Class Kohana_Security

Security helper class.

package: Kohana
category: Security
author: Kohana Team
copyright: (c) Kohana Team
license: https://koseven.ga/LICENSE.md


Properties

public static string $token_name

Key name used for token storage.

Default: string(14) "security_token"

Methods

public static check(string $token) (defined in Kohana_Security)

Check that the given token matches the currently stored security token.

if (Security::check($token))
{
    // Pass
}

Parameters

  • string $token required - Token to check

Return Values

  • boolean

Source Code

public static function check($token)
{
	return Security::slow_equals(Security::token(), $token);
}

public static encode_php_tags(string $str) (defined in Kohana_Security)

Encodes PHP tags in a string.

$str = Security::encode_php_tags($str);

Parameters

  • string $str required - String to sanitize

Return Values

  • string

Source Code

public static function encode_php_tags($str)
{
	return str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $str);
}

public static slow_equals(string $a, string $b) (defined in Kohana_Security)

Compare two hashes in a time-invariant manner. This prevents cryptographic side-channel attacks (timing attacks, specifically), because a byte-by-byte early-exit comparison would reveal how many leading bytes matched.

Parameters

  • string $a required - Cryptographic hash
  • string $b required - Cryptographic hash

Return Values

  • boolean

Source Code

public static function slow_equals($a, $b)
{
	$diff = strlen($a) ^ strlen($b);
	for($i = 0; $i < strlen($a) AND $i < strlen($b); $i++)
	{
		$diff |= ord($a[$i]) ^ ord($b[$i]);
	}
	return $diff === 0;
}

public static strip_image_tags(string $str) (defined in Kohana_Security)

Deprecated for security reasons. See https://github.com/kohana/kohana/issues/107

Remove image tags from a string.

$str = Security::strip_image_tags($str);

Parameters

  • string $str required - String to sanitize

Tags

  • Deprecated - since version 3.3.6

Return Values

  • string

Source Code

public static function strip_image_tags($str)
{
	return preg_replace('#<img\s.*?(?:src\s*=\s*["\']?([^"\'<>\s]*)["\']?[^>]*)?>#is', '$1', $str);
}

public static token([ boolean $new = FALSE ]) (defined in Kohana_Security)

Generate and store a unique token which can be used to help prevent CSRF attacks.

$token = Security::token();

You can insert this token into your forms as a hidden field:

echo Form::hidden('csrf', Security::token());

And then check it when using Validation:

$array->rules('csrf', array(
    array('not_empty'),
    array('Security::check'),
));

This provides a basic, but effective, method of preventing CSRF attacks.

Parameters

  • boolean $new = FALSE - Force a new token to be generated?

Return Values

  • string

Source Code

public static function token($new = FALSE)
{
	$session = Session::instance();

	// Get the current token
	$token = $session->get(Security::$token_name);

	if ($new === TRUE OR ! $token)
	{
		$token = Security::_generate_token();

		// Store the new token
		$session->set(Security::$token_name, $token);
	}

	return $token;
}
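The CSRF flow described above (token() stored in the session, Form::hidden() in the form, not_empty plus Security::check() on submit) and the slow_equals() comparison it relies on, as an added stand-alone example; this is not Koseven's own code. It assumes a plain array in place of Session::instance(), reimplements the token, check and comparison steps so it runs without the framework, and rotates the token with the $new flag after a successful request, which is this example's choice rather than something Kohana does by itself.

```php
<?php
// Added example, not Kohana_Security's own code: models the documented CSRF flow
// with a plain array ($session) standing in for Session::instance().
const TOKEN_NAME = 'security_token';   // same default as Security::$token_name

function csrf_token(array &$session, bool $new = false): string
{
    if ($new || empty($session[TOKEN_NAME])) {
        // random_bytes() is the first source _generate_token() tries
        $session[TOKEN_NAME] = bin2hex(random_bytes(24));
    }
    return $session[TOKEN_NAME];
}

function slow_equals(string $a, string $b): bool
{
    // Same algorithm as Security::slow_equals: fold every byte difference into
    // $diff and never return early, so the run time does not depend on where
    // the first mismatching byte sits.
    $diff = strlen($a) ^ strlen($b);
    for ($i = 0; $i < strlen($a) && $i < strlen($b); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function hidden_field(array &$session): string
{
    // Equivalent of Form::hidden('csrf', Security::token())
    $value = htmlspecialchars(csrf_token($session), ENT_QUOTES);
    return '<input type="hidden" name="csrf" value="' . $value . '">';
}

function handle_post(array &$session, array $post): string
{
    // Mirrors the Validation rules: not_empty, then Security::check.
    // Reject before touching any state.
    if (!isset($post['csrf']) || $post['csrf'] === '') {
        return 'rejected: missing token';
    }
    if (!slow_equals(csrf_token($session), (string) $post['csrf'])) {
        return 'rejected: token mismatch';
    }
    csrf_token($session, true);   // rotate after use (this example's choice)
    return 'accepted';
}

$session = [];                   // constructed stand-in for the session store
echo hidden_field($session), PHP_EOL;
$issued = csrf_token($session);
echo handle_post($session, []), PHP_EOL;                     // missing token
echo handle_post($session, ['csrf' => 'forged']), PHP_EOL;   // wrong token
echo handle_post($session, ['csrf' => $issued]), PHP_EOL;    // valid token
echo handle_post($session, ['csrf' => $issued]), PHP_EOL;    // stale after rotation
```

On PHP 5.6 and later the native hash_equals() performs the same constant-time comparison and can be used in place of a hand-written loop.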

protected static _generate_token() (defined in Kohana_Security)

Generate a unique token.

Return Values

  • string

Source Code

protected static function _generate_token()
{
	if (function_exists('random_bytes'))
	{
		try
		{
			return bin2hex(random_bytes(24));
		}
		catch (Exception $e)
		{
			// Random bytes function is available but no sources of randomness are available
			// so rather than allowing the exception to be thrown - fall back to other methods.
			// @see http://php.net/manual/en/function.random-bytes.php
		}
	}

	if (function_exists('openssl_random_pseudo_bytes'))
	{
		// Generate a random pseudo bytes token if openssl_random_pseudo_bytes is available
		// This is more secure than uniqid, because uniqid relies on microtime, which is predictable
		return base64_encode(openssl_random_pseudo_bytes(32));
	}
	else
	{
		// Otherwise, fall back to a hashed uniqid
		return sha1(uniqid(NULL, TRUE));
	}
}
