summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDerek Jones <derek.jones@ellislab.com>2010-10-07 16:31:40 +0200
committerDerek Jones <derek.jones@ellislab.com>2010-10-07 16:31:40 +0200
commitaa7d3f9c04c165f6514aff58596ad7cff89ebe65 (patch)
tree45dcf3255ecdbf74965a844e7e66a8aac560cdd7
parentdd6719738936be31cdaa1758ca86d5eb14dcab3d (diff)
parent124ac667046bfb662f4165934d953c0c8bded284 (diff)
Automated merge with https://bitbucket.org/barrymieny/codeigniter
-rw-r--r--application/config/config.php4
-rw-r--r--index.php2
-rw-r--r--system/core/Router.php4
-rw-r--r--system/libraries/Javascript.php2
-rw-r--r--system/libraries/Security.php10
-rw-r--r--system/libraries/Session.php2
-rw-r--r--user_guide/libraries/security.html5
7 files changed, 19 insertions, 10 deletions
diff --git a/application/config/config.php b/application/config/config.php
index e318a2ab7..2a084ac22 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -274,9 +274,9 @@ $config['global_xss_filtering'] = FALSE;
/*
|--------------------------------------------------------------------------
-| Cross Site Forgery Request
+| Cross Site Request Forgery
|--------------------------------------------------------------------------
-| Enables a CSFR cookie token to be set. When set to TRUE, token will be
+| Enables a CSRF cookie token to be set. When set to TRUE, token will be
| checked on a submitted form. If you are accepting user data, it is strongly
| recommended CSRF protection be enabled.
*/
diff --git a/index.php b/index.php
index 6ac782215..5bb53d2f2 100644
--- a/index.php
+++ b/index.php
@@ -6,7 +6,7 @@
*---------------------------------------------------------------
*
* By default CI runs with error reporting set to ALL. For security
- * reasons you are encouraged to change this when your site goes live.
+ * reasons you are encouraged to change this to 0 when your site goes live.
* For more info visit: http://www.php.net/error_reporting
*
*/
diff --git a/system/core/Router.php b/system/core/Router.php
index 1db1ad836..918ea24bf 100644
--- a/system/core/Router.php
+++ b/system/core/Router.php
@@ -345,7 +345,7 @@ class CI_Router {
*/
function set_class($class)
{
- $this->class = $class;
+ $this->class = str_replace(array('/', '.'), '', $class);
}
// --------------------------------------------------------------------
@@ -404,7 +404,7 @@ class CI_Router {
*/
function set_directory($dir)
{
- $this->directory = trim($dir, '/').'/';
+ $this->directory = str_replace(array('/', '.'), '', $dir).'/';
}
// --------------------------------------------------------------------
diff --git a/system/libraries/Javascript.php b/system/libraries/Javascript.php
index b4f33e309..30b62e1c2 100644
--- a/system/libraries/Javascript.php
+++ b/system/libraries/Javascript.php
@@ -22,7 +22,7 @@
* @subpackage Libraries
* @category Javascript
* @author ExpressionEngine Dev Team
- * @link http://codeigniter.com/user_guide/general/errors.html
+ * @link http://codeigniter.com/user_guide/libraries/javascript.html
*/
class CI_Javascript {
diff --git a/system/libraries/Security.php b/system/libraries/Security.php
index 2db8ee9b3..fa5317ea3 100644
--- a/system/libraries/Security.php
+++ b/system/libraries/Security.php
@@ -680,11 +680,10 @@ class CI_Security {
* @param string
* @return string
*/
- function sanitize_filename($str)
+ function sanitize_filename($str, $relative_path = FALSE)
{
$bad = array(
"../",
- "./",
"<!--",
"-->",
"<",
@@ -701,7 +700,6 @@ class CI_Security {
'=',
';',
'?',
- '/',
"%20",
"%22",
"%3c", // <
@@ -717,6 +715,12 @@ class CI_Security {
"%3b", // ;
"%3d" // =
);
+
+ if ( ! $relative_path)
+ {
+ $bad[] = './';
+ $bad[] = '/';
+ }
return stripslashes(str_replace($bad, '', $str));
}
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index 342c301e3..1e606de9c 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -61,7 +61,7 @@ class CI_Session {
// Set all the session preferences, which can either be set
// manually via the $params array above or via the config file
- foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
+ foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
{
$this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key);
}
diff --git a/user_guide/libraries/security.html b/user_guide/libraries/security.html
index a50d94846..6d6216d95 100644
--- a/user_guide/libraries/security.html
+++ b/user_guide/libraries/security.html
@@ -102,6 +102,11 @@ Note: This function should only be used to deal with data upon submission. It's
<code>$filename = $this->security->sanitize_filename($this->input->post('filename'));</code>
+<p>If it is acceptable for the user input to include relative paths, e.g. <kbd>file/in/some/approved/folder.txt</kbd>, you can set the second optional parameter,
+ <samp>$relative_path</samp> to TRUE.</p>
+
+<code>$filename = $this->security->sanitize_filename($this->input->post('filename'), TRUE);</code>
+
<!-- @todo write docs for CSRF methods -->
</div>