234 | ||
235 | // -------------------------------------------------------------------- |
|
236 | ||
237 | /** |
|
238 | * Fetch an item from the GET array |
|
239 | * |
|
240 | * @param mixed $index Index for item to be fetched from $_GET |
|
241 | * @param bool $xss_clean Whether to apply XSS filtering |
|
242 | * @return mixed |
|
243 | * |
|
244 | * @codeCoverageIgnore |
|
245 | */ |
|
246 | public function get($index = NULL, $xss_clean = NULL) |
|
247 | { |
|
248 | return $this->_fetch_from_array($_GET, $index, $xss_clean); |
|
249 | } |
|
250 | ||
251 | // -------------------------------------------------------------------- |
|
252 | ||
253 | /** |
|
254 | * Fetch an item from the POST array |
|
255 | * |
|
256 | * @param mixed $index Index for item to be fetched from $_POST |
|
257 | * @param bool $xss_clean Whether to apply XSS filtering |
|
258 | * @return mixed |
|
259 | * |
|
260 | * @codeCoverageIgnore |
|
261 | */ |
|
262 | public function post($index = NULL, $xss_clean = NULL) |
|
263 | { |
|
264 | return $this->_fetch_from_array($_POST, $index, $xss_clean); |
|
265 | } |
|
266 | ||
267 | // -------------------------------------------------------------------- |
|
268 | ||
269 | /** |
|
270 | * Fetch an item from POST data with fallback to GET |
|
271 | * |
|
272 | * @param string $index Index for item to be fetched from $_POST or $_GET |
|
273 | * @param bool $xss_clean Whether to apply XSS filtering |
|
274 | * @return mixed |
|
275 | * |
|
276 | * @codeCoverageIgnore |
|
277 | */ |
|
278 | public function post_get($index, $xss_clean = NULL) |
|
279 | { |
|
280 | return isset($_POST[$index]) |
|
281 | ? $this->post($index, $xss_clean) |
|
282 | : $this->get($index, $xss_clean); |
|
283 | } |
|
284 | ||
285 | // -------------------------------------------------------------------- |
|
286 | ||
287 | /** |
|
288 | * Fetch an item from GET data with fallback to POST |
|
289 | * |
|
290 | * @param string $index Index for item to be fetched from $_GET or $_POST |
|
291 | * @param bool $xss_clean Whether to apply XSS filtering |
|
292 | * @return mixed |
|
293 | * |
|
294 | * @codeCoverageIgnore |
|
295 | */ |
|
296 | public function get_post($index, $xss_clean = NULL) |
|
297 | { |
|
298 | return isset($_GET[$index]) |
|
299 | ? $this->get($index, $xss_clean) |
|
300 | : $this->post($index, $xss_clean); |
|
301 | } |
|
302 | ||
303 | // -------------------------------------------------------------------- |
|
304 | ||
305 | /** |
|
306 | * Fetch an item from the COOKIE array |
|
307 | * |
|
308 | * @param mixed $index Index for item to be fetched from $_COOKIE |
|
309 | * @param bool $xss_clean Whether to apply XSS filtering |
|
310 | * @return mixed |
|
311 | * |
|
312 | * @codeCoverageIgnore |
|
313 | */ |
|
314 | public function cookie($index = NULL, $xss_clean = NULL) |
|
315 | { |
|
316 | return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); |
|
317 | } |
|
318 | ||
319 | // -------------------------------------------------------------------- |
|
320 | ||
321 | /** |
|
322 | * Fetch an item from the SERVER array |
|
323 | * |
|
324 | * @param mixed $index Index for item to be fetched from $_SERVER |
|
325 | * @param bool $xss_clean Whether to apply XSS filtering |
|
326 | * @return mixed |
|
327 | * |
|
328 | * @codeCoverageIgnore |
|
329 | */ |
|
330 | public function server($index, $xss_clean = NULL) |
|
331 | { |
|
332 | return $this->_fetch_from_array($_SERVER, $index, $xss_clean); |
|
333 | } |
|
334 | ||
335 | // ------------------------------------------------------------------------ |
|
336 | ||
337 | /** |
|
338 | * Fetch an item from the php://input stream |
|
339 | * |
|
340 | * Useful when you need to access PUT, DELETE or PATCH request data. |
|
341 | * |
|
342 | * @param string $index Index for item to be fetched |
|
343 | * @param bool $xss_clean Whether to apply XSS filtering |
|
344 | * @return mixed |
|
345 | * |
|
346 | * @codeCoverageIgnore |
|
347 | */ |
|
348 | public function input_stream($index = NULL, $xss_clean = NULL) |
|
349 | { |
|
350 | // Prior to PHP 5.6, the input stream can only be read once, |
|
351 | // so we'll need to check if we have already done that first. |
|
352 | if ( ! is_array($this->_input_stream)) |
|
353 | { |
|
354 | // $this->raw_input_stream will trigger __get(). |
|
355 | parse_str($this->raw_input_stream, $this->_input_stream); |
|
356 | is_array($this->_input_stream) OR $this->_input_stream = array(); |
|
357 | } |
|
358 | ||
359 | return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean); |
|
360 | } |
|
361 | ||
362 | // ------------------------------------------------------------------------ |
|
363 | ||
364 | /** |
|
365 | * Set cookie |
|
366 | * |
|
367 | * Accepts an arbitrary number of parameters (up to 7) or an associative |
|
368 | * array in the first parameter containing all the values. |
|
369 | * |
|
370 | * @param string|mixed[] $name Cookie name or an array containing parameters |
|
371 | * @param string $value Cookie value |
|
372 | * @param int $expire Cookie expiration time in seconds |
|
373 | * @param string $domain Cookie domain (e.g.: '.yourdomain.com') |
|
374 | * @param string $path Cookie path (default: '/') |
|
375 | * @param string $prefix Cookie name prefix |
|
376 | * @param bool $secure Whether to only transfer cookies via SSL |
|
377 | * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) |
|
378 | * @return void |
|
379 | * |
|
380 | * modified by ci-phpunit-test |
|
381 | */ |
|
382 | public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) |
|
383 | { |
|
384 | if (is_array($name)) |
|
385 | { |
|
386 | // always leave 'name' in last place, as the loop will break otherwise, due to $$item |
|
387 | foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item) |
|
388 | { |
|
389 | if (isset($name[$item])) |
|
390 | { |
|
391 | $$item = $name[$item]; |
|
392 | } |
|
393 | } |
|
394 | } |
|
395 | ||
396 | if ($prefix === '' && config_item('cookie_prefix') !== '') |
|
397 | { |
|
398 | $prefix = config_item('cookie_prefix'); |
|
399 | } |
|
400 | ||
401 | if ($domain == '' && config_item('cookie_domain') != '') |
|
402 | { |
|
403 | $domain = config_item('cookie_domain'); |
|
404 | } |
|
405 | ||
406 | if ($path === '/' && config_item('cookie_path') !== '/') |
|
407 | { |
|
408 | $path = config_item('cookie_path'); |
|
409 | } |
|
410 | ||
411 | $secure = ($secure === NULL && config_item('cookie_secure') !== NULL) |
|
412 | ? (bool) config_item('cookie_secure') |
|
413 | : (bool) $secure; |
|
414 | ||
415 | $httponly = ($httponly === NULL && config_item('cookie_httponly') !== NULL) |
|
416 | ? (bool) config_item('cookie_httponly') |
|
417 | : (bool) $httponly; |
|
418 | ||
419 | if ( ! is_numeric($expire)) |
|
420 | { |
|
421 | $expire = time() - 86500; |
|
422 | } |
|
423 | else |
|
424 | { |
|
425 | $expire = ($expire > 0) ? time() + $expire : 0; |
|
426 | } |
|
427 | ||
428 | // setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly); |
|
429 | ||
430 | // Save cookie in Output object |
|
431 | // added by ci-phpunit-test |
|
432 | $CI =& get_instance(); |
|
433 | $output = $CI->output; |
|
434 | $output->_cookies[$prefix.$name][] = [ |
|
435 | 'value' => $value, |
|
436 | 'expire' => $expire, |
|
437 | 'path' => $path, |
|
438 | 'domain' => $domain, |
|
439 | 'secure' => $secure, |
|
440 | 'httponly' => $httponly, |
|
441 | ]; |
|
442 | } |
|
443 | ||
444 | // -------------------------------------------------------------------- |
|
445 | ||
446 | /** |
|
447 | * Fetch the IP Address |
|
448 | * |
|
449 | * Determines and validates the visitor's IP address. |
|
450 | * |
|
451 | * @return string IP address |
|
452 | * |
|
453 | * @codeCoverageIgnore |
|
454 | */ |
|
455 | public function ip_address() |
|
456 | { |
|
457 | if ($this->ip_address !== FALSE) |
|
458 | { |
|
459 | return $this->ip_address; |
|
460 | } |
|
461 | ||
462 | $proxy_ips = config_item('proxy_ips'); |
|
463 | if ( ! empty($proxy_ips) && ! is_array($proxy_ips)) |
|
464 | { |
|
465 | $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); |
|
466 | } |
|
467 | ||
468 | $this->ip_address = $this->server('REMOTE_ADDR'); |
|
469 | ||
470 | if ($proxy_ips) |
|
471 | { |
|
472 | foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header) |
|
473 | { |
|
474 | if (($spoof = $this->server($header)) !== NULL) |
|
475 | { |
|
476 | // Some proxies typically list the whole chain of IP |
|
477 | // addresses through which the client has reached us. |
|
478 | // e.g. client_ip, proxy_ip1, proxy_ip2, etc. |
|
479 | sscanf($spoof, '%[^,]', $spoof); |
|
480 | ||
481 | if ( ! $this->valid_ip($spoof)) |
|
482 | { |
|
483 | $spoof = NULL; |
|
484 | } |
|
485 | else |
|
486 | { |
|
487 | break; |
|
488 | } |
|
489 | } |
|
490 | } |
|
491 | ||
492 | if ($spoof) |
|
493 | { |
|
494 | for ($i = 0, $c = count($proxy_ips); $i < $c; $i++) |
|
495 | { |
|
496 | // Check if we have an IP address or a subnet |
|
497 | if (strpos($proxy_ips[$i], '/') === FALSE) |
|
498 | { |
|
499 | // An IP address (and not a subnet) is specified. |
|
500 | // We can compare right away. |
|
501 | if ($proxy_ips[$i] === $this->ip_address) |
|
502 | { |
|
503 | $this->ip_address = $spoof; |
|
504 | break; |
|
505 | } |
|
506 | ||
507 | continue; |
|
508 | } |
|
509 | ||
510 | // We have a subnet ... now the heavy lifting begins |
|
511 | isset($separator) OR $separator = $this->valid_ip($this->ip_address, 'ipv6') ? ':' : '.'; |
|
512 | ||
513 | // If the proxy entry doesn't match the IP protocol - skip it |
|
514 | if (strpos($proxy_ips[$i], $separator) === FALSE) |
|
515 | { |
|
516 | continue; |
|
517 | } |
|
518 | ||
519 | // Convert the REMOTE_ADDR IP address to binary, if needed |
|
520 | if ( ! isset($ip, $sprintf)) |
|
521 | { |
|
522 | if ($separator === ':') |
|
523 | { |
|
