CodeIgniter框架源码学习之安全类--Security.php
文件位置:./system/core/Security.php
/**
* CodeIgniter
*
* An open source application development framework for PHP
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2017, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
* @filesource
*/
defined('BASEPATH') OR exit('No direct script access allowed');
/**
* Security Class
*
* @package CodeIgniter
* @subpackage Libraries
* @category Security
* @author EllisLab Dev Team
* @link https://codeigniter.com/user_guide/libraries/security.html
*/
class CI_Security {
/**
* List of sanitize filename strings
*
文件名中需要被删除字符的数组
* @var array
*/
public $filename_bad_chars = array(
'../', '', '<', '>',
"'", '"', '&', '$', '#',
'{', '}', '[', ']', '=',
';', '?', '%20', '%22',
'%3c', // <
'%253c', // <
'%3e', // >
'%0e', // >
'%28', // (
'%29', // )
'%2528', // (
'%26', // &
'%24', // $
'%3f', // ?
'%3b', // ;
'%3d' // =
);
/**
* Character set
*
* Will be overridden by the constructor.
*
编码设置,将会被构造器中的设置所替代
* @var string
*/
public $charset = 'UTF-8';
/**
* XSS Hash
*
* Random Hash for protecting URLs.
*
随机的哈希数保护url
* @var string
*/
protected $_xss_hash;
/**
csrf
跨站请求伪造
* CSRF Hash
*
* Random hash for Cross Site Request Forgery protection cookie
*
随机的哈希数保护cookie防止被csrf攻击
* @var string
*/
protected $_csrf_hash;
/**
* CSRF Expire time
*
* Expiration time for Cross Site Request Forgery protection cookie.
* Defaults to two hours (in seconds).
*
保护cookie被csrf攻击的过期时间,默认是两个小时7200秒
* @var int
*/
protected $_csrf_expire = 7200;
/**
* CSRF Token name
*
* Token name for Cross Site Request Forgery protection cookie.
*
保护cookie被csrf攻击的token名
* @var string
*/
protected $_csrf_token_name = 'ci_csrf_token';
/**
* CSRF Cookie name
*
* Cookie name for Cross Site Request Forgery protection cookie.
*
保护cookie被csrf攻击的cookie名
* @var string
*/
protected $_csrf_cookie_name = 'ci_csrf_token';
/**
* List of never allowed strings
*
不被允许的字符串列表
* @var array
*/
protected $_never_allowed_str = array(
'document.cookie' => '[removed]',
'document.write' => '[removed]',
'.parentNode' => '[removed]',
'.innerHTML' => '[removed]',
'-moz-binding' => '[removed]',
'' => '-->',
' '<![CDATA[',
'' => '<comment>',
'<%' => '<%'
);
/**
* List of never allowed regex replacements
*
不允许的正则替换字符串列表
* @var array
*/
protected $_never_allowed_regex = array(
'javascript\s*:',
'(document|(document\.)?window)\.(location|on\w*)',
'expression\s*(\(|&\#40;)', // CSS and IE
'vbscript\s*:', // IE, surprise!
'wscript\s*:', // IE
'jscript\s*:', // IE
'vbs\s*:', // IE
'Redirect\s+30\d',
"([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
);
/**
* Class constructor
*
* @return void
*/
public function __construct()
{
// Is CSRF protection enabled?
是否开启跨站请求伪造,如果开启则将配置文件中csrf配置项赋值给安全类作为全局变量
if (config_item('csrf_protection'))
{
// CSRF config
foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
{
if (NULL !== ($val = config_item($key)))
{
$this->{'_'.$key} = $val;
}
}
// Append application specific cookie prefix
扩展应用指定的cookie前缀,如果这个前缀存在
if ($cookie_prefix = config_item('cookie_prefix'))
{
$this->_csrf_cookie_name = $cookie_prefix.$this->_csrf_cookie_name;
}
// Set the CSRF hash
设置CSRF保护的hash数
$this->_csrf_set_hash();
}
$this->charset = strtoupper(config_item('charset'));
log_message('info', 'Security Class Initialized');
}
// --------------------------------------------------------------------
/**
* CSRF Verify
*
跨站请求伪造
* @return CI_Security
*/
public function csrf_verify()
{
// If it's not a POST request we will set the CSRF cookie
如果不是post请求,我们将设置CSRFcookie
if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')
{
return $this->csrf_set_cookie();
}
// Check if URI has been whitelisted from CSRF checks
检查uri是不是属于CSRF保护的白名单中
if ($exclude_uris = config_item('csrf_exclude_uris'))
{
$uri = load_class('URI', 'core');
foreach ($exclude_uris as $excluded)
{
if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
{
return $this;
}
}
}
检查SCSRF token 是否正确,但是在不匹配时报错,我们将重新生成
// Check CSRF token validity, but don't error on mismatch just yet - we'll want to regenerate
$valid = isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
&& hash_equals($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]);
// We kill this since we're done and we don't want to pollute the _POST array
我们一完成操作就释放掉,不会污染$_POST数组
unset($_POST[$this->_csrf_token_name]);
// Regenerate on every submission?
