PHP ESAPI::getAuditor方法代码示例

 /**
  * Encoder constructor.
  * 
  * @param array $_codecs An array of Codec instances which will be used for
  *                       canonicalization.
  *                    
  * @return does not return a value.
  */
 function __construct($_codecs = null)
 {
     $this->logger = ESAPI::getAuditor("Encoder");
     // initialise codecs
     $this->_base64Codec = new Base64Codec();
     $this->_cssCodec = new CSSCodec();
     $this->_htmlCodec = new HTMLEntityCodec();
     $this->_javascriptCodec = new JavaScriptCodec();
     $this->_percentCodec = new PercentCodec();
     $this->_vbscriptCodec = new VBScriptCodec();
     $this->_xmlCodec = new XMLEntityCodec();
     // initialise array of codecs for use by canonicalize
     if ($_codecs === null) {
         array_push($this->_codecs, $this->_htmlCodec);
         array_push($this->_codecs, $this->_javascriptCodec);
         array_push($this->_codecs, $this->_percentCodec);
         // leaving css and vbs codecs out - they eat / and " chars respectively
         // array_push($this->_codecs,$this->_cssCodec);
         // array_push($this->_codecs,$this->_vbscriptCodec);
     } else {
         if (!is_array($_codecs)) {
             throw new Exception('Invalid Argument. Codec list must be of type ' . 'Array.');
         } else {
             // check array contains only codec instances
             foreach ($_codecs as $codec) {
                 if ($codec instanceof Codec == false) {
                     throw new Exception('Invalid Argument. Codec list must ' . 'contain only Codec instances.');
                 }
             }
             $this->_codecs = array_merge($this->_codecs, $_codecs);
         }
     }
 }

 /**
  * Instantiates a new intrusion exception.
  *
  * @param string $userMessage The message displayed to the user
  * @param string $logMessage  the message logged
  *
  * @return does not return a value.
  */
 public function __construct($userMessage = '', $logMessage = '')
 {
     parent::__construct($userMessage);
     $this->logMessage = $logMessage;
     $logger = ESAPI::getAuditor("IntrusionException");
     $logger->error(DefaultAuditor::SECURITY, false, "INTRUSION - " . $logMessage);
 }

 /**
  * Constructor sets-up the validation rule with a descriptive name for this
  * validator, an optional Encoder instance (for canonicalization) and an
  * optional whitelist regex pattern to validate the input against prior to
  * HTML purification.
  * An instance of the HTMLPurifier class is created and stored too.
  *
  * @param string $typeName         descriptive name for this validator.
  * @param object $encoder          providing canonicalize method.
  * @param string $whitelistPattern Whitelist regex.
  *
  * @return does not return a value.
  */
 public function __construct($typeName, $encoder = null, $whitelistPattern = null)
 {
     parent::__construct($typeName, $encoder);
     $this->_auditor = ESAPI::getAuditor('HTMLValidationRule');
     try {
         $this->_purifier = new HTMLPurifier($this->_basicConfig());
     } catch (Exception $e) {
         throw new ValidationException('Could not initialize HTMLPurifier.', 'Caught ' . gettype($e) . ' attempting to instantiate HTMLPurifier: ' . $e->getMessage, 'HTMLValidationRule->construct');
     }
 }

 /**
  * Creates a new instance of EnterpriseSecurityException that includes a
  * root cause.
  *
  * @param string $userMessage The message displayed to the user
  * @param string $logMessage  the message logged
  */
 public function __construct($userMessage = '', $logMessage = '')
 {
     $cause = 0;
     if (empty($userMessage)) {
         $userMessage = null;
     }
     parent::__construct($userMessage);
     $this->logMessage = $logMessage;
     $this->logger = ESAPI::getAuditor("EnterpriseSecurityException");
     if (!ESAPI::getSecurityConfiguration()->getDisableIntrusionDetection()) {
         ESAPI::getIntrusionDetector()->addException($this);
     }
 }

