summaryrefslogtreecommitdiffstats
path: root/system/core
diff options
context:
space:
mode:
authorJoël Cox <joel@joelcox.nl>2011-10-09 18:45:09 +0200
committerJoël Cox <joel@joelcox.nl>2011-10-09 18:45:09 +0200
commit8ffcb2c8c7ef3da54d7e46c29d502533e413c820 (patch)
tree1f94e2e81b4d20f2df827b8a84eeda27032161a1 /system/core
parentf4fb1db458fab52d0493ead52c9ea7e01206eaa7 (diff)
parent6858c0753a7221796d6a5a1d7fea93cc2f9feb2e (diff)
Merged develop branch in tutorial.
Diffstat (limited to 'system/core')
-rwxr-xr-xsystem/core/CodeIgniter.php22
-rw-r--r--system/core/Common.php30
-rwxr-xr-xsystem/core/Input.php50
-rwxr-xr-xsystem/core/Lang.php4
-rwxr-xr-xsystem/core/Loader.php2
-rwxr-xr-xsystem/core/Security.php83
-rwxr-xr-xsystem/core/URI.php4
7 files changed, 101 insertions, 94 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php
index 0a1391d18..9f88384b1 100755
--- a/system/core/CodeIgniter.php
+++ b/system/core/CodeIgniter.php
@@ -33,27 +33,7 @@
* @var string
*
*/
- /**
- * CodeIgniter Version
- *
- * @var string
- *
- */
- define('CI_VERSION', '2.0.2');
-
-/**
- * CodeIgniter Branch (Core = TRUE, Reactor = FALSE)
- *
- * @var boolean
- *
- */
- /**
- * CodeIgniter Branch (Core = TRUE, Reactor = FALSE)
- *
- * @var string
- *
- */
- define('CI_CORE', FALSE);
+ define('CI_VERSION', '2.1.0-dev');
/*
* ------------------------------------------------------
diff --git a/system/core/Common.php b/system/core/Common.php
index db9fbeb9f..d79375475 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -132,9 +132,9 @@ if ( ! function_exists('load_class'))
$name = FALSE;
- // Look for the class first in the native system/libraries folder
- // thenin the local application/libraries folder
- foreach (array(BASEPATH, APPPATH) as $path)
+ // Look for the class first in the local application/libraries folder
+ // then in the native system/libraries folder
+ foreach (array(APPPATH, BASEPATH) as $path)
{
if (file_exists($path.$directory.'/'.$class.'.php'))
{
@@ -536,5 +536,29 @@ if ( ! function_exists('remove_invisible_characters'))
}
}
+// ------------------------------------------------------------------------
+
+/**
+* Returns HTML escaped variable
+*
+* @access public
+* @param mixed
+* @return mixed
+*/
+if ( ! function_exists('html_escape'))
+{
+ function html_escape($var)
+ {
+ if (is_array($var))
+ {
+ return array_map('html_escape', $var);
+ }
+ else
+ {
+ return htmlspecialchars($var, ENT_QUOTES, config_item('charset'));
+ }
+ }
+}
+
/* End of file Common.php */
/* Location: ./system/core/Common.php */ \ No newline at end of file
diff --git a/system/core/Input.php b/system/core/Input.php
index 5a033e7b8..6f8442107 100755
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -110,13 +110,13 @@ class CI_Input {
*
* This is a helper function to retrieve values from global arrays
*
- * @access private
+ * @access protected
* @param array
* @param string
* @param bool
* @return string
*/
- function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
+ protected function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
{
if ( ! isset($array[$index]))
{
@@ -141,7 +141,7 @@ class CI_Input {
* @param bool
* @return string
*/
- function get($index = NULL, $xss_clean = FALSE)
+ public function get($index = NULL, $xss_clean = FALSE)
{
// Check if a field has been provided
if ($index === NULL AND ! empty($_GET))
@@ -169,7 +169,7 @@ class CI_Input {
* @param bool
* @return string
*/
- function post($index = NULL, $xss_clean = FALSE)
+ public function post($index = NULL, $xss_clean = FALSE)
