diff --git a/app/config.json b/app/config.json new file mode 100644 index 0000000..224b905 --- /dev/null +++ b/app/config.json @@ -0,0 +1,4 @@ +{ + "default_controller":"welcome", + "debug":true +} \ No newline at end of file diff --git a/app/core/Anvil.php b/app/core/Anvil.php new file mode 100755 index 0000000..5744247 --- /dev/null +++ b/app/core/Anvil.php @@ -0,0 +1,51 @@ +config = new Config(); + $this->helpers = new Helpers($this); + $this->request = new Request($this); + $this->response = new Response($this); + $this->security = new Security($this); + } + + /** + * Strike the Anvil! + */ + public function strike() { + ob_start(); + $uri_array = $this->request->uri_array; + $class_name = (!isset($uri_array[0]) || empty($uri_array[0])) + ? $this->config->item('default_controller') : array_shift($uri_array); + $start_token = $this->config->item('starting_token'); + while($start_token-- > 0) { array_shift($uri_array); } + $cc_name = ''; + if(!file_exists(APP_ROOT.'/controllers/'.$class_name.'_controller.php')) { + $class_name = $this->config->item('default_controller'); + } + $cc_name = $class_name.'_controller'; + $this->active_controller = $class_name; + // Ok, pull in the requested Controller + require_once(APP_ROOT.'/controllers/'.$cc_name.'.php'); + $c_class = new $cc_name($this); + $c_class->index(); + // The controller should take care of the rest. + + ob_end_flush(); + } +} diff --git a/app/core/Config.php b/app/core/Config.php new file mode 100755 index 0000000..d0128f1 --- /dev/null +++ b/app/core/Config.php @@ -0,0 +1,52 @@ +config_file = APP_ROOT.'/config.json'; + if(file_exists($this->config_file)) { + $cfg_raw = file_get_contents($this->config_file); + $this->_items = json_decode($cfg_raw, TRUE); + } + $this->_checkSetDefault('starting_token', 0); + $this->_checkSetDefault('charset', 'UTF-8'); + $this->_checkSetDefault('csrf_protection', TRUE); + $this->_checkSetDefault('global_models', array()); + $this->_checkSetDefault('global_libraries', array()); + } + + /** + * Checks to see if $this->_items[$key] is set, + * If not, sets it to $val + */ + private function _checkSetDefault($key, $val) { + if(!isset($this->_items[$key])) { + $this->_items[$key] = $val; + } + } + + public function item($key=NULL, $val=NULL) { + if(is_array($key)) { + foreach($key as $k => $v) { + $this->item($k, $v); + } + } + + if(isset($key)) { + if(isset($val)) { + // Setting + $this->_items[$key] = $val; + } + if(isset($this->_items[$key])) { + return $this->_items[$key]; + } + } + return FALSE; + } + + public function items() { + return $this->_items; + } +} diff --git a/app/core/Controller.php b/app/core/Controller.php old mode 100644 new mode 100755 index 9fe44b7..9d4c774 --- a/app/core/Controller.php +++ b/app/core/Controller.php @@ -1,7 +1,31 @@ anvil = $a; + } + + public function index() { + $func_name = $this->default_function; + if(isset($this->anvil->request->uri_array[0])) { + if($this->anvil->request->uri_array[0] == $this->anvil->active_controller) { + if(isset($this->anvil->request->uri_array[1])) { + $func_name = $this->anvil->request->uri_array[1]; + } + } else if(!empty($this->anvil->request->uri_array[0])) { + $func_name = $this->anvil->request->uri_array[0]; + } + } + if(method_exists($this, $func_name)) { + return $this->$func_name(); + } else { + header("HTTP/1.0 404 Not Found"); + echo "Page Not Found"; + exit; + } + } public function load_models($model=NULL) { $this->load_model($model); diff --git a/app/core/Helpers.php b/app/core/Helpers.php new file mode 100755 index 0000000..6580fe3 --- /dev/null +++ b/app/core/Helpers.php @@ -0,0 +1,49 @@ +html_escape($v); + } + } else { + return htmlspecialchars($var, ENT_QUOTES, $this->_anvil->config->item('charset')); + } + } +} diff --git a/app/core/Model.php b/app/core/Model.php old mode 100644 new mode 100755 diff --git a/app/core/Request.php b/app/core/Request.php new file mode 100755 index 0000000..d0f1f1a --- /dev/null +++ b/app/core/Request.php @@ -0,0 +1,156 @@ +_anvil = $a; + $this->createFromGlobals(); + } + + public function createFromGlobals() { + $this->type = strtoupper($_SERVER['REQUEST_METHOD']); + if($this->type == 'GET') { + $this->parameters = $_GET; + } else { + $this->parameters = $this->process_data(); + } + $this->cookie = $_COOKIE; + $this->files = $_FILES; + $this->server = $_SERVER; + $this->uri_array = $this->uriToArray(); + } + + /** Is this an HTTPS request? */ + public function isSecure() { + return !