diff options
author | Timothy Warren <tim@timshomepage.net> | 2011-09-06 20:40:34 +0200 |
---|---|---|
committer | Timothy Warren <tim@timshomepage.net> | 2011-09-06 20:40:34 +0200 |
commit | f22ce8f368e64b1c343e06427e8dad1ab1cef2a4 (patch) | |
tree | f0552e9318a541e82c3375646fc870490d835e12 /system/core/Security.php | |
parent | 36fb8de7bf385036f3145dd1fbd9537f6a01ac36 (diff) | |
parent | 40d1a7684444f6a8eb4cda23d8822f0b258f0c3e (diff) |
Merge branch 'develop' of git://github.com/EllisLab/CodeIgniter into develop
Diffstat (limited to 'system/core/Security.php')
-rwxr-xr-x | system/core/Security.php | 38 |
1 files changed, 30 insertions, 8 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index dcc680a11..e99418bdd 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -33,6 +33,7 @@ class CI_Security { * @access protected */ protected $_xss_hash = ''; + /** * Random Hash for Cross Site Request Forgery Protection Cookie * @@ -40,6 +41,7 @@ class CI_Security { * @access protected */ protected $_csrf_hash = ''; + /** * Expiration time for Cross Site Request Forgery Protection Cookie * Defaults to two hours (in seconds) @@ -48,6 +50,7 @@ class CI_Security { * @access protected */ protected $_csrf_expire = 7200; + /** * Token name for Cross Site Request Forgery Protection Cookie * @@ -55,6 +58,7 @@ class CI_Security { * @access protected */ protected $_csrf_token_name = 'ci_csrf_token'; + /** * Cookie name for Cross Site Request Forgery Protection Cookie * @@ -62,12 +66,14 @@ class CI_Security { * @access protected */ protected $_csrf_cookie_name = 'ci_csrf_token'; + /** * List of never allowed strings * * @var array * @access protected */ + protected $_never_allowed_str = array( 'document.cookie' => '[removed]', 'document.write' => '[removed]', @@ -80,7 +86,6 @@ class CI_Security { '<![CDATA[' => '<![CDATA[' ); - /* never allowed, regex replacement */ /** * List of never allowed regex replacement * @@ -134,6 +139,16 @@ class CI_Security { { return $this->csrf_set_cookie(); } + + // Check if URI has been whitelisted from CSRF checks + if ($exclude_uris = config_item('csrf_exclude_uris')) + { + $uri = load_class('URI', 'core'); + if (in_array($uri->uri_string(), $exclude_uris)) + { + return $this; + } + } // Do the tokens exist in both the _POST and _COOKIE arrays? if ( ! isset($_POST[$this->_csrf_token_name]) OR @@ -156,9 +171,9 @@ class CI_Security { unset($_COOKIE[$this->_csrf_cookie_name]); $this->_csrf_set_hash(); $this->csrf_set_cookie(); - - log_message('debug', "CSRF token verified "); - + + log_message('debug', "CSRF token verified"); + return $this; } @@ -510,9 +525,17 @@ class CI_Security { * @param string * @return string */ - public function entity_decode($str, $charset='UTF-8') + public function entity_decode($str, $charset = NULL) { - if (stristr($str, '&') === FALSE) return $str; + if (stristr($str, '&') === FALSE) + { + return $str; + } + + if (empty($charset)) + { + $charset = config_item('charset'); + } // The reason we are not using html_entity_decode() by itself is because // while it is not technically correct to leave out the semicolon @@ -869,7 +892,6 @@ class CI_Security { } } -// END Security Class /* End of file Security.php */ -/* Location: ./system/libraries/Security.php */ +/* Location: ./system/libraries/Security.php */
\ No newline at end of file |