{
// Check if a field has been provided
if ($index === NULL AND ! empty($_POST))
@@ -198,7 +198,7 @@ class CI_Input {
* @param bool XSS cleaning
* @return string
*/
- function get_post($index = '', $xss_clean = FALSE)
+ public function get_post($index = '', $xss_clean = FALSE)
{
if ( ! isset($_POST[$index]) )
{
@@ -220,7 +220,7 @@ class CI_Input {
* @param bool
* @return string
*/
- function cookie($index = '', $xss_clean = FALSE)
+ public function cookie($index = '', $xss_clean = FALSE)
{
return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
}
@@ -243,7 +243,7 @@ class CI_Input {
* @param bool true makes the cookie secure
* @return void
*/
- function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE)
+ public function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE)
{
if (is_array($name))
{
@@ -296,7 +296,7 @@ class CI_Input {
* @param bool
* @return string
*/
- function server($index = '', $xss_clean = FALSE)
+ public function server($index = '', $xss_clean = FALSE)
{
return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
}
@@ -309,7 +309,7 @@ class CI_Input {
* @access public
* @return string
*/
- function ip_address()
+ public function ip_address()
{
if ($this->ip_address !== FALSE)
{
@@ -323,13 +323,13 @@ class CI_Input {
$this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
}
- elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
+ elseif (! $this->server('HTTP_CLIENT_IP') AND $this->server('REMOTE_ADDR'))
{
- $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
+ $this->ip_address = $_SERVER['REMOTE_ADDR'];
}
- elseif ($this->server('REMOTE_ADDR'))
+ elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
{
- $this->ip_address = $_SERVER['REMOTE_ADDR'];
+ $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
}
elseif ($this->server('HTTP_CLIENT_IP'))
{
@@ -369,10 +369,16 @@ class CI_Input {
*
* @access public
* @param string
- * @return string
+ * @return bool
*/
- function valid_ip($ip)
+ public function valid_ip($ip)
{
+ // if php version >= 5.2, use filter_var to check validate ip.
+ if (function_exists('filter_var'))
+ {
+ return (bool) filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
+ }
+
$ip_segments = explode('.', $ip);
// Always 4 segments needed
@@ -407,7 +413,7 @@ class CI_Input {
* @access public
* @return string
*/
- function user_agent()
+ public function user_agent()
{
if ($this->user_agent !== FALSE)
{
@@ -435,7 +441,7 @@ class CI_Input {
* @access private
* @return void
*/
- function _sanitize_globals()
+ private function _sanitize_globals()
{
// It would be "wrong" to unset any of these GLOBALS.
$protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST',
@@ -536,7 +542,7 @@ class CI_Input {
* @param string
* @return string
*/
- function _clean_input_data($str)
+ private function _clean_input_data($str)
{
if (is_array($str))
{
@@ -549,7 +555,7 @@ class CI_Input {
}
// We strip slashes if magic quotes is on to keep things consistent
- if (function_exists('get_magic_quotes_gpc') AND get_magic_quotes_gpc())
+ if (function_exists('get_magic_quotes_gpc') AND @get_magic_quotes_gpc())
{
$str = stripslashes($str);
}
@@ -594,7 +600,7 @@ class CI_Input {
* @param string
* @return string
*/
- function _clean_input_keys($str)
+ private function _clean_input_keys($str)
{
if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
{
@@ -618,6 +624,7 @@ class CI_Input {
* In Apache, you can simply call apache_request_headers(), however for
* people running other webservers the function is undefined.
