authorAndrey Andreev <narf@devilix.net>2017-01-04 16:01:44 +0100
committerAndrey Andreev <narf@devilix.net>2017-01-04 16:01:44 +0100
commitec8dbbb79bb083acd1cf6beff5abea055b583db5 (patch)
treecac3926b5266c2868b4c9b82bce3346f1bfe53e9
parentcfd52edad6a4ae84b0c34755455b5b7b164878be (diff)
Fix a possible file inclusion vulnerability in CI_Loader::vars()
-rw-r--r--system/core/Loader.php58
-rw-r--r--user_guide_src/source/changelog.rst1
2 files changed, 29 insertions, 30 deletions
diff --git a/system/core/Loader.php b/system/core/Loader.php
index 0515723b4..17ff2362c 100644
--- a/system/core/Loader.php
+++ b/system/core/Loader.php
@@ -486,7 +486,7 @@ class CI_Loader {
*/
public function view($view, $vars = array(), $return = FALSE)
{
- return $this->_ci_load(array('_ci_view' => $view, '_ci_vars' => $this->_ci_object_to_array($vars), '_ci_return' => $return));
+ return $this->_ci_load(array('_ci_view' => $view, '_ci_vars' => $this->_ci_prepare_view_vars($vars), '_ci_return' => $return));
}
// --------------------------------------------------------------------
@@ -519,19 +519,13 @@ class CI_Loader {
*/
public function vars($vars, $val = '')
{
- if (is_string($vars))
- {
- $vars = array($vars => $val);
- }
-
- $vars = $this->_ci_object_to_array($vars);
+ $vars = is_string($vars)
+ ? array($vars => $val)
+ : $this->_ci_prepare_view_vars($vars);
- if (is_array($vars) && count($vars) > 0)
+ foreach ($vars as $key => $val)
{
- foreach ($vars as $key => $val)
- {
- $this->_ci_cached_vars[$key] = $val;
- }
+ $this->_ci_cached_vars[$key] = $val;
}
return $this;
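Review bot: The string form of `vars()` at `array($vars => $val)` bypasses `_ci_prepare_view_vars()`, so a key carrying the `_ci_` prefix supplied as `vars('name', $value)` is still written into `_ci_cached_vars` by the loop below and later `extract()`-ed in `_ci_load`, which is the path this commit sets out to close. Route both forms through the same filter, `$vars = $this->_ci_prepare_view_vars(is_string($vars) ? array($vars => $val) : $vars);`, and drop the ternary in front of the `foreach`. The loop variable `$val` also shadows the `$val` parameter; it is harmless here because the parameter has already been consumed, but a distinct name such as `$value` would read better.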
@@ -940,18 +934,7 @@ class CI_Loader {
* the two types and cache them so that views that are embedded within
* other views can have access to these variables.
*/
- if (is_array($_ci_vars))
- {
- foreach (array_keys($_ci_vars) as $key)
- {
- if (strncmp($key, '_ci_', 4) === 0)
- {
- unset($_ci_vars[$key]);
- }
- }
-
- $this->_ci_cached_vars = array_merge($this->_ci_cached_vars, $_ci_vars);
- }
+ empty($_ci_vars) OR $this->_ci_cached_vars = array_merge($this->_ci_cached_vars, $_ci_vars);
extract($this->_ci_cached_vars);
/*
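Review bot: The merge at `empty($_ci_vars) OR $this->_ci_cached_vars = array_merge(...)` no longer strips `_ci_`-prefixed keys nor checks `is_array($_ci_vars)` itself; it now relies on every caller of `_ci_load` having passed `_ci_vars` through `_ci_prepare_view_vars()` first. Only `view()` is visible doing so (first hunk); should any other caller hand in raw data, the old filtering is gone, and a non-array value would make `array_merge` fail where the removed guard used to skip it. Record the precondition above the merge, e.g. `// $_ci_vars must already be filtered by _ci_prepare_view_vars() (see view())`. `_ci_load` begins and ends outside this hunk.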
@@ -1382,17 +1365,32 @@ class CI_Loader {
// --------------------------------------------------------------------
/**
- * CI Object to Array translator
+ * Prepare variables for _ci_vars, to be later extract()-ed inside views
*
- * Takes an object as input and converts the class variables to
- * an associative array with key/value pairs.
+ * Converts objects to associative arrays and filters-out internal
+ * variable names (i.e. keys prexied with '_ci_').
*
- * @param object $object Object data to translate
+ * @param mixed $vars
* @return array
*/
- protected function _ci_object_to_array($object)
+ protected function _ci_prepare_view_vars($vars)
{
- return is_object($object) ? get_object_vars($object) : $object;
+ if ( ! is_array($vars))
+ {
+ $vars = is_object($vars)
+ ? get_object_vars($object)
+ : array();
+ }
+
+ foreach (array_keys($vars) as $key)
+ {
+ if (strncmp($key, '_ci_', 4) === 0)
+ {
+ unset($vars[$key]);
+ }
+ }
+
+ return $vars;
}
// --------------------------------------------------------------------
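Review bot: The object branch `? get_object_vars($object)` references `$object`, which does not exist in `_ci_prepare_view_vars` (the parameter is `$vars`), so passing an object raises an undefined-variable notice, `$vars` becomes NULL and the subsequent `array_keys($vars)` fails instead of filtering the `_ci_` keys; it should read `? get_object_vars($vars)`. The new docblock also has a typo, `prexied` should be `prefixed`, and since this method is now the single place where `_ci_` keys are removed before `extract()` runs in `_ci_load`, that should be stated there, e.g. `* Every array that reaches _ci_cached_vars must pass through this method.` Replacing `@param mixed $vars` with `@param array|object|mixed $vars Anything else yields an empty array` would also document the fallback branch.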
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index d889d4b28..fff17110e 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -10,6 +10,7 @@ Release Date: Not Released
- **Security**
- Fixed an XSS vulnerability in :doc:`Security Library <libraries/security>` method ``xss_clean()``.
+ - Fixed a possible file inclusion vulnerability in :doc:`Loader Library <libraries/loader>` method ``vars()``.
- Added protection against timing side-channel attacks in :doc:`Security Library <libraries/security>` method ``csrf_verify()``.
- Added protection against BREACH attacks targeting the CSRF token field generated by :doc:`Form Helper <helpers/form_helper>` function :php:func:`form_open()`.