524 | // Make sure we're have the "full" IPv6 format |
|
525 | $ip = explode(':', |
|
526 | str_replace('::', |
|
527 | str_repeat(':', 9 - substr_count($this->ip_address, ':')), |
|
528 | $this->ip_address |
|
529 | ) |
|
530 | ); |
|
531 | ||
532 | for ($j = 0; $j < 8; $j++) |
|
533 | { |
|
534 | $ip[$j] = intval($ip[$j], 16); |
|
535 | } |
|
536 | ||
537 | $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; |
|
538 | } |
|
539 | else |
|
540 | { |
|
541 | $ip = explode('.', $this->ip_address); |
|
542 | $sprintf = '%08b%08b%08b%08b'; |
|
543 | } |
|
544 | ||
545 | $ip = vsprintf($sprintf, $ip); |
|
546 | } |
|
547 | ||
548 | // Split the netmask length off the network address |
|
549 | sscanf($proxy_ips[$i], '%[^/]/%d', $netaddr, $masklen); |
|
550 | ||
551 | // Again, an IPv6 address is most likely in a compressed form |
|
552 | if ($separator === ':') |
|
553 | { |
|
554 | $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr)); |
|
555 | for ($j = 0; $j < 8; $j++) |
|
556 | { |
|
557 | $netaddr[$j] = intval($netaddr[$j], 16); |
|
558 | } |
|
559 | } |
|
560 | else |
|
561 | { |
|
562 | $netaddr = explode('.', $netaddr); |
|
563 | } |
|
564 | ||
565 | // Convert to binary and finally compare |
|
566 | if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) |
|
567 | { |
|
568 | $this->ip_address = $spoof; |
|
569 | break; |
|
570 | } |
|
571 | } |
|
572 | } |
|
573 | } |
|
574 | ||
575 | if ( ! $this->valid_ip($this->ip_address)) |
|
576 | { |
|
577 | return $this->ip_address = '0.0.0.0'; |
|
578 | } |
|
579 | ||
580 | return $this->ip_address; |
|
581 | } |
|
582 | ||
583 | // -------------------------------------------------------------------- |
|
584 | ||
585 | /** |
|
586 | * Validate IP Address |
|
587 | * |
|
588 | * @param string $ip IP address |
|
589 | * @param string $which IP protocol: 'ipv4' or 'ipv6' |
|
590 | * @return bool |
|
591 | * |
|
592 | * @codeCoverageIgnore |
|
593 | */ |
|
594 | public function valid_ip($ip, $which = '') |
|
595 | { |
|
596 | switch (strtolower($which)) |
|
597 | { |
|
598 | case 'ipv4': |
|
599 | $which = FILTER_FLAG_IPV4; |
|
600 | break; |
|
601 | case 'ipv6': |
|
602 | $which = FILTER_FLAG_IPV6; |
|
603 | break; |
|
604 | default: |
|
605 | $which = NULL; |
|
606 | break; |
|
607 | } |
|
608 | ||
609 | return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which); |
|
610 | } |
|
611 | ||
612 | // -------------------------------------------------------------------- |
|
613 | ||
614 | /** |
|
615 | * Fetch User Agent string |
|
616 | * |
|
617 | * @return string|null User Agent string or NULL if it doesn't exist |
|
618 | * |
|
619 | * @codeCoverageIgnore |
|
620 | */ |
|
621 | public function user_agent($xss_clean = NULL) |
|
622 | { |
|
623 | return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean); |
|
624 | } |
|
625 | ||
626 | // -------------------------------------------------------------------- |
|
627 | ||
628 | /** |
|
629 | * Sanitize Globals |
|
630 | * |
|
631 | * Internal method serving for the following purposes: |
|
632 | * |
|
633 | * - Unsets $_GET data, if query strings are not enabled |
|
634 | * - Cleans POST, COOKIE and SERVER data |
|
635 | * - Standardizes newline characters to PHP_EOL |
|
636 | * |
|
637 | * @return void |
|
638 | * |
|
639 | * @codeCoverageIgnore |
|
640 | */ |
|
641 | protected function _sanitize_globals() |
|
642 | { |
|
643 | // Is $_GET data allowed? If not we'll set the $_GET to an empty array |
|
644 | if ($this->_allow_get_array === FALSE) |
|
645 | { |
|
646 | $_GET = array(); |
|
647 | } |
|
648 | elseif (is_array($_GET)) |
|
649 | { |
|
650 | foreach ($_GET as $key => $val) |
|
651 | { |
|
652 | $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
653 | } |
|
654 | } |
|
655 | ||
656 | // Clean $_POST Data |
|
657 | if (is_array($_POST)) |
|
658 | { |
|
659 | foreach ($_POST as $key => $val) |
|
660 | { |
|
661 | $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
662 | } |
|
663 | } |
|
664 | ||
665 | // Clean $_COOKIE Data |
|
666 | if (is_array($_COOKIE)) |
|
667 | { |
|
668 | // Also get rid of specially treated cookies that might be set by a server |
|
669 | // or silly application, that are of no use to a CI application anyway |
|
670 | // but that when present will trip our 'Disallowed Key Characters' alarm |
|
671 | // http://www.ietf.org/rfc/rfc2109.txt |
|
672 | // note that the key names below are single quoted strings, and are not PHP variables |
|
673 | unset( |
|
674 | $_COOKIE['$Version'], |
|
675 | $_COOKIE['$Path'], |
|
676 | $_COOKIE['$Domain'] |
|
677 | ); |
|
678 | ||
679 | foreach ($_COOKIE as $key => $val) |
|
680 | { |
|
681 | if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) |
|
682 | { |
|
683 | $_COOKIE[$cookie_key] = $this->_clean_input_data($val); |
|
684 | } |
|
685 | else |
|
686 | { |
|
687 | unset($_COOKIE[$key]); |
|
688 | } |
|
689 | } |
|
690 | } |
|
691 | ||
692 | // Sanitize PHP_SELF |
|
693 | $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); |
|
694 | ||
695 | log_message('debug', 'Global POST, GET and COOKIE data sanitized'); |
|
696 | } |
|
697 | ||
698 | // -------------------------------------------------------------------- |
|
699 | ||
700 | /** |
|
701 | * Clean Input Data |
|
702 | * |
|
703 | * Internal method that aids in escaping data and |
|
704 | * standardizing newline characters to PHP_EOL. |
|
705 | * |
|
706 | * @param string|string[] $str Input string(s) |
|
707 | * @return string |
|
708 | * |
|
709 | * @codeCoverageIgnore |
|
710 | */ |
|
711 | protected function _clean_input_data($str) |
|
712 | { |
|
713 | if (is_array($str)) |
|
714 | { |
|
715 | $new_array = array(); |
|
716 | foreach (array_keys($str) as $key) |
|
717 | { |
|
718 | $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); |
|
719 | } |
|
720 | return $new_array; |
|
721 | } |
|
722 | ||
723 | /* We strip slashes if magic quotes is on to keep things consistent |
|
724 | ||
725 | NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and |
|
726 | it will probably not exist in future versions at all. |
|
727 | */ |
|
728 | if ( ! is_php('5.4') && get_magic_quotes_gpc()) |
|
729 | { |
|
730 | $str = stripslashes($str); |
|
731 | } |
|
732 | ||
733 | // Clean UTF-8 if supported |
|
734 | if (UTF8_ENABLED === TRUE) |
|
735 | { |
|
736 | $str = $this->uni->clean_string($str); |
|
737 | } |
|
738 | ||
739 | // Remove control characters |
|
740 | $str = remove_invisible_characters($str, FALSE); |
|
741 | ||
742 | // Standardize newlines if needed |
|
743 | if ($this->_standardize_newlines === TRUE) |
|
744 | { |
|
745 | return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str); |
|
746 | } |
|
747 | ||
748 | return $str; |
|
749 | } |
|
750 | ||
751 | // -------------------------------------------------------------------- |
|
752 | ||
753 | /** |
|
754 | * Clean Keys |
|
755 | * |
|
756 | * Internal method that helps to prevent malicious users |
|
757 | * from trying to exploit keys we make sure that keys are |
|
758 | * only named with alpha-numeric text and a few other items. |
|
759 | * |
|
760 | * @param string $str Input string |
|
761 | * @param bool $fatal Whether to terminate script exection |
|
762 | * or to return FALSE if an invalid |
|
763 | * key is encountered |
|
764 | * @return string|bool |
|
765 | * |
|
766 | * @codeCoverageIgnore |
|
767 | */ |
|
768 | protected function _clean_input_keys($str, $fatal = TRUE) |
|
769 | { |
|
770 | if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) |
|
771 | { |
|
772 | if ($fatal === TRUE) |
|
773 | { |
|
774 | return FALSE; |
|
775 | } |
|
776 | else |
|
777 | { |
|
778 | set_status_header(503); |
|
779 | echo 'Disallowed Key Characters.'; |
|
780 | exit(7); // EXIT_USER_INPUT |
|
781 | } |
|
782 | } |
|
783 | ||
784 | // Clean UTF-8 if supported |
|
785 | if (UTF8_ENABLED === TRUE) |
|
786 | { |
|
787 | return $this->uni->clean_string($str); |
|
788 | } |
|
789 | ||
790 | return $str; |
|
791 | } |
|
792 | ||
793 | // -------------------------------------------------------------------- |
|
794 | ||
795 | /** |
|
796 | * Request Headers |
|
797 | * |
|
798 | * @param bool $xss_clean Whether to apply XSS filtering |
|
799 | * @return array |
|
800 | * |
|
801 | * @codeCoverageIgnore |
|
802 | */ |
|
803 | public function request_headers($xss_clean = FALSE) |
|
804 | { |
|
805 | // If header is already defined, return it immediately |
|
806 | if ( ! empty($this->headers)) |
|
807 | { |
|
808 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
809 | } |
|
810 | ||
811 | // In Apache, you can simply call apache_request_headers() |
|
812 | if (function_exists('apache_request_headers')) |
|
813 | { |
|
814 | $this->headers = apache_request_headers(); |
|
815 | } |
|
816 | else |
|
817 | { |
|
818 | isset($_SERVER['CONTENT_TYPE']) && $this->headers['Content-Type'] = $_SERVER['CONTENT_TYPE']; |
|
819 | ||
820 | foreach ($_SERVER as $key => $val) |
|
821 | { |
|
822 | if (sscanf($key, 'HTTP_%s', $header) === 1) |
|
823 | { |
|
824 | // take SOME_HEADER and turn it into Some-Header |
|
825 | $header = str_replace('_', ' ', strtolower($header)); |
|
826 | $header = str_replace(' ', '-', ucwords($header)); |
|
827 | ||
828 | $this->headers[$header] = $_SERVER[$key]; |
|
829 | } |
|
830 | } |
|
831 | } |
|
832 | ||
833 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
834 | } |
|
835 | ||
836 | // -------------------------------------------------------------------- |
|
837 | ||
838 | /** |
|
839 | * Get Request Header |
|
840 | * |
|
841 | * Returns the value of a single member of the headers class member |
|
842 | * |
|
843 | * @param string $index Header name |
|
844 | * @param bool $xss_clean Whether to apply XSS filtering |
|
845 | * @return string|null The requested header on success or NULL on failure |
|
846 | * |
|
