/**
 * Initialise the static configuration and the security driver instance.
 *
 * Loads this class's settings through the factory, wraps them in a config
 * object, and resolves the driver named by the `use` setting (prefixed with
 * 'security_') via the factory.
 *
 * @return void
 */
private static function init()
{
    $settings = factory::loadCfg(__CLASS__);
    self::$cfg = new config($settings);

    $driver = 'security_' . self::$cfg->use;
    self::$instance = factory::get($driver);
}
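/**
 * Constructor. Sanitizes global GET, POST and COOKIE data, neutralises
 * magic quotes and register_globals, and establishes the CSRF token.
 *
 * The CSRF token is resolved on every construction: a well-formed token
 * already present in the cookie is reused, otherwise a fresh one is issued
 * and sent with setcookie(). The superglobal sanitising runs only once, for
 * the first instance (guarded by self::$instance).
 *
 * Side effects: setcookie(); rewrites $_POST, $_GET, $_COOKIE and $_REQUEST;
 * with register_globals enabled, unsets every non-standard global.
 *
 * @return void
 */
public function __construct()
{
    if ($this->_csrf_token_name == '') {
        $this->_csrf_token_name = config_item('csrf_name');
    }
    // NOTE(review): _csrf_cookie_name (with cookie_prefix) is computed here,
    // but the cookie below is written and read under _csrf_token_name.
    // Confirm which name the request-side CSRF check expects before unifying.
    $this->_csrf_cookie_name = config_item('cookie_prefix')
        ? config_item('cookie_prefix') . $this->_csrf_token_name
        : $this->_csrf_token_name;

    // isset() avoids an "undefined index" notice on the first visit, and the
    // shape check means a client cannot make us treat an arbitrary string as
    // "our" token: only 32 hex chars (the form we issue) are accepted.
    $cookie_token = isset($_COOKIE[$this->_csrf_token_name])
        ? $_COOKIE[$this->_csrf_token_name]
        : '';
    if (!is_string($cookie_token) || !preg_match('/^[0-9a-f]{32}$/i', $cookie_token)) {
        $this->_csrf_hash = $this->_generate_csrf_token();
        // secure: only when the current request is already HTTPS, so plain
        // http deployments keep working. httponly: the token is compared
        // server-side against the submitted form field, so scripts need no
        // access; drop the flag if a client-side script must read this cookie.
        $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        setcookie($this->_csrf_token_name, $this->_csrf_hash, time() + 3600 * 24, '', '', $secure, TRUE);
    } else {
        $this->_csrf_hash = $cookie_token;
    }

    if (self::$instance === NULL) {
        // Magic quotes: set_magic_quotes_runtime() was removed in PHP 7.0 and
        // the get_* functions in 8.0, so each call is guarded with
        // function_exists() to avoid a fatal error on current PHP.
        if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime()) {
            if (function_exists('set_magic_quotes_runtime')) {
                set_magic_quotes_runtime(0);
            }
        }
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            // Recorded so the input cleaners can undo the added slashes.
            $this->magic_quotes_gpc = TRUE;
        }

        // register_globals: emulate "Off" by dropping every global that is
        // not one of the standard superglobals.
        if (ini_get('register_globals')) {
            $this->_disable_register_globals();
        }

        // Sanitize global data. Each superglobal is rebuilt from scratch so a
        // key rewritten by clean_input_keys() does not leave the raw entry
        // behind under its original key.
        $_POST   = $this->_clean_global_array($_POST);
        $_GET    = $this->_clean_global_array($_GET);
        $_COOKIE = $this->_clean_global_array($_COOKIE);

        // REQUEST is just GET overlaid with POST; cookies are deliberately
        // kept out of it.
        $_REQUEST = array_merge($_GET, $_POST);

        self::$instance = $this;
    }
}

/**
 * Build a fresh 32-hex-char CSRF token from a CSPRNG when one is available.
 *
 * random_bytes() exists from PHP 7, openssl_random_pseudo_bytes() from 5.3.
 * The md5(uniqid()...) form is kept only as a last resort so older hosts
 * keep working; its inputs are predictable, so it should not be relied on.
 *
 * @return string
 */
private function _generate_csrf_token()
{
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes(16));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = FALSE;
        $bytes = openssl_random_pseudo_bytes(16, $strong);
        if ($bytes !== FALSE && $strong) {
            return bin2hex($bytes);
        }
    }
    return md5(uniqid() . microtime() . rand());
}

/**
 * Emulate register_globals=Off: empty $_REQUEST and unset every global that
 * is not one of the standard superglobals.
 *
 * A request parameter named GLOBALS is the classic way to abuse
 * register_globals; the original code only commented on it, so it is simply
 * discarded here together with the rest of $_REQUEST rather than aborting.
 *
 * @return void
 */
private function _disable_register_globals()
{
    $_REQUEST = array();

    // Standard superglobals that must survive the sweep.
    $preserve = array('GLOBALS', '_REQUEST', '_GET', '_POST', '_FILES', '_COOKIE', '_SERVER', '_ENV', '_SESSION');

    foreach (array_keys($GLOBALS) as $key) {
        // strict comparison: keys are strings, avoid loose matches like 0 == 'GLOBALS'
        if (!in_array($key, $preserve, TRUE)) {
            global ${$key};
            ${$key} = NULL;
            unset($GLOBALS[$key], ${$key});
        }
    }
}

/**
 * Return a sanitized copy of one superglobal: keys go through
 * clean_input_keys(), values through clean_input_data(). Anything that is
 * not an array becomes an empty array, as the original did.
 *
 * @param mixed $data
 * @return array
 */
private function _clean_global_array($data)
{
    if (!is_array($data)) {
        return array();
    }
    $clean = array();
    foreach ($data as $key => $value) {
        $clean[$this->clean_input_keys($key)] = $this->clean_input_data($value);
    }
    return $clean;
}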