diff options
| author | Greg Aker <greg@gregaker.net> | 2011-08-30 02:31:48 +0200 |
|---|---|---|
| committer | Greg Aker <greg@gregaker.net> | 2011-08-30 02:31:48 +0200 |
| commit | b50df5f018176c0cd0ad498e9c710a2b0b016a80 (patch) | |
| tree | 95733dbbcc348a92aad5d979db2e5da471859c25 /system | |
| parent | c964e72aabc3a646dbb82f6bf609e9532e75d011 (diff) | |
| parent | d7a28663344fbb760134b5623b8cb441f4875f80 (diff) | |
Merge branch 'develop' of github.com:EllisLab/CodeIgniter into develop
Diffstat (limited to 'system')
| -rwxr-xr-x | system/core/CodeIgniter.php | 2 | ||||
| -rw-r--r-- | system/core/Common.php | 30 | ||||
| -rwxr-xr-x | system/core/Input.php | 8 | ||||
| -rwxr-xr-x | system/core/Lang.php | 4 | ||||
| -rwxr-xr-x | system/core/Loader.php | 2 | ||||
| -rwxr-xr-x | system/core/Security.php | 38 | ||||
| -rwxr-xr-x | system/core/URI.php | 4 | ||||
| -rw-r--r-- | system/database/drivers/mysql/mysql_result.php | 4 | ||||
| -rw-r--r-- | system/database/drivers/mysqli/mysqli_result.php | 4 | ||||
| -rw-r--r-- | system/database/drivers/oci8/oci8_driver.php | 1 | ||||
| -rw-r--r-- | system/database/drivers/odbc/odbc_driver.php | 2 | ||||
| -rw-r--r-- | system/helpers/form_helper.php | 7 | ||||
| -rw-r--r-- | system/helpers/typography_helper.php | 10 | ||||
| -rwxr-xr-x[-rw-r--r--] | system/helpers/url_helper.php | 4 | ||||
| -rw-r--r-- | system/libraries/Image_lib.php | 2 | ||||
| -rw-r--r-- | system/libraries/Migration.php | 2 |
16 files changed, 86 insertions, 38 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 0a1391d18..aca4fb23c 100755 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -39,7 +39,7 @@ * @var string * */ - define('CI_VERSION', '2.0.2'); + define('CI_VERSION', '2.1.0-dev'); /** * CodeIgniter Branch (Core = TRUE, Reactor = FALSE) diff --git a/system/core/Common.php b/system/core/Common.php index db9fbeb9f..d79375475 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -132,9 +132,9 @@ if ( ! function_exists('load_class')) $name = FALSE; - // Look for the class first in the native system/libraries folder - // thenin the local application/libraries folder - foreach (array(BASEPATH, APPPATH) as $path) + // Look for the class first in the local application/libraries folder + // then in the native system/libraries folder + foreach (array(APPPATH, BASEPATH) as $path) { if (file_exists($path.$directory.'/'.$class.'.php')) { @@ -536,5 +536,29 @@ if ( ! function_exists('remove_invisible_characters')) } } +// ------------------------------------------------------------------------ + +/** +* Returns HTML escaped variable +* +* @access public +* @param mixed +* @return mixed +*/ +if ( ! function_exists('html_escape')) +{ + function html_escape($var) + { + if (is_array($var)) + { + return array_map('html_escape', $var); + } + else + { + return htmlspecialchars($var, ENT_QUOTES, config_item('charset')); + } + } +} + /* End of file Common.php */ /* Location: ./system/core/Common.php */
\ No newline at end of file diff --git a/system/core/Input.php b/system/core/Input.php index 5a033e7b8..0dc2c4550 100755 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -323,13 +323,13 @@ class CI_Input { $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']; } - elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP')) + elseif (! $this->server('HTTP_CLIENT_IP') AND $this->server('REMOTE_ADDR')) { - $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; + $this->ip_address = $_SERVER['REMOTE_ADDR']; } - elseif ($this->server('REMOTE_ADDR')) + elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP')) { - $this->ip_address = $_SERVER['REMOTE_ADDR']; + $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; } elseif ($this->server('HTTP_CLIENT_IP')) { diff --git a/system/core/Lang.php b/system/core/Lang.php index 5ac671838..d61d1029a 100755 --- a/system/core/Lang.php +++ b/system/core/Lang.php @@ -112,7 +112,7 @@ class CI_Lang { } - if ( ! isset($lang)) + if ( ! isset($lang) OR ! is_array($lang)) { log_message('error', 'Language file contains no data: language/'.$idiom.'/'.$langfile); return; @@ -124,7 +124,7 @@ class CI_Lang { } $this->is_loaded[] = $langfile; - $this->language = array_merge($this->language, $lang); + $this->language = $this->language + $lang; unset($lang); log_message('debug', 'Language file loaded: language/'.