summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2014-01-08 17:32:05 +0100
committerAndrey Andreev <narf@devilix.net>2014-01-08 17:32:05 +0100
commitbfb635b276d880336db795f1a603de66ccfc80f6 (patch)
tree1f1edf4376188523c79ff9e5084492b6af713923
parent80a16b1cd0d4716b5ea41497685a8fac02e34333 (diff)
Make newline standardization configurable
Added ['standardize_newlines'] Also altered the Session cookie driver, which experienced issues with this feature due to it's HMAC verification failing after the Input class alters newlines in non-encrypted session cookies. Supersedes PR #2470
-rw-r--r--application/config/config.php14
-rw-r--r--system/core/Input.php9
-rw-r--r--system/libraries/Session/drivers/Session_cookie.php25
-rw-r--r--user_guide_src/source/changelog.rst1
-rw-r--r--user_guide_src/source/libraries/input.rst3
5 files changed, 46 insertions, 6 deletions
diff --git a/application/config/config.php b/application/config/config.php
index 8d08a7401..cd2ca479b 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -327,6 +327,20 @@ $config['cookie_httponly'] = FALSE;
/*
|--------------------------------------------------------------------------
+| Standardize newlines
+|--------------------------------------------------------------------------
+|
+| Determines whether to standardize newline characters in input data,
+| meaning to replace \r\n, \r, \n occurences with the PHP_EOL value.
+|
+| This is particularly useful for portability between UNIX-based OSes,
+| (usually \n) and Windows (\r\n).
+|
+*/
+$config['standardize_newlines'] = TRUE;
+
+/*
+|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
diff --git a/system/core/Input.php b/system/core/Input.php
index f5123fa5b..ccb70daec 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -63,7 +63,7 @@ class CI_Input {
protected $_allow_get_array = TRUE;
/**
- * Standartize new lines flag
+ * Standardize new lines flag
*
* If set to TRUE, then newlines are standardized.
*
@@ -121,9 +121,10 @@ class CI_Input {
{
log_message('debug', 'Input Class Initialized');
- $this->_allow_get_array = (config_item('allow_get_array') === TRUE);
- $this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
- $this->_enable_csrf = (config_item('csrf_protection') === TRUE);
+ $this->_allow_get_array = (config_item('allow_get_array') === TRUE);
+ $this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
+ $this->_enable_csrf = (config_item('csrf_protection') === TRUE);
+ $this->_sandardize_newlines = (bool) config_item('standardize_newlines');
global $SEC;
$this->security =& $SEC;
diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php
index dc75d8e8e..65debcb44 100644
--- a/system/libraries/Session/drivers/Session_cookie.php
+++ b/system/libraries/Session/drivers/Session_cookie.php
@@ -165,6 +165,8 @@ class CI_Session_cookie extends CI_Session_driver {
*/
public $now;
+ // ------------------------------------------------------------------------
+
/**
* Default userdata keys
*
@@ -185,6 +187,15 @@ class CI_Session_cookie extends CI_Session_driver {
protected $data_dirty = FALSE;
/**
+ * Standardize newlines flag
+ *
+ * @var bool
+ */
+ protected $_standardize_newlines;
+
+ // ------------------------------------------------------------------------
+
+ /**
* Initialize session driver object
*
* @return void
@@ -209,9 +220,11 @@ class CI_Session_cookie extends CI_Session_driver {
'sess_time_to_update',
'time_reference',
'cookie_prefix',
- 'encryption_key'
+ 'encryption_key',
);
+ $this->_standardize_newlines = (bool) $config['standardize_newlines'];
+
foreach ($prefs as $key)
{
$this->$key = isset($this->_parent->params[$key])
@@ -695,6 +708,16 @@ class CI_Session_cookie extends CI_Session_driver {
? array_intersect_key($this->userdata, $this->defaults)
: $this->userdata;
+ // The Input class will do this and since we use HMAC verification,
+ // unless we standardize here as well, the hash won't match.
+ if ($this->_standardize_newlines)
+ {
+ foreach (array_keys($this->userdata) as $key)
+ {
+ $this->userdata[$key] = preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $this->userdata[$key]);
+ }
+ }
+
// Serialize the userdata for the cookie
$cookie_data = serialize($cookie_data);
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 85cd60293..906c303a4 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -58,6 +58,7 @@ Release Date: Not Released
- Added support non-HTML error templates for CLI applications.
- Added availability checks where usage of dangerous functions like ``eval()`` and ``exec()`` is required.
- Added support for changing the file extension of log files using ``$config['log_file_extension']``.
+ - Added support for turning newline standardization on/off via ``$config['standardize_newlines']``.
- Helpers
diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst
index b58ed2f0d..72746c147 100644
--- a/user_guide_src/source/libraries/input.rst
+++ b/user_guide_src/source/libraries/input.rst
@@ -25,7 +25,8 @@ following:
(and a few other) characters.
- Provides XSS (Cross-site Scripting Hacks) filtering. This can be
enabled globally, or upon request.
-- Standardizes newline characters to \\n(In Windows \\r\\n)
+- Standardizes newline characters to ``PHP_EOL`` (\\n in UNIX-based OSes,
+ \\r\\n under Windows). This is configurable.
XSS Filtering
=============