 /**
  * Constructor sets-up the validation rule with a descriptive name for this
  * validator, an optional Encoder instance (for canonicalization) and an
  * optional whitelist regex pattern to validate the input against prior to
  * email address purification.
  * An instance of the HTMLPurifier class is created and stored too.
  *
  * @param string $typeName         descriptive name for this validator.
  * @param object $encoder          object providing canonicalize method.
  * @param string $whitelistPattern Whitelist regex.
  *
  * @return does not return a value.
  */
 public function __construct($typeName, $encoder = null, $whitelistPattern = null)
 {
     parent::__construct($typeName, $encoder);
     $this->_auditor = ESAPI::getAuditor("EmailAddressValidationRule");
 }

 /**
  * Helper function.
  *
  * @param string $msg Message to output to the console.
  *
  * @return does not return a value.
  */
 private function _logSpecial($msg)
 {
     ESAPI::getAuditor('DefaultSecurityConfiguration')->warning(Auditor::SECURITY, false, $msg);
 }

 /**
  * _addString is called by addEncodedString or addUnencodedString and adds
  * Codec input to the buffer character by character.  It also adds some
  * backtrace information to the buffer before adding any characters.
  *
  * @param string $string is a UTF-32 encoded string.
  * 
  * @return null
  */
 private function _addString($string)
 {
     if ($this->_enabled == false || !ESAPI::getAuditor(CD_LOG)->isDebugEnabled() || !$this->_allowRecurse) {
         return;
     }
     // start with some details about the caller
     if ($this->_buf === null) {
         $caller = null;
         try {
             $caller = $this->_shortTrace();
         } catch (Exception $e) {
             $caller = $this->_verb . 'ing';
         }
         $this->_buf = $caller . ":\n";
     }
     // add the string, char by char
     $len = mb_strlen($string, 'UTF-32');
     if ($len == 0) {
         $this->_addNormalized('');
         return;
     }
     for ($i = 0; $i < $len; $i++) {
         $char = mb_substr($string, $i, 1, 'UTF-32');
         $this->_addNormalized($char);
     }
 }

 /**
  * The constructor stores an instance of Auditor for the purpose of logging.
  */
 public function __construct()
 {
     $this->_auditor = ESAPI::getAuditor('DefaultHTTPUtilities');
     $this->_validator = ESAPI::getValidator();
 }

 /**
  * Constructor stores an instance of Auditor for logging and initialises the
  * storage for events generated for a user.
  *
  * @return null
  */
 function __construct()
 {
     $this->_auditor = ESAPI::getAuditor('IntrusionDetector');
     $this->_userEvents = array();
 }

 /**
  * Validator constructor.
  *
  * @return does not return a value.
  */
 public function __construct()
 {
     $this->_auditor = ESAPI::getAuditor('DefaultValidator');
     $this->_encoder = ESAPI::getEncoder();
     $this->_fileValidator = new DefaultEncoder(array(new HTMLEntityCodec(), new PercentCodec()));
 }

 /**
  * Add a reCaptcha element to the form assuming that:
  * o we have an ini file
  * o the 'use' options is not set to 'off'
  * o the 'use' option is set to 'on', and conditionallyUseCaptcha is not
  *   false.
  *
  * @return null
  */
 public function setCaptcha()
 {
     $bs = Zend_Controller_Front::getInstance()->getParam('bootstrap');
     $captchaConfigLoc = $bs->getOption('captchaconfigloc');
     // return if captcha should not be used.
     $captchaConfig = null;
     if (!empty($captchaConfigLoc)) {
         $captchaConfig = new Zend_Config_Ini($captchaConfigLoc, APPLICATION_ENV, false);
         if ($captchaConfig instanceof Zend_Config) {
             if (strtolower($captchaConfig->recaptcha->use) == 'on' && $this->_conditionallyUseCaptcha === false || strtolower($captchaConfig->recaptcha->use) == 'off') {
                 return;
             }
         } else {
             return;
         }
     } else {
         return;
     }
     // Recaptcha key pairs can be used at a single domain (and subdomains).
     // See if there are multiple key pairs (one per domain) and select the
     // correct pair. {@see matchDomianName}
     $keyConfig = null;
     foreach ($captchaConfig->recaptcha as $_ => $keypair) {
         if ($_ == 'use') {
             continue;
         }
         if (!isset($keypair->domain)) {
             ESAPI::getAuditor('Form_Contact')->error(Auditor::SECURITY, false, 'Misconfiguration in captcha.ini - missing domain name from key pair set - Captcha Not Initialised!');
             return;
         }
         if ($this->_matchDomainName($keypair->domain) === true) {
             $keyConfig = $keypair;
             break;
         }
     }
     if ($keyConfig instanceof Zend_Config === false) {
         ESAPI::getAuditor('Form_Contact')->error(Auditor::SECURITY, false, 'Misconfiguration in captcha.ini - could not find key pairs for this host - Captcha Not Initialised!');
         return;
     }
     $this->addElement(new Zend_Form_Element_Captcha('challenge', array('order' => 750, 'captcha' => 'ReCaptcha', 'captchaOptions' => array('captcha' => 'ReCaptcha', 'service' => new Zend_Service_ReCaptcha($keyConfig->publicKey, $keyConfig->privateKey)))));
 }