847 | * modified by ci-phpunit-test |
|
848 | */ |
|
849 | public function get_request_header($index, $xss_clean = FALSE) |
|
850 | { |
|
851 | // static $headers; |
|
852 | ||
853 | if ( ! isset($headers)) |
|
854 | { |
|
855 | empty($this->headers) && $this->request_headers(); |
|
856 | foreach ($this->headers as $key => $value) |
|
857 | { |
|
858 | $headers[strtolower($key)] = $value; |
|
859 | } |
|
860 | } |
|
861 | ||
862 | $index = strtolower($index); |
|
863 | ||
864 | if ( ! isset($headers[$index])) |
|
865 | { |
|
866 | return NULL; |
|
867 | } |
|
868 | ||
869 | return ($xss_clean === TRUE) |
|
870 | ? $this->security->xss_clean($headers[$index]) |
|
871 | : $headers[$index]; |
|
872 | } |
|
873 | ||
874 | // -------------------------------------------------------------------- |
|
875 | ||
876 | /** |
|
877 | * Is AJAX request? |
|
878 | * |
|
879 | * Test to see if a request contains the HTTP_X_REQUESTED_WITH header. |
|
880 | * |
|
881 | * @return bool |
|
882 | * |
|
883 | * @codeCoverageIgnore |
|
884 | */ |
|
885 | public function is_ajax_request() |
|
886 | { |
|
887 | return ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest'); |
|
888 | } |
|
889 | ||
890 | // -------------------------------------------------------------------- |
|
891 | ||
892 | /** |
|
893 | * Is CLI request? |
|
894 | * |
|
895 | * Test to see if a request was made from the command line. |
|
896 | * |
|
897 | * @deprecated 3.0.0 Use is_cli() instead |
|
898 | * @return bool |
|
899 | * |
|
900 | * @codeCoverageIgnore |
|
901 | */ |
|
902 | public function is_cli_request() |
|
903 | { |
|
904 | return is_cli(); |
|
905 | } |
|
906 | ||
907 | // -------------------------------------------------------------------- |
|
908 | ||
909 | /** |
|
910 | * Get Request Method |
|
911 | * |
|
912 | * Return the request method |
|
913 | * |
|
914 | * @param bool $upper Whether to return in upper or lower case |
|
915 | * (default: FALSE) |
|
916 | * @return string |
|
917 | * |
|
918 | * @codeCoverageIgnore |
|
919 | */ |
|
920 | public function method($upper = FALSE) |
|
921 | { |
|
922 | return ($upper) |
|
923 | ? strtoupper($this->server('REQUEST_METHOD')) |
|
924 | : strtolower($this->server('REQUEST_METHOD')); |
|
925 | } |
|
926 | ||
927 | // ------------------------------------------------------------------------ |
|
928 | ||
929 | /** |
|
930 | * Magic __get() |
|
931 | * |
|
932 | * Allows read access to protected properties |
|
933 | * |
|
934 | * @param string $name |
|
935 | * @return mixed |
|
936 | * |
|
937 | * @codeCoverageIgnore |
|
938 | */ |
|
939 | public function __get($name) |
|
940 | { |
|
941 | if ($name === 'raw_input_stream') |
|
942 | { |
|
943 | isset($this->_raw_input_stream) OR $this->_raw_input_stream = file_get_contents('php://input'); |
|
944 | return $this->_raw_input_stream; |
|
945 | } |
|
946 | elseif ($name === 'ip_address') |
|
947 | { |
|
948 | return $this->ip_address; |
|
949 | } |
|
950 | } |
|
951 | ||
952 | } |
|
953 |
@@ 51-952 (lines=902) @@ | ||
48 | * @author EllisLab Dev Team |
|
49 | * @link https://codeigniter.com/user_guide/libraries/input.html |
|
50 | */ |
|
51 | class CI_Input { |
|
52 | ||
53 | /** |
|
54 | * IP address of the current user |
|
55 | * |
|
56 | * @var string |
|
57 | */ |
|
58 | protected $ip_address = FALSE; |
|
59 | ||
60 | /** |
|
61 | * Allow GET array flag |
|
62 | * |
|
63 | * If set to FALSE, then $_GET will be set to an empty array. |
|
64 | * |
|
65 | * @var bool |
|
66 | */ |
|
67 | protected $_allow_get_array = TRUE; |
|
68 | ||
69 | /** |
|
70 | * Standardize new lines flag |
|
71 | * |
|
72 | * If set to TRUE, then newlines are standardized. |
|
73 | * |
|
74 | * @var bool |
|
75 | */ |
|
76 | protected $_standardize_newlines; |
|
77 | ||
78 | /** |
|
79 | * Enable XSS flag |
|
80 | * |
|
81 | * Determines whether the XSS filter is always active when |
|
82 | * GET, POST or COOKIE data is encountered. |
|
83 | * Set automatically based on config setting. |
|
84 | * |
|
85 | * @var bool |
|
86 | */ |
|
87 | protected $_enable_xss = FALSE; |
|
88 | ||
89 | /** |
|
90 | * Enable CSRF flag |
|
91 | * |
|
92 | * Enables a CSRF cookie token to be set. |
|
93 | * Set automatically based on config setting. |
|
94 | * |
|
95 | * @var bool |
|
96 | */ |
|
97 | protected $_enable_csrf = FALSE; |
|
98 | ||
99 | /** |
|
100 | * List of all HTTP request headers |
|
101 | * |
|
102 | * @var array |
|
103 | */ |
|
104 | protected $headers = array(); |
|
105 | ||
106 | /** |
|
107 | * Raw input stream data |
|
108 | * |
|
109 | * Holds a cache of php://input contents |
|
110 | * |
|
111 | * @var string |
|
112 | */ |
|
113 | protected $_raw_input_stream; |
|
114 | ||
115 | /** |
|
116 | * Parsed input stream data |
|
117 | * |
|
118 | * Parsed from php://input at runtime |
|
119 | * |
|
120 | * @see CI_Input::input_stream() |
|
121 | * @var array |
|
122 | */ |
|
123 | protected $_input_stream; |
|
124 | ||
125 | protected $security; |
|
126 | protected $uni; |
|
127 | ||
128 | // -------------------------------------------------------------------- |
|
129 | ||
130 | /** |
|
131 | * Class constructor |
|
132 | * |
|
133 | * Determines whether to globally enable the XSS processing |
|
134 | * and whether to allow the $_GET array. |
|
135 | * |
|
136 | * @return void |
|
137 | * |
|
138 | * @codeCoverageIgnore |
|
139 | */ |
|
140 | public function __construct() |
|
141 | { |
|
142 | $this->_allow_get_array = (config_item('allow_get_array') !== FALSE); |
|
143 | $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); |
|
144 | $this->_enable_csrf = (config_item('csrf_protection') === TRUE); |
|
145 | $this->_standardize_newlines = (bool) config_item('standardize_newlines'); |
|
146 | ||
147 | $this->security =& load_class('Security', 'core'); |
|
148 | ||
149 | // Do we need the UTF-8 class? |
|
150 | if (UTF8_ENABLED === TRUE) |
|
151 | { |
|
152 | $this->uni =& load_class('Utf8', 'core'); |
|
153 | } |
|
154 | ||
155 | // Sanitize global arrays |
|
156 | $this->_sanitize_globals(); |
|
157 | ||
158 | // CSRF Protection check |
|
159 | if ($this->_enable_csrf === TRUE && ! is_cli()) |
|
160 | { |
|
161 | $this->security->csrf_verify(); |
|
162 | } |
|
163 | ||
164 | log_message('info', 'Input Class Initialized'); |
|
165 | } |
|
166 | ||
167 | // -------------------------------------------------------------------- |
|
168 | ||
169 | /** |
|
170 | * Fetch from array |
|
171 | * |
|
172 | * Internal method used to retrieve values from global arrays. |
|
173 | * |
|
174 | * @param array &$array $_GET, $_POST, $_COOKIE, $_SERVER, etc. |
|
175 | * @param mixed $index Index for item to be fetched from $array |
|
176 | * @param bool $xss_clean Whether to apply XSS filtering |
|
177 | * @return mixed |
|
178 | * |
|
179 | * @codeCoverageIgnore |
|
180 | */ |
|
181 | protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL) |
|
182 | { |
|
183 | is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; |
|
184 | ||
185 | // If $index is NULL, it means that the whole $array is requested |
|
186 | isset($index) OR $index = array_keys($array); |
|
187 | ||
188 | // allow fetching multiple keys at once |
|
189 | if (is_array($index)) |
|
190 | { |
|
191 | $output = array(); |
|
192 | foreach ($index as $key) |
|
193 | { |
|
194 | $output[$key] = $this->_fetch_from_array($array, $key, $xss_clean); |
|
195 | } |
|
196 | ||
197 | return $output; |
|
198 | } |
|
199 | ||
200 | if (isset($array[$index])) |
|
201 | { |
|
202 | $value = $array[$index]; |
|
203 | } |
|
204 | elseif (($count = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $index, $matches)) > 1) // Does the index contain array notation |
|
205 | { |
|
206 | $value = $array; |
|
207 | for ($i = 0; $i < $count; $i++) |
|
208 | { |
|
209 | $key = trim($matches[0][$i], '[]'); |
|
210 | if ($key === '') // Empty notation will return the value as array |
|
211 | { |
|
212 | break; |
|
213 | } |
|
214 | ||
215 | if (isset($value[$key])) |
|
216 | { |
|
217 | $value = $value[$key]; |
|
218 | } |
|
219 | else |
|
220 | { |
|
221 | return NULL; |
|
222 | } |
|
223 | } |
|
224 | } |
|
225 | else |
|
226 | { |
|
227 | return NULL; |
|
228 | } |
|
229 | ||
230 | return ($xss_clean === TRUE) |
|
231 | ? $this->security->xss_clean($value) |
|
232 | : $value; |
|
233 | } |
|
234 | ||
235 | // -------------------------------------------------------------------- |
|
236 | ||
237 | /** |
|
238 | * Fetch an item from the GET array |
|
239 | * |
|
240 | * @param mixed $index Index for item to be fetched from $_GET |
|
241 | * @param bool $xss_clean Whether to apply XSS filtering |
|
242 | * @return mixed |
|
243 | * |
|
244 | * @codeCoverageIgnore |
|
245 | */ |
|
246 | public function get($index = NULL, $xss_clean = NULL) |
|
247 | { |
|
248 | return $this->_fetch_from_array($_GET, $index, $xss_clean); |
|
249 | } |
|
250 | ||
251 | // -------------------------------------------------------------------- |
|
252 | ||
253 | /** |
|
254 | * Fetch an item from the POST array |
|
255 | * |
|
256 | * @param mixed $index Index for item to be fetched from $_POST |
|
257 | * @param bool $xss_clean Whether to apply XSS filtering |
|
258 | * @return mixed |
|
259 | * |
|
260 | * @codeCoverageIgnore |
|
261 | */ |
|
262 | public function post($index = NULL, $xss_clean = NULL) |
|
263 | { |
|
264 | return $this->_fetch_from_array($_POST, $index, $xss_clean); |
|
265 | } |
|
266 | ||
267 | // -------------------------------------------------------------------- |
|
268 | ||
269 | /** |
|
270 | * Fetch an item from POST data with fallback to GET |
|
271 | * |
|
272 | * @param string $index Index for item to be fetched from $_POST or $_GET |
|
273 | * @param bool $xss_clean Whether to apply XSS filtering |
|
274 | * @return mixed |
|
275 | * |
|
276 | * @codeCoverageIgnore |
