diff options
author | Andrey Andreev <narf@devilix.net> | 2017-03-24 10:04:53 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2017-03-24 10:04:53 +0100 |
commit | c7c0bdf4f7af7c4e71b073ee87ddb792087bdfac (patch) | |
tree | 5cfb825e1e0d67f30d4c8a91428cd52eb580695a /user_guide_src | |
parent | 1d9aaee34ea77fdb68d79d7add37f26dd2649c00 (diff) | |
parent | 0eb38af2eaf1127b9b82261b7ec3bf4d4b847318 (diff) |
Merge branch '3.1-stable' into develop
Conflicts resolved:
system/core/CodeIgniter.php
system/core/Common.php
system/core/Input.php
system/helpers/cookie_helper.php
tests/codeigniter/helpers/html_helper_test.php
user_guide_src/source/changelog.rst
user_guide_src/source/conf.py
user_guide_src/source/installation/downloads.rst
user_guide_src/source/installation/upgrading.rst
user_guide_src/source/libraries/input.rst
Diffstat (limited to 'user_guide_src')
-rw-r--r-- | user_guide_src/source/changelog.rst | 35 | ||||
-rw-r--r-- | user_guide_src/source/general/routing.rst | 3 | ||||
-rw-r--r-- | user_guide_src/source/helpers/cookie_helper.rst | 2 | ||||
-rw-r--r-- | user_guide_src/source/installation/downloads.rst | 3 | ||||
-rw-r--r-- | user_guide_src/source/installation/upgrade_315.rst | 14 | ||||
-rw-r--r-- | user_guide_src/source/installation/upgrading.rst | 1 | ||||
-rw-r--r-- | user_guide_src/source/libraries/input.rst | 6 | ||||
-rw-r--r-- | user_guide_src/source/libraries/security.rst | 11 | ||||
-rw-r--r-- | user_guide_src/source/libraries/typography.rst | 4 |
9 files changed, 64 insertions, 15 deletions
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index f1f0b6834..2b8d65f4c 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -106,11 +106,25 @@ Release Date: Not Released - Removed the second (out of three) parameter from the :php:func:`form_upload()` function (it was never used). -Version 3.1.4 +Version 3.1.5 ============= Release Date: Not Released + +Version 3.1.4 +============= + +Release Date: March 20, 2017 + +- **Security** + + - Fixed a header injection vulnerability in :doc:`common function <general/common_functions>` :php:func:`set_status_header()` under Apache (thanks to Guillermo Caminer from `Flowgate <https://flowgate.net/>`_). + - Fixed byte-safety issues in :doc:`Encrypt Library <libraries/encrypt>` (DEPRECATED) when ``mbstring.func_overload`` is enabled. + - Fixed byte-safety issues in :doc:`Encryption Library <libraries/encryption>` when ``mbstring.func_overload`` is enabled. + - Fixed byte-safety issues in :doc:`compatibility functions <general/compatibility_functions>` ``password_hash()``, ``hash_pbkdf2()`` when ``mbstring.func_overload`` is enabled. + - Updated :doc:`Encrypt Library <libraries/encrypt>` (DEPRECATED) to call ``mcrypt_create_iv()`` with ``MCRYPT_DEV_URANDOM``. + - General Changes - Updated the :doc:`Image Manipulation Library <libraries/image_lib>` to work-around an issue with some JPEGs when using GD. @@ -119,6 +133,21 @@ Bug fixes for 3.1.4 ------------------- - Fixed a regression (#4975) - :doc:`Loader Library <libraries/loader>` couldn't handle objects passed as view variables. +- Fixed a bug (#4977) - :doc:`Loader Library <libraries/loader>` method ``helper()`` could accept any character as a filename extension separator. +- Fixed a regression where the :doc:`Session Library <libraries/sessions>` would fail on a ``session_regenerate_id(TRUE)`` call with the 'database' driver. +- Fixed a bug (#4987) - :doc:`Query Builder <database/query_builder>` caching didn't keep track of table aliases. +- Fixed a bug where :doc:`Text Helper <helpers/text_helper>` function ``ascii_to_entities()`` wasn't byte-safe when ``mbstring.func_overload`` is enabled. +- Fixed a bug where ``CI_Log``, ``CI_Output``, ``CI_Email`` and ``CI_Zip`` didn't handle strings in a byte-safe manner when ``mbstring.func_overload`` is enabled. +- Fixed a bug where :doc:`Session Library <libraries/sessions>` didn't read session data in a byte-safe manner when ``mbstring.func_overload`` is