diff options
| author | Alexander Hofstede <alexander@mobbr.com> | 2012-05-17 00:28:08 +0200 |
|---|---|---|
| committer | Alexander Hofstede <alexander@mobbr.com> | 2012-05-17 00:28:08 +0200 |
| commit | e2c374fc474f91cc1c04aaae68e15cef6984f494 (patch) | |
| tree | 1784d0c398b01d1d60a51d5345f14077b62bc602 | |
| parent | 55ac2138482154c3aed7d6a6a2b6f196d0a04d9e (diff) | |
Check cookie against md5 regex.
Otherwise, cookie can contain arbitrary injected code that gets sent
back directly to the browser.
| -rwxr-xr-x | system/core/Security.php | 2 | ||||
| -rw-r--r-- | user_guide/changelog.html | 1 |
2 files changed, 2 insertions, 1 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index a3e227437..6f5ac1ed8 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -848,7 +848,7 @@ class CI_Security { // each page load since a page could contain embedded // sub-pages causing this feature to fail if (isset($_COOKIE[$this->_csrf_cookie_name]) && - $_COOKIE[$this->_csrf_cookie_name] != '') + preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->_csrf_cookie_name]) === 1) { return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name]; } diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 613c4e65d..38275955b 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -85,6 +85,7 @@ Change Log <li>Fixed a bug - CI_Upload::_file_mime_type() could've failed if mime_content_type() is used for the detection and returns FALSE.</li> <li>Fixed a bug (#538) - Windows paths were ignored when using the <a href="libraries/image_lib.html">Image Manipulation Class</a> to create a new file.</li> <li>Fixed a bug - When database caching was enabled, $this->db->query() checked the cache before binding variables which resulted in cached queries never being found.</li> + <li>Fixed a bug - CSRF cookie value was allowed to be any (non-empty) string before being written to the output, making code injection a risk.</li> </ul> |