(!isset($this->server['HTTPS']) + || empty($this->server['HTTPS']) + || strtolower($this->server['HTTPS']) === 'off'); + } + + /** Pull the JSON Payload **/ + public function json() { + if(!self::$request_params) { + $payload = file_get_contents('php://input'); + if(is_array($payload)) { + self::$request_params = $payload; + } else if((substr($payload, 0, 1) == "{") + && (substr($payload, (strlen($payload)-1), 1) == "}")) { + self::$request_params = json_decode($payload); + } else { + parse_str($payload, self::$request_params); + } + } + return (object)self::$request_params; + } + + public function post($index=NULL, $xss_clean=FALSE) { + return $this->process_data($index, $xss_clean); + } + public function put($index=NULL, $xss_clean=FALSE) { + return $this->process_data($index, $xss_clean); + } + public function patch($index=NULL, $xss_clean=FALSE) { + return $this->process_data($index, $xss_clean); + } + public function delete($index=NULL, $xss_clean=FALSE) { + return $this->process_data($index, $xss_clean); + } + + public function process_data($index=NULL, $xss_clean=FALSE) { + $request_vars = (array)$this->json(); + if($index==NULL && !empty($request_vars)) { + $post = array(); + foreach(array_keys($request_vars) as $key) { + $post[$key] = $this->_fetch_from_array($request_vars, $key, $xss_clean); + } + return $post; + } + return $this->_fetch_from_array($request_vars, $index, $xss_clean); + } + + private function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE) { + if(!isset($array[$index])) { + return FALSE; + } + + if($xss_clean === TRUE) { + + } + return $array[$index]; + } + + public function setCookie($key, $val, $expire=0, $path='/', $domain=NULL, $secure=0) { + if($expire == 'never') { + // We can't do never... Set it to 10 years, should be good enough. + $expire = time()+60*60*24*365*10; + } + if(!isset($path) && ($this->_anvil->config->item('cookie_path') !== FALSE)) { + $path = $this->_anvil->config->item('cookie_path'); + } + if(!isset($domain)) { + if($this->_anvil->config->item('cookie_domain') !== FALSE) { + $domain = $this->_anvil->config->item('cookie_domain'); + } else { + $domain = $this->_anvil->request->server['HTTP_HOST']; + } + } + setcookie($key, $val, $expire, $path, $domain, $secure); + } + + public function clearCookie($key) { + $this->setCookie($key, '', time()-3600*24*365); + } + + /** + * URI Parsing Functions + */ + public function uriToArray($st = 0, $uri=NULL) { + $uri = (isset($uri)?$uri:$this->server['REQUEST_URI']); + if(substr($uri,0,10)=='/index.php') { + $uri = substr($uri,10); + } + $uri=substr($uri,1); + $uri_array = preg_split('^[\/\?]^', $uri); + $uri_array = array_slice($uri_array, $st); + return $uri_array; + } + + /** + * Parse URI into key=>value pairs + */ + public function uriToPairs($st = 0, $uri=NULL) { + $uri = (isset($uri)?$uri:$this->server['REQUEST_URI']); + $uri_array = $this->uriToArray($st, $uri); + $pair_array = array(); + $key = ''; + foreach($uri_array as $a_val) { + if(empty($key)) { + $key = $a_val; + } else { + $pair_array[$key] = $a_val; + $key = ''; + } + } + if(!empty($key)) { + $pair_array[$key] = ''; + } + return $pair_array; + } +} + + +?> diff --git a/app/core/Response.php b/app/core/Response.php new file mode 100644 index 0000000..ebb956e --- /dev/null +++ b/app/core/Response.php @@ -0,0 +1,16 @@ +_anvil = $a; + } + + public function redirect($url) { + header('Location: '.$url); + } +} + + +?