    $util->killAllCookies($req);
    $view .= '<p>The response should have requested your User Agent to delete your cookies. Let us see if it will honour that request.';
    $view .= " <a href=\"{$uri}?req=test2\">click me!</a></p>";
} elseif ($req->getParameter('req') == 'test2') {
    $view .= '<p>Cookies received in that request: ';
    $view .= ESAPI::getEncoder()->encodeForHTML(print_r($req->getCookies(), true));
    $view .= '</p>';
    $view .= '<p>';
    if ($req->getCookie('testcookie') === null) {
        $view .= 'It worked! testcookie was not received in that request.';
    } else {
        $view .= 'It did not work. testcookie was received in that request.';
    }
    $view .= '</p>';
    $tests['cookie'] .= ' - DONE';
    $a = ESAPI::getAuditor('HTTPUtilsExtraTests');
    $log = $util->logHTTPRequest($req, $a);
    $logO = $util->logHTTPRequestObfuscate($req, $a, array('req'));
    $view .= '<p>Please check the ESAPI Auditor logfile for two INFO entries which log that request.  The second entry will contain the obfuscated "req" parameter.';
    $view .= '</p>';
    $tests['log'] .= ' - DONE';
    $tests['logo'] .= ' - DONE';
    session_destroy();
} else {
    $href = $util->addCSRFToken("{$uri}?req=test1");
    $view .= '<p>testcookie has been set with a value \'testcookieValue\'. now <a href="';
    $view .= $href;
    $view .= '">click me</a> to have it deleted. (Please ensure logging is on before you continue!)</p>';
    setcookie('testcookie', 'testcookieValue');
}
$view .= '<p>Under Test:</p>';

 /**
  * Validates the POST half of a double submit cookie against the COOKIE half
  * and both against string length and character set constraints.
  *
  * @param string $value The POST half of a double submit cookie from, for
  *                      example a hidden HTML form field.
  *
  * @return null
  */
 public function isValid($value)
 {
     $auditor = ESAPI::getAuditor('App_Validate_Token');
     $canonicalPostToken = ESAPI::getEncoder()->canonicalize($value, false);
     $this->_setValue($canonicalPostToken);
     $isValid = false;
     $v_len = new Zend_Validate_StringLength($this->_expectedLen, $this->_expectedLen);
     if ($v_len->isValid($canonicalPostToken) !== true) {
         $this->_error(self::POST_BAD_LENGTH);
         $auditor->warning(Auditor::SECURITY, false, $this->_messageTemplates[self::POST_BAD_LENGTH]);
         return false;
     }
     $v_regex = new Custom_Validate_Charset($this->_expectedCharset);
     if ($v_regex->isValid($canonicalPostToken) !== true) {
         $this->_error(self::POST_BAD_CHARSET);
         $auditor->warning(Auditor::SECURITY, false, $this->_messageTemplates[self::POST_BAD_CHARSET]);
         return false;
     }
     $controller = Zend_Controller_Front::getInstance();
     $req = $controller->getRequest();
     $cookieVal = $req->getCookie($this->_cookieName);
     $canonicalCookie = ESAPI::getEncoder()->canonicalize($cookieVal, false);
     if ($canonicalCookie === null) {
         $this->_error(self::MISSING_COOKIE);
         $auditor->warning(Auditor::SECURITY, false, $this->_messageTemplates[self::MISSING_COOKIE]);
         return false;
     }
     if ($v_len->isValid($canonicalCookie) !== true) {
         $this->_error(self::COOKIE_BAD_LENGTH);
         $auditor->warning(Auditor::SECURITY, false, $this->_messageTemplates[self::COOKIE_BAD_LENGTH]);
         return false;
     }
     if ($v_regex->isValid($canonicalCookie) !== true) {
         $this->_error(self::COOKIE_BAD_CHARSET);
         $auditor->warning(Auditor::SECURITY, false, $this->_messageTemplates[self::COOKIE_BAD_CHARSET]);
         return false;
     }
     $v_identical = new Zend_Validate_Identical($this->_value);
     if ($v_identical->isValid($canonicalCookie) !== true) {
         $this->_error(self::TOKENS_DIFFER);
         $auditor->warning(Auditor::SECURITY, false, $this->_messageTemplates[self::TOKENS_DIFFER]);
         return false;
     }
     return true;
 }