|
277 | */ |
|
278 | public function post_get($index, $xss_clean = NULL) |
|
279 | { |
|
280 | return isset($_POST[$index]) |
|
281 | ? $this->post($index, $xss_clean) |
|
282 | : $this->get($index, $xss_clean); |
|
283 | } |
|
284 | ||
285 | // -------------------------------------------------------------------- |
|
286 | ||
287 | /** |
|
288 | * Fetch an item from GET data with fallback to POST |
|
289 | * |
|
290 | * @param string $index Index for item to be fetched from $_GET or $_POST |
|
291 | * @param bool $xss_clean Whether to apply XSS filtering |
|
292 | * @return mixed |
|
293 | * |
|
294 | * @codeCoverageIgnore |
|
295 | */ |
|
296 | public function get_post($index, $xss_clean = NULL) |
|
297 | { |
|
298 | return isset($_GET[$index]) |
|
299 | ? $this->get($index, $xss_clean) |
|
300 | : $this->post($index, $xss_clean); |
|
301 | } |
|
302 | ||
303 | // -------------------------------------------------------------------- |
|
304 | ||
305 | /** |
|
306 | * Fetch an item from the COOKIE array |
|
307 | * |
|
308 | * @param mixed $index Index for item to be fetched from $_COOKIE |
|
309 | * @param bool $xss_clean Whether to apply XSS filtering |
|
310 | * @return mixed |
|
311 | * |
|
312 | * @codeCoverageIgnore |
|
313 | */ |
|
314 | public function cookie($index = NULL, $xss_clean = NULL) |
|
315 | { |
|
316 | return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); |
|
317 | } |
|
318 | ||
319 | // -------------------------------------------------------------------- |
|
320 | ||
321 | /** |
|
322 | * Fetch an item from the SERVER array |
|
323 | * |
|
324 | * @param mixed $index Index for item to be fetched from $_SERVER |
|
325 | * @param bool $xss_clean Whether to apply XSS filtering |
|
326 | * @return mixed |
|
327 | * |
|
328 | * @codeCoverageIgnore |
|
329 | */ |
|
330 | public function server($index, $xss_clean = NULL) |
|
331 | { |
|
332 | return $this->_fetch_from_array($_SERVER, $index, $xss_clean); |
|
333 | } |
|
334 | ||
335 | // ------------------------------------------------------------------------ |
|
336 | ||
337 | /** |
|
338 | * Fetch an item from the php://input stream |
|
339 | * |
|
340 | * Useful when you need to access PUT, DELETE or PATCH request data. |
|
341 | * |
|
342 | * @param string $index Index for item to be fetched |
|
343 | * @param bool $xss_clean Whether to apply XSS filtering |
|
344 | * @return mixed |
|
345 | * |
|
346 | * @codeCoverageIgnore |
|
347 | */ |
|
348 | public function input_stream($index = NULL, $xss_clean = NULL) |
|
349 | { |
|
350 | // Prior to PHP 5.6, the input stream can only be read once, |
|
351 | // so we'll need to check if we have already done that first. |
|
352 | if ( ! is_array($this->_input_stream)) |
|
353 | { |
|
354 | // $this->raw_input_stream will trigger __get(). |
|
355 | parse_str($this->raw_input_stream, $this->_input_stream); |
|
356 | is_array($this->_input_stream) OR $this->_input_stream = array(); |
|
357 | } |
|
358 | ||
359 | return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean); |
|
360 | } |
|
361 | ||
362 | // ------------------------------------------------------------------------ |
|
363 | ||
364 | /** |
|
365 | * Set cookie |
|
366 | * |
|
367 | * Accepts an arbitrary number of parameters (up to 7) or an associative |
|
368 | * array in the first parameter containing all the values. |
|
369 | * |
|
370 | * @param string|mixed[] $name Cookie name or an array containing parameters |
|
371 | * @param string $value Cookie value |
|
372 | * @param int $expire Cookie expiration time in seconds |
|
373 | * @param string $domain Cookie domain (e.g.: '.yourdomain.com') |
|
374 | * @param string $path Cookie path (default: '/') |
|
375 | * @param string $prefix Cookie name prefix |
|
376 | * @param bool $secure Whether to only transfer cookies via SSL |
|
377 | * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) |
|
378 | * @return void |
|
379 | * |
|
380 | * modified by ci-phpunit-test |
|
381 | */ |
|
382 | public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) |
|
383 | { |
|
384 | if (is_array($name)) |
|
385 | { |
|
386 | // always leave 'name' in last place, as the loop will break otherwise, due to $$item |
|
387 | foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item) |
|
388 | { |
|
389 | if (isset($name[$item])) |
|
390 | { |
|
391 | $$item = $name[$item]; |
|
392 | } |
|
393 | } |
|
394 | } |
|
395 | ||
396 | if ($prefix === '' && config_item('cookie_prefix') !== '') |
|
397 | { |
|
398 | $prefix = config_item('cookie_prefix'); |
|
399 | } |
|
400 | ||
401 | if ($domain == '' && config_item('cookie_domain') != '') |
|
402 | { |
|
403 | $domain = config_item('cookie_domain'); |
|
404 | } |
|
405 | ||
406 | if ($path === '/' && config_item('cookie_path') !== '/') |
|
407 | { |
|
408 | $path = config_item('cookie_path'); |
|
409 | } |
|
410 | ||
411 | $secure = ($secure === NULL && config_item('cookie_secure') !== NULL) |
|
412 | ? (bool) config_item('cookie_secure') |
|
413 | : (bool) $secure; |
|
414 | ||
415 | $httponly = ($httponly === NULL && config_item('cookie_httponly') !== NULL) |
|
416 | ? (bool) config_item('cookie_httponly') |
|
417 | : (bool) $httponly; |
|
418 | ||
419 | if ( ! is_numeric($expire)) |
|
420 | { |
|
421 | $expire = time() - 86500; |
|
422 | } |
|
423 | else |
|
424 | { |
|
425 | $expire = ($expire > 0) ? time() + $expire : 0; |
|
426 | } |
|
427 | ||
428 | // setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly); |
|
429 | ||
430 | // Save cookie in Output object |
|
431 | // added by ci-phpunit-test |
|
432 | $CI =& get_instance(); |
|
433 | $output = $CI->output; |
|
434 | $output->_cookies[$prefix.$name][] = [ |
|
435 | 'value' => $value, |
|
436 | 'expire' => $expire, |
|
437 | 'path' => $path, |
|
438 | 'domain' => $domain, |
|
439 | 'secure' => $secure, |
|
440 | 'httponly' => $httponly, |
|
441 | ]; |
|
442 | } |
|
443 | ||
444 | // -------------------------------------------------------------------- |
|
445 | ||
446 | /** |
|
447 | * Fetch the IP Address |
|
448 | * |
|
449 | * Determines and validates the visitor's IP address. |
|
450 | * |
|
451 | * @return string IP address |
|
452 | * |
|
453 | * @codeCoverageIgnore |
|
454 | */ |
|
455 | public function ip_address() |
|
456 | { |
|
457 | if ($this->ip_address !== FALSE) |
|
458 | { |
|
459 | return $this->ip_address; |
|
460 | } |
|
461 | ||
462 | $proxy_ips = config_item('proxy_ips'); |
|
463 | if ( ! empty($proxy_ips) && ! is_array($proxy_ips)) |
|
464 | { |
|
465 | $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); |
|
466 | } |
|
467 | ||
468 | $this->ip_address = $this->server('REMOTE_ADDR'); |
|
469 | ||
470 | if ($proxy_ips) |
|
471 | { |
|
472 | foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header) |
|
473 | { |
|
474 | if (($spoof = $this->server($header)) !== NULL) |
|
475 | { |
|
476 | // Some proxies typically list the whole chain of IP |
|
477 | // addresses through which the client has reached us. |
|
478 | // e.g. client_ip, proxy_ip1, proxy_ip2, etc. |
|
479 | sscanf($spoof, '%[^,]', $spoof); |
|
480 | ||
481 | if ( ! $this->valid_ip($spoof)) |
|
482 | { |
|
483 | $spoof = NULL; |
|
484 | } |
|
485 | else |
|
486 | { |
|
487 | break; |
|
488 | } |
|
489 | } |
|
490 | } |
|
491 | ||
492 | if ($spoof) |
|
493 | { |
|
494 | for ($i = 0, $c = count($proxy_ips); $i < $c; $i++) |
|
495 | { |
|
496 | // Check if we have an IP address or a subnet |
|
497 | if (strpos($proxy_ips[$i], '/') === FALSE) |
|
498 | { |
|
499 | // An IP address (and not a subnet) is specified. |
|
500 | // We can compare right away. |
|
501 | if ($proxy_ips[$i] === $this->ip_address) |
|
502 | { |
|
503 | $this->ip_address = $spoof; |
|
504 | break; |
|
505 | } |
|
506 | ||
507 | continue; |
|
508 | } |
|
509 | ||
510 | // We have a subnet ... now the heavy lifting begins |
|
511 | isset($separator) OR $separator = $this->valid_ip($this->ip_address, 'ipv6') ? ':' : '.'; |
|
512 | ||
513 | // If the proxy entry doesn't match the IP protocol - skip it |
|
514 | if (strpos($proxy_ips[$i], $separator) === FALSE) |
|
515 | { |
|
516 | continue; |
|
517 | } |
|
518 | ||
519 | // Convert the REMOTE_ADDR IP address to binary, if needed |
|
520 | if ( ! isset($ip, $sprintf)) |
|
521 | { |
|
522 | if ($separator === ':') |
|
523 | { |
|
524 | // Make sure we're have the "full" IPv6 format |
|
525 | $ip = explode(':', |
|
526 | str_replace('::', |
|
527 | str_repeat(':', 9 - substr_count($this->ip_address, ':')), |
|
528 | $this->ip_address |
|
529 | ) |
|
530 | ); |
|
531 | ||
532 | for ($j = 0; $j < 8; $j++) |
|
533 | { |
|
534 | $ip[$j] = intval($ip[$j], 16); |
|
535 | } |
|
536 | ||
537 | $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; |
|
538 | } |
|
539 | else |
|
540 | { |
|
541 | $ip = explode('.', $this->ip_address); |
|
542 | $sprintf = '%08b%08b%08b%08b'; |
|
543 | } |
|
544 | ||
545 | $ip = vsprintf($sprintf, $ip); |
|
546 | } |
|
547 | ||
548 | // Split the netmask length off the network address |
|
549 | sscanf($proxy_ips[$i], '%[^/]/%d', $netaddr, $masklen); |
|
550 | ||
551 | // Again, an IPv6 address is most likely in a compressed form |
|
552 | if ($separator === ':') |
|
553 | { |
|
554 | $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr)); |
|
555 | for ($j = 0; $j < 8; $j++) |
|
556 | { |
|
557 | $netaddr[$j] = intval($netaddr[$j], 16); |
|
558 | } |
|
559 | } |
|
560 | else |
|
561 | { |
|
562 | $netaddr = explode('.', $netaddr); |
|
563 | } |
|
564 | ||
565 | // Convert to binary and finally compare |
|
566 | if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) |
|
567 | { |
|
568 | $this->ip_address = $spoof; |
|
569 | break; |
|
570 | } |
|
571 | } |
|
572 | } |
|
573 | } |
|
574 | ||
575 | if ( ! $this->valid_ip($this->ip_address)) |
|
576 | { |
|
577 | return $this->ip_address = '0.0.0.0'; |
