	/**
	 * Load this class's configuration and resolve the concrete security
	 * implementation named by its `use` setting into self::$instance.
	 */
	private static function init() {
		$settings = factory::loadCfg(__CLASS__);
		self::$cfg = new config($settings);
		$driverName = 'security_' . self::$cfg->use;
		self::$instance = factory::get($driverName);
	}
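 /**
  * Constructor. Establishes the CSRF token (from the cookie when it is well
  * formed, otherwise freshly minted), then — once per process, guarded by
  * self::$instance — neutralises magic quotes / register_globals and
  * sanitizes $_POST, $_GET and $_COOKIE through clean_input_keys() and
  * clean_input_data(). $_REQUEST is rebuilt as the merge of $_GET and $_POST.
  *
  * Side effects: may emit a Set-Cookie header; rewrites the superglobals.
  *
  * @return void
  */
 public function __construct()
 {
     if ($this->_csrf_token_name === '' || $this->_csrf_token_name === NULL) {
         $this->_csrf_token_name = config_item('csrf_name');
     }
     $prefix = config_item('cookie_prefix');
     $this->_csrf_cookie_name = $prefix ? $prefix . $this->_csrf_token_name : $this->_csrf_token_name;
     // NOTE(review): the cookie below is read and written under _csrf_token_name,
     // not _csrf_cookie_name, so the prefix computed above is never applied here.
     // Left unchanged because the verifying code (outside this block) may rely on it.

     // The cookie value is client-controlled. Only accept it when it has exactly
     // the shape this class generates (32 lowercase hex chars); anything else —
     // missing, an array from a "name[]" cookie, or arbitrary text — is replaced.
     $cookie_hash = isset($_COOKIE[$this->_csrf_token_name]) ? $_COOKIE[$this->_csrf_token_name] : '';
     if (is_string($cookie_hash) && preg_match('/^[a-f0-9]{32}$/', $cookie_hash)) {
         $this->_csrf_hash = $cookie_hash;
     } else {
         $this->_csrf_hash = $this->_generate_csrf_hash();
         // NOTE(review): no path/secure/httponly flags are passed; confirm whether
         // client-side script needs to read this cookie before adding httponly.
         setcookie($this->_csrf_token_name, $this->_csrf_hash, time() + 3600 * 24);
     }

     if (self::$instance === NULL) {
         // set_magic_quotes_runtime() was removed in PHP 7.0 and get_magic_quotes_*()
         // in 8.0; guard each call so the constructor cannot fatal on a modern runtime.
         if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime()) {
             // Dear lord!! This is bad and deprecated. Sort it out ;)
             if (function_exists('set_magic_quotes_runtime')) {
                 set_magic_quotes_runtime(0);
             }
         }
         if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
             // This is also bad and deprecated. See http://php.net/magic_quotes for more information.
             $this->magic_quotes_gpc = TRUE;
         }
         // Check for register globals and prevent security issues from arising.
         if (ini_get('register_globals')) {
             // Get rid of REQUEST
             $_REQUEST = array();
             // The following globals are standard and shouldn't really be removed
             $preserve = array('GLOBALS', '_REQUEST', '_GET', '_POST', '_FILES', '_COOKIE', '_SERVER', '_ENV', '_SESSION');
             // Same effect as disabling register_globals: drop every injected global.
             // Strict comparison so a non-string key can never loosely match a name.
             foreach ($GLOBALS as $key => $value) {
                 if (!in_array($key, $preserve, TRUE)) {
                     global ${$key};
                     ${$key} = NULL;
                     unset($GLOBALS[$key], ${$key});
                 }
             }
         }
         // Sanitize global data. Each array is rebuilt rather than written back into
         // itself, so an entry whose key changes under clean_input_keys() does not
         // also survive under its original, uncleaned key.
         $_POST = $this->_clean_global_array($_POST);
         $_GET = $this->_clean_global_array($_GET);
         $_COOKIE = $this->_clean_global_array($_COOKIE);
         // Just make REQUEST a merge of POST and GET. Who really wants cookies in it anyway?
         $_REQUEST = array_merge($_GET, $_POST);
         self::$instance = $this;
     }
 }

 /**
  * Mints a new CSRF token as 32 lowercase hex characters — the same shape
  * the previous md5()-based token had, so existing verifiers keep working.
  * Uses the CSPRNG where available; the uniqid()/md5() fallback exists only
  * for runtimes without random_bytes() and is not cryptographically strong.
  *
  * @return string
  */
 private function _generate_csrf_hash()
 {
     if (function_exists('random_bytes')) {
         return bin2hex(random_bytes(16));
     }
     return md5(uniqid(mt_rand(), TRUE) . microtime());
 }

 /**
  * Returns a copy of $data with every key passed through clean_input_keys()
  * and every value through clean_input_data(). Non-array input yields an
  * empty array, matching the original "else { $_X = array(); }" branches.
  *
  * @param mixed $data  one of the superglobal arrays (or anything else)
  * @return array
  */
 private function _clean_global_array($data)
 {
     if (!is_array($data)) {
         return array();
     }
     $clean = array();
     foreach ($data as $key => $value) {
         $clean[$this->clean_input_keys($key)] = $this->clean_input_data($value);
     }
     return $clean;
 }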