> diff --git a/app/core/Security.php b/app/core/Security.php new file mode 100755 index 0000000..163d0bb --- /dev/null +++ b/app/core/Security.php @@ -0,0 +1,546 @@ + '[removed]', + 'document.write' => '[removed]', + '.parentNode' => '[removed]', + '.innerHTML' => '[removed]', + 'window.location' => '[removed]', + '-moz-binding' => '[removed]', + '' => '-->', + ' '<![CDATA[', + '' => '<comment>' + ); + + /* List of never allowed regex replacement */ + protected $_never_allowed_regex = array( + 'javascript\s*:', + 'expression\s*(\(|&\#40;)', // CSS and IE + 'vbscript\s*:', // IE, surprise! + 'Redirect\s+302', + "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?,[^\\1]*?\\1?" + ); + + protected $_anvil; + /* Constructor */ + public function __construct($a) { + $this->_anvil = $a; + // Is CSRF protection enabled? + if($this->_anvil->config->item('csrf_protection')===TRUE) { + // Set the CSRF hash + $this->_csrf_set_hash(); + } + // Security class initialized + } + + /** + * Verify CSRF Protection + */ + public function csrf_verify() { + // If it's not a POST request we will set the CSRF cookie + if($this->_anvil->request->type !== 'POST') { + return $this->csrf_set_cookie(); + } + + // Do the tokens exist in both the POST params and COOKIE array? + if(isset($this->_anvil->request->parameters[$this->_csrf_token_name], + $this->_anvil->cookie[$this->_csrf_cookie_name])) { + $this->csrf_show_error(); + } + + // Do the tokens match? + if($this->_anvil->request->parameters[$this->_csrf_token_name] != + $this->_anvil->request->cookie[$this->_csrf_cookie_name]) { + $this->csrf_show_error(); + } + + // We kill this since we're done and we don't want to polute the POST array + unset($this->_anvil->request->parameters[$this->_csrf_token_name]); + + // None of these things should last forever + unset($this->_anvil->request->cookie[$this->_csrf_cookie_name]); + $this->_csrf_set_hash(); + $this->csrf_set_cookie(); + + return $this; + } + + /** Set CSRF Protection Cookie */ + public function csrf_set_cookie() { + $expire = time() + $this->_csrf_expire; + $secure_cookie = ($this->_anvil->config->item('cookie_secure') === TRUE ? 1 : 0); + if($secure_cookie && !$this->_anvil->request->isSecure()) { + return FALSE; + } + + $this->_anvil->request->setCookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, NULL, NULL, $secure_cookie); + return $this; + } + + /* Get CSRF Hash */ + public function get_csrf_hash() { + return $this->_csrf_hash; + } + + /* Get CSRF Token Name */ + public function get_csrf_token_name() { + return $this->_csrf_token_name; + } + + /** + * XSS Clean + * Sanitizes data so that CSS hacks can be prevented. + * This function does a fair amount of work but it is + * extremely thorough, designed to prevent even the + * most obscure XSS attempts. Nothing is ever 100% + * foolproof, of course, but I haven't been able to + * get anything passed the filter. + * + * Note: This function should only be used to deal + * with data upon submission. It's not something that + * should be used for general runtime processing. + * + * @param mixed string or array + * @param bool + * @return string + */ + public function xss_clean($str, $is_image = FALSE) { + /* Is the string an array? */ + if(is_array($str)) { + while(list($key) = each($str)) { + $str[$key] = $this->xss_clean($str[$key]); + } + return $str; + } + + /* Remove Invisible Characters */ + $str = remove_invisible_characters($str); + + /* Validate Entities in URLs */ + $str = $this->_validate_entities($str); + + /* URL Decode + * Note: Use rawurldecode() so it does not remove plus signs + */ + $str = rawurldecode($str); + + /* Convert character entities to ASCII + * This permits our tests below to work reliably + * We only convert entities that are within tags since + * these are the ones that will pose security problems + */ + $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); + $str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_decode_entity'), $str); + + /* Remove Invisible Characters AGAIN! */ + $str = remove_invisible_characters($str); + + /* Convert all tabs to spaces + * This prevents strings like this: ja vascript + * NOTE: we deal with spaces between characters later. + * NOTE: preg_replace was found to be amazingly slow here on + * large blocks of data, so we use str_replace. + */ + if(strpos($str, "\t") !== FALSE) { + $str = str_replace("\t", ' ', $str); + } + + /* Capture converted string for later comparison */ + $converted_string = $str; + + /* Remove Strings that are never allowed */ + $str = $this->_do_never_allowed($str); + + /* Makes PHP tags safe + * Note: XML tags are inadvertently replaced too: + * '), array('<?', '?>'), $str); + } + + /* Compact any exploded words + * This corrects words like: j a v a s c r i p t + * These words are compacted back to their correct state. + */ + $words = array( + 'javascript', 'expression', 'vbscript', 'script', 'base64', + 'applet', 'alert', 'document', 'write', 'cookie', 'window' + ); + + foreach($words as $word) { + $temp = ''; + for($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++) { + $temp .= substr($word, $i, 1)."\s*"; + } + + // We only want to do this when it is followed by a non-word character + // That way valid stuff like "dealer to" does not become "dealerto" + $str = preg_replace_callback('#('.substr($temp, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str); + } + + /* Remove disallowed Javascript in links or img tags */ + do { + $original = $str; + if(preg_match("/]*?)(>|$)#si", array($this, '_js_link_removal'), $str); + } + if(preg_match("/]*?)(\s?/?\>|$)#si", array($this, '_js_img_removal'), $str); + } + if(preg_match("/script/i", $str) || preg_match("/xss/i", $str)) { + $str = preg_replace("#<(/*)(script|xss)(.*?)\>#si", '[removed]', $str); + } + } while($original != $str); + unset($original); + + // Remove evil attributes such as style, onclick and xmlns + $str = $this->_remove_evil_attributes($str, $is_image); + + /* Sanitize naughty HTML elements + * If a tag containing any of the words in the list + * below is found, the tag gets converted to entities. + * so this: + * becoms: <blink> + */ + $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss'; + $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str); + + /* Sanitize naughty scripting elements + * Similar to above, only instead of looking for + * tags it looks for PHP and JavaScript commands + * that are disallowed. Rather than removing the + * code, it simply converts the parenthesis to + * entities rendering the code un-executable. + * so this: eval('some code') + * becomes: eval('some code') + */ + $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2(\\3)", $str); + + /* Final clean up + * This adds a bit of extra precaution in case + * something got through the above filters + */ + $str = $this->_do_never_allowed($str); + + /* Images are handled in a special way + * - Essentially, we want to know that after all of the character + * conversion is done whether any unwanted, likely XSS, code was found. + * If not, we return TRUE, as the image is clean. + * However, if the string post-conversion does not match the + * string post-removal of XSS, then it fails, as there was unwanted XSS + * code found and removed/changed during processing + */ + if($is_image === TRUE) { + return ($str == $converted_string)?TRUE:FALSE; + } + + return $str; + } + + /** + * Random Hash for protecting URLs + * @return string + */ + public function xss_hash() { + if($this->_xss_hash == '') { + mt_srand(); + $this->_xss_hash = md5(time() + mt_rand(0, 1999999999)); + } + return $this->_xss_hash; + } + + /** + * HTML Entities Decode + * This function is a replacement for html_entity_decode() + * The reason we are not using html_entity_decode() by itself is + * because while it is not technically correct to leave out the + * semicolon at the end of an entity most browsers will still interpret + * the entity correctly. html_entity_decode() does not convert entities + * without semicolons, so we are left with our own little solution here. + * + * @param string + * @param string + * @return string + */ + public function entity_decode($str, $charset='UTF-8') { + if(stristr($str, '&') === FALSE) { + return $str; + } + $str = html_entity_decode($str, ENT_COMPAT, $charset); + $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str); + return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str); + } + + /** + * Filename Security + * + * @param string + * @param bool + * @return string + */ + public function sanitize_filename($str, $relative_path = FALSE) { + $bad = array( "../", "", "<", + ">", "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', ';', + '?', "%20", "%22", "%3c", "%253c", + "%3e", "%0e", "%28", "%29", "%2528", + "%26", "%24", "%3f", "%3b", "%3d" + ); + + if(!