|
578 | } |
|
579 | ||
580 | return $this->ip_address; |
|
581 | } |
|
582 | ||
583 | // -------------------------------------------------------------------- |
|
584 | ||
585 | /** |
|
586 | * Validate IP Address |
|
587 | * |
|
588 | * @param string $ip IP address |
|
589 | * @param string $which IP protocol: 'ipv4' or 'ipv6' |
|
590 | * @return bool |
|
591 | * |
|
592 | * @codeCoverageIgnore |
|
593 | */ |
|
594 | public function valid_ip($ip, $which = '') |
|
595 | { |
|
596 | switch (strtolower($which)) |
|
597 | { |
|
598 | case 'ipv4': |
|
599 | $which = FILTER_FLAG_IPV4; |
|
600 | break; |
|
601 | case 'ipv6': |
|
602 | $which = FILTER_FLAG_IPV6; |
|
603 | break; |
|
604 | default: |
|
605 | $which = NULL; |
|
606 | break; |
|
607 | } |
|
608 | ||
609 | return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which); |
|
610 | } |
|
611 | ||
612 | // -------------------------------------------------------------------- |
|
613 | ||
614 | /** |
|
615 | * Fetch User Agent string |
|
616 | * |
|
617 | * @return string|null User Agent string or NULL if it doesn't exist |
|
618 | * |
|
619 | * @codeCoverageIgnore |
|
620 | */ |
|
621 | public function user_agent($xss_clean = NULL) |
|
622 | { |
|
623 | return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean); |
|
624 | } |
|
625 | ||
626 | // -------------------------------------------------------------------- |
|
627 | ||
628 | /** |
|
629 | * Sanitize Globals |
|
630 | * |
|
631 | * Internal method serving for the following purposes: |
|
632 | * |
|
633 | * - Unsets $_GET data, if query strings are not enabled |
|
634 | * - Cleans POST, COOKIE and SERVER data |
|
635 | * - Standardizes newline characters to PHP_EOL |
|
636 | * |
|
637 | * @return void |
|
638 | * |
|
639 | * @codeCoverageIgnore |
|
640 | */ |
|
641 | protected function _sanitize_globals() |
|
642 | { |
|
643 | // Is $_GET data allowed? If not we'll set the $_GET to an empty array |
|
644 | if ($this->_allow_get_array === FALSE) |
|
645 | { |
|
646 | $_GET = array(); |
|
647 | } |
|
648 | elseif (is_array($_GET)) |
|
649 | { |
|
650 | foreach ($_GET as $key => $val) |
|
651 | { |
|
652 | $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
653 | } |
|
654 | } |
|
655 | ||
656 | // Clean $_POST Data |
|
657 | if (is_array($_POST)) |
|
658 | { |
|
659 | foreach ($_POST as $key => $val) |
|
660 | { |
|
661 | $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
662 | } |
|
663 | } |
|
664 | ||
665 | // Clean $_COOKIE Data |
|
666 | if (is_array($_COOKIE)) |
|
667 | { |
|
668 | // Also get rid of specially treated cookies that might be set by a server |
|
669 | // or silly application, that are of no use to a CI application anyway |
|
670 | // but that when present will trip our 'Disallowed Key Characters' alarm |
|
671 | // http://www.ietf.org/rfc/rfc2109.txt |
|
672 | // note that the key names below are single quoted strings, and are not PHP variables |
|
673 | unset( |
|
674 | $_COOKIE['$Version'], |
|
675 | $_COOKIE['$Path'], |
|
676 | $_COOKIE['$Domain'] |
|
677 | ); |
|
678 | ||
679 | foreach ($_COOKIE as $key => $val) |
|
680 | { |
|
681 | if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) |
|
682 | { |
|
683 | $_COOKIE[$cookie_key] = $this->_clean_input_data($val); |
|
684 | } |
|
685 | else |
|
686 | { |
|
687 | unset($_COOKIE[$key]); |
|
688 | } |
|
689 | } |
|
690 | } |
|
691 | ||
692 | // Sanitize PHP_SELF |
|
693 | $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); |
|
694 | ||
695 | log_message('debug', 'Global POST, GET and COOKIE data sanitized'); |
|
696 | } |
|
697 | ||
698 | // -------------------------------------------------------------------- |
|
699 | ||
700 | /** |
|
701 | * Clean Input Data |
|
702 | * |
|
703 | * Internal method that aids in escaping data and |
|
704 | * standardizing newline characters to PHP_EOL. |
|
705 | * |
|
706 | * @param string|string[] $str Input string(s) |
|
707 | * @return string |
|
708 | * |
|
709 | * @codeCoverageIgnore |
|
710 | */ |
|
711 | protected function _clean_input_data($str) |
|
712 | { |
|
713 | if (is_array($str)) |
|
714 | { |
|
715 | $new_array = array(); |
|
716 | foreach (array_keys($str) as $key) |
|
717 | { |
|
718 | $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); |
|
719 | } |
|
720 | return $new_array; |
|
721 | } |
|
722 | ||
723 | /* We strip slashes if magic quotes is on to keep things consistent |
|
724 | ||
725 | NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and |
|
726 | it will probably not exist in future versions at all. |
|
727 | */ |
|
728 | if ( ! is_php('5.4') && get_magic_quotes_gpc()) |
|
729 | { |
|
730 | $str = stripslashes($str); |
|
731 | } |
|
732 | ||
733 | // Clean UTF-8 if supported |
|
734 | if (UTF8_ENABLED === TRUE) |
|
735 | { |
|
736 | $str = $this->uni->clean_string($str); |
|
737 | } |
|
738 | ||
739 | // Remove control characters |
|
740 | $str = remove_invisible_characters($str, FALSE); |
|
741 | ||
742 | // Standardize newlines if needed |
|
743 | if ($this->_standardize_newlines === TRUE) |
|
744 | { |
|
745 | return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str); |
|
746 | } |
|
747 | ||
748 | return $str; |
|
749 | } |
|
750 | ||
751 | // -------------------------------------------------------------------- |
|
752 | ||
753 | /** |
|
754 | * Clean Keys |
|
755 | * |
|
756 | * Internal method that helps to prevent malicious users |
|
757 | * from trying to exploit keys we make sure that keys are |
|
758 | * only named with alpha-numeric text and a few other items. |
|
759 | * |
|
760 | * @param string $str Input string |
|
761 | * @param bool $fatal Whether to terminate script exection |
|
762 | * or to return FALSE if an invalid |
|
763 | * key is encountered |
|
764 | * @return string|bool |
|
765 | * |
|
766 | * @codeCoverageIgnore |
|
767 | */ |
|
768 | protected function _clean_input_keys($str, $fatal = TRUE) |
|
769 | { |
|
770 | if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) |
|
771 | { |
|
772 | if ($fatal === TRUE) |
|
773 | { |
|
774 | return FALSE; |
|
775 | } |
|
776 | else |
|
777 | { |
|
778 | set_status_header(503); |
|
779 | echo 'Disallowed Key Characters.'; |
|
780 | exit(7); // EXIT_USER_INPUT |
|
781 | } |
|
782 | } |
|
783 | ||
784 | // Clean UTF-8 if supported |
|
785 | if (UTF8_ENABLED === TRUE) |
|
786 | { |
|
787 | return $this->uni->clean_string($str); |
|
788 | } |
|
789 | ||
790 | return $str; |
|
791 | } |
|
792 | ||
793 | // -------------------------------------------------------------------- |
|
794 | ||
795 | /** |
|
796 | * Request Headers |
|
797 | * |
|
798 | * @param bool $xss_clean Whether to apply XSS filtering |
|
799 | * @return array |
|
800 | * |
|
801 | * @codeCoverageIgnore |
|
802 | */ |
|
803 | public function request_headers($xss_clean = FALSE) |
|
804 | { |
|
805 | // If header is already defined, return it immediately |
|
806 | if ( ! empty($this->headers)) |
|
807 | { |
|
808 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
809 | } |
|
810 | ||
811 | // In Apache, you can simply call apache_request_headers() |
|
812 | if (function_exists('apache_request_headers')) |
|
813 | { |
|
814 | $this->headers = apache_request_headers(); |
|
815 | } |
|
816 | else |
|
817 | { |
|
818 | isset($_SERVER['CONTENT_TYPE']) && $this->headers['Content-Type'] = $_SERVER['CONTENT_TYPE']; |
|
819 | ||
820 | foreach ($_SERVER as $key => $val) |
|
821 | { |
|
822 | if (sscanf($key, 'HTTP_%s', $header) === 1) |
|
823 | { |
|
824 | // take SOME_HEADER and turn it into Some-Header |
|
825 | $header = str_replace('_', ' ', strtolower($header)); |
|
826 | $header = str_replace(' ', '-', ucwords($header)); |
|
827 | ||
828 | $this->headers[$header] = $_SERVER[$key]; |
|
829 | } |
|
830 | } |
|
831 | } |
|
832 | ||
833 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
834 | } |
|
835 | ||
836 | // -------------------------------------------------------------------- |
|
837 | ||
838 | /** |
|
839 | * Get Request Header |
|
840 | * |
|
841 | * Returns the value of a single member of the headers class member |
|
842 | * |
|
843 | * @param string $index Header name |
|
844 | * @param bool $xss_clean Whether to apply XSS filtering |
|
845 | * @return string|null The requested header on success or NULL on failure |
|
846 | * |
|
847 | * modified by ci-phpunit-test |
|
848 | */ |
|
849 | public function get_request_header($index, $xss_clean = FALSE) |
|
850 | { |
|
851 | // static $headers; |
|
852 | ||
853 | if ( ! isset($headers)) |
|
854 | { |
|
855 | empty($this->headers) && $this->request_headers(); |
|
856 | foreach ($this->headers as $key => $value) |
|
857 | { |
|
858 | $headers[strtolower($key)] = $value; |
|
859 | } |
|
860 | } |
|
861 | ||
862 | $index = strtolower($index); |
|
863 | ||
864 | if ( ! isset($headers[$index])) |
|
865 | { |
|
866 | return NULL; |
|
867 | } |
|
868 | ||
869 | return ($xss_clean === TRUE) |
|
870 | ? $this->security->xss_clean($headers[$index]) |
|
871 | : $headers[$index]; |
|
872 | } |
|
873 | ||
874 | // -------------------------------------------------------------------- |
|
875 | ||
876 | /** |
|
877 | * Is AJAX request? |
|
878 | * |
|
879 | * Test to see if a request contains the HTTP_X_REQUESTED_WITH header. |
|
880 | * |
|
881 | * @return bool |
|
882 | * |
|
883 | * @codeCoverageIgnore |
|
884 | */ |
|
885 | public function is_ajax_request() |
|
886 | { |
|
887 | return ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest'); |
|
888 | } |
|
889 | ||
890 | // -------------------------------------------------------------------- |
|
891 | ||
892 | /** |
|
893 | * Is CLI request? |
|
894 | * |
|
895 | * Test to see if a request was made from the command line. |
|
896 | * |
|
897 | * @deprecated 3.0.0 Use is_cli() instead |
|
898 | * @return bool |
|
899 | * |
|
