/usr/share/php/kohana3.1/system/classes/kohana/security.php is in libkohana3.1-core-php 3.1.4-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
<?php if ( ! defined('SYSPATH')) die('No direct script access.');
/**
* Security helper class.
*
* @package Kohana
* @category Security
* @author Kohana Team
* @copyright (c) 2007-2011 Kohana Team
* @license http://kohanaframework.org/license
*/
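class Kohana_Security {

	/**
	 * @var  string  key name used for token storage
	 */
	public static $token_name = 'security_token';

	/**
	 * Generate and store a unique token which can be used to help prevent
	 * [CSRF](http://wikipedia.org/wiki/Cross_Site_Request_Forgery) attacks.
	 *
	 *     $token = Security::token();
	 *
	 * You can insert this token into your forms as a hidden field:
	 *
	 *     echo Form::hidden('csrf', Security::token());
	 *
	 * And then check it when using [Validation]:
	 *
	 *     $array->rules('csrf', array(
	 *         'not_empty'       => NULL,
	 *         'Security::check' => NULL,
	 *     ));
	 *
	 * This provides a basic, but effective, method of preventing CSRF attacks.
	 *
	 * The token is a 40-character hexadecimal string. It is drawn from a
	 * cryptographically secure generator whenever the runtime offers one
	 * (see [Security::_random_token]); the original uniqid()-based value was
	 * time-derived and therefore guessable.
	 *
	 * @param   boolean  force a new token to be generated?
	 * @return  string
	 * @uses    Session::instance
	 */
	public static function token($new = FALSE)
	{
		$session = Session::instance();

		// Get the current token
		$token = $session->get(Security::$token_name);

		if ($new === TRUE OR ! $token)
		{
			// Generate a new unique token
			$token = Security::_random_token();

			// Store the new token
			$session->set(Security::$token_name, $token);
		}

		return $token;
	}

	/**
	 * Check that the given token matches the currently stored security token.
	 *
	 *     if (Security::check($token))
	 *     {
	 *         // Pass
	 *     }
	 *
	 * The comparison is constant-time (see [Security::slow_equals]) so that
	 * the stored token cannot be recovered byte-by-byte through response
	 * timing. Anything that is not a non-empty string (NULL, an array from a
	 * manipulated form, ...) fails without being compared.
	 *
	 * @param   string   token to check
	 * @return  boolean
	 * @uses    Security::token
	 */
	public static function check($token)
	{
		// token() never returns an empty string, so these can never match;
		// rejecting them here also keeps non-strings away from the comparison
		if ( ! is_string($token) OR $token === '')
		{
			return FALSE;
		}

		// Note: token() creates and stores a token if the session has none
		// yet, so a check against an empty session always fails (as before)
		return Security::slow_equals(Security::token(), $token);
	}

	/**
	 * Compare two strings in constant time, independent of where they first
	 * differ, to prevent timing attacks on secret values such as tokens.
	 *
	 *     $same = Security::slow_equals($expected, $given);
	 *
	 * Uses hash_equals() where available (PHP 5.6+) and a XOR-accumulating
	 * loop otherwise.
	 *
	 * @param   string   known (expected) value
	 * @param   string   value supplied by the user
	 * @return  boolean
	 */
	public static function slow_equals($a, $b)
	{
		$a = (string) $a;
		$b = (string) $b;

		if (function_exists('hash_equals'))
		{
			return hash_equals($a, $b);
		}

		$len_a = strlen($a);
		$len_b = strlen($b);

		// A length mismatch is folded into the result rather than returned
		// early; the loop still walks the shorter string
		$diff = $len_a ^ $len_b;
		$limit = ($len_a < $len_b) ? $len_a : $len_b;

		for ($i = 0; $i < $limit; $i++)
		{
			$diff |= ord($a[$i]) ^ ord($b[$i]);
		}

		return $diff === 0;
	}

	/**
	 * Produce a fresh 40-character hexadecimal token.
	 *
	 * Prefers random_bytes() (PHP 7+), then openssl_random_pseudo_bytes()
	 * when it reports a strong result, and only then falls back to a
	 * uniqid()-based value. The fallback is NOT a cryptographic source; it is
	 * kept so the method keeps working on every runtime the original did.
	 *
	 * @return  string
	 */
	protected static function _random_token()
	{
		if (function_exists('random_bytes'))
		{
			return bin2hex(random_bytes(20));
		}

		if (function_exists('openssl_random_pseudo_bytes'))
		{
			$strong = FALSE;
			$bytes  = openssl_random_pseudo_bytes(20, $strong);

			if ($strong === TRUE AND $bytes !== FALSE)
			{
				return bin2hex($bytes);
			}
		}

		// Weak fallback: time-based id with an mt_rand() prefix, hashed to
		// keep the 40-hex-character shape of the other branches
		return sha1(uniqid(mt_rand(), TRUE));
	}

	/**
	 * Remove image tags from a string, leaving only the value of each tag's
	 * `src` attribute (or nothing when the tag has none).
	 *
	 *     $str = Security::strip_image_tags($str);
	 *
	 * This targets `<img>` tags only; it is not a general HTML sanitizer and
	 * must not be relied on to make arbitrary markup safe for output.
	 * preg_replace() returns NULL if PCRE fails (for example on input that
	 * exceeds the backtrack limit), and that NULL is passed through.
	 *
	 * @param   string   string to sanitize
	 * @return  string
	 */
	public static function strip_image_tags($str)
	{
		return preg_replace('#<img\s.*?(?:src\s*=\s*["\']?([^"\'<>\s]*)["\']?[^>]*)?>#is', '$1', $str);
	}

	/**
	 * Encodes PHP tags in a string, so that `<?` and `?>` are rendered as
	 * text instead of being treated as code if the string is later written
	 * into a file that is executed.
	 *
	 *     $str = Security::encode_php_tags($str);
	 *
	 * @param   string   string to sanitize
	 * @return  string
	 */
	public static function encode_php_tags($str)
	{
		// The replacement must differ from the search term: replacing '<?'
		// with '<?' would be a no-op and leave the tags executable
		return str_replace(array('<?', '?>'), array('&lt;?', '?&gt;'), $str);
	}

} // End security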