 /**
  * Save the raw input data
  *
  * Keeps a copy of $_POST exactly as PHP delivered it. Nothing is filtered
  * here, so whatever is later read from self::$raw is still untrusted
  * client input. Only the first instance records the payload; later
  * constructions leave the stored copy untouched.
  *
  * @Developer brandon
  * @Date Apr 22, 2010
  */
 public function __construct()
 {
     // First capture wins: never overwrite an already stored payload.
     if (empty(self::$raw)) {
         self::$raw = $_POST;
     }
     parent::__construct();
 }
 /**
  * Snapshot the PHP superglobals before any filtering runs, then fold
  * checkbox marker fields into the request arrays.
  *
  * The copies kept in $this->unfiltered_inputs are the raw request data
  * (including _SERVER, _ENV and _SESSION when they exist) and must be
  * treated as untrusted by whoever reads them.
  *
  * A key prefixed with "__" marks an unchecked checkbox: its value is
  * merged into $_REQUEST (and into $_POST / $_GET when the marker came from
  * there) under the un-prefixed key, and the marker itself is removed. The
  * merge is done by arr::merge_recursive_distinct() with the submitted
  * array last, which is what keeps a real submitted value from being
  * overwritten by the default.
  */
 public function __construct()
 {
     $globals = array('_REQUEST', '_GET', '_POST', '_FILES', '_COOKIE', '_SERVER', '_ENV', '_SESSION');
     foreach ($globals as $name) {
         if (isset($GLOBALS[$name])) {
             $this->unfiltered_inputs[strtolower($name)] = $GLOBALS[$name];
         }
     }
     parent::__construct();
     foreach ($_REQUEST as $key => $value) {
         // Only "__"-prefixed keys are checkbox markers; anything else is left alone.
         if (strncmp($key, '__', 2) !== 0) {
             continue;
         }
         // The default to apply, keyed by the real field name (prefix stripped).
         $defaults = array(substr($key, 2) => $value);
         // Existing request values take precedence over the default.
         $_REQUEST = arr::merge_recursive_distinct($defaults, $_REQUEST);
         // Drop the temporary tracker itself.
         unset($_REQUEST[$key]);
         // Mirror the same merge into whichever source the marker came from.
         if (array_key_exists($key, $_POST)) {
             $_POST = arr::merge_recursive_distinct($defaults, $_POST);
             unset($_POST[$key]);
         }
         if (array_key_exists($key, $_GET)) {
             $_GET = arr::merge_recursive_distinct($defaults, $_GET);
             unset($_GET[$key]);
         }
     }
 }
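 /**
  * Sanitizes global GET, POST and COOKIE data. Also takes care of
  * magic_quotes and register_globals, if they have been enabled.
  *
  * The sanitation runs once per request: the first instance does the work
  * and becomes the singleton held in self::$instance; later constructions
  * only refresh $this->use_xss_clean.
  *
  * @return  void
  */
 public function __construct()
 {
     // Use XSS clean?
     $this->use_xss_clean = (bool) Kohana::config('core.global_xss_filtering');
     if (self::$instance === NULL) {
         // magic_quotes_runtime is enabled
         // (set_magic_quotes_runtime() was removed in PHP 7.0 and
         // get_magic_quotes_runtime() in PHP 8.0; this branch is only
         // reachable on the PHP 5 line this code targets)
         if (get_magic_quotes_runtime()) {
             set_magic_quotes_runtime(0);
             Kohana::log('debug', 'Disable magic_quotes_runtime! It is evil and deprecated: http://php.net/magic_quotes');
         }
         // magic_quotes_gpc is enabled: remember it so the slashes PHP added
         // can be undone later (presumably by clean_input_data(); confirm)
         if (get_magic_quotes_gpc()) {
             $this->magic_quotes_gpc = TRUE;
             Kohana::log('debug', 'Disable magic_quotes_gpc! It is evil and deprecated: http://php.net/magic_quotes');
         }
         // register_globals is enabled
         if (ini_get('register_globals')) {
             if (isset($_REQUEST['GLOBALS'])) {
                 // Prevent GLOBALS override attacks
                 exit('Global variable overload attack.');
             }
             // Destroy the REQUEST global
             $_REQUEST = array();
             // These globals are standard and should not be removed
             $preserve = array('GLOBALS', '_REQUEST', '_GET', '_POST', '_FILES', '_COOKIE', '_SERVER', '_ENV', '_SESSION');
             // This loop has the same effect as disabling register_globals:
             // every other entry of the global symbol table is wiped. The key
             // list is snapshotted first so unsetting does not disturb iteration.
             foreach (array_diff(array_keys($GLOBALS), $preserve) as $key) {
                 global ${$key};
                 ${$key} = NULL;
                 // Unset the global variable
                 unset($GLOBALS[$key], ${$key});
             }
             // Warn the developer about register globals
             Kohana::log('debug', 'Disable register_globals! It is evil and deprecated: http://php.net/register_globals');
         }
         // Replace each global with a sanitized copy (see sanitize_global())
         $_GET  = $this->sanitize_global($_GET);
         $_POST = $this->sanitize_global($_POST);
         // Special attributes of RFC2109 compliant cookies are passed through untouched
         $_COOKIE = $this->sanitize_global($_COOKIE, array('$Version', '$Path', '$Domain'));
         // Create a singleton
         self::$instance = $this;
         Kohana::log('debug', 'Global GET, POST and COOKIE data sanitized');
     }
 }

 /**
  * Builds a sanitized copy of one input array: every key goes through
  * clean_input_keys() and every value through clean_input_data().
  *
  * A fresh array is returned instead of writing back into the array being
  * iterated, so that an entry whose key is rewritten by clean_input_keys()
  * cannot survive under its original, unsanitized key. Keys listed in $skip
  * are compared strictly (an integer key never matches a string attribute
  * name) and copied through as they are.
  *
  * @param   mixed  $data  global input array; anything that is not an array yields array()
  * @param   array  $skip  keys to copy through without sanitizing
  * @return  array
  */
 protected function sanitize_global($data, array $skip = array())
 {
     if (!is_array($data)) {
         return array();
     }
     $clean = array();
     foreach ($data as $key => $val) {
         if (in_array($key, $skip, TRUE)) {
             $clean[$key] = $val;
             continue;
         }
         $clean[$this->clean_input_keys($key)] = $this->clean_input_data($val);
     }
     return $clean;
 }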
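 /**
  * Sanitizes global GET, POST and COOKIE data. Also takes care of
  * magic_quotes and register_globals, if they have been enabled.
  *
  * The sanitation runs once per request: the first instance does the work
  * and becomes the singleton held in self::$instance. Every construction
  * (re)assigns the request helper statics at the end.
  *
  * @return  void
  */
 public function __construct()
 {
     // Use XSS clean?
     $this->use_xss_clean = (bool) Eight::config('core.global_xss_filtering');
     if (self::$instance === nil) {
         // Convert all global variables to UTF-8.
         $_GET = Input::clean($_GET);
         $_POST = Input::clean($_POST);
         $_COOKIE = Input::clean($_COOKIE);
         $_SERVER = Input::clean($_SERVER);
         if (PHP_SAPI === 'cli') {
             // Convert command line arguments
             $_SERVER['argv'] = Input::clean($_SERVER['argv']);
         }
         // magic_quotes_runtime is enabled
         // (get_magic_quotes_runtime()/get_magic_quotes_gpc() were removed in
         // PHP 8.0; these checks only make sense on the PHP 5 line this code targets)
         if (get_magic_quotes_runtime()) {
             exit('Disable magic_quotes_runtime! It is evil and deprecated: http://php.net/magic_quotes');
         }
         // magic_quotes_gpc is enabled
         if (get_magic_quotes_gpc()) {
             exit('Disable magic_quotes_gpc! It is evil and deprecated: http://php.net/magic_quotes');
         }
         // register_globals is enabled
         if (ini_get('register_globals')) {
             exit('Disable register_globals! It is evil and deprecated: http://php.net/register_globals');
         }
         // Replace each global with a sanitized copy (see sanitize_global())
         $_GET = $this->sanitize_global($_GET);
         $_POST = $this->sanitize_global($_POST);
         $_COOKIE = $this->sanitize_global($_COOKIE);
         // Create a singleton
         self::$instance = $this;
         Eight::log('debug', 'Global GET, POST and COOKIE data sanitized');
     }
     // Assign global vars to request helper vars
     // NOTE(review): $_REQUEST is not rewritten above, so request::$input
     // carries the values as PHP received them unless another layer cleans
     // them — confirm before relying on it as sanitized.
     request::$get = $_GET;
     request::$post = $_POST;
     request::$input = array_merge(URI::instance()->segments(2, YES), $_REQUEST);
 }

 /**
  * Builds a sanitized copy of one input array: every key goes through
  * clean_input_keys() and every value through clean_input_data().
  *
  * A fresh array is returned instead of writing back into the array being
  * iterated, so that an entry whose key is rewritten by clean_input_keys()
  * cannot survive under its original, unsanitized key.
  *
  * @param   mixed  $data  global input array; anything that is not an array yields array()
  * @return  array
  */
 protected function sanitize_global($data)
 {
     if (!is_array($data)) {
         return array();
     }
     $clean = array();
     foreach ($data as $key => $val) {
         $clean[$this->clean_input_keys($key)] = $this->clean_input_data($val);
     }
     return $clean;
 }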
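 /**
  * Sanitizes global GET, POST and COOKIE data. Also takes care of
  * magic_quotes and register_globals, if they have been enabled.
  *
  * The sanitation runs once per request: the first instance does the work
  * and becomes the singleton held in self::$instance. Every construction
  * (re)assigns the request helper statics at the end.
  *
  * @return  void
  */
 public function __construct()
 {
     // Use XSS clean?
     $this->use_xss_clean = (bool) Eight::config('core.global_xss_filtering');
     if (self::$instance === nil) {
         // Convert all global variables to UTF-8.
         $_GET = Input::clean($_GET);
         $_POST = Input::clean($_POST);
         $_COOKIE = Input::clean($_COOKIE);
         $_SERVER = Input::clean($_SERVER);
         if (PHP_SAPI === 'cli') {
             // Convert command line arguments
             $_SERVER['argv'] = Input::clean($_SERVER['argv']);
         }
         // magic_quotes_runtime is enabled
         // (set_magic_quotes_runtime() was removed in PHP 7.0 and
         // get_magic_quotes_runtime() in PHP 8.0; this branch is only
         // reachable on the PHP 5 line this code targets)
         if (get_magic_quotes_runtime()) {
             set_magic_quotes_runtime(0);
             Eight::log('debug', 'Disable magic_quotes_runtime! It is evil and deprecated: http://php.net/magic_quotes');
         }
         // magic_quotes_gpc is enabled: remember it so the slashes PHP added
         // can be undone later (presumably by clean_input_data(); confirm)
         if (get_magic_quotes_gpc()) {
             $this->magic_quotes_gpc = YES;
             Eight::log('debug', 'Disable magic_quotes_gpc! It is evil and deprecated: http://php.net/magic_quotes');
         }
         // register_globals is enabled
         if (ini_get('register_globals')) {
             if (isset($_REQUEST['GLOBALS'])) {
                 // Prevent GLOBALS override attacks
                 exit('Global variable overload attack.');
             }
             // Destroy the REQUEST global
             $_REQUEST = array();
             // These globals are standard and should not be removed
             $preserve = array('GLOBALS', '_REQUEST', '_GET', '_POST', '_FILES', '_COOKIE', '_SERVER', '_ENV', '_SESSION');
             // This loop has the same effect as disabling register_globals:
             // every other entry of the global symbol table is wiped. The key
             // list is snapshotted first so unsetting does not disturb the
             // iteration, and array_diff compares keys as strings, so an
             // integer key can never be mistaken for a preserved name.
             foreach (array_diff(array_keys($GLOBALS), $preserve) as $key) {
                 global ${$key};
                 ${$key} = nil;
                 // Unset the global variable
                 unset($GLOBALS[$key], ${$key});
             }
             // Warn the developer about register globals
             Eight::log('debug', 'Disable register_globals! It is evil and deprecated: http://php.net/register_globals');
         }
         // Replace each global with a sanitized copy (see sanitize_global())
         $_GET = $this->sanitize_global($_GET);
         $_POST = $this->sanitize_global($_POST);
         $_COOKIE = $this->sanitize_global($_COOKIE);
         // Create a singleton
         self::$instance = $this;
         Eight::log('debug', 'Global GET, POST and COOKIE data sanitized');
     }
     // Assign global vars to request helper vars
     // NOTE(review): $_REQUEST is not rewritten above, so request::$input
     // carries the values as PHP received them unless another layer cleans
     // them — confirm before relying on it as sanitized.
     request::$get = $_GET;
     request::$post = $_POST;
     request::$input = array_merge(URI::instance()->segments(2, YES), $_REQUEST);
 }

 /**
  * Builds a sanitized copy of one input array: every key goes through
  * clean_input_keys() and every value through clean_input_data().
  *
  * A fresh array is returned instead of writing back into the array being
  * iterated, so that an entry whose key is rewritten by clean_input_keys()
  * cannot survive under its original, unsanitized key.
  *
  * @param   mixed  $data  global input array; anything that is not an array yields array()
  * @return  array
  */
 protected function sanitize_global($data)
 {
     if (!is_array($data)) {
         return array();
     }
     $clean = array();
     foreach ($data as $key => $val) {
         $clean[$this->clean_input_keys($key)] = $this->clean_input_data($val);
     }
     return $clean;
 }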