900 | * @codeCoverageIgnore |
|
901 | */ |
|
902 | public function is_cli_request() |
|
903 | { |
|
904 | return is_cli(); |
|
905 | } |
|
906 | ||
907 | // -------------------------------------------------------------------- |
|
908 | ||
909 | /** |
|
910 | * Get Request Method |
|
911 | * |
|
912 | * Return the request method |
|
913 | * |
|
914 | * @param bool $upper Whether to return in upper or lower case |
|
915 | * (default: FALSE) |
|
916 | * @return string |
|
917 | * |
|
918 | * @codeCoverageIgnore |
|
919 | */ |
|
920 | public function method($upper = FALSE) |
|
921 | { |
|
922 | return ($upper) |
|
923 | ? strtoupper($this->server('REQUEST_METHOD')) |
|
924 | : strtolower($this->server('REQUEST_METHOD')); |
|
925 | } |
|
926 | ||
927 | // ------------------------------------------------------------------------ |
|
928 | ||
929 | /** |
|
930 | * Magic __get() |
|
931 | * |
|
932 | * Allows read access to protected properties |
|
933 | * |
|
934 | * @param string $name |
|
935 | * @return mixed |
|
936 | * |
|
937 | * @codeCoverageIgnore |
|
938 | */ |
|
939 | public function __get($name) |
|
940 | { |
|
941 | if ($name === 'raw_input_stream') |
|
942 | { |
|
943 | isset($this->_raw_input_stream) OR $this->_raw_input_stream = file_get_contents('php://input'); |
|
944 | return $this->_raw_input_stream; |
|
945 | } |
|
946 | elseif ($name === 'ip_address') |
|
947 | { |
|
948 | return $this->ip_address; |
|
949 | } |
|
950 | } |
|
951 | ||
952 | } |
|
953 |
@@ 51-952 (lines=902) @@ | ||
48 | * @author EllisLab Dev Team |
|
49 | * @link https://codeigniter.com/user_guide/libraries/input.html |
|
50 | */ |
|
51 | class CI_Input { |
|
52 | ||
53 | /** |
|
54 | * IP address of the current user |
|
55 | * |
|
56 | * @var string |
|
57 | */ |
|
58 | protected $ip_address = FALSE; |
|
59 | ||
60 | /** |
|
61 | * Allow GET array flag |
|
62 | * |
|
63 | * If set to FALSE, then $_GET will be set to an empty array. |
|
64 | * |
|
65 | * @var bool |
|
66 | */ |
|
67 | protected $_allow_get_array = TRUE; |
|
68 | ||
69 | /** |
|
70 | * Standardize new lines flag |
|
71 | * |
|
72 | * If set to TRUE, then newlines are standardized. |
|
73 | * |
|
74 | * @var bool |
|
75 | */ |
|
76 | protected $_standardize_newlines; |
|
77 | ||
78 | /** |
|
79 | * Enable XSS flag |
|
80 | * |
|
81 | * Determines whether the XSS filter is always active when |
|
82 | * GET, POST or COOKIE data is encountered. |
|
83 | * Set automatically based on config setting. |
|
84 | * |
|
85 | * @var bool |
|
86 | */ |
|
87 | protected $_enable_xss = FALSE; |
|
88 | ||
89 | /** |
|
90 | * Enable CSRF flag |
|
91 | * |
|
92 | * Enables a CSRF cookie token to be set. |
|
93 | * Set automatically based on config setting. |
|
94 | * |
|
95 | * @var bool |
|
96 | */ |
|
97 | protected $_enable_csrf = FALSE; |
|
98 | ||
99 | /** |
|
100 | * List of all HTTP request headers |
|
101 | * |
|
102 | * @var array |
|
103 | */ |
|
104 | protected $headers = array(); |
|
105 | ||
106 | /** |
|
107 | * Raw input stream data |
|
108 | * |
|
109 | * Holds a cache of php://input contents |
|
110 | * |
|
111 | * @var string |
|
112 | */ |
|
113 | protected $_raw_input_stream; |
|
114 | ||
115 | /** |
|
116 | * Parsed input stream data |
|
117 | * |
|
118 | * Parsed from php://input at runtime |
|
119 | * |
|
120 | * @see CI_Input::input_stream() |
|
121 | * @var array |
|
122 | */ |
|
123 | protected $_input_stream; |
|
124 | ||
125 | protected $security; |
|
126 | protected $uni; |
|
127 | ||
128 | // -------------------------------------------------------------------- |
|
129 | ||
130 | /** |
|
131 | * Class constructor |
|
132 | * |
|
133 | * Determines whether to globally enable the XSS processing |
|
134 | * and whether to allow the $_GET array. |
|
135 | * |
|
136 | * @return void |
|
137 | * |
|
138 | * @codeCoverageIgnore |
|
139 | */ |
|
140 | public function __construct() |
|
141 | { |
|
142 | $this->_allow_get_array = (config_item('allow_get_array') !== FALSE); |
|
143 | $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); |
|
144 | $this->_enable_csrf = (config_item('csrf_protection') === TRUE); |
|
145 | $this->_standardize_newlines = (bool) config_item('standardize_newlines'); |
|
146 | ||
147 | $this->security =& load_class('Security', 'core'); |
|
148 | ||
149 | // Do we need the UTF-8 class? |
|
150 | if (UTF8_ENABLED === TRUE) |
|
151 | { |
|
152 | $this->uni =& load_class('Utf8', 'core'); |
|
153 | } |
|
154 | ||
155 | // Sanitize global arrays |
|
156 | $this->_sanitize_globals(); |
|
157 | ||
158 | // CSRF Protection check |
|
159 | if ($this->_enable_csrf === TRUE && ! is_cli()) |
|
160 | { |
|
161 | $this->security->csrf_verify(); |
|
162 | } |
|
163 | ||
164 | log_message('info', 'Input Class Initialized'); |
|
165 | } |
|
166 | ||
167 | // -------------------------------------------------------------------- |
|
168 | ||
169 | /** |
|
170 | * Fetch from array |
|
171 | * |
|
172 | * Internal method used to retrieve values from global arrays. |
|
173 | * |
|
174 | * @param array &$array $_GET, $_POST, $_COOKIE, $_SERVER, etc. |
|
175 | * @param mixed $index Index for item to be fetched from $array |
|
176 | * @param bool $xss_clean Whether to apply XSS filtering |
|
177 | * @return mixed |
|
178 | * |
|
179 | * @codeCoverageIgnore |
|
180 | */ |
|
181 | protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL) |
|
182 | { |
|
183 | is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; |
|
184 | ||
185 | // If $index is NULL, it means that the whole $array is requested |
|
186 | isset($index) OR $index = array_keys($array); |
|
187 | ||
188 | // allow fetching multiple keys at once |
|
189 | if (is_array($index)) |
|
190 | { |
|
191 | $output = array(); |
|
192 | foreach ($index as $key) |
|
193 | { |
|
194 | $output[$key] = $this->_fetch_from_array($array, $key, $xss_clean); |
|
195 | } |
|
196 | ||
197 | return $output; |
|
198 | } |
|
199 | ||
200 | if (isset($array[$index])) |
|
201 | { |
|
202 | $value = $array[$index]; |
|
203 | } |
|
204 | elseif (($count = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $index, $matches)) > 1) // Does the index contain array notation |
|
205 | { |
|
206 | $value = $array; |
|
207 | for ($i = 0; $i < $count; $i++) |
|
208 | { |
|
209 | $key = trim($matches[0][$i], '[]'); |
|
210 | if ($key === '') // Empty notation will return the value as array |
|
211 | { |
|
212 | break; |
|
213 | } |
|
214 | ||
215 | if (isset($value[$key])) |
|
216 | { |
|
217 | $value = $value[$key]; |
|
218 | } |
|
219 | else |
|
220 | { |
|
221 | return NULL; |
|
222 | } |
|
223 | } |
|
224 | } |
|
225 | else |
|
226 | { |
|
227 | return NULL; |
|
228 | } |
|
229 | ||
230 | return ($xss_clean === TRUE) |
|
231 | ? $this->security->xss_clean($value) |
|
232 | : $value; |
|
233 | } |
|
234 | ||
235 | // -------------------------------------------------------------------- |
|
236 | ||
237 | /** |
|
238 | * Fetch an item from the GET array |
|
239 | * |
|
240 | * @param mixed $index Index for item to be fetched from $_GET |
|
241 | * @param bool $xss_clean Whether to apply XSS filtering |
|
242 | * @return mixed |
|
243 | * |
|
244 | * @codeCoverageIgnore |
|
245 | */ |
|
246 | public function get($index = NULL, $xss_clean = NULL) |
|
247 | { |
|
248 | return $this->_fetch_from_array($_GET, $index, $xss_clean); |
|
249 | } |
|
250 | ||
251 | // -------------------------------------------------------------------- |
|
252 | ||
253 | /** |
|
254 | * Fetch an item from the POST array |
|
255 | * |
|
256 | * @param mixed $index Index for item to be fetched from $_POST |
|
257 | * @param bool $xss_clean Whether to apply XSS filtering |
|
258 | * @return mixed |
|
259 | * |
|
260 | * @codeCoverageIgnore |
|
261 | */ |
|
262 | public function post($index = NULL, $xss_clean = NULL) |
|
263 | { |
|
264 | return $this->_fetch_from_array($_POST, $index, $xss_clean); |
|
265 | } |
|
266 | ||
267 | // -------------------------------------------------------------------- |
|
268 | ||
269 | /** |
|
270 | * Fetch an item from POST data with fallback to GET |
|
271 | * |
|
272 | * @param string $index Index for item to be fetched from $_POST or $_GET |
|
273 | * @param bool $xss_clean Whether to apply XSS filtering |
|
274 | * @return mixed |
|
275 | * |
|
276 | * @codeCoverageIgnore |
|
277 | */ |
|
278 | public function post_get($index, $xss_clean = NULL) |
|
279 | { |
|
280 | return isset($_POST[$index]) |
|
281 | ? $this->post($index, $xss_clean) |
|
282 | : $this->get($index, $xss_clean); |
|
283 | } |
|
284 | ||
285 | // -------------------------------------------------------------------- |
|
286 | ||
287 | /** |
|
288 | * Fetch an item from GET data with fallback to POST |
|
289 | * |
|
290 | * @param string $index Index for item to be fetched from $_GET or $_POST |
|
291 | * @param bool $xss_clean Whether to apply XSS filtering |
|
292 | * @return mixed |
|
293 | * |
|
294 | * @codeCoverageIgnore |
|
295 | */ |
|
296 | public function get_post($index, $xss_clean = NULL) |
|
297 | { |
|
298 | return isset($_GET[$index]) |
|
299 | ? $this->get($index, $xss_clean) |
|
300 | : $this->post($index, $xss_clean); |
|
301 | } |
|
302 | ||
303 | // -------------------------------------------------------------------- |
|
304 | ||
305 | /** |
|
306 | * Fetch an item from the COOKIE array |
|
307 | * |
|
308 | * @param mixed $index Index for item to be fetched from $_COOKIE |
|
309 | * @param bool $xss_clean Whether to apply XSS filtering |
|
310 | * @return mixed |
|
311 | * |
|
312 | * @codeCoverageIgnore |
|
313 | */ |
|
314 | public function cookie($index = NULL, $xss_clean = NULL) |
|
315 | { |
|
316 | return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); |
|
317 | } |
|
318 | ||
319 | // -------------------------------------------------------------------- |
