diff options
author | Derek Jones <derek.jones@ellislab.com> | 2008-02-05 16:23:51 +0100 |
---|---|---|
committer | Derek Jones <derek.jones@ellislab.com> | 2008-02-05 16:23:51 +0100 |
commit | 0ea06fd2878d802b1e627ac3ec31b6a5b61d9f9d (patch) | |
tree | a65cd88c596e938077ea4d7cb1c713fad865c95a | |
parent | 4fbba22379267fd11965ba65f3efb6cf840e0306 (diff) |
* Fixed a bug (#3396) where certain POST variables would cause a PHP warning.
* Added $_SERVER, $_FILES, $_ENV, and $_SESSION to sanitization of globals.
-rw-r--r-- | system/libraries/Input.php | 21 | ||||
-rw-r--r-- | user_guide/changelog.html | 31 |
2 files changed, 33 insertions, 19 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php index 5832d2d80..1c5682eb7 100644 --- a/system/libraries/Input.php +++ b/system/libraries/Input.php @@ -72,16 +72,15 @@ class CI_Input { $protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA',
'system_folder', 'application_folder', 'BM', 'EXT', 'CFG', 'URI', 'RTR', 'OUT', 'IN');
- // Unset globals for securiy.
+ // Unset globals for security.
// This is effectively the same as register_globals = off
- foreach (array($_GET, $_POST, $_COOKIE) as $global)
+ foreach (array($_GET, $_POST, $_COOKIE, $_SERVER, $_FILES, $_ENV, (isset($_SESSION) && is_array($_SESSION)) ? $_SESSION : array()) as $global)
{
if ( ! is_array($global))
{
if ( ! in_array($global, $protected))
{
- global $$global;
- $$global = NULL;
+ unset($GLOBALS[$global]);
}
}
else
@@ -90,8 +89,18 @@ class CI_Input { {
if ( ! in_array($key, $protected))
{
- global $$key;
- $$key = NULL;
+ unset($GLOBALS[$key]);
+ }
+
+ if (is_array($val))
+ {
+ foreach($val as $k => $v)
+ {
+ if ( ! in_array($k, $protected))
+ {
+ unset($GLOBALS[$k]);
+ }
+ }
}
}
}
diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 550138ff8..c9586353e 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -63,24 +63,29 @@ Change Log <ul>
<li>Active Record
- <ul>
- <li>Added <a href="./database/active_record.html#caching">Active Record Caching</a>.</li>
- <li>Made Active Record fully database-prefix aware</li>
- </ul>
+ <ul>
+ <li>Added <a href="./database/active_record.html#caching">Active Record Caching</a>.</li>
+ <li>Made Active Record fully database-prefix aware</li>
+ </ul>
+ </li>
+ <li>Core Changes
+ <ul>
+ <li>Modified xss_clean() to be more intelligent with its handling of URL encoded strings.</li>
+ <li>Added $_SERVER, $_FILES, $_ENV, and $_SESSION to sanitization of globals.</li>
+ </ul>
</li>
- <li>Core Changes
- <ul>
- <li>Modified xss_clean() to be more intelligent with its handling of URL encoded strings.</li>
- </ul>
- </li>
- </ul>
+</ul>
<h3>Bugfixes for 1.6.1</h3>
<ul>
- <li> Made Active Record fully database prefix aware (#3384)</li>
- <li>Fixed a bug where DBForge was outputting invalid SQL in Postgres by adding brackets around the tables in FROM</li>
- </ul>
+ <li>Made Active Record fully database prefix aware (#3384)</li>
+ <li>Fixed a bug where DBForge was outputting invalid SQL in Postgres by adding brackets around the tables in FROM</li>
+ <li>Fixed a bug (#3396) where certain POST variables would cause a PHP warning.</li>
+</ul>
+
+
+
<h2>Version 1.6.0</h2>
<p>Release Date: January 30, 2008 </p>
<ul>
|