是否在每次提交都重新生成,主要取决于配置数组中的设置
if (config_item('csrf_regenerate'))
{
// Nothing should last forever
unset($_COOKIE[$this->_csrf_cookie_name]);
$this->_csrf_hash = NULL;
}
$this->_csrf_set_hash();
$this->csrf_set_cookie();
if ($valid !== TRUE)
{
$this->csrf_show_error();
}
log_message('info', 'CSRF token verified');
return $this;
}
// --------------------------------------------------------------------
/**
* CSRF Set Cookie
*
跨站请求伪造设置cookie
* @codeCoverageIgnore
* @return CI_Security
*/
public function csrf_set_cookie()
{
$expire = time() + $this->_csrf_expire;
$secure_cookie = (bool) config_item('cookie_secure');
if ($secure_cookie && ! is_https())
{
return FALSE;
}
setcookie(
$this->_csrf_cookie_name,
$this->_csrf_hash,
$expire,
config_item('cookie_path'),
config_item('cookie_domain'),
$secure_cookie,
config_item('cookie_httponly')
);
log_message('info', 'CSRF cookie sent');
return $this;
}
// --------------------------------------------------------------------
/**
* Show CSRF Error
*
显示CSRF错误
* @return void
*/
public function csrf_show_error()
{
show_error('The action you have requested is not allowed.', 403);
}
// --------------------------------------------------------------------
/**
* Get CSRF Hash
*
得到CSRF哈希数
* @see CI_Security::$_csrf_hash
* @return string CSRF hash
*/
public function get_csrf_hash()
{
return $this->_csrf_hash;
}
// --------------------------------------------------------------------
/**
* Get CSRF Token Name
*
得到CSRF token名
* @see CI_Security::$_csrf_token_name
* @return string CSRF token name
*/
public function get_csrf_token_name()
{
return $this->_csrf_token_name;
}
// --------------------------------------------------------------------
/**
* XSS Clean
*
* Sanitizes(净化) data so that Cross Site Scripting Hacks(
跨站脚本) can be
* prevented. This method does a fair amount of work but
* it is extremely(非常) thorough(彻底), designed to prevent even the
* most obscure(鲜为人知的) XSS attempts. Nothing is ever 100% foolproof,
* of course, but I haven't been able to get anything passed
* the filter.
*
* Note: Should only be used to deal with data upon submission.
* It's not something that should be used for general
* runtime processing.
*
* @link http://channel.bitflux.ch/wiki/XSS_Prevention
* Based in part on some code and ideas from Bitflux.
*
* @link http://ha.ckers.org/xss.html
* To help develop this script I used this great list of
* vulnerabilities along with a few other hacks I've
* harvested from examining vulnerabilities in other programs.
*
* @param string|string[] $str Input data
* @param bool $is_image Whether the input is an image
* @return string
*/
public function xss_clean($str, $is_image = FALSE)
{
// Is the string an array?
if (is_array($str))
{
foreach ($str as $key => &$value)
{
$str[$key] = $this->xss_clean($value);
}
return $str;
}
// Remove Invisible Characters
$str = remove_invisible_characters($str);
/*
* URL Decode
*
* Just in case stuff like this is submitted:
*
* Google
*
* Note: Use rawurldecode() so it does not remove plus signs
*/
if (stripos($str, '%') !== false)
{
do
{
$oldstr = $str;
$str = rawurldecode($str);
$str = preg_replace_callback('#%(?:\s*[0-9a-f]){2,}#i', array($this, '_urldecodespaces'), $str);
}
while ($oldstr !== $str);
unset($oldstr);
}
/*
* Convert character entities to ASCII
*
* This permits our tests below to work reliably.
* We only convert entities that are within tags since
* these are the ones that will pose security problems.
*/
$str = preg_replace_callback("/[^a-z0-9>]+[a-z0-9]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
$str = preg_replace_callback('/<\w+.*/si', array($this, '_decode_entity'), $str);
// Remove Invisible Characters Again!
$str = remove_invisible_characters($str);
/*
* Convert all tabs to spaces
*
* This prevents strings like this: ja vascript
* NOTE: we deal with spaces between characters later.
* NOTE: preg_replace was found to be amazingly slow here on
* large blocks of data, so we use str_replace.
*/
$str = str_replace("\t", ' ', $str);
// Capture converted string for later comparison
$converted_string = $str;
// Remove Strings that are never allowed
$str = $this->_do_never_allowed($str);
/*
* Makes PHP tags safe
*
* Note: XML tags are inadvertently(不经意间的) replaced too:
*