|
320 | ||
321 | /** |
|
322 | * Fetch an item from the SERVER array |
|
323 | * |
|
324 | * @param mixed $index Index for item to be fetched from $_SERVER |
|
325 | * @param bool $xss_clean Whether to apply XSS filtering |
|
326 | * @return mixed |
|
327 | * |
|
328 | * @codeCoverageIgnore |
|
329 | */ |
|
330 | public function server($index, $xss_clean = NULL) |
|
331 | { |
|
332 | return $this->_fetch_from_array($_SERVER, $index, $xss_clean); |
|
333 | } |
|
334 | ||
335 | // ------------------------------------------------------------------------ |
|
336 | ||
337 | /** |
|
338 | * Fetch an item from the php://input stream |
|
339 | * |
|
340 | * Useful when you need to access PUT, DELETE or PATCH request data. |
|
341 | * |
|
342 | * @param string $index Index for item to be fetched |
|
343 | * @param bool $xss_clean Whether to apply XSS filtering |
|
344 | * @return mixed |
|
345 | * |
|
346 | * @codeCoverageIgnore |
|
347 | */ |
|
348 | public function input_stream($index = NULL, $xss_clean = NULL) |
|
349 | { |
|
350 | // Prior to PHP 5.6, the input stream can only be read once, |
|
351 | // so we'll need to check if we have already done that first. |
|
352 | if ( ! is_array($this->_input_stream)) |
|
353 | { |
|
354 | // $this->raw_input_stream will trigger __get(). |
|
355 | parse_str($this->raw_input_stream, $this->_input_stream); |
|
356 | is_array($this->_input_stream) OR $this->_input_stream = array(); |
|
357 | } |
|
358 | ||
359 | return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean); |
|
360 | } |
|
361 | ||
362 | // ------------------------------------------------------------------------ |
|
363 | ||
364 | /** |
|
365 | * Set cookie |
|
366 | * |
|
367 | * Accepts an arbitrary number of parameters (up to 7) or an associative |
|
368 | * array in the first parameter containing all the values. |
|
369 | * |
|
370 | * @param string|mixed[] $name Cookie name or an array containing parameters |
|
371 | * @param string $value Cookie value |
|
372 | * @param int $expire Cookie expiration time in seconds |
|
373 | * @param string $domain Cookie domain (e.g.: '.yourdomain.com') |
|
374 | * @param string $path Cookie path (default: '/') |
|
375 | * @param string $prefix Cookie name prefix |
|
376 | * @param bool $secure Whether to only transfer cookies via SSL |
|
377 | * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) |
|
378 | * @return void |
|
379 | * |
|
380 | * modified by ci-phpunit-test |
|
381 | */ |
|
382 | public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) |
|
383 | { |
|
384 | if (is_array($name)) |
|
385 | { |
|
386 | // always leave 'name' in last place, as the loop will break otherwise, due to $$item |
|
387 | foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item) |
|
388 | { |
|
389 | if (isset($name[$item])) |
|
390 | { |
|
391 | $$item = $name[$item]; |
|
392 | } |
|
393 | } |
|
394 | } |
|
395 | ||
396 | if ($prefix === '' && config_item('cookie_prefix') !== '') |
|
397 | { |
|
398 | $prefix = config_item('cookie_prefix'); |
|
399 | } |
|
400 | ||
401 | if ($domain == '' && config_item('cookie_domain') != '') |
|
402 | { |
|
403 | $domain = config_item('cookie_domain'); |
|
404 | } |
|
405 | ||
406 | if ($path === '/' && config_item('cookie_path') !== '/') |
|
407 | { |
|
408 | $path = config_item('cookie_path'); |
|
409 | } |
|
410 | ||
411 | $secure = ($secure === NULL && config_item('cookie_secure') !== NULL) |
|
412 | ? (bool) config_item('cookie_secure') |
|
413 | : (bool) $secure; |
|
414 | ||
415 | $httponly = ($httponly === NULL && config_item('cookie_httponly') !== NULL) |
|
416 | ? (bool) config_item('cookie_httponly') |
|
417 | : (bool) $httponly; |
|
418 | ||
419 | if ( ! is_numeric($expire)) |
|
420 | { |
|
421 | $expire = time() - 86500; |
|
422 | } |
|
423 | else |
|
424 | { |
|
425 | $expire = ($expire > 0) ? time() + $expire : 0; |
|
426 | } |
|
427 | ||
428 | // setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly); |
|
429 | ||
430 | // Save cookie in Output object |
|
431 | // added by ci-phpunit-test |
|
432 | $CI =& get_instance(); |
|
433 | $output = $CI->output; |
|
434 | $output->_cookies[$prefix.$name][] = [ |
|
435 | 'value' => $value, |
|
436 | 'expire' => $expire, |
|
437 | 'path' => $path, |
|
438 | 'domain' => $domain, |
|
439 | 'secure' => $secure, |
|
440 | 'httponly' => $httponly, |
|
441 | ]; |
|
442 | } |
|
443 | ||
444 | // -------------------------------------------------------------------- |
|
445 | ||
446 | /** |
|
447 | * Fetch the IP Address |
|
448 | * |
|
449 | * Determines and validates the visitor's IP address. |
|
450 | * |
|
451 | * @return string IP address |
|
452 | * |
|
453 | * @codeCoverageIgnore |
|
454 | */ |
|
455 | public function ip_address() |
|
456 | { |
|
457 | if ($this->ip_address !== FALSE) |
|
458 | { |
|
459 | return $this->ip_address; |
|
460 | } |
|
461 | ||
462 | $proxy_ips = config_item('proxy_ips'); |
|
463 | if ( ! empty($proxy_ips) && ! is_array($proxy_ips)) |
|
464 | { |
|
465 | $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); |
|
466 | } |
|
467 | ||
468 | $this->ip_address = $this->server('REMOTE_ADDR'); |
|
469 | ||
470 | if ($proxy_ips) |
|
471 | { |
|
472 | foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header) |
|
473 | { |
|
474 | if (($spoof = $this->server($header)) !== NULL) |
|
475 | { |
|
476 | // Some proxies typically list the whole chain of IP |
|
477 | // addresses through which the client has reached us. |
|
478 | // e.g. client_ip, proxy_ip1, proxy_ip2, etc. |
|
479 | sscanf($spoof, '%[^,]', $spoof); |
|
480 | ||
481 | if ( ! $this->valid_ip($spoof)) |
|
482 | { |
|
483 | $spoof = NULL; |
|
484 | } |
|
485 | else |
|
486 | { |
|
487 | break; |
|
488 | } |
|
489 | } |
|
490 | } |
|
491 | ||
492 | if ($spoof) |
|
493 | { |
|
494 | for ($i = 0, $c = count($proxy_ips); $i < $c; $i++) |
|
495 | { |
|
496 | // Check if we have an IP address or a subnet |
|
497 | if (strpos($proxy_ips[$i], '/') === FALSE) |
|
498 | { |
|
499 | // An IP address (and not a subnet) is specified. |
|
500 | // We can compare right away. |
|
501 | if ($proxy_ips[$i] === $this->ip_address) |
|
502 | { |
|
503 | $this->ip_address = $spoof; |
|
504 | break; |
|
505 | } |
|
506 | ||
507 | continue; |
|
508 | } |
|
509 | ||
510 | // We have a subnet ... now the heavy lifting begins |
|
511 | isset($separator) OR $separator = $this->valid_ip($this->ip_address, 'ipv6') ? ':' : '.'; |
|
512 | ||
513 | // If the proxy entry doesn't match the IP protocol - skip it |
|
514 | if (strpos($proxy_ips[$i], $separator) === FALSE) |
|
515 | { |
|
516 | continue; |
|
517 | } |
|
518 | ||
519 | // Convert the REMOTE_ADDR IP address to binary, if needed |
|
520 | if ( ! isset($ip, $sprintf)) |
|
521 | { |
|
522 | if ($separator === ':') |
|
523 | { |
|
524 | // Make sure we're have the "full" IPv6 format |
|
525 | $ip = explode(':', |
|
526 | str_replace('::', |
|
527 | str_repeat(':', 9 - substr_count($this->ip_address, ':')), |
|
528 | $this->ip_address |
|
529 | ) |
|
530 | ); |
|
531 | ||
532 | for ($j = 0; $j < 8; $j++) |
|
533 | { |
|
534 | $ip[$j] = intval($ip[$j], 16); |
|
535 | } |
|
536 | ||
537 | $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; |
|
538 | } |
|
539 | else |
|
540 | { |
|
541 | $ip = explode('.', $this->ip_address); |
|
542 | $sprintf = '%08b%08b%08b%08b'; |
|
543 | } |
|
544 | ||
545 | $ip = vsprintf($sprintf, $ip); |
|
546 | } |
|
547 | ||
548 | // Split the netmask length off the network address |
|
549 | sscanf($proxy_ips[$i], '%[^/]/%d', $netaddr, $masklen); |
|
550 | ||
551 | // Again, an IPv6 address is most likely in a compressed form |
|
552 | if ($separator === ':') |
|
553 | { |
|
554 | $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr)); |
|
555 | for ($j = 0; $j < 8; $j++) |
|
556 | { |
|
557 | $netaddr[$j] = intval($netaddr[$j], 16); |
|
558 | } |
|
559 | } |
|
560 | else |
|
561 | { |
|
562 | $netaddr = explode('.', $netaddr); |
|
563 | } |
|
564 | ||
565 | // Convert to binary and finally compare |
|
566 | if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) |
|
567 | { |
|
568 | $this->ip_address = $spoof; |
|
569 | break; |
|
570 | } |
|
571 | } |
|
572 | } |
|
573 | } |
|
574 | ||
575 | if ( ! $this->valid_ip($this->ip_address)) |
|
576 | { |
|
577 | return $this->ip_address = '0.0.0.0'; |
|
578 | } |
|
579 | ||
580 | return $this->ip_address; |
|
581 | } |
|
582 | ||
583 | // -------------------------------------------------------------------- |
|
584 | ||
585 | /** |
|
586 | * Validate IP Address |
|
587 | * |
|
588 | * @param string $ip IP address |
|
589 | * @param string $which IP protocol: 'ipv4' or 'ipv6' |
|
590 | * @return bool |
|
591 | * |
|
592 | * @codeCoverageIgnore |
|
593 | */ |
|
594 | public function valid_ip($ip, $which = '') |
|
595 | { |
|
596 | switch (strtolower($which)) |
|
597 | { |
|
598 | case 'ipv4': |
|
599 | $which = FILTER_FLAG_IPV4; |
|
600 | break; |
|
601 | case 'ipv6': |
|
602 | $which = FILTER_FLAG_IPV6; |
|
603 | break; |
|
604 | default: |
|
605 | $which = NULL; |
|
606 | break; |
|
607 | } |
|
608 | ||
609 | return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which); |
|
610 | } |
|
611 | ||
612 | // -------------------------------------------------------------------- |
|
613 | ||
614 | /** |
|
615 | * Fetch User Agent string |
|
616 | * |
|
617 | * @return string|null User Agent string or NULL if it doesn't exist |
|
618 | * |
|
619 | * @codeCoverageIgnore |
|
620 | */ |
|
621 | public function user_agent($xss_clean = NULL) |
|
622 | { |
|
623 | return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean); |
|
624 | } |
|
625 | ||
626 | // -------------------------------------------------------------------- |
|
627 | ||
628 | /** |
|
629 | * Sanitize Globals |
|
630 | * |
|
631 | * Internal method serving for the following purposes: |
