
Class: IsterHttpSecurityPolicy

Source Location: /IsterHttpSecurityPolicy.php

Class Overview

IsterObject
   |
   --IsterHttpSecurityPolicy

Class representing a security policy to apply to http request data.


Author(s): Ingo Schramm   

Copyright: Copyright (c) 2005 Ister.ORG Ingo Schramm

Methods


Inherited Constants

Inherited Variables

Inherited Methods

Class: IsterObject

IsterObject::IsterObject()
Constructor
IsterObject::abstractMethodError()
Report attempt to call an abstract method.
IsterObject::addLogger()
Add an IsterLogger to process log messages.
IsterObject::deleteLogger()
Delete an already registered IsterLogger.
IsterObject::getLoggerNames()
Fetch the names of all currently registered IsterLoggers.
IsterObject::getMem()
Return maximum amount of memory an application has allocated at this point.
IsterObject::log()
Trigger a log message.
IsterObject::passPHPmessage()
Catch PHP E_WARNING and E_NOTICE messages.
IsterObject::serialize()
Serialize the object.
IsterObject::setLogLocal()
Set logging local for the current object.
IsterObject::setupLogger()
Setup a logger.
IsterObject::triggerError()
Alias for log();
IsterObject::unserialize()
Unserialize the object.
IsterObject::__sleep()
Executed prior to serialize().
IsterObject::__wakeup()
Executed prior to unserialize().

Class Details

Class representing a security policy to apply to http request data.

copyright:  Copyright (c) 2005 Ister.ORG Ingo Schramm
author:  Ingo Schramm




Class Methods


constructor IsterHttpSecurityPolicy

IsterHttpSecurityPolicy IsterHttpSecurityPolicy( object IsterHttpRequest &$owner, [mixed $defaultaction = 0])

Constructor

Parameters:

object IsterHttpRequest   &$owner   An IsterHttpSecureObject or a subclass, passed by reference.


method addConstraint

boolean addConstraint( integer $type, string $name, string $value, [integer $action = 0], [string $default = ''])

Add a new constraint to the security policy.

Constraints are checked for each variable in the order of their definition. If a constraint is violated, the specified action is applied to the variable. If the action is to discard the variable, all further checks on that variable are skipped.

Valid constraint types are:

  • HTTPSP_T_EXISTS - check whether the request variable is set at all; with $value=true the action is taken if the variable exists, with $value=false the action is taken if it does not
  • HTTPSP_T_EQUAL - string comparison, pass if strings are equal
  • HTTPSP_T_REGEXOK - regular expression comparison, pass if regex matches
  • HTTPSP_T_REGEXFAIL - regular expression comparison, reject if regex matches
  • HTTPSP_T_LEN_MAX - pass if strlen($name) is less than or equal to $value
  • HTTPSP_T_LEN_MIN - pass if strlen($name) is at least $value
  • HTTPSP_T_LEN_EQU - pass if strlen($name) equals $value
  • HTTPSP_T_NUM_MIN - pass if (number) $name is at least $value
  • HTTPSP_T_NUM_MAX - pass if (number) $name is less than or equal to $value
  • HTTPSP_T_NUM_EQU - pass if (number) $name equals $value
  • HTTPSP_T_SQL_NJC - experimental: check for possible SQL injection; this will warn immediately if SQL keywords are found ($value is not used)

Valid actions are:

  • HTTPSP_A_PASS - let the data pass (use with care!)
  • HTTPSP_A_WARN - trigger a warning
  • HTTPSP_A_EXIT - trigger a fatal error and exit
  • HTTPSP_A_DISCARD - discard the broken variable and trigger a warning
  • HTTPSP_A_RESET - reset the variable to the default value and trigger a warning
  • HTTPSP_A_STRIPTAGS - keep the variable but strip tags (prevent XSS); you may use $default to define a list of allowed tags (see PHP strip_tags() function)
  • HTTPSP_A_FILTER - apply a regular expression as a filter; everything matching the perl compatible regular expression $default will be replaced by the empty string
  • HTTPSP_A_MARK - mark the current field; useful for checks of consistency

The default action is to discard broken variables.

Note: Warnings will be thrown with an additional context of the form 'SECURITY:IsterHttpSecurityPolicy:<classname of owner>:<num of constraint type>'.


Parameters:

integer   $type   The type of the constraint.
string   $name   The name of a request variable to check.
string   $value   The value of the constraint.
integer   $action   The action to apply if the constraint is violated.
string   $default   The default value of the request variable.


method apply

boolean apply( [boolean $strict = true])

Apply the policy to the owner object.

If the default action of the IsterHttpSecurityPolicy is not HTTPSP_A_PASS, each parameter with no assigned constraint is deleted silently from the owner object. This is the default behavior.


Parameters:

boolean   $strict  
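The following script is an added illustration and not code from the Ister library: it re-implements, in plain PHP, the constraint-evaluation rules documented for addConstraint() and apply() above, so that the definition-order evaluation, the skipping of further checks after a discard, the per-action effects and the silent deletion of unconstrained parameters can be run offline against a constructed request. Everything specific to it is an assumption: the class name DemoPolicy, the numeric values of the HTTPSP_* constants, the treatment of a missing variable as passing every non-EXISTS constraint, tying the silent deletion of unconstrained parameters to $strict, the "DemoRequest" owner name in the warning context, and the sample request array. HTTPSP_A_EXIT and HTTPSP_T_SQL_NJC are not modelled.

```php
<?php
// Added illustration, not the Ister library's own code. All constant values are assumed.
const HTTPSP_T_EXISTS = 1;    const HTTPSP_T_EQUAL = 2;   const HTTPSP_T_REGEXOK = 3;
const HTTPSP_T_REGEXFAIL = 4; const HTTPSP_T_LEN_MAX = 5; const HTTPSP_T_LEN_MIN = 6;
const HTTPSP_T_LEN_EQU = 7;   const HTTPSP_T_NUM_MIN = 8; const HTTPSP_T_NUM_MAX = 9;
const HTTPSP_T_NUM_EQU = 10;
// 0 is left free to mean "use the policy's default action" (cf. addConstraint's $action = 0).
const HTTPSP_A_PASS = 1;  const HTTPSP_A_WARN = 2;      const HTTPSP_A_DISCARD = 3;
const HTTPSP_A_RESET = 4; const HTTPSP_A_STRIPTAGS = 5; const HTTPSP_A_FILTER = 6;
const HTTPSP_A_MARK = 7;

final class DemoPolicy // hypothetical stand-in for IsterHttpSecurityPolicy
{
    private array $constraints = [];
    private array $marked = [];
    private array $warnings = [];
    private int $numFailed = 0;

    // $request plays the role of the owner IsterHttpRequest's parameter array.
    public function __construct(private array $request, private int $defaultAction = HTTPSP_A_DISCARD) {}

    public function addConstraint(int $type, string $name, string $value, int $action = 0, string $default = ''): bool
    {
        $action = $action === 0 ? $this->defaultAction : $action;
        $this->constraints[] = compact('type', 'name', 'value', 'action', 'default');
        return true;
    }

    // True when the variable satisfies the constraint, false when the action must be taken.
    private function passes(int $type, string $name, string $value): bool
    {
        $exists = array_key_exists($name, $this->request);
        $v = $exists ? (string) $this->request[$name] : '';
        switch ($type) {
            case HTTPSP_T_EXISTS:    return $exists !== filter_var($value, FILTER_VALIDATE_BOOLEAN);
            case HTTPSP_T_EQUAL:     return $v === $value;
            case HTTPSP_T_REGEXOK:   return preg_match($value, $v) === 1;
            case HTTPSP_T_REGEXFAIL: return preg_match($value, $v) !== 1;
            case HTTPSP_T_LEN_MAX:   return strlen($v) <= (int) $value;
            case HTTPSP_T_LEN_MIN:   return strlen($v) >= (int) $value;
            case HTTPSP_T_LEN_EQU:   return strlen($v) === (int) $value;
            case HTTPSP_T_NUM_MIN:   return is_numeric($v) && (float) $v >= (float) $value;
            case HTTPSP_T_NUM_MAX:   return is_numeric($v) && (float) $v <= (float) $value;
            case HTTPSP_T_NUM_EQU:   return is_numeric($v) && (float) $v == (float) $value;
        }
        return false; // unknown type: treat as violated
    }

    public function apply(bool $strict = true): array
    {
        $discarded = [];
        foreach ($this->constraints as $c) {           // checked in definition order
            $name = $c['name'];
            if (isset($discarded[$name])) {
                continue;                               // discarded: further checks are skipped
            }
            // Assumption: an absent variable only fails EXISTS-type constraints.
            if ($c['type'] !== HTTPSP_T_EXISTS && !array_key_exists($name, $this->request)) {
                continue;
            }
            if ($this->passes($c['type'], $name, $c['value'])) {
                continue;
            }
            $this->numFailed++;
            $context = "SECURITY:IsterHttpSecurityPolicy:DemoRequest:{$c['type']}";
            switch ($c['action']) {
                case HTTPSP_A_WARN:      $this->warnings[] = $context; break;
                case HTTPSP_A_DISCARD:   unset($this->request[$name]); $discarded[$name] = true;
                                         $this->warnings[] = $context; break;
                case HTTPSP_A_RESET:     $this->request[$name] = $c['default']; $this->warnings[] = $context; break;
                case HTTPSP_A_STRIPTAGS: $this->request[$name] = strip_tags($this->request[$name], $c['default']); break;
                case HTTPSP_A_FILTER:    $this->request[$name] = preg_replace($c['default'], '', $this->request[$name]); break;
                case HTTPSP_A_MARK:      $this->marked[] = $name; break;
                case HTTPSP_A_PASS: default: break;
            }
        }
        // Assumption: $strict drives the documented silent deletion of unconstrained parameters.
        if ($strict && $this->defaultAction !== HTTPSP_A_PASS) {
            $constrained = array_column($this->constraints, 'name');
            $this->request = array_intersect_key($this->request, array_flip($constrained));
        }
        return $this->request;
    }

    public function getMarked(): array   { return $this->marked; }
    public function getNumFailed(): int  { return $this->numFailed; }
    public function getWarnings(): array { return $this->warnings; }
}

// Constructed sample request standing in for $_GET; not captured traffic.
$policy = new DemoPolicy(['id' => '4242', 'user' => 'alice<b>hi</b>', 'page' => '-3', 'debug' => '1']);
$policy->addConstraint(HTTPSP_T_EXISTS,    'id',   'false', HTTPSP_A_WARN);           // warn if id is missing
$policy->addConstraint(HTTPSP_T_NUM_MAX,   'id',   '1000');                           // default action: discard
$policy->addConstraint(HTTPSP_T_LEN_MAX,   'id',   '2',     HTTPSP_A_WARN);           // never reached once id is discarded
$policy->addConstraint(HTTPSP_T_REGEXFAIL, 'user', '/<[^>]*>/', HTTPSP_A_STRIPTAGS);  // keep the value but strip tags
$policy->addConstraint(HTTPSP_T_NUM_MIN,   'page', '1',     HTTPSP_A_RESET, '1');     // reset to the default value
$policy->addConstraint(HTTPSP_T_EQUAL,     'user', 'admin', HTTPSP_A_MARK);           // mark non-admin users for later checks

print_r($policy->apply());
print_r($policy->getWarnings());
print_r($policy->getMarked());
echo $policy->getNumFailed(), "\n";
```

Running it shows the documented behaviour end to end: id exceeds the numeric maximum and is discarded under the default action, so its later length check never executes; the tags in user are stripped rather than the value being dropped; page is reset to its default; user is marked because it is not "admin"; and debug, which has no constraint, disappears silently because the default action is not HTTPSP_A_PASS. Each failed constraint increments the counter returned by getNumFailed(), and the warnings carry the SECURITY:IsterHttpSecurityPolicy:<owner>:<type> context described above.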


method getMarked

array getMarked( )

Get an array whose values are the names of all marked request parameters.


method getNumFailed

integer getNumFailed( )

Get number of violated constraints.



Documentation generated on Tue, 20 Dec 2005 11:20:52 +0100 by phpDocumentor 1.3.0RC4