*
+ * @access public
* @param bool XSS cleaning
*
* @return array
@@ -661,6 +668,7 @@ class CI_Input {
*
* Returns the value of a single member of the headers class member
*
+ * @access public
* @param string array key for $this->headers
* @param boolean XSS Clean or not
* @return mixed FALSE on failure, string on success
@@ -692,6 +700,7 @@ class CI_Input {
*
* Test to see if a request contains the HTTP_X_REQUESTED_WITH header
*
+ * @access public
* @return boolean
*/
public function is_ajax_request()
@@ -706,6 +715,7 @@ class CI_Input {
*
* Test to see if a request was made from the command line
*
+ * @access public
* @return boolean
*/
public function is_cli_request()
diff --git a/system/core/Lang.php b/system/core/Lang.php
index 5ac671838..d61d1029a 100755
--- a/system/core/Lang.php
+++ b/system/core/Lang.php
@@ -112,7 +112,7 @@ class CI_Lang {
}
- if ( ! isset($lang))
+ if ( ! isset($lang) OR ! is_array($lang))
{
log_message('error', 'Language file contains no data: language/'.$idiom.'/'.$langfile);
return;
@@ -124,7 +124,7 @@ class CI_Lang {
}
$this->is_loaded[] = $langfile;
- $this->language = array_merge($this->language, $lang);
+ $this->language = $this->language + $lang;
unset($lang);
log_message('debug', 'Language file loaded: language/'.$idiom.'/'.$langfile);
diff --git a/system/core/Loader.php b/system/core/Loader.php
index 452dc0b4c..de0fc06d2 100755
--- a/system/core/Loader.php
+++ b/system/core/Loader.php
@@ -1106,7 +1106,7 @@ class CI_Loader {
* @param array
* @return void
*/
- private function _ci_autoloader()
+ protected function _ci_autoloader()
{
if (defined('ENVIRONMENT') AND file_exists(APPPATH.'config/'.ENVIRONMENT.'/autoload.php'))
{
diff --git a/system/core/Security.php b/system/core/Security.php
index dcc680a11..65338ced3 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -33,6 +33,7 @@ class CI_Security {
* @access protected
*/
protected $_xss_hash = '';
+
/**
* Random Hash for Cross Site Request Forgery Protection Cookie
*
@@ -40,6 +41,7 @@ class CI_Security {
* @access protected
*/
protected $_csrf_hash = '';
+
/**
* Expiration time for Cross Site Request Forgery Protection Cookie
* Defaults to two hours (in seconds)
@@ -48,6 +50,7 @@ class CI_Security {
* @access protected
*/
protected $_csrf_expire = 7200;
+
/**
* Token name for Cross Site Request Forgery Protection Cookie
*
@@ -55,6 +58,7 @@ class CI_Security {
* @access protected
*/
protected $_csrf_token_name = 'ci_csrf_token';
+
/**
* Cookie name for Cross Site Request Forgery Protection Cookie
*
@@ -62,12 +66,14 @@ class CI_Security {
* @access protected
*/
protected $_csrf_cookie_name = 'ci_csrf_token';
+
/**
* List of never allowed strings
*
* @var array
* @access protected
*/
+
protected $_never_allowed_str = array(
'document.cookie' => '[removed]',
'document.write' => '[removed]',
@@ -80,7 +86,6 @@ class CI_Security {
'<![CDATA[' => '&lt;![CDATA['
);
- /* never allowed, regex replacement */
/**
* List of never allowed regex replacement
*
@@ -135,6 +140,16 @@ class CI_Security {
return $this->csrf_set_cookie();
}
+ // Check if URI has been whitelisted from CSRF checks
+ if ($exclude_uris = config_item('csrf_exclude_uris'))
+ {
+ $uri = load_class('URI', 'core');
+ if (in_array($uri->uri_string(), $exclude_uris))
+ {
+ return $this;
+ }
+ }
+
// Do the tokens exist in both the _POST and _COOKIE arrays?
