authorAndrey Andreev <narf@bofh.bg>2012-10-09 12:11:15 +0200
committerAndrey Andreev <narf@bofh.bg>2012-10-09 12:11:15 +0200
commite45ad2b74d9534395616d661cf4656d6f259943b (patch)
tree97683ed56c1d8de9d727fa803d2100d320773434
parente78f81537c0859c6ee5b80a09fe63fa946122f01 (diff)
Merge changes from 2.1-stable
-rw-r--r--system/core/Input.php97
-rw-r--r--user_guide_src/source/changelog.rst27
2 files changed, 69 insertions, 55 deletions
diff --git a/system/core/Input.php b/system/core/Input.php
index 657fce625..4bb08f808 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -328,66 +328,65 @@ class CI_Input {
return $this->ip_address;
}
- if (config_item('proxy_ips') != '' && $this->server('HTTP_X_FORWARDED_FOR') && $this->server('REMOTE_ADDR'))
- {
- $has_ranges = strpos($proxies, '/') !== FALSE;
- $proxies = preg_split('/[\s,]/', config_item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY);
- $proxies = is_array($proxies) ? $proxies : array($proxies);
+ $this->ip_address = $_SERVER['REMOTE_ADDR'];
+ $proxy_ips = config_item('proxy_ips');
- if ($has_ranges)
+ if ( ! empty($proxy_ips))
+ {
+ foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header)
{
- $long_ip = ip2long($_SERVER['REMOTE_ADDR']);
- $bit_32 = 1 << 32;
-
- // Go through each of the IP Addresses to check for and
- // test against range notation
- foreach ($proxies as $ip)
+ if (($spoof = $this->server($header)) !== FALSE)
{
- list($address, $mask_length) = explode('/', $ip, 2);
+ // Some proxies typically list the whole chain of IP
+ // addresses through which the client has reached us.
+ // e.g. client_ip, proxy_ip1, proxy_ip2, etc.
+ if (strpos($spoof, ',') !== FALSE)
+ {
+ $spoof = explode(',', $spoof, 2);
+ $spoof = $spoof[0];
+ }
- // Generate the bitmask for a 32 bit IP Address
- $bitmask = $bit_32 - (1 << (32 - (int) $mask_length));
- if (($long_ip & $bitmask) === $address)
+ if ( ! $this->valid_ip($spoof))
+ {
+ $spoof = FALSE;
+ }
+ else
{
- $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
break;
}
}
-
}
- else
+
+ if ($spoof)
{
- $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies)
- ? $_SERVER['HTTP_X_FORWARDED_FOR']
- : $_SERVER['REMOTE_ADDR'];
- }
- }
- elseif ( ! $this->server('HTTP_CLIENT_IP') && $this->server('REMOTE_ADDR'))
- {
- $this->ip_address = $_SERVER['REMOTE_ADDR'];
- }
- elseif ($this->server('REMOTE_ADDR') && $this->server('HTTP_CLIENT_IP'))
- {
- $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
- }
- elseif ($this->server('HTTP_CLIENT_IP'))
- {
- $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
- }
- elseif ($this->server('HTTP_X_FORWARDED_FOR'))
- {
- $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
- }
+ $has_ranges = (strpos($proxy_ips, '/') !== FALSE);
+ $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips));
- if ($this->ip_address === FALSE)
- {
- return $this->ip_address = '0.0.0.0';
- }
+ if ($has_ranges)
+ {
+ $long_ip = ip2long($_SERVER['REMOTE_ADDR']);
+ $bit_32 = 1 << 32;
- if (strpos($this->ip_address, ',') !== FALSE)
- {
- $x = explode(',', $this->ip_address);
- $this->ip_address = trim($x[0]);
+ // Go through each of the IP Addresses to check for and
+ // test against range notation
+ foreach ($proxy_ips as $ip)
+ {
+ list($address, $mask_length) = explode('/', $ip, 2);
+
+ // Generate the bitmask for a 32 bit IP Address
+ $bitmask = $bit_32 - (1 << (32 - (int) $mask_length));
+ if (($long_ip & $bitmask) === $address)
+ {
+ $this->ip_address = $spoof;
+ break;
+ }
+ }
+ }
+ elseif (in_array($_SERVER['REMOTE_ADDR'], $proxy_ips, TRUE))
+ {
+ $this->ip_address = $spoof;
+ }
+ }
}
if ( ! $this->valid_ip($this->ip_address))
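Review bot: The CIDR branch in the new code can never match: `list($address, $mask_length) = explode('/', $ip, 2);` leaves `$address` as a dotted-quad string, and `if (($long_ip & $bitmask) === $address)` strictly compares an int with that string, so any proxy_ips entry written in range notation is ignored and `$this->ip_address` silently stays `$_SERVER['REMOTE_ADDR']` even behind a trusted proxy. Converting the entry and masking both sides fixes it: `$address = ip2long($address);` after the explode, then `if (($long_ip & $bitmask) === ($address & $bitmask))`. Once `$has_ranges` is true every entry goes through the range path, so a list mixing plain addresses with ranges leaves `$mask_length` undefined for the plain ones (an E_NOTICE and a zero mask); checking `strpos($ip, '/') !== FALSE` per entry and falling back to an exact comparison would cover that. `$bit_32 = 1 << 32;` presumably also misbehaves on 32-bit builds, where the shift equals the integer width — worth confirming. ip_address() starts before and ends after this hunk.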
@@ -545,7 +544,7 @@ class CI_Input {
$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
// CSRF Protection check
- if ($this->_enable_csrf === TRUE)
+ if ($this->_enable_csrf === TRUE && ! $this->is_cli_request())
{
$this->security->csrf_verify();
}
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 3e1cfcac4..20585d9bf 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -219,7 +219,6 @@ Release Date: Not Released
- Added autoloading of drivers with $autoload['drivers'].
- CI_Loader::library() will now load drivers as well, for backward compatibility of converted libraries (like Session).
- :doc:`Common functions <general/common_functions>` changes include:
- - ``is_loaded()`` function now returns a reference.
- Added ``get_mimes()`` function to return the *config/mimes.php* array.
- Added support for HTTP code 303 ("See Other") in ``set_status_header()``.
- Removed redundant conditional to determine HTTP server protocol in ``set_status_header()``.
@@ -279,17 +278,14 @@ Bug fixes for 3.0
- Fixed a bug in CUBRID's affected_rows() method where a connection resource was passed to cubrid_affected_rows() instead of a result.
- Fixed a bug (#638) - db_set_charset() ignored its arguments and always used the configured charset instead.
- Fixed a bug (#413) - Oracle's error handling methods used to only return connection-related errors.
-- Fixed a bug (#804) - Profiler library was trying to handle objects as strings in some cases, resulting in warnings being issued by htmlspecialchars().
- Fixed a bug (#1101) - MySQL/MySQLi result method field_data() was implemented as if it was handling a DESCRIBE result instead of the actual result set.
- Fixed a bug in Oracle's :doc:`Database Forge Class <database/forge>` method _create_table() where it failed with AUTO_INCREMENT as it's not supported.
- Fixed a bug (#1080) - When using the SMTP protocol, the :doc:`Email Library <libraries/email>` send() method was returning TRUE even if the connection/authentication against the server failed.
-- Fixed a bug (#499) - a CSRF cookie was created even with CSRF protection being disabled.
- Fixed a bug (#306) - ODBC's insert_id() method was calling non-existent function odbc_insert_id(), which resulted in a fatal error.
- Fixed a bug in Oracle's DB_result class where the cursor id passed to it was always NULL.
- Fixed a bug (#64) - Regular expression in DB_query_builder.php failed to handle queries containing SQL bracket delimiters in the join condition.
- Fixed a bug in the :doc:`Session Library <libraries/sessions>` where a PHP E_NOTICE error was triggered by _unserialize() due to results from databases such as MSSQL and Oracle being space-padded on the right.
- Fixed a bug (#501) - set_rules() to check if the request method is not 'POST' before aborting, instead of depending on count($_POST) in the :doc:`Form Validation Library <libraries/form_validation>`.
-- Fixed a bug (#940) - csrf_verify() used to set the CSRF cookie while processing a POST request with no actual POST data, which resulted in validating a request that should be considered invalid.
- Fixed a bug (#136) - PostgreSQL, MySQL and MySQLi's escape_str() method didn't properly escape LIKE wild characters.
- Fixed a bug in the library loader where some PHP versions wouldn't execute the class constructor.
- Fixed a bug (#88) - An unexisting property was used for configuration of the Memcache cache driver.
@@ -308,7 +304,6 @@ Bug fixes for 3.0
- Fixed a bug (#1265) - Database connections were always closed, regardless of the 'pconnect' option value.
- Fixed a bug (#128) - :doc:`Language Library <libraries/language>` did not correctly keep track of loaded language files.
- Fixed a bug (#1242) - Added Windows path compatibility to function read_dir of ZIP library.
-- Fixed a bug (#1314) - sess_destroy() did not destroy userdata.
- Fixed a bug (#1349) - get_extension() in the :doc:`File Uploading Library <libraries/file_uploading>` returned the original filename when it didn't have an actual extension.
- Fixed a bug (#1273) - E_NOTICE being generated by :doc:`Query Builder <database/query_builder>`'s set_update_batch() method.
- Fixed a bug (#44, #110) - :doc:`Upload library <libraries/file_uploading>`'s clean_file_name() method didn't clear '!' and '#' characters.
@@ -329,7 +324,6 @@ Bug fixes for 3.0
- Fixed a bug (#1264) - :doc:`Database Forge <database/forge>` and :doc:`Database Utilities <database/utilities>` didn't update/reset the databases and tables list cache when a table or a database is created, dropped or renamed.
- Fixed a bug (#7) - :doc:`Query Builder <database/query_builder>`'s ``join()`` method only escaped one set of conditions.
- Fixed a bug (#1321) - Core Exceptions class couldn't find the errors/ folder in some cases.
-- Fixed a bug in the File-based :doc:`Cache Library <libraries/caching>` driver's get_metadata() method where a non-existent array key was accessed for the TTL value.
- Fixed a bug (#1202) - :doc:`Encryption Library <libraries/encryption>` encode_from_legacy() didn't set back the encrypt mode on failure.
- Fixed a bug (#145) - compile_binds() failed when the bind marker was present in a literal string within the query.
- Fixed a bug in protect_identifiers() where if passed along with the field names, operators got escaped as well.
@@ -361,6 +355,27 @@ Bug fixes for 3.0
- Fixed a bug (#1257) - :doc:`Query Builder <database/query_builder>` used to (unnecessarily) group FROM clause contents, which breaks certain queries and is invalid for some databases.
- Fixed a bug (#1709) - :doc:`Email <libraries/email>` headers were broken when using long email subjects and \r\n as CRLF.
+Version 2.1.3
+=============
+
+Release Date: October 8, 2012
+
+- Core
+ - :doc:`Common function <general/common_functions>` ``is_loaded()`` now returns a reference.
+
+Bug fixes for 2.1.3
+-------------------
+
+- Fixed a bug (#1543) - File-based :doc:`Caching <libraries/caching>` method ``get_metadata()`` used a non-existent array key to look for the TTL value.
+- Fixed a bug (#1314) - :doc:`Session Library <libraries/session>` method ``sess_destroy()`` didn't destroy the userdata array.
+- Fixed a bug (#804) - Profiler library was trying to handle objects as strings in some cases, resulting in *E_WARNING* messages being issued by ``htmlspecialchars()``.
+- Fixed a bug (#1699) - :doc:`Migration Library <libraries/migration>` ignored the ``$config['migration_path']`` setting.
+- Fixed a bug (#227) - :doc:`Input Library <libraries/input>` allowed unconditional spoofing of HTTP clients' IP addresses through the *HTTP_CLIENT_IP* header.
+- Fixed a bug (#907) - :doc:`Input Library <libraries/input>` ignored *HTTP_X_CLUSTER_CLIENT_IP* and *HTTP_X_CLIENT_IP* headers when checking for proxies.
+- Fixed a bug (#940) - ``csrf_verify()`` used to set the CSRF cookie while processing a POST request with no actual POST data, which resulted in validating a request that should be considered invalid.
+- Fixed a bug (#499) - :doc:`Security Library <libraries/security>` where a CSRF cookie was created even if ``$config['csrf_protection']`` is set tot FALSE.
+- Fixed a bug (#1715) - :doc:`Input Library <libraries/input>` triggered ``csrf_verify()`` on CLI requests.
+
Version 2.1.2
=============