summaryrefslogtreecommitdiffstats
path: root/system/core
diff options
context:
space:
mode:
authorEric Barnes <eric@ericlbarnes.com>2011-08-25 05:19:49 +0200
committerEric Barnes <eric@ericlbarnes.com>2011-08-25 05:19:49 +0200
commitc696253dd044fc8d7de5acf835a9d1a6c144e0b3 (patch)
tree74e9c60a2eceb9386c04b3cf13ae6863b56863e1 /system/core
parent0ba26c731cf8838b5239c1a7957bc18f58fe2f7d (diff)
parent6a93995f2a24c0ac8d636ecac5f3eb0d0243e23d (diff)
Merge remote-tracking branch 'alexbilbie/csrf-override' into feature/csrf-verify
Conflicts: system/core/Security.php
Diffstat (limited to 'system/core')
-rwxr-xr-xsystem/core/Security.php26
1 files changed, 20 insertions, 6 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index dcc680a11..342455f27 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -33,6 +33,7 @@ class CI_Security {
* @access protected
*/
protected $_xss_hash = '';
+
/**
* Random Hash for Cross Site Request Forgery Protection Cookie
*
@@ -40,6 +41,7 @@ class CI_Security {
* @access protected
*/
protected $_csrf_hash = '';
+
/**
* Expiration time for Cross Site Request Forgery Protection Cookie
* Defaults to two hours (in seconds)
@@ -48,6 +50,7 @@ class CI_Security {
* @access protected
*/
protected $_csrf_expire = 7200;
+
/**
* Token name for Cross Site Request Forgery Protection Cookie
*
@@ -55,6 +58,7 @@ class CI_Security {
* @access protected
*/
protected $_csrf_token_name = 'ci_csrf_token';
+
/**
* Cookie name for Cross Site Request Forgery Protection Cookie
*
@@ -62,12 +66,14 @@ class CI_Security {
* @access protected
*/
protected $_csrf_cookie_name = 'ci_csrf_token';
+
/**
* List of never allowed strings
*
* @var array
* @access protected
*/
+
protected $_never_allowed_str = array(
'document.cookie' => '[removed]',
'document.write' => '[removed]',
@@ -80,7 +86,6 @@ class CI_Security {
'<![CDATA[' => '&lt;![CDATA['
);
- /* never allowed, regex replacement */
/**
* List of never allowed regex replacement
*
@@ -134,6 +139,16 @@ class CI_Security {
{
return $this->csrf_set_cookie();
}
+
+ // Check if URI has been whitelisted from CSRF checks
+ if ($exclude_uris = config_item('csrf_exclude_uris'))
+ {
+ $uri = load_class('URI', 'core');
+ if (in_array($uri->uri_string(), $exclude_uris))
+ {
+ return $this;
+ }
+ }
// Do the tokens exist in both the _POST and _COOKIE arrays?
if ( ! isset($_POST[$this->_csrf_token_name]) OR
@@ -156,9 +171,9 @@ class CI_Security {
unset($_COOKIE[$this->_csrf_cookie_name]);
$this->_csrf_set_hash();
$this->csrf_set_cookie();
-
- log_message('debug', "CSRF token verified ");
-
+
+ log_message('debug', "CSRF token verified");
+
return $this;
}
@@ -869,7 +884,6 @@ class CI_Security {
}
}
-// END Security Class
/* End of file Security.php */
-/* Location: ./system/libraries/Security.php */
+/* Location: ./system/libraries/Security.php */ \ No newline at end of file