Security
extends Kohana_Security
Security helper class.
Information
This class is a transparent base class for Kohana_Security
Constants
- None
Properties
Properties
-
public static string $token_name
-
key name used for token storage
-
string(14) "security_token"
Methods
public static check(string $token ) (defined in Kohana_Security)
Check that the given token matches the currently stored security token.
if (Security::check($token))
{
// Pass
}
Parameters
- string $token required - Token to check
Tags
Return Values
- boolean
Source Code
public static function check($token)
{
return Security::slow_equals(Security::token(), $token);
}
public static encode_php_tags(string $str ) (defined in Kohana_Security)
Encodes PHP tags in a string.
$str = Security::encode_php_tags($str);
Parameters
- string $str required - String to sanitize
Return Values
- string
Source Code
public static function encode_php_tags($str)
{
return str_replace(['<?', '?>'], ['<?', '?>'], $str);
}
public static slow_equals(string $a , string $b ) (defined in Kohana_Security)
Compare two hashes in a time-invariant manner. Prevents cryptographic side-channel attacks (timing attacks, specifically)
Parameters
- string $a required - Cryptographic hash
- string $b required - Cryptographic hash
Return Values
- boolean
Source Code
public static function slow_equals($a, $b)
{
$diff = strlen($a) ^ strlen($b);
for($i = 0; $i < strlen($a) AND $i < strlen($b); $i++)
{
$diff |= ord($a[$i]) ^ ord($b[$i]);
}
return $diff === 0;
}
public static strip_image_tags(string $str ) (defined in Kohana_Security)
Deprecated for security reasons. See https://github.com/kohana/kohana/issues/107
Remove image tags from a string.
$str = Security::strip_image_tags($str);
Parameters
- string $str required - String to sanitize
Tags
Return Values
- string
Source Code
public static function strip_image_tags($str)
{
return preg_replace('#<img\s.*?(?:src\s*=\s*["\']?([^"\'<>\s]*)["\']?[^>]*)?>#is', '$1', $str);
}
public static token([ boolean $new = bool FALSE ] ) (defined in Kohana_Security)
Generate and store a unique token which can be used to help prevent CSRF attacks.
$token = Security::token();
You can insert this token into your forms as a hidden field:
echo Form::hidden('csrf', Security::token());
And then check it when using Validation:
$array->rules('csrf', array(
array('not_empty'),
array('Security::check'),
));
This provides a basic, but effective, method of preventing CSRF attacks.
Parameters
- boolean $new = bool FALSE - Force a new token to be generated?
Tags
Return Values
- string
Source Code
public static function token($new = FALSE)
{
$session = Session::instance();
// Get the current token
$token = $session->get(Security::$token_name);
if ($new === TRUE OR ! $token)
{
$token = Security::_generate_token();
// Store the new token
$session->set(Security::$token_name, $token);
}
return $token;
}
protected static _generate_token() (defined in Kohana_Security)
Generate a unique token.
Return Values
- string
Source Code
protected static function _generate_token()
{
if (function_exists('random_bytes'))
{
try
{
return bin2hex(random_bytes(24));
}
catch (Exception $e)
{
// Random bytes function is available but no sources of randomness are available
// so rather than allowing the exception to be thrown - fall back to other methods.
// @see http://php.net/manual/en/function.random-bytes.php
}
}
if (function_exists('openssl_random_pseudo_bytes'))
{
// Generate a random pseudo bytes token if openssl_random_pseudo_bytes is available
// This is more secure than uniqid, because uniqid relies on microtime, which is predictable
return base64_encode(openssl_random_pseudo_bytes(32));
}
else
{
// Otherwise, fall back to a hashed uniqid
return sha1(uniqid(NULL, TRUE));
}
}