 /**
  * Encoder constructor.
  *
  * @param array $codecs An array of Codec instances which will be used for
  *                      canonicalization.
  *
  * @throws InvalidArgumentException
  *
  * @return does not return a value.
  */
 public function __construct($codecs = null)
 {
     $this->logger = ESAPI::getAuditor("Encoder");
     // initialise codecs
     $this->_base64Codec = new Base64Codec();
     $this->_cssCodec = new CSSCodec();
     $this->_htmlCodec = new HTMLEntityCodec();
     $this->_javascriptCodec = new JavaScriptCodec();
     $this->_percentCodec = new PercentCodec();
     $this->_vbscriptCodec = new VBScriptCodec();
     $this->_xmlCodec = new XMLEntityCodec();
     // initialise array of codecs for use by canonicalize
     if ($codecs === null) {
         array_push($this->_codecs, $this->_htmlCodec);
         array_push($this->_codecs, $this->_javascriptCodec);
         array_push($this->_codecs, $this->_percentCodec);
         // leaving css and vbs codecs out - they eat / and " chars respectively
         // array_push($this->_codecs,$this->_cssCodec);
         // array_push($this->_codecs,$this->_vbscriptCodec);
     } elseif (!is_array($codecs)) {
         throw new InvalidArgumentException('Expected the $codecs array parameter to be an array of instances of Codec.');
     } else {
         // check array contains only codec instances
         foreach ($codecs as $codec) {
             if ($codec instanceof Codec == false) {
                 throw new InvalidArgumentException('Expected every member of the $codecs array parameter to be an instance of Codec.');
             }
         }
         $this->_codecs = array_merge($this->_codecs, $codecs);
     }
 }

 /**
  * SafeRequest can be forced to use the supplied cookies, headers and server
  * globals by passing an array containing the following keys: 'cookies',
  * 'headers', 'env'.  The values for each of the keys should be an associative
  * array e.g. 'headers' => array('REQUEST_METHOD' => 'GET').
  * If any of the three options keys are not supplied then those elements will be
  * extracted from the actual request.
  * TODO accept a string like: 'GET / HTTP/1.1\r\nHost:example.com\r\n\r\n'
  * TODO accept GET and REQUEST parameters.
  *
  * @param NULL|array $options Array (optional) of HTTP Request elements.
  */
 public function __construct($options = null)
 {
     $codecs = array(new HTMLEntityCodec(), new PercentCodec());
     $this->_encoder = new DefaultEncoder($codecs);
     $this->_auditor = ESAPI::getAuditor('SafeRequest');
     $this->_validator = ESAPI::getValidator();
     if ($options !== null && is_array($options)) {
         if (array_key_exists('cookies', $options)) {
             $this->_cookies = $this->_validateCookies($options['cookies']);
         }
         if (array_key_exists('headers', $options)) {
             $this->_headers = $this->_validateHeaders($options['headers']);
         }
         if (array_key_exists('env', $options)) {
             $this->_serverGlobals = $this->_canonicalizeServerGlobals($options['env']);
         }
     }
 }