$idiom.'/'.$langfile); diff --git a/system/core/Loader.php b/system/core/Loader.php index 452dc0b4c..de0fc06d2 100755 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -1106,7 +1106,7 @@ class CI_Loader { * @param array * @return void */ - private function _ci_autoloader() + protected function _ci_autoloader() { if (defined('ENVIRONMENT') AND file_exists(APPPATH.'config/'.ENVIRONMENT.'/autoload.php')) { diff --git a/system/core/Security.php b/system/core/Security.php index dcc680a11..e99418bdd 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -33,6 +33,7 @@ class CI_Security { * @access protected */ protected $_xss_hash = ''; + /** * Random Hash for Cross Site Request Forgery Protection Cookie * @@ -40,6 +41,7 @@ class CI_Security { * @access protected */ protected $_csrf_hash = ''; + /** * Expiration time for Cross Site Request Forgery Protection Cookie * Defaults to two hours (in seconds) @@ -48,6 +50,7 @@ class CI_Security { * @access protected */ protected $_csrf_expire = 7200; + /** * Token name for Cross Site Request Forgery Protection Cookie * @@ -55,6 +58,7 @@ class CI_Security { * @access protected */ protected $_csrf_token_name = 'ci_csrf_token'; + /** * Cookie name for Cross Site Request Forgery Protection Cookie * @@ -62,12 +66,14 @@ class CI_Security { * @access protected */ protected $_csrf_cookie_name = 'ci_csrf_token'; + /** * List of never allowed strings * * @var array * @access protected */ + protected $_never_allowed_str = array( 'document.cookie' => '[removed]', 'document.write' => '[removed]', @@ -80,7 +86,6 @@ class CI_Security { '<![CDATA[' => '<![CDATA[' ); - /* never allowed, regex replacement */ /** * List of never allowed regex replacement * @@ -134,6 +139,16 @@ class CI_Security { { return $this->csrf_set_cookie(); } + + // Check if URI has been whitelisted from CSRF checks + if ($exclude_uris = config_item('csrf_exclude_uris')) + { + $uri = load_class('URI', 'core'); + if (in_array($uri->uri_string(), $exclude_uris)) + { + return $this; + } + } // Do the tokens exist in both the _POST and _COOKIE arrays? if ( ! isset($_POST[$this->_csrf_token_name]) OR @@ -156,9 +171,9 @@ class CI_Security { unset($_COOKIE[$this->_csrf_cookie_name]); $this->_csrf_set_hash(); $this->csrf_set_cookie(); - - log_message('debug', "CSRF token verified "); - + + log_message('debug', "CSRF token verified"); + return $this; } @@ -510,9 +525,17 @@ class CI_Security { * @param string * @return string */ - public function entity_decode($str, $charset='UTF-8') + public function entity_decode($str, $charset = NULL) { - if (stristr($str, '&') === FALSE) return $str; + if (stristr($str, '&') === FALSE) + { + return $str; + } + + if (empty($charset)) + { + $charset = config_item('charset'); + } // The reason we are not using html_entity_decode() by itself is because // while it is not technically correct to leave out the semicolon @@ -869,7 +892,6 @@ class CI_Security { } } -// END Security Class /* End of file Security.php */ -/* Location: ./system/libraries/Security.php */ +/* Location: ./system/libraries/Security.php */
\ No newline at end of file diff --git a/system/core/URI.php b/system/core/URI.php index a3ae20cc3..8946bc76b 100755 --- a/system/core/URI.php +++ b/system/core/URI.php @@ -175,7 +175,7 @@ class CI_URI { * @access private * @return string */ - private function _detect_uri() + protected function _detect_uri() { if ( ! isset($_SERVER['REQUEST_URI']) OR ! isset($_SERVER['SCRIPT_NAME'])) { @@ -232,7 +232,7 @@ class CI_URI { * @access private * @return string */ - private function _parse_cli_args() + protected function _parse_cli_args() { $args = array_slice($_SERVER['argv'], 1); diff --git a/system/database/drivers/mysql/mysql_result.php b/system/database/drivers/mysql/mysql_result.php index 2d2905c98..6ceaf4b9b 100644 --- a/system/database/drivers/mysql/mysql_result.php +++ b/system/database/drivers/mysql/mysql_result.php @@ -86,10 +86,10 @@ class CI_DB_mysql_result extends CI_DB_result { $retval = array(); while ($field = mysql_fetch_object($this->result_id)) { - preg_match('/([a-zA-Z]+)\((\d+)\)/', $field->Type, $matches); + preg_match('/([a-zA-Z]+)(\((\d+)\))?