$relateive_path) { + $bad[] = './'; + $bad[] = '/'; + } + $str = remove_invisible_characters($str, FALSE); + return stripslashes(str_replace($bad, '', $str)); + } + + /** + * Compact Exploded Words + * Callback function for xss_clean() to remove whitespace from + * things like j a v a s c r i p t + * + * @param type + * @return type + */ + protected function _compact_exploded_words($matches) { + return preg_replace('/\s+/s', '', $matches[1]).$matches[2]; + } + + /** + * Remove Evil HTML Attributes (like eventhandlers and style) + * Removes the evil attribute and either: + * - Everything up until a space + * For example, everything between the pipes: + * + * - Everything inside the quotes + * For example, everything between the pipes: + * + * + * @param string $str The string to check + * @param boolean $is_image TRUE if this is an image + * @return string The string with the evil attributes removed + */ + protected function _remove_evil_attributes($str, $is_image) { + // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns + $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction'); + if($is_image===TRUE) { + /* Adobe Photoshop puts XML metadata into JFIF images, + * including namespacing, so we have to allow this for images. + */ + unset($evil_attributes[array_search('xmlns', $evil_attributes)]); + } + do { + $count = 0; + $attribs = array(); + // Find occurrences of illegal attribute string with quotes (042 and 047 are octal quotes) +preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); + + foreach ($matches as $attr) { + $attribs[] = preg_quote($attr[0], '/'); + } + + // find occurrences of illegal attribute strings without quotes + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER); + + foreach ($matches as $attr) { + $attribs[] = preg_quote($attr[0], '/'); + } + + // replace illegal attribute strings that are inside an html tag + if (count($attribs) > 0) { + $str = preg_replace('/(<]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><]?)([><]*)/i', '$1$2 $4$6$7$8', $str, -1, $count); + } + } while($count); + + return $str; + } + + /** + * Sanitize Naughty HTML + * Callback function for xss_clean() to remove naughty HTML elements + * + * @param array + * @return string + */ + protected function _sanitize_naughty_html($matches) { + // encode opening brace + $str = '<'.$matches[1].$matches[2].$matches[3]; + + // encode captured opening or closing brace to prevent recursive vectors + $str .= str_replace(array('>', '<'), array('>', '<'), + $matches[4]); + return $str; + } + + /** + * JS Link Removal + * Callback function for xss_clean() to sanitize links + * This limits the PCRE backtracks, making it more performance friendly + * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in + * PHP 5.2+ on link-heavy strings + * + * @param array + * @return string + */ + protected function _js_link_removal($match) { + return str_replace( + $match[1], + preg_replace( + '#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) + ), + $match[0] + ); + } + + /** + * JS Image Removal + * Callback function for xss_clean() to sanitize image tags + * This limits the PCRE backtracks, making it more performance friendly + * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in + * PHP 5.2+ on image tag heavy strings + * + * @param array + * @return string + */ + protected function _js_img_removal($match) { + return str_replace( + $match[1], + preg_replace( + '#src=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) + ), + $match[0] + ); + } + + /** + * Attribute Conversion + * Used as a callback for XSS Clean + * + * @param array + * @return string + */ + protected function _convert_attribute($match) { + return str_replace(array('>', '<', '\\'), array('>', '<', '\\\\'), $match[0]); + } + + /** + * Filter Attributes + * Filters tag attributes for consistency and safety + * + * @param string + * @return string + */ + protected function _filter_attributes($str) { + $out = ''; + + if (preg_match_all('#\s*[a-z\-]+\s*=\s*(\042|\047)([^\\1]*?)