|
632 | * |
|
633 | * - Unsets $_GET data, if query strings are not enabled |
|
634 | * - Cleans POST, COOKIE and SERVER data |
|
635 | * - Standardizes newline characters to PHP_EOL |
|
636 | * |
|
637 | * @return void |
|
638 | * |
|
639 | * @codeCoverageIgnore |
|
640 | */ |
|
641 | protected function _sanitize_globals() |
|
642 | { |
|
643 | // Is $_GET data allowed? If not we'll set the $_GET to an empty array |
|
644 | if ($this->_allow_get_array === FALSE) |
|
645 | { |
|
646 | $_GET = array(); |
|
647 | } |
|
648 | elseif (is_array($_GET)) |
|
649 | { |
|
650 | foreach ($_GET as $key => $val) |
|
651 | { |
|
652 | $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
653 | } |
|
654 | } |
|
655 | ||
656 | // Clean $_POST Data |
|
657 | if (is_array($_POST)) |
|
658 | { |
|
659 | foreach ($_POST as $key => $val) |
|
660 | { |
|
661 | $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); |
|
662 | } |
|
663 | } |
|
664 | ||
665 | // Clean $_COOKIE Data |
|
666 | if (is_array($_COOKIE)) |
|
667 | { |
|
668 | // Also get rid of specially treated cookies that might be set by a server |
|
669 | // or silly application, that are of no use to a CI application anyway |
|
670 | // but that when present will trip our 'Disallowed Key Characters' alarm |
|
671 | // http://www.ietf.org/rfc/rfc2109.txt |
|
672 | // note that the key names below are single quoted strings, and are not PHP variables |
|
673 | unset( |
|
674 | $_COOKIE['$Version'], |
|
675 | $_COOKIE['$Path'], |
|
676 | $_COOKIE['$Domain'] |
|
677 | ); |
|
678 | ||
679 | foreach ($_COOKIE as $key => $val) |
|
680 | { |
|
681 | if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) |
|
682 | { |
|
683 | $_COOKIE[$cookie_key] = $this->_clean_input_data($val); |
|
684 | } |
|
685 | else |
|
686 | { |
|
687 | unset($_COOKIE[$key]); |
|
688 | } |
|
689 | } |
|
690 | } |
|
691 | ||
692 | // Sanitize PHP_SELF |
|
693 | $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); |
|
694 | ||
695 | log_message('debug', 'Global POST, GET and COOKIE data sanitized'); |
|
696 | } |
|
697 | ||
698 | // -------------------------------------------------------------------- |
|
699 | ||
700 | /** |
|
701 | * Clean Input Data |
|
702 | * |
|
703 | * Internal method that aids in escaping data and |
|
704 | * standardizing newline characters to PHP_EOL. |
|
705 | * |
|
706 | * @param string|string[] $str Input string(s) |
|
707 | * @return string |
|
708 | * |
|
709 | * @codeCoverageIgnore |
|
710 | */ |
|
711 | protected function _clean_input_data($str) |
|
712 | { |
|
713 | if (is_array($str)) |
|
714 | { |
|
715 | $new_array = array(); |
|
716 | foreach (array_keys($str) as $key) |
|
717 | { |
|
718 | $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); |
|
719 | } |
|
720 | return $new_array; |
|
721 | } |
|
722 | ||
723 | /* We strip slashes if magic quotes is on to keep things consistent |
|
724 | ||
725 | NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and |
|
726 | it will probably not exist in future versions at all. |
|
727 | */ |
|
728 | if ( ! is_php('5.4') && get_magic_quotes_gpc()) |
|
729 | { |
|
730 | $str = stripslashes($str); |
|
731 | } |
|
732 | ||
733 | // Clean UTF-8 if supported |
|
734 | if (UTF8_ENABLED === TRUE) |
|
735 | { |
|
736 | $str = $this->uni->clean_string($str); |
|
737 | } |
|
738 | ||
739 | // Remove control characters |
|
740 | $str = remove_invisible_characters($str, FALSE); |
|
741 | ||
742 | // Standardize newlines if needed |
|
743 | if ($this->_standardize_newlines === TRUE) |
|
744 | { |
|
745 | return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str); |
|
746 | } |
|
747 | ||
748 | return $str; |
|
749 | } |
|
750 | ||
751 | // -------------------------------------------------------------------- |
|
752 | ||
753 | /** |
|
754 | * Clean Keys |
|
755 | * |
|
756 | * Internal method that helps to prevent malicious users |
|
757 | * from trying to exploit keys we make sure that keys are |
|
758 | * only named with alpha-numeric text and a few other items. |
|
759 | * |
|
760 | * @param string $str Input string |
|
761 | * @param bool $fatal Whether to terminate script exection |
|
762 | * or to return FALSE if an invalid |
|
763 | * key is encountered |
|
764 | * @return string|bool |
|
765 | * |
|
766 | * @codeCoverageIgnore |
|
767 | */ |
|
768 | protected function _clean_input_keys($str, $fatal = TRUE) |
|
769 | { |
|
770 | if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) |
|
771 | { |
|
772 | if ($fatal === TRUE) |
|
773 | { |
|
774 | return FALSE; |
|
775 | } |
|
776 | else |
|
777 | { |
|
778 | set_status_header(503); |
|
779 | echo 'Disallowed Key Characters.'; |
|
780 | exit(7); // EXIT_USER_INPUT |
|
781 | } |
|
782 | } |
|
783 | ||
784 | // Clean UTF-8 if supported |
|
785 | if (UTF8_ENABLED === TRUE) |
|
786 | { |
|
787 | return $this->uni->clean_string($str); |
|
788 | } |
|
789 | ||
790 | return $str; |
|
791 | } |
|
792 | ||
793 | // -------------------------------------------------------------------- |
|
794 | ||
795 | /** |
|
796 | * Request Headers |
|
797 | * |
|
798 | * @param bool $xss_clean Whether to apply XSS filtering |
|
799 | * @return array |
|
800 | * |
|
801 | * @codeCoverageIgnore |
|
802 | */ |
|
803 | public function request_headers($xss_clean = FALSE) |
|
804 | { |
|
805 | // If header is already defined, return it immediately |
|
806 | if ( ! empty($this->headers)) |
|
807 | { |
|
808 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
809 | } |
|
810 | ||
811 | // In Apache, you can simply call apache_request_headers() |
|
812 | if (function_exists('apache_request_headers')) |
|
813 | { |
|
814 | $this->headers = apache_request_headers(); |
|
815 | } |
|
816 | else |
|
817 | { |
|
818 | isset($_SERVER['CONTENT_TYPE']) && $this->headers['Content-Type'] = $_SERVER['CONTENT_TYPE']; |
|
819 | ||
820 | foreach ($_SERVER as $key => $val) |
|
821 | { |
|
822 | if (sscanf($key, 'HTTP_%s', $header) === 1) |
|
823 | { |
|
824 | // take SOME_HEADER and turn it into Some-Header |
|
825 | $header = str_replace('_', ' ', strtolower($header)); |
|
826 | $header = str_replace(' ', '-', ucwords($header)); |
|
827 | ||
828 | $this->headers[$header] = $_SERVER[$key]; |
|
829 | } |
|
830 | } |
|
831 | } |
|
832 | ||
833 | return $this->_fetch_from_array($this->headers, NULL, $xss_clean); |
|
834 | } |
|
835 | ||
836 | // -------------------------------------------------------------------- |
|
837 | ||
838 | /** |
|
839 | * Get Request Header |
|
840 | * |
|
841 | * Returns the value of a single member of the headers class member |
|
842 | * |
|
843 | * @param string $index Header name |
|
844 | * @param bool $xss_clean Whether to apply XSS filtering |
|
845 | * @return string|null The requested header on success or NULL on failure |
|
846 | * |
|
847 | * modified by ci-phpunit-test |
|
848 | */ |
|
849 | public function get_request_header($index, $xss_clean = FALSE) |
|
850 | { |
|
851 | // static $headers; |
|
852 | ||
853 | if ( ! isset($headers)) |
|
854 | { |
|
855 | empty($this->headers) && $this->request_headers(); |
|
856 | foreach ($this->headers as $key => $value) |
|
857 | { |
|
858 | $headers[strtolower($key)] = $value; |
|
859 | } |
|
860 | } |
|
861 | ||
862 | $index = strtolower($index); |
|
863 | ||
864 | if ( ! isset($headers[$index])) |
|
865 | { |
|
866 | return NULL; |
|
867 | } |
|
868 | ||
869 | return ($xss_clean === TRUE) |
|
870 | ? $this->security->xss_clean($headers[$index]) |
|
871 | : $headers[$index]; |
|
872 | } |
|
873 | ||
874 | // -------------------------------------------------------------------- |
|
875 | ||
876 | /** |
|
877 | * Is AJAX request? |
|
878 | * |
|
879 | * Test to see if a request contains the HTTP_X_REQUESTED_WITH header. |
|
880 | * |
|
881 | * @return bool |
|
882 | * |
|
883 | * @codeCoverageIgnore |
|
884 | */ |
|
885 | public function is_ajax_request() |
|
886 | { |
|
887 | return ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest'); |
|
888 | } |
|
889 | ||
890 | // -------------------------------------------------------------------- |
|
891 | ||
892 | /** |
|
893 | * Is CLI request? |
|
894 | * |
|
895 | * Test to see if a request was made from the command line. |
|
896 | * |
|
897 | * @deprecated 3.0.0 Use is_cli() instead |
|
898 | * @return bool |
|
899 | * |
|
900 | * @codeCoverageIgnore |
|
901 | */ |
|
902 | public function is_cli_request() |
|
903 | { |
|
904 | return is_cli(); |
|
905 | } |
|
906 | ||
907 | // -------------------------------------------------------------------- |
|
908 | ||
909 | /** |
|
910 | * Get Request Method |
|
911 | * |
|
912 | * Return the request method |
|
913 | * |
|
914 | * @param bool $upper Whether to return in upper or lower case |
|
915 | * (default: FALSE) |
|
916 | * @return string |
|
917 | * |
|
918 | * @codeCoverageIgnore |
|
919 | */ |
|
920 | public function method($upper = FALSE) |
|
921 | { |
|
922 | return ($upper) |
|
923 | ? strtoupper($this->server('REQUEST_METHOD')) |
|
924 | : strtolower($this->server('REQUEST_METHOD')); |
|
925 | } |
|
926 | ||
927 | // ------------------------------------------------------------------------ |
|
928 | ||
929 | /** |
|
930 | * Magic __get() |
|
931 | * |
|
932 | * Allows read access to protected properties |
|
933 | * |
|
934 | * @param string $name |
|
935 | * @return mixed |
|
936 | * |
|
937 | * @codeCoverageIgnore |
|
938 | */ |
|
939 | public function __get($name) |
|
940 | { |
|
941 | if ($name === 'raw_input_stream') |
|
942 | { |
|
943 | isset($this->_raw_input_stream) OR $this->_raw_input_stream = file_get_contents('php://input'); |
|
944 | return $this->_raw_input_stream; |
|
945 | } |
|
946 | elseif ($name === 'ip_address') |
|
947 | { |
|
948 | return $this->ip_address; |
|
949 | } |
|
950 | } |
|
951 | ||
952 | } |
|
953 |