Index: Input.php
===================================================================
--- Input.php	(revision 167)
+++ Input.php	(working copy)
@@ -31,6 +31,7 @@
 	var $ip_address = FALSE;
 	var $user_agent = FALSE;
 	var $allow_get_array = FALSE;
+	var $clear_get_array = FALSE;
 
 	/**
 	 * Constructor
@@ -45,8 +46,9 @@
 		log_message('debug', "Input Class Initialized");
 
 		$CFG =& load_class('Config');
-		$this->use_xss_clean = ($CFG->item('global_xss_filtering') === TRUE) ? TRUE : FALSE;
-		$this->allow_get_array = ($CFG->item('enable_query_strings') === TRUE) ? TRUE : FALSE;
+		$this->use_xss_clean = (bool)$CFG->item('global_xss_filtering');
+		$this->allow_get_array = $CFG->item('allow_get_array');
+		$this->clear_get_array = (!$this->allow_get_array && !$CFG->item('enable_query_strings'));
 		$this->_sanitize_globals();
 	}
 
@@ -84,11 +86,18 @@
 			}
 		}
 
-		// Is $_GET data allowed? If not we'll set the $_GET to an empty array
-		if ($this->allow_get_array == FALSE)
+		// Clean $_GET data, or if we're not using get, set it to an empty array
+		if ($this->clear_get_array)
 		{
 			$_GET = array();
 		}
+		else
+		{
+			foreach($_GET as $key => $val)
+			{
+				$_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
+			}
+		}
 
 		// Clean $_POST Data
 		if (is_array($_POST) AND count($_POST) > 0)
@@ -96,7 +105,7 @@
 			foreach($_POST as $key => $val)
 			{
 				$_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
-			}
+			}
 		}
 
 		// Clean $_COOKIE Data
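Review bot: `$this->allow_get_array = $CFG->item('allow_get_array');` in the constructor hunk stores the raw config value while the line above now casts `use_xss_clean` with `(bool)`; a config value such as the string `'false'` would be truthy both here and in the `!$this->allow_get_array` test on the next line, so cast it the same way: `$this->allow_get_array = (bool)$CFG->item('allow_get_array');`. The line also introduces a new config key, and a config.php that predates it will receive whatever `item()` returns for an unknown key (presumably FALSE, which cannot be confirmed from this hunk), so the key should be added to the shipped config with a comment explaining how it relates to `enable_query_strings`. Note that `(bool)` is looser than the old `=== TRUE` test for `global_xss_filtering` — any truthy value now turns filtering on, which fails safe but is a behavior change worth recording in the changelog. The constructor's signature is outside the hunk.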
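Review bot: The new `else` branch in `_sanitize_globals()` iterates `$_GET` without the `is_array($_GET) AND count($_GET) > 0` guard that the `$_POST` loop three lines below uses, so a non-array `$_GET` would emit a foreach warning instead of being skipped; mirror the guard, e.g. `else if (is_array($_GET) AND count($_GET) > 0)`. It is also worth noting that if `_clean_input_keys($key)` ever returns a key different from `$key`, the original entry stays in `$_GET` alongside the cleaned one — the existing `$_POST` loop has the same shape, so this is consistent, but `_clean_input_keys()` is not in view and I cannot tell whether it can return a changed key. The enclosing `_sanitize_globals()` starts before this hunk.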
@@ -184,27 +193,31 @@
 	 */
 	function post($index = '', $xss_clean = FALSE)
 	{
-		if ( ! isset($_POST[$index]))
+		return $this->_get_input_value($_POST, $index, $xss_clean);
+	}
+
+	// --------------------------------------------------------------------
+
+	/**
+	 * Fetch an item from the GET array
+	 *
+	 * @access public
+	 * @param string
+	 * @param bool
+	 * @return string
+	 */
+	function get($index = '', $xss_clean = FALSE)
+	{
+		if (!$this->allow_get_array)
 		{
+			/**
+			 * GET array is not enabled, but in case $_GET itself is not empty
+			 * (eg, enable_query_strings is on), we return false here
+			 */
 			return FALSE;
 		}
-
-		if ($xss_clean === TRUE)
-		{
-			if (is_array($_POST[$index]))
-			{
-				foreach($_POST[$index] as $key => $val)
-				{
-					$_POST[$index][$key] = $this->xss_clean($val);
-				}
-			}
-			else
-			{
-				return $this->xss_clean($_POST[$index]);
-			}
-		}
-
-		return $_POST[$index];
+
+		return $this->_get_input_value($_GET, $index, $xss_clean);
 	}
 
 	// --------------------------------------------------------------------
@@ -219,37 +232,27 @@
 	 */
 	function cookie($index = '', $xss_clean = FALSE)
 	{
-		if ( ! isset($_COOKIE[$index]))
-		{
-			return FALSE;
-		}
-
-		if ($xss_clean === TRUE)
-		{
-			if (is_array($_COOKIE[$index]))
-			{
-				$cookie = array();
-				foreach($_COOKIE[$index] as $key => $val)
-				{
-					$cookie[$key] = $this->xss_clean($val);
-				}
-
-				return $cookie;
-			}
-			else
-			{
-				return $this->xss_clean($_COOKIE[$index]);
-			}
-		}
-		else
-		{
-			return $_COOKIE[$index];
-		}
+		return $this->_get_input_value($_COOKIE, $index, $xss_clean);
 	}
-
+
 	// --------------------------------------------------------------------
 
 	/**
+	 * Fetch an item from the ENV array
+	 *
+	 * @access public
+	 * @param string
+	 * @param bool
+	 * @return string
+	 */
+	function env($index = '', $xss_clean = FALSE)
+	{
+		return $this->_get_input_value($_ENV, $index, $xss_clean);
+	}
+
+// --------------------------------------------------------------------
+
+	/**
 	 * Fetch an item from the SERVER array
 	 *
 	 * @access public
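Review bot: `if (!$this->allow_get_array) {` in the new `get()` puts the brace on the signature line and then opens a `/** ... */` docblock inside the function body, while every other method in this hunk puts `{` on its own line and uses `//` comments; match the file with `if ( ! $this->allow_get_array)`, the brace on the next line, and the explanation as `// $_GET may still be populated when enable_query_strings is on; get() is disabled regardless`. Routing `post()` through `_get_input_value()` also replaces its `$xss_clean === TRUE` check with the helper's truthiness test, so any truthy argument now triggers cleaning — a safe direction, but a contract change worth noting. The old `post()` additionally wrote the cleaned values back into `$_POST[$index]`; the new code returns a cleaned copy and leaves the superglobal untouched, which code that later reads `$_POST` directly may not expect.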
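Review bot: The new `env()` hands `$_ENV` to `_get_input_value()` with `$xss_clean` defaulting to FALSE, but the `_sanitize_globals()` hunk earlier in this diff only runs `_clean_input_keys()`/`_clean_input_data()` over `$_GET`, `$_POST` and `$_COOKIE`, so `global_xss_filtering` presumably never reaches `$_ENV` values (the rest of `_sanitize_globals()` is not in view); the docblock should say so: `* Note: $_ENV is not passed through _sanitize_globals(); pass $xss_clean = TRUE if the value is echoed.`. Whether `$_ENV` is populated at all depends on the SAPI and the `variables_order` ini setting, so callers should be told to expect FALSE. The added separator `+// -----` sits at column 0 while the surrounding separators are indented one tab.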
@@ -258,22 +261,12 @@
 	 * @return string
 	 */
 	function server($index = '', $xss_clean = FALSE)
-	{
-		if ( ! isset($_SERVER[$index]))
-		{
-			return FALSE;
-		}
-
-		if ($xss_clean === TRUE)
-		{
-			return $this->xss_clean($_SERVER[$index]);
-		}
-
-		return $_SERVER[$index];
+	{
+		return $this->_get_input_value($_SERVER, $index, $xss_clean);
 	}
 
 	// --------------------------------------------------------------------
-
+
 	/**
 	 * Fetch the IP Address
 	 *
@@ -360,6 +353,29 @@
 
 	// --------------------------------------------------------------------
 
+	/** Gets a value from one of the superglobal input arrays.
+	 *
+	 * This should not be used directly, instead call get() post() cookie()
+	 * server() or env()
+	 *
+	 * @access private
+	 * @param string The name of the input superglobal (eg '_GET')
+	 * @param mixed The index to get
+	 * @param bool If the input should be cleaned for XSS vulnerabilities
+	 * @return mixed
+	 */
+
+	function _get_input_value(&$array, $index, $xss_clean) {
+		if ( ! isset($array[$index]))
+		{
+			return FALSE;
+		}
+
+		return ($xss_clean ? $this->xss_clean($array[$index]) : $array[$index]);
+	}
+
+	// --------------------------------------------------------------------
+
 	/**
 	 * XSS Clean
 	 *
@@ -383,11 +399,21 @@
 	 * http://ha.ckers.org/xss.html
 	 *
 	 * @access public
-	 * @param string
-	 * @return string
+	 * @param mixed
+	 * @return mixed
 	 */
-	function xss_clean($str, $charset = 'ISO-8859-1')
+	function xss_clean($input, $charset = 'ISO-8859-1')
 	{
+		// if it's an array, recursively parse it
+		if (is_array($input)) {
+			foreach ($input as $key=>$val) {
+				$input[$key] = $this->xss_clean($val);
+			}
+			return $input;
+		}
+
+		// if we get here, it's a string - clean it
+
 		/*
 		 * Remove Null Characters
 		 *
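Review bot: The docblock for `_get_input_value()` describes the first parameter as `@param string The name of the input superglobal (eg '_GET')`, but the signature takes the array itself by reference (`&$array`) and every caller in this diff passes `$_POST`, `$_GET`, `$_COOKIE`, `$_ENV` or `$_SERVER` directly; change it to `@param array The input superglobal itself (eg $_GET)`. The blank line between `*/` and `function` detaches the docblock from the method for documentation tools, and the brace on the signature line breaks the Allman style used everywhere else in the file. The reference is also unnecessary since the body never writes to `$array`; a by-value parameter avoids any accidental aliasing of a superglobal.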
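Review bot: The recursive call `$input[$key] = $this->xss_clean($val);` in `xss_clean()` drops the `$charset` argument, so array elements are always cleaned under the default `'ISO-8859-1'` even when the caller supplied a different charset; pass it through: `$input[$key] = $this->xss_clean($val, $charset);`. Array keys are returned untouched, which is fine for values arriving via `_sanitize_globals()` (keys go through `_clean_input_keys()` there) but not for arbitrary arrays a caller assembles itself — worth a line in the docblock. The `if (is_array($input)) {` and `foreach (...) {` braces on the same line differ from the Allman style of the rest of the method. The method body continues past the end of this hunk.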
@@ -395,7 +421,7 @@
 		 * between ascii characters, like Java\0script.
 		 *
 		 */
-		$str = preg_replace('/\0+/', '', $str);
+		$str = preg_replace('/\0+/', '', $input);
 		$str = preg_replace('/(\\\\0)+/', '', $str);
 
 		/*
Index: Router.php
===================================================================
--- Router.php	(revision 167)
+++ Router.php	(working copy)
@@ -289,18 +289,6 @@
 	{
 		if (strtoupper($this->config->item('uri_protocol')) == 'AUTO')
-			// If the URL has a question mark then it's simplest to just
-			// build the URI string from the zero index of the $_GET array.
-			// This avoids having to deal with $_SERVER variables, which
-			// can be unreliable in some environments
-			if (is_array($_GET) AND count($_GET) == 1)
-			{
-				// Note: Due to a bug in current() that affects some versions
-				// of PHP we can not pass function call directly into it
-				$keys = array_keys($_GET);
-				return current($keys);
-			}
-
 			// Is there a PATH_INFO variable?
 			// Note: some servers seem to have trouble with getenv() so we'll test it two ways
 			$path = (isset($_SERVER['PATH_INFO'])) ? $_SERVER['PATH_INFO'] : @getenv('PATH_INFO');