if ( ! isset($_POST[$this->_csrf_token_name]) OR
! isset($_COOKIE[$this->_csrf_cookie_name]))
@@ -154,10 +169,11 @@ class CI_Security {
// Nothing should last forever
unset($_COOKIE[$this->_csrf_cookie_name]);
+ $this->_csrf_hash = '';
$this->_csrf_set_hash();
$this->csrf_set_cookie();
- log_message('debug', "CSRF token verified ");
+ log_message('debug', "CSRF token verified");
return $this;
}
@@ -172,7 +188,7 @@ class CI_Security {
public function csrf_set_cookie()
{
$expire = time() + $this->_csrf_expire;
- $secure_cookie = (config_item('cookie_secure') === TRUE) ? 1 : 0;
+ $secure_cookie = (bool) config_item('cookie_secure');
if ($secure_cookie)
{
@@ -369,16 +385,11 @@ class CI_Security {
foreach ($words as $word)
{
- $temp = '';
-
- for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++)
- {
- $temp .= substr($word, $i, 1)."\s*";
- }
+ $word = implode("\s*", str_split($word)) . "\s*";
// We only want to do this when it is followed by a non-word character
// That way valid stuff like "dealer to" does not become "dealerto"
- $str = preg_replace_callback('#('.substr($temp, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str);
+ $str = preg_replace_callback('#('.substr($word, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str);
}
/*
@@ -457,7 +468,7 @@ class CI_Security {
if ($is_image === TRUE)
{
- return ($str == $converted_string) ? TRUE: FALSE;
+ return ($str === $converted_string) ? TRUE : FALSE;
}
log_message('debug', "XSS Filtering completed");
@@ -497,48 +508,30 @@ class CI_Security {
*
* This function is a replacement for html_entity_decode()
*
- * In some versions of PHP the native function does not work
- * when UTF-8 is the specified character set, so this gives us
- * a work-around. More info here:
- * http://bugs.php.net/bug.php?id=25670
- *
- * NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the
- * character set, and the PHP developers said they were not back porting the
- * fix to versions other than PHP 5.x.
- *
* @param string
* @param string
* @return string
*/
- public function entity_decode($str, $charset='UTF-8')
+ public function entity_decode($str, $charset = NULL)
{
- if (stristr($str, '&') === FALSE) return $str;
-
- // The reason we are not using html_entity_decode() by itself is because
- // while it is not technically correct to leave out the semicolon
- // at the end of an entity most browsers will still interpret the entity
- // correctly. html_entity_decode() does not convert entities without
- // semicolons, so we are left with our own little solution here. Bummer.
-
- if (function_exists('html_entity_decode') &&
- (strtolower($charset) != 'utf-8'))
+ if (strpos($str, '&') === FALSE)
{
- $str = html_entity_decode($str, ENT_COMPAT, $charset);
- $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
- return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
+ return $str;
}
- // Numeric Entities
- $str = preg_replace('~&#x(0*[0-9a-f]{2,5});{0,1}~ei', 'chr(hexdec("\\1"))', $str);
- $str = preg_replace('~&#([0-9]{2,4});{0,1}~e', 'chr(\\1)', $str);
-
- // Literal Entities - Slightly slow so we do another check
- if (stristr($str, '&') === FALSE)
+ if (empty($charset))
{
- $str = strtr($str, array_flip(get_html_translation_table(HTML_ENTITIES)));
+ $charset = config_item('charset');
}
- return $str;
+ // The reason we are not using html_entity_decode() by itself is because
+ // while it is not technically correct to leave out the semicolon
+ // at the end of an entity most browsers will still interpret the entity
+ // correctly. html_entity_decode() does not convert entities without
+ // semicolons, so we are left with our own little solution here. Bummer.
+ $str = html_entity_decode($str, ENT_COMPAT, $charset);
+ $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
+ return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
}
// --------------------------------------------------------------------
@@ -862,14 +855,14 @@ class CI_Security {
return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name];
}
- return $this->_csrf_hash = md5(uniqid(rand(), TRUE));
+ $this->_csrf_hash = md5(uniqid(rand(), TRUE));
+ $this->csrf_set_cookie();
}
return $this->_csrf_hash;
}
}
-// END Security Class
/* End of file Security.php */
-/* Location: ./system/libraries/Security.php */
+/* Location: ./system/core/Security.php */
diff --git a/system/core/URI.php b/system/core/URI.php
index a3ae20cc3..8946bc76b 100755
--- a/system/core/URI.php
+++ b/system/core/URI.php
@@ -175,7 +175,7 @@ class CI_URI {
* @access private
* @return string
*/
- private function _detect_uri()
+ protected function _detect_uri()
{
if ( ! isset($_SERVER['REQUEST_URI']) OR ! isset($_SERVER['SCRIPT_NAME']))
{
@@ -232,7 +232,7 @@ class CI_URI {
* @access private
* @return string
*/
- private function _parse_cli_args()
+ protected function _parse_cli_args()
{
$args = array_slice($_SERVER['argv'], 1);