diff options
author | Andrey Andreev <narf@devilix.net> | 2013-09-23 12:18:20 +0200 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2013-09-23 12:18:20 +0200 |
commit | fd0aabb1e6f3db088ad9b3079adc0f9bba9b6c2b (patch) | |
tree | fbcecff4407f882d3da95be31e6756aa1fb554e2 /system/core/Input.php | |
parent | 461acc4b5eee836b99466107e40d7dd59b13e12d (diff) |
Fix issue #33
Diffstat (limited to 'system/core/Input.php')
-rw-r--r-- | system/core/Input.php | 31 |
1 files changed, 24 insertions, 7 deletions
diff --git a/system/core/Input.php b/system/core/Input.php index 24e21ea08..8c32e459e 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -693,7 +693,14 @@ class CI_Input { foreach ($_COOKIE as $key => $val) { - $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); + if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) + { + $_COOKIE[$cookie_key] = $this->_clean_input_data($val); + } + else + { + unset($_COOKIE[$key]); + } } } @@ -706,7 +713,7 @@ class CI_Input { $this->security->csrf_verify(); } - log_message('debug', 'Global POST and COOKIE data sanitized'); + log_message('debug', 'Global POST, GET and COOKIE data sanitized'); } // -------------------------------------------------------------------- @@ -776,15 +783,25 @@ class CI_Input { * only named with alpha-numeric text and a few other items. * * @param string $str Input string - * @return string + * @param string $fatal Whether to terminate script exection + * or to return FALSE if an invalid + * key is encountered + * @return string|bool */ - protected function _clean_input_keys($str) + protected function _clean_input_keys($str, $fatal = TRUE) { if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) { - set_status_header(503); - echo 'Disallowed Key Characters.'; - exit(EXIT_USER_INPUT); + if ($fatal === TRUE) + { + return FALSE; + } + else + { + set_status_header(503); + echo 'Disallowed Key Characters.'; + exit(EXIT_USER_INPUT); + } } // Clean UTF-8 if supported |