diff options
-rwxr-xr-x | system/core/Input.php | 17 | ||||
-rwxr-xr-x | system/core/Security.php | 4 | ||||
-rw-r--r-- | system/helpers/captcha_helper.php | 13 | ||||
-rw-r--r-- | system/libraries/Form_validation.php | 20 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 3 | ||||
-rw-r--r-- | user_guide_src/source/libraries/input.rst | 16 |
6 files changed, 50 insertions, 23 deletions
diff --git a/system/core/Input.php b/system/core/Input.php index ee15f4013..5a4659a5a 100755 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -699,6 +699,23 @@ class CI_Input { return (php_sapi_name() === 'cli' OR defined('STDIN')); } + // -------------------------------------------------------------------- + + /** + * Get Request Method + * + * Return the Request Method + * + * @param bool uppercase or lowercase + * @return bool + */ + public function method($upper = FALSE) + { + return ($upper) + ? strtoupper($this->server('REQUEST_METHOD')) + : strtolower($this->server('REQUEST_METHOD')); + } + } /* End of file Input.php */ diff --git a/system/core/Security.php b/system/core/Security.php index 6f25fb5bb..2bffa41b7 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -138,8 +138,8 @@ class CI_Security { */ public function csrf_verify() { - // If no POST data exists we will set the CSRF cookie - if (count($_POST) === 0) + // If it's not a POST request we will set the CSRF cookie + if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') { return $this->csrf_set_cookie(); } diff --git a/system/helpers/captcha_helper.php b/system/helpers/captcha_helper.php index 668b034d4..4a48df27e 100644 --- a/system/helpers/captcha_helper.php +++ b/system/helpers/captcha_helper.php @@ -5,9 +5,9 @@ * An open source application development framework for PHP 5.1.6 or newer * * NOTICE OF LICENSE - * + * * Licensed under the Open Software License version 3.0 - * + * * This source file is subject to the Open Software License (OSL 3.0) that is * bundled with this package in the files license.txt / license.rst. It is * also available through the world wide web at this URL: @@ -94,16 +94,15 @@ if ( ! function_exists('create_captcha')) // Remove old images // ----------------------------------- - list($usec, $sec) = explode(" ", microtime()); - $now = ((float)$usec + (float)$sec); + $now = microtime(TRUE); $current_dir = @opendir($img_path); while ($filename = @readdir($current_dir)) { - if ($filename != "." and $filename != ".." and $filename != "index.html") + if ($filename != '.' && $filename != '..' && $filename != 'index.html') { - $name = str_replace(".jpg", "", $filename); + $name = str_replace('.jpg', '', $filename); if (($name + