@@ -10,11 +10,11 @@ |
| 10 | 10 | |
| 11 | 11 | namespace Shieldon\Security; |
| 12 | 12 | |
| 13 | - /** |
|
| 14 | - * WWW-Authenticate |
|
| 15 | - * |
|
| 16 | - * @since 3.0.0 |
|
| 17 | - */ |
|
| 13 | + /** |
|
| 14 | + * WWW-Authenticate |
|
| 15 | + * |
|
| 16 | + * @since 3.0.0 |
|
| 17 | + */ |
|
| 18 | 18 | class httpAuthentication |
| 19 | 19 | { |
| 20 | 20 | /** |
@@ -36,9 +36,9 @@ discard block |
| 36 | 36 | use function time; |
| 37 | 37 | use function version_compare; |
| 38 | 38 | |
| 39 | - /** |
|
| 40 | - * Cross-Site Scripting protection. |
|
| 41 | - */ |
|
| 39 | + /** |
|
| 40 | + * Cross-Site Scripting protection. |
|
| 41 | + */ |
|
| 42 | 42 | class Xss |
| 43 | 43 | { |
| 44 | 44 | /** |
@@ -285,7 +285,7 @@ discard block |
| 285 | 285 | unset($original); |
| 286 | 286 | |
| 287 | 287 | // Remove evil attributes such as style, onclick and xmlns |
| 288 | - $str = $this->removeEvilAttributes($str, $isImage); |
|
| 288 | + $str = $this->removeEvilAttributes($str, $isImage); |
|
| 289 | 289 | |
| 290 | 290 | /* |
| 291 | 291 | * Sanitize naughty HTML elements |
@@ -449,62 +449,62 @@ discard block |
| 449 | 449 | * @param boolean $is_image TRUE if this is an image |
| 450 | 450 | * @return string The string with the evil attributes removed |
| 451 | 451 | */ |
| 452 | - protected function removeEvilAttributes($str, $is_image) |
|
| 453 | - { |
|
| 454 | - // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns |
|
| 455 | - $evilAttributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href'); |
|
| 452 | + protected function removeEvilAttributes($str, $is_image) |
|
| 453 | + { |
|
| 454 | + // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns |
|
| 455 | + $evilAttributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href'); |
|
| 456 | 456 | |
| 457 | - if ($is_image) { |
|
| 458 | - /* |
|
| 457 | + if ($is_image) { |
|
| 458 | + /* |
|
| 459 | 459 | * Adobe Photoshop puts XML metadata into JFIF images, |
| 460 | 460 | * including namespacing, so we have to allow this for images. |
| 461 | 461 | */ |
| 462 | - unset($evilAttributes[array_search('xmlns', $evilAttributes)]); |
|
| 463 | - } |
|
| 462 | + unset($evilAttributes[array_search('xmlns', $evilAttributes)]); |
|
| 463 | + } |
|
| 464 | 464 | |
| 465 | - do { |
|
| 466 | - $count = 0; |
|
| 467 | - $attribs = array(); |
|
| 465 | + do { |
|
| 466 | + $count = 0; |
|
| 467 | + $attribs = array(); |
|
| 468 | 468 | |
| 469 | - // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) |
|
| 470 | - preg_match_all( |
|
| 469 | + // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) |
|
| 470 | + preg_match_all( |
|
| 471 | 471 | '/(?<!\w)(' . implode('|', $evilAttributes) . ')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', |
| 472 | 472 | $str, |
| 473 | 473 | $matches, |
| 474 | 474 | PREG_SET_ORDER |
| 475 | 475 | ); |
| 476 | 476 | |
| 477 | - foreach ($matches as $attr) { |
|
| 478 | - $attribs[] = preg_quote($attr[0], '/'); |
|
| 479 | - } |
|
| 477 | + foreach ($matches as $attr) { |
|
| 478 | + $attribs[] = preg_quote($attr[0], '/'); |
|
| 479 | + } |
|
| 480 | 480 | |
| 481 | - // find occurrences of illegal attribute strings without quotes |
|
| 482 | - preg_match_all( |
|
| 481 | + // find occurrences of illegal attribute strings without quotes |
|
| 482 | + preg_match_all( |
|
| 483 | 483 | '/(?<!\w)(' . implode('|', $evilAttributes) . ')\s*=\s*([^\s>]*)/is', |
| 484 | 484 | $str, |
| 485 | 485 | $matches, |
| 486 | 486 | PREG_SET_ORDER |
| 487 | 487 | ); |
| 488 | 488 | |
| 489 | - foreach ($matches as $attr) { |
|
| 490 | - $attribs[] = preg_quote($attr[0], '/'); |
|
| 491 | - } |
|
| 489 | + foreach ($matches as $attr) { |
|
| 490 | + $attribs[] = preg_quote($attr[0], '/'); |
|
| 491 | + } |
|
| 492 | 492 | |
| 493 | - // replace illegal attribute strings that are inside an html tag |
|
| 494 | - if (count($attribs) > 0) { |
|
| 495 | - $str = preg_replace( |
|
| 493 | + // replace illegal attribute strings that are inside an html tag |
|
| 494 | + if (count($attribs) > 0) { |
|
| 495 | + $str = preg_replace( |
|
| 496 | 496 | '/(<?)(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(' . implode('|', $attribs) . ')(.*?)([\s><]?)([><]*)/i', |
| 497 | 497 | '$1$2 $4$6$7$8', |
| 498 | 498 | $str, |
| 499 | 499 | -1, |
| 500 | 500 | $count |
| 501 | 501 | ); |
| 502 | - } |
|
| 502 | + } |
|
| 503 | 503 | |
| 504 | - } while ($count); |
|
| 504 | + } while ($count); |
|
| 505 | 505 | |
| 506 | - return $str; |
|
| 507 | - } |
|
| 506 | + return $str; |
|
| 507 | + } |
|
| 508 | 508 | |
| 509 | 509 | /** |
| 510 | 510 | * Random Hash for protecting URLs |
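Review bot: The xmlns removal on the new line 462, `unset($evilAttributes[array_search('xmlns', $evilAttributes)]);`, is fragile: if 'xmlns' is ever dropped from the list, `array_search` returns `false`, `$evilAttributes[false]` is index 0, and the `on\w*` entry is what gets removed, so every event-handler attribute would pass for images. Guard the lookup instead: `$key = array_search('xmlns', $evilAttributes, true); if ($key !== false) { unset($evilAttributes[$key]); }`. Separately, the quoted-value pattern on the context line 471 uses `[^\\2]*?`, which is a character class excluding a backslash and the digit 2, not a reference to the opening quote; a quoted value containing either character falls through to the unquoted pattern on line 483, which stops at the first whitespace, and the attribute may then be removed only partially. The intended backreference form is `(\042|\047)(.*?)\\2`, i.e. `'/(?<!\w)(' . implode('|', $evilAttributes) . ')\s*=\s*(\042|\047)(.*?)\\2/is'`.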
@@ -895,16 +895,16 @@ discard block |
| 895 | 895 | * @return bool |
| 896 | 896 | */ |
| 897 | 897 | protected function isPHP($version): bool |
| 898 | - { |
|
| 898 | + { |
|
| 899 | 899 | static $_isPHP; |
| 900 | 900 | |
| 901 | - $version = (string) $version; |
|
| 901 | + $version = (string) $version; |
|
| 902 | 902 | |
| 903 | - if (! isset($_isPHP[$version])) { |
|
| 904 | - $_isPHP[$version] = version_compare(PHP_VERSION, $version, '>='); |
|
| 905 | - } |
|
| 903 | + if (! isset($_isPHP[$version])) { |
|
| 904 | + $_isPHP[$version] = version_compare(PHP_VERSION, $version, '>='); |
|
| 905 | + } |
|
| 906 | 906 | |
| 907 | - return $_isPHP[$version]; |
|
| 908 | - } |
|
| 907 | + return $_isPHP[$version]; |
|
| 908 | + } |
|
| 909 | 909 | } |
| 910 | 910 | |
@@ -19,9 +19,9 @@ |
| 19 | 19 | use function time; |
| 20 | 20 | use function uniqid; |
| 21 | 21 | |
| 22 | - /** |
|
| 23 | - * Cross Site Request Forgery protection. |
|
| 24 | - */ |
|
| 22 | + /** |
|
| 23 | + * Cross Site Request Forgery protection. |
|
| 24 | + */ |
|
| 25 | 25 | class Csrf |
| 26 | 26 | { |
| 27 | 27 | /** |
@@ -146,7 +146,7 @@ |
| 146 | 146 | return $results; |
| 147 | 147 | } |
| 148 | 148 | |
| 149 | - /** |
|
| 149 | + /** |
|
| 150 | 150 | * {@inheritDoc} |
| 151 | 151 | */ |
| 152 | 152 | protected function doFetchAll(string $type = 'filter_log'): array |
@@ -27,11 +27,11 @@ |
| 27 | 27 | parent::__construct($pdo, $debug); |
| 28 | 28 | } |
| 29 | 29 | |
| 30 | - /** |
|
| 31 | - * Create SQL tables that Shieldon needs. |
|
| 32 | - * |
|
| 33 | - * @return bool |
|
| 34 | - */ |
|
| 30 | + /** |
|
| 31 | + * Create SQL tables that Shieldon needs. |
|
| 32 | + * |
|
| 33 | + * @return bool |
|
| 34 | + */ |
|
| 35 | 35 | protected function installSql(): bool |
| 36 | 36 | { |
| 37 | 37 | try { |
@@ -192,7 +192,7 @@ discard block |
| 192 | 192 | } |
| 193 | 193 | } |
| 194 | 194 | |
| 195 | - // @codeCoverageIgnoreStart |
|
| 195 | + // @codeCoverageIgnoreStart |
|
| 196 | 196 | |
| 197 | 197 | /** |
| 198 | 198 | * Display pages. |
@@ -1308,7 +1308,7 @@ discard block |
| 1308 | 1308 | $iptablesQueueFile = $iptablesWatchingFolder . '/iptables_queue.log'; |
| 1309 | 1309 | |
| 1310 | 1310 | if ( |
| 1311 | - (isset($_POST['ip']) && (filter_var(explode('/', $_POST['ip'])[0], FILTER_VALIDATE_IP))) |
|
| 1311 | + (isset($_POST['ip']) && (filter_var(explode('/', $_POST['ip'])[0], FILTER_VALIDATE_IP))) |
|
| 1312 | 1312 | && (isset($_POST['port']) && (is_numeric($_POST['port']) || ($_POST['port'] === 'all') || ($_POST['port'] === 'custom'))) |
| 1313 | 1313 | && (isset($_POST['subnet']) && (is_numeric($_POST['subnet']) || ($_POST['subnet'] === 'null'))) |
| 1314 | 1314 | && (isset($_POST['protocol']) && (in_array($_POST['protocol'], ['tcp', 'udp', 'all']))) |
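Review bot: The port check on line 1312 relies on `is_numeric($_POST['port'])`, which also accepts values such as `'80.5'`, `'1e3'`, `'-1'` and strings with leading whitespace, none of which is a valid port; since this condition gates what is written to the iptables queue file named on line 1308, validate it as a bounded integer instead, e.g. `filter_var($_POST['port'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 65535]]) !== false`. On the new line 1311 only the part of `$_POST['ip']` before the first `/` is passed to `FILTER_VALIDATE_IP`; anything after the slash is never checked here, so whatever is written out later should be the validated `explode()` component together with the separately validated `$_POST['subnet']`, not the raw field. The code that consumes these values is outside the hunk, so this is stated as a caution rather than a confirmed defect.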
@@ -2252,7 +2252,7 @@ discard block |
| 2252 | 2252 | $channel = $_GET['channel'] ?? ''; |
| 2253 | 2253 | |
| 2254 | 2254 | if ( |
| 2255 | - ! empty($serverUrl) |
|
| 2255 | + ! empty($serverUrl) |
|
| 2256 | 2256 | && ! empty($userId) |
| 2257 | 2257 | && ! empty($accessToken) |
| 2258 | 2258 | && ! empty($channel) |
@@ -257,7 +257,7 @@ discard block |
| 257 | 257 | $ip = $ipData[0]; |
| 258 | 258 | $cidr = (int) $ipData[1] ?? 32; |
| 259 | 259 | |
| 260 | - $result[0] = long2ip((ip2long($ip)) & ((-1 << (32 - $cidr)))); |
|
| 260 | + $result[0] = long2ip((ip2long($ip)) & ((-1 << (32 - $cidr)))); |
|
| 261 | 261 | $result[1] = long2ip((ip2long($ip)) + pow(2, (32 - $cidr)) - 1); |
| 262 | 262 | |
| 263 | 263 | if ($isDecimal) { |
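Review bot: The default on the context line 258, `$cidr = (int) $ipData[1] ?? 32;`, never takes effect: the cast binds tighter than `??`, so a missing prefix length becomes `(int) null`, which is `0`, and the mask on line 260 is then computed as `-1 << 32`, yielding a network start of `0.0.0.0` rather than a single-host /32. Change it to `$cidr = (int) ($ipData[1] ?? 32);`. A prefix above 32 likewise makes `32 - $cidr` negative, and a negative bit shift throws `ArithmeticError` on PHP 7+, so if `$ipData` can originate from user-supplied ranges it should be clamped, e.g. `if ($cidr < 0 || $cidr > 32) { $cidr = 32; }`. The enclosing function begins before this hunk, so how `$ipData` is built is not visible here.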
@@ -265,7 +265,7 @@ discard block |
||
| 265 | 265 | $result[1] = ip2long($result[1]); |
| 266 | 266 | } |
| 267 | 267 | |
| 268 | - return $result; |
|
| 268 | + return $result; |
|
| 269 | 269 | } |
| 270 | 270 | |
| 271 | 271 | /** |
@@ -43,41 +43,41 @@ |
| 43 | 43 | } |
| 44 | 44 | } |
| 45 | 45 | |
| 46 | - /** |
|
| 46 | + /** |
|
| 47 | 47 | * Shieldon middleware invokable class. |
| 48 | 48 | * |
| 49 | - * @param Request $request |
|
| 50 | - * |
|
| 51 | - * @return mixed |
|
| 52 | - */ |
|
| 53 | - public function before(Request $request) |
|
| 54 | - { |
|
| 55 | - if ($request->isCLI()) { |
|
| 56 | - return; |
|
| 57 | - } |
|
| 49 | + * @param Request $request |
|
| 50 | + * |
|
| 51 | + * @return mixed |
|
| 52 | + */ |
|
| 53 | + public function before(Request $request) |
|
| 54 | + { |
|
| 55 | + if ($request->isCLI()) { |
|
| 56 | + return; |
|
| 57 | + } |
|
| 58 | 58 | |
| 59 | 59 | $firewall = new Firewall($this->storage); |
| 60 | 60 | |
| 61 | 61 | // Pass CodeIgniter CSRF Token to Captcha form. |
| 62 | 62 | $firewall->getShieldon()->setCaptcha(new \Shieldon\Captcha\Csrf([ |
| 63 | - 'name' => csrf_token(), |
|
| 64 | - 'value' => csrf_hash(), |
|
| 63 | + 'name' => csrf_token(), |
|
| 64 | + 'value' => csrf_hash(), |
|
| 65 | 65 | ])); |
| 66 | 66 | |
| 67 | 67 | $firewall->restful(); |
| 68 | 68 | $firewall->run(); |
| 69 | - } |
|
| 69 | + } |
|
| 70 | 70 | |
| 71 | - /** |
|
| 72 | - * We don't have anything to do here. |
|
| 73 | - * |
|
| 74 | - * @param Response $request |
|
| 75 | - * @param Response $response |
|
| 76 | - * |
|
| 77 | - * @return mixed |
|
| 78 | - */ |
|
| 79 | - public function after(Request $request, Response $response) |
|
| 80 | - { |
|
| 71 | + /** |
|
| 72 | + * We don't have anything to do here. |
|
| 73 | + * |
|
| 74 | + * @param Response $request |
|
| 75 | + * @param Response $response |
|
| 76 | + * |
|
| 77 | + * @return mixed |
|
| 78 | + */ |
|
| 79 | + public function after(Request $request, Response $response) |
|
| 80 | + { |
|
| 81 | 81 | |
| 82 | 82 | } |
| 83 | 83 | } |
| 84 | 84 | \ No newline at end of file |
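Review bot: The docblock on the new line 74 declares `@param Response $request`, but the signature on line 79 is `after(Request $request, Response $response)`; the annotation should read `* @param Request $request`. Both `before()` and `after()` are also documented as `@return mixed` although neither returns a value on any visible path, so `@return void` would describe the contract more precisely, and both methods would benefit from a `: void` return type to match the typed style used elsewhere in this change (for example `isPHP(): bool`).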