2012-11-22 03:25:06 +00:00
|
|
|
<?php defined('SYSPATH') OR die('No direct script access.');
|
2011-01-13 14:49:56 +00:00
|
|
|
/**
|
|
|
|
* Security helper class.
|
|
|
|
*
|
|
|
|
* @package Kohana
|
|
|
|
* @category Security
|
|
|
|
* @author Kohana Team
|
2012-11-22 03:25:06 +00:00
|
|
|
* @copyright (c) 2007-2012 Kohana Team
|
2011-01-13 14:49:56 +00:00
|
|
|
* @license http://kohanaframework.org/license
|
|
|
|
*/
|
|
|
|
class Kohana_Security {
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @var string key name used for token storage
|
|
|
|
*/
|
|
|
|
public static $token_name = 'security_token';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Generate and store a unique token which can be used to help prevent
|
|
|
|
* [CSRF](http://wikipedia.org/wiki/Cross_Site_Request_Forgery) attacks.
|
|
|
|
*
|
|
|
|
* $token = Security::token();
|
|
|
|
*
|
|
|
|
* You can insert this token into your forms as a hidden field:
|
|
|
|
*
|
|
|
|
* echo Form::hidden('csrf', Security::token());
|
|
|
|
*
|
2011-05-16 12:47:16 +00:00
|
|
|
* And then check it when using [Validation]:
|
2011-01-13 14:49:56 +00:00
|
|
|
*
|
|
|
|
* $array->rules('csrf', array(
|
|
|
|
* 'not_empty' => NULL,
|
|
|
|
* 'Security::check' => NULL,
|
|
|
|
* ));
|
|
|
|
*
|
|
|
|
* This provides a basic, but effective, method of preventing CSRF attacks.
|
|
|
|
*
|
2012-11-22 03:25:06 +00:00
|
|
|
* @param boolean $new force a new token to be generated?
|
2011-01-13 14:49:56 +00:00
|
|
|
* @return string
|
|
|
|
* @uses Session::instance
|
|
|
|
*/
|
|
|
|
public static function token($new = FALSE)
|
|
|
|
{
|
|
|
|
$session = Session::instance();
|
|
|
|
|
|
|
|
// Get the current token
|
|
|
|
$token = $session->get(Security::$token_name);
|
|
|
|
|
|
|
|
if ($new === TRUE OR ! $token)
|
|
|
|
{
|
|
|
|
// Generate a new unique token
|
2011-05-16 12:47:16 +00:00
|
|
|
$token = sha1(uniqid(NULL, TRUE));
|
2011-01-13 14:49:56 +00:00
|
|
|
|
|
|
|
// Store the new token
|
|
|
|
$session->set(Security::$token_name, $token);
|
|
|
|
}
|
|
|
|
|
|
|
|
return $token;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check that the given token matches the currently stored security token.
|
|
|
|
*
|
|
|
|
* if (Security::check($token))
|
|
|
|
* {
|
|
|
|
* // Pass
|
|
|
|
* }
|
|
|
|
*
|
2012-11-22 03:25:06 +00:00
|
|
|
* @param string $token token to check
|
2011-01-13 14:49:56 +00:00
|
|
|
* @return boolean
|
|
|
|
* @uses Security::token
|
|
|
|
*/
|
|
|
|
public static function check($token)
|
|
|
|
{
|
|
|
|
return Security::token() === $token;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Remove image tags from a string.
|
|
|
|
*
|
|
|
|
* $str = Security::strip_image_tags($str);
|
|
|
|
*
|
2012-11-22 03:25:06 +00:00
|
|
|
* @param string $str string to sanitize
|
2011-01-13 14:49:56 +00:00
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
public static function strip_image_tags($str)
|
|
|
|
{
|
|
|
|
return preg_replace('#<img\s.*?(?:src\s*=\s*["\']?([^"\'<>\s]*)["\']?[^>]*)?>#is', '$1', $str);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Encodes PHP tags in a string.
|
|
|
|
*
|
|
|
|
* $str = Security::encode_php_tags($str);
|
|
|
|
*
|
2012-11-22 03:25:06 +00:00
|
|
|
* @param string $str string to sanitize
|
2011-01-13 14:49:56 +00:00
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
public static function encode_php_tags($str)
|
|
|
|
{
|
|
|
|
return str_replace(array('<?', '?>'), array('<?', '?>'), $str);
|
|
|
|
}
|
|
|
|
|
|
|
|
} // End security
|