/i', $field->Type, $matches); $type = $matches[1]; - $length = (int)$matches[2]; + $length = isset($matches[3]) ? (int) $matches[3] : NULL; $F = new stdClass(); $F->name = $field->Field; diff --git a/system/database/drivers/mysqli/mysqli_result.php b/system/database/drivers/mysqli/mysqli_result.php index ac863056a..bbfb8481a 100644 --- a/system/database/drivers/mysqli/mysqli_result.php +++ b/system/database/drivers/mysqli/mysqli_result.php @@ -86,10 +86,10 @@ class CI_DB_mysqli_result extends CI_DB_result { $retval = array(); while ($field = mysqli_fetch_object($this->result_id)) { - preg_match('/([a-zA-Z]+)\((\d+)\)/', $field->Type, $matches); + preg_match('/([a-zA-Z]+)(\((\d+)\))?/i', $field->Type, $matches); $type = $matches[1]; - $length = (int)$matches[2]; + $length = isset($matches[3]) ? (int) $matches[3] : NULL; $F = new stdClass(); $F->name = $field->Field; diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php index 42cfaaefb..d4adfd528 100644 --- a/system/database/drivers/oci8/oci8_driver.php +++ b/system/database/drivers/oci8/oci8_driver.php @@ -404,6 +404,7 @@ class CI_DB_oci8_driver extends CI_DB { } $str = remove_invisible_characters($str); + $str = str_replace("'", "''", $str); // escape LIKE condition wildcards if ($like === TRUE) diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php index 5e764e071..08cd27b6c 100644 --- a/system/database/drivers/odbc/odbc_driver.php +++ b/system/database/drivers/odbc/odbc_driver.php @@ -50,7 +50,7 @@ class CI_DB_odbc_driver extends CI_DB { function CI_DB_odbc_driver($params) { - parent::CI_DB($params); + parent::CI_DB_driver($params); $this->_random_keyword = ' RND('.time().')'; // database specific random keyword } diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index d9305c00b..130daee6a 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -642,11 +642,8 @@ if ( ! function_exists('form_prep')) { return $str; } - - $str = htmlspecialchars($str); - - // In case htmlspecialchars misses these. - $str = str_replace(array("'", '"'), array("'", """), $str); + + $str = html_escape($str); if ($field_name != '') { diff --git a/system/helpers/typography_helper.php b/system/helpers/typography_helper.php index 19b4eec03..82e686e53 100644 --- a/system/helpers/typography_helper.php +++ b/system/helpers/typography_helper.php @@ -39,9 +39,7 @@ if ( ! function_exists('nl2br_except_pre')) function nl2br_except_pre($str) { $CI =& get_instance(); - $CI->load->library('typography'); - return $CI->typography->nl2br_except_pre($str); } } @@ -82,9 +80,15 @@ if ( ! function_exists('auto_typography')) */ if ( ! function_exists('entity_decode')) { - function entity_decode($str, $charset='UTF-8') + function entity_decode($str, $charset = NULL) { global $SEC; + + if (empty($charset)) + { + $charset = config_item('charset'); + } + return $SEC->entity_decode($str, $charset); } } diff --git a/system/helpers/url_helper.php b/system/helpers/url_helper.php index 9f4b85248..c524dddd1 100644..100755 --- a/system/helpers/url_helper.php +++ b/system/helpers/url_helper.php @@ -512,7 +512,7 @@ if ( ! function_exists('url_title')) $str = strtolower($str); } - return trim(stripslashes($str)); + return trim(trim(stripslashes($str)), $replace); } } @@ -527,7 +527,7 @@ if ( ! function_exists('url_title')) * * @access public * @param string the URL - * @param string the method: location or redirect + * @param string the method: location or refresh * @return string */ if ( ! function_exists('redirect')) diff --git a/system/libraries/Image_lib.php b/system/libraries/Image_lib.php index 8902f524d..a8a0387d8 100644 --- a/system/libraries/Image_lib.php +++ b/system/libraries/Image_lib.php @@ -1334,7 +1334,7 @@ class CI_Image_lib { return FALSE; } - $vals = @getimagesize($path); + $vals = getimagesize($path); $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png'); diff --git a/system/libraries/Migration.php b/system/libraries/Migration.php index 3943ec130..3734e18f5 100644 --- a/system/libraries/Migration.php +++ b/system/libraries/Migration.php @@ -57,7 +57,7 @@ class CI_Migration { } // If not set, set it - $this->_migration_path == '' OR $this->_migration_path = APPPATH . 'migrations/'; + $this->_migration_path == '' AND $this->_migration_path = APPPATH . 'migrations/'; // Add trailing slash if not set $this->_migration_path = rtrim($this->_migration_path, '/').'/'; |