\\1#is', $str, $matches)) { + foreach ($matches[0] as $match) { + $out .= preg_replace("#/\*.*?\*/#s", '', $match); + } + } + + return $out; + } + + /** + * HTML Entity Decode Callback + * Used as a callback for XSS Clean + * + * @param array + * @return string + */ + protected function _decode_entity($match) { + return $this->entity_decode($match[0], strtoupper(config_item('charset'))); + } + + /** + * Validate URL entities + * Called by xss_clean() + * + * @param string + * @return string + */ + protected function _validate_entities($str) { + /* Protect GET variables in URLs */ + // 901119URL5918AMP18930PROTECT8198 + $str = preg_replace('|\&([a-z\_0-9\-]+)\=([a-z\_0-9\-]+)|i', $this->xss_hash()."\\1=\\2", $str); + /* Validate standard character entities + * Add a semicolon if missing. We do this to enable + * the conversion of entities to ASCII later. + */ + $str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', "\\1;\\2", $str); + /* Validate UTF16 two byte encoding (x00) + * Just as above, adds a semicolon if missing. + */ + $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str); + /* Un-Protect GET variables in URLs */ + $str = str_replace($this->xss_hash(), '&', $str); + + return $str; + } + + /** + * Do Never Allowed + * A utility function for xss_clean() + * + * @param string + * @return string + */ + protected function _do_never_allowed($str) { + $str = str_replace(array_keys($this->_never_allowed_str), $this->_never_allowed_str, $str); + foreach ($this->_never_allowed_regex as $regex) { + $str = preg_replace('#'.$regex.'#is', '[removed]', $str); + } + return $str; + } + + /** + * Set Cross Site Request Forgery Protection Cookie + * + * @return string + */ + protected function _csrf_set_hash() { + if ($this->_csrf_hash == '') { + // If the cookie exists we will use it's value. + // We don't necessarily want to regenerate it with + // each page load since a page could contain embedded + // sub-pages causing this feature to fail + if (isset($_COOKIE[$this->_csrf_cookie_name]) && + preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->_csrf_cookie_name]) === 1) { + return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name]; + } + + return $this->_csrf_hash = md5(uniqid(rand(), TRUE)); + } + return $this->_csrf_hash; + } +} \ No newline at end of file diff --git a/app/core/index.php b/app/core/index.php old mode 100644 new mode 100755 diff --git a/app/core/uri_library.php b/app/core/uri_library.php old mode 100644 new mode 100755 diff --git a/index.php b/index.php deleted file mode 100644 index 77eabe6..0000000 --- a/index.php +++ /dev/null @@ -1,58 +0,0 @@ -getFullArray(); - -$class_name = (!isset($uri_array[0]) || empty($uri_array[0]))?$default_controller:array_shift($uri_array); - -while($starting_token-- > 0) { array_shift($uri_array); } -// Check if $uri->getItem(0) is a controller -if(file_exists(APP_ROOT.'/controllers/'.$class_name.'_controller.php')) { - // File exists, set the cc_name and pop the uri_array - $cc_name = $class_name."_controller"; -} else { - // Not a valid controller, so 404d! - header("HTTP/1.0 404 Not Found"); - echo "Page Not Found"; - exit; -// $cc_name = $default_controller."_controller"; -} -// Pull in the requested Controller -require_once(APP_ROOT.'/controllers/'.$cc_name.'.php'); - -$c_class = new $cc_name; -// Were we provided a method? -$c_func = (!isset($uri_array[0]) || empty($uri_array[0]))?"index":array_shift($uri_array); -if($c_func!==false && method_exists($c_class, $c_func)) { - call_user_func_array(array($c_class, $c_func), $uri_array); -} else { - // Nope, hit the controller's index - if(method_exists($c_class, 'index')) { - call_user_func_array(array($c_class, "index"), $uri_array); - } -} - -// Flush the buffer -ob_end_flush(); - -?> diff --git a/public/index.php b/public/index.php new file mode 100644 index 0000000..0113272 --- /dev/null +++ b/public/index.php @@ -0,0 +1,10 @@ +strike(); + +return;