diff options
| author | Andrey Andreev <narf@devilix.net> | 2014-01-08 17:32:05 +0100 |
|---|---|---|
| committer | Andrey Andreev <narf@devilix.net> | 2014-01-08 17:32:05 +0100 |
| commit | bfb635b276d880336db795f1a603de66ccfc80f6 (patch) | |
| tree | 1f1edf4376188523c79ff9e5084492b6af713923 | |
| parent | 80a16b1cd0d4716b5ea41497685a8fac02e34333 (diff) | |
Make newline standardization configurable
Added ['standardize_newlines']
Also altered the Session cookie driver, which experienced issues with this
feature due to it's HMAC verification failing after the Input class alters
newlines in non-encrypted session cookies.
Supersedes PR #2470
| -rw-r--r-- | application/config/config.php | 14 | ||||
| -rw-r--r-- | system/core/Input.php | 9 | ||||
| -rw-r--r-- | system/libraries/Session/drivers/Session_cookie.php | 25 | ||||
| -rw-r--r-- | user_guide_src/source/changelog.rst | 1 | ||||
| -rw-r--r-- | user_guide_src/source/libraries/input.rst | 3 |
5 files changed, 46 insertions, 6 deletions
diff --git a/application/config/config.php b/application/config/config.php index 8d08a7401..cd2ca479b 100644 --- a/application/config/config.php +++ b/application/config/config.php @@ -327,6 +327,20 @@ $config['cookie_httponly'] = FALSE; /* |-------------------------------------------------------------------------- +| Standardize newlines +|-------------------------------------------------------------------------- +| +| Determines whether to standardize newline characters in input data, +| meaning to replace \r\n, \r, \n occurences with the PHP_EOL value. +| +| This is particularly useful for portability between UNIX-based OSes, +| (usually \n) and Windows (\r\n). +| +*/ +$config['standardize_newlines'] = TRUE; + +/* +|-------------------------------------------------------------------------- | Global XSS Filtering |-------------------------------------------------------------------------- | diff --git a/system/core/Input.php b/system/core/Input.php index f5123fa5b..ccb70daec 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -63,7 +63,7 @@ class CI_Input { protected $_allow_get_array = TRUE; /** - * Standartize new lines flag + * Standardize new lines flag * * If set to TRUE, then newlines are standardized. * @@ -121,9 +121,10 @@ class CI_Input { { log_message('debug', 'Input Class Initialized'); - $this->_allow_get_array = (config_item('allow_get_array') === TRUE); - $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); - $this->_enable_csrf = (config_item('csrf_protection') === TRUE); + $this->_allow_get_array = (config_item('allow_get_array') === TRUE); + $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); + $this->_enable_csrf = (config_item('csrf_protection') === TRUE); + $this->_sandardize_newlines = (bool) config_item('standardize_newlines'); global $SEC; $this->security =& $SEC; diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index dc75d8e8e..65debcb44 100644 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php @@ -165,6 +165,8 @@ class CI_Session_cookie extends CI_Session_driver { */ public $now; + // ------------------------------------------------------------------------ + /** * Default userdata keys * @@ -185,6 +187,15 @@ class CI_Session_cookie extends CI_Session_driver { protected $data_dirty = FALSE; /** + * Standardize newlines flag + * + * @var bool + */ + protected $_standardize_newlines; + + // ------------------------------------------------------------------------ + + /** * Initialize session driver object * * @return void @@ -209,9 +220,11 @@ class CI_Session_cookie extends CI_Session_driver { 'sess_time_to_update', 'time_reference', 'cookie_prefix', - 'encryption_key' + 'encryption_key', ); + $this->_standardize_newlines = (bool) $config['standardize_newlines']; + foreach ($prefs as $key) { $this->$key = isset($this->_parent->params[$key]) @@ -695,6 +708,16 @@ class CI_Session_cookie extends CI_Session_driver { ? array_intersect_key($this->userdata, $this->defaults) : $this->userdata; + // The Input class will do this and since we use HMAC verification, + // unless we standardize here as well, the hash won't match. + if ($this->_standardize_newlines) + { + foreach (array_keys($this->userdata) as $key) + { + $this->userdata[$key] = preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $this->userdata[$key]); + } + } + // Serialize the userdata for the cookie $cookie_data = serialize($cookie_data); diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 85cd60293..906c303a4 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -58,6 +58,7 @@ Release Date: Not Released - Added support non-HTML error templates for CLI applications. - Added availability checks where usage of dangerous functions like ``eval()`` and ``exec()`` is required. - Added support for changing the file extension of log files using ``$config['log_file_extension']``. + - Added support for turning newline standardization on/off via ``$config['standardize_newlines']``. - Helpers diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst index b58ed2f0d..72746c147 100644 --- a/user_guide_src/source/libraries/input.rst +++ b/user_guide_src/source/libraries/input.rst @@ -25,7 +25,8 @@ following: (and a few other) characters. - Provides XSS (Cross-site Scripting Hacks) filtering. This can be enabled globally, or upon request. -- Standardizes newline characters to \\n(In Windows \\r\\n) +- Standardizes newline characters to ``PHP_EOL`` (\\n in UNIX-based OSes, + \\r\\n under Windows). This is configurable. XSS Filtering ============= |