enabled. +- Fixed a bug (#4990) - :doc:`Profiler <general/profiling>` didn't close ``<pre>`` tags it generated. +- Fixed a bug (#4990) - :doc:`Profiler <general/profiling>` didn't HTML-escape quotes for ``$_SESSION`` variables. +- Fixed a bug where :doc:`Input Library <libraries/input>` method ``set_cookie()`` didn't allow its *httponly* and *secure* parameters to be overriden to ``FALSE``. +- Fixed a bug (#5006) - :doc:`common function <general/common_functions>` :php:func:`get_mimes()` didn't load *application/config/mimes.php* if an environment specific config exists. +- Fixed a bug (#5006) - :doc:`common function <general/common_functions>` :php:func:`remove_invisible_characters()` didn't remove URL-encoded ``0x7F``. +- Fixed a bug (#4815) - :doc:`Database Library <database/index>` stripped URL-encoded sequences while escaping strings with the 'mssql' driver. +- Fixed a bug (#5044) - :doc:`HTML Helper <helpers/html_helper>` function :php:func:`img()` didn't accept ``data:`` URI schemes for the image source. +- Fixed a bug (#5050) - :doc:`Database Library <database/index>` tried to access an undefined property in a number of error handling cases. +- Fixed a bug (#5057) - :doc:`Database <database/index>` driver 'postgre' didn't actually apply extra options (such as 'connect_timeout') to its DSN. Version 3.1.3 ============= @@ -183,7 +212,7 @@ Bug fixes for 3.1.2 - Fixed a regression (#4874) - :doc:`Session Library <libraries/sessions>` didn't take into account ``session.hash_bits_per_character`` when validating session IDs. - Fixed a bug (#4871) - :doc:`Query Builder <database/query_builder>` method ``update_batch()`` didn't properly handle identifier escaping. - Fixed a bug (#4884) - :doc:`Query Builder <database/query_builder>` didn't properly parse field names ending in 'is' when used inside WHERE and HAVING statements. -- Fixed a bug where ``CI_Log``, ``CI_Output``, ``CI_Email`` and ``CI_Zip`` didn't handle strings in a byte-safe manner when ``mbstring.func_override`` is enabled. +- Fixed a bug where ``CI_Log``, ``CI_Output``, ``CI_Email`` and ``CI_Zip`` didn't handle strings in a byte-safe manner when ``mbstring.func_overload`` is enabled. Version 3.1.1 ============= @@ -220,7 +249,7 @@ Bug fixes for 3.1.1 - Fixed a bug where :doc:`Query Builder <database/query_builder>` method ``insert_batch()`` tried to execute an unsupported SQL query with the 'ibase' and 'pdo/firebird' drivers. - Fixed a bug (#4809) - :doc:`Database <database/index>` driver 'pdo/mysql' didn't turn off ``AUTOCOMMIT`` when starting a transaction. - Fixed a bug (#4822) - :doc:`CAPTCHA Helper <helpers/captcha_helper>` didn't clear expired PNG images. -- Fixed a bug (#4823) - :doc:`Session Library <libraries/sessions>` 'files' driver could enter an infinite loop if ``mbstring.func_override`` is enabled. +- Fixed a bug (#4823) - :doc:`Session Library <libraries/sessions>` 'files' driver could enter an infinite loop if ``mbstring.func_overload`` is enabled. - Fixed a bug (#4851) - :doc:`Database Forge <database/forge>` didn't quote schema names passed to its ``create_database()`` method. - Fixed a bug (#4863) - :doc:`HTML Table Library <libraries/table>` method ``set_caption()`` was missing method chaining support. - Fixed a bug (#4843) - :doc:`XML-RPC Library <libraries/xmlrpc>` client class didn't set a read/write socket timeout. diff --git a/user_guide_src/source/general/routing.rst b/user_guide_src/source/general/routing.rst index b53a85d31..909289d8d 100644 --- a/user_guide_src/source/general/routing.rst +++ b/user_guide_src/source/general/routing.rst @@ -205,6 +205,3 @@ underscores in the controller and method URI segments, thus saving you additional route entries if you need to do that. This is required, because the dash isn't a valid class or method name character and would cause a fatal error if you try to use it. - -.. important:: The reserved routes must come before any wildcard or - regular expression routes.
\ No newline at end of file diff --git a/user_guide_src/source/helpers/cookie_helper.rst b/user_guide_src/source/helpers/cookie_helper.rst index 71e40a33c..25c4c3a0b 100644 --- a/user_guide_src/source/helpers/cookie_helper.rst +++ b/user_guide_src/source/helpers/cookie_helper.rst @@ -25,7 +25,7 @@ Available Functions The following functions are available: -.. php:function:: set_cookie($name[, $value = ''[, $expire = ''[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = FALSE[, $httponly = FALSE]]]]]]]) +.. php:function:: set_cookie($name[, $value = ''[, $expire = 0[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = NULL[, $httponly = NULL]]]]]]]) :param mixed $name: Cookie name *or* associative array of all of the parameters available to this function :param string $value: Cookie value diff --git a/user_guide_src/source/installation/downloads.rst b/user_guide_src/source/installation/downloads.rst index d36296e35..f36857e57 100644 --- a/user_guide_src/source/installation/downloads.rst +++ b/user_guide_src/source/installation/downloads.rst @@ -3,7 +3,8 @@ Downloading CodeIgniter ####################### - `CodeIgniter v3.2.0-dev (Current version) <https://codeload.github.com/bcit-ci/CodeIgniter/zip/develop>`_ -- `CodeIgniter v3.1.4-dev <https://codeload.github.com/bcit-ci/CodeIgniter/zip/3.1-stable>`_ +- `CodeIgniter v3.1.5-dev <https://codeload.github.com/bcit-ci/CodeIgniter/zip/3.1-stable>`_ +- `CodeIgniter v3.1.4 <https://codeload.github.com/bcit-ci/CodeIgniter/zip/3.1.4>`_ - `CodeIgniter v3.1.3 <https://codeload.github.com/bcit-ci/CodeIgniter/zip/3.1.3>`_ - `CodeIgniter v3.1.2 <https://codeload.github.com/bcit-ci/CodeIgniter/zip/3.1.2>`_ - `CodeIgniter v3.1.1 <https://codeload.github.com/bcit-ci/CodeIgniter/zip/3.1.1>`_ diff --git a/user_guide_src/source/installation/upgrade_315.rst b/user_guide_src/source/installation/upgrade_315.rst new file mode 100644 index 000000000..cf673abbb --- /dev/null +++ b/user_guide_src/source/installation/upgrade_315.rst @@ -0,0 +1,14 @@ +############################# +Upgrading from 3.1.4 to 3.1.5 +############################# + +Before performing an update you should take your site offline by +replacing the index.php file with a static one. + +Step 1: Update your CodeIgniter files +===================================== + +Replace all files and directories in your *system/* directory. + +.. note:: If you have any custom developed files in these directories, + please make copies of them first. diff --git a/user_guide_src/source/installation/upgrading.rst b/user_guide_src/source/installation/upgrading.rst index ca7677ba9..b76392d05 100644 --- a/user_guide_src/source/installation/upgrading.rst +++ b/user_guide_src/source/installation/upgrading.rst @@ -9,6 +9,7 @@ upgrading from. :titlesonly: Upgrading from 3.1.3+ to 3.2.x <upgrade_320> + Upgrading from 3.1.4 to 3.1.5 <upgrade_315> Upgrading from 3.1.3 to 3.1.4 <upgrade_314> Upgrading from 3.1.2 to 3.1.3 <upgrade_313> Upgrading from 3.1.1 to 3.1.2 <upgrade_312> diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst index 8a0b5f286..7f762e9f0 100644 --- a/user_guide_src/source/libraries/input.rst +++ b/user_guide_src/source/libraries/input.rst @@ -242,7 +242,7 @@ Class Reference This method is identical to ``get()``, ``post()`` and ``cookie()``, only it fetches the *php://input* stream data. - .. php:method:: set_cookie($name = ''[, $value = ''[, $expire = 0[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = FALSE[, $httponly = FALSE]]]]]]]) + .. php:method:: set_cookie($name = ''[, $value = ''[, $expire = 0[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = NULL[, $httponly = NULL]]]]]]]) :param mixed $name: Cookie name or an array of parameters :param string $value: Cookie value @@ -295,8 +295,8 @@ Class Reference The prefix is only needed if you need to avoid name collisions with other identically named cookies for your server. - The secure boolean is only needed if you want to make it a secure cookie - by setting it to TRUE. + The *httponly* and *secure* flags, when omitted, will default to your + ``$config['cookie_httponly']`` and ``$config['cookie_secure']`` settings. **Discrete Parameters** diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst index f7604ef00..fc5cba19d 100644 --- a/user_guide_src/source/libraries/security.rst +++ b/user_guide_src/source/libraries/security.rst @@ -40,6 +40,9 @@ browser may attempt to execute. // file failed the XSS test } +.. important:: If you want to filter HTML attribute values, use + :php:func:`html_escape()` instead! + ********************************* Cross-site request forgery (CSRF) ********************************* @@ -101,7 +104,11 @@ Class Reference :rtype: mixed Tries to remove XSS exploits from the input data and returns the cleaned string. - If the optional second parameter is set to true, it will return boolean TRUE if the image is safe to use and FALSE if malicious data was detected in it. + If the optional second parameter is set to true, it will return boolean TRUE if + the image is safe to use and FALSE if malicious data was detected in it. + + .. important:: This method is not suitable for filtering HTML attribute vales! + Use :php:func:`html_escape()` for that instead. .. php:method:: sanitize_filename($str[, $relative_path = FALSE]) @@ -162,4 +169,4 @@ Class Reference Used for generating CSRF and XSS tokens. .. note:: The output is NOT guaranteed to be cryptographically secure, - just the best attempt at that.
\ No newline at end of file + just the best attempt at that. diff --git a/user_guide_src/source/libraries/typography.rst b/user_guide_src/source/libraries/typography.rst index 1d1e4f3c4..9e1386835 100644 --- a/user_guide_src/source/libraries/typography.rst +++ b/user_guide_src/source/libraries/typography.rst @@ -44,7 +44,7 @@ Class Reference $this->load->library('typography'); $this->typography->protect_braced_quotes = TRUE; - .. method auto_typography($str[, $reduce_linebreaks = FALSE]) + .. php:method:: auto_typography($str[, $reduce_linebreaks = FALSE]) :param string $str: Input string :param bool $reduce_linebreaks: Whether to reduce consequitive linebreaks @@ -104,4 +104,4 @@ Class Reference Usage example:: - $string = $this->typography->nl2br_except_pre($string);
\ No newline at end of file + $string = $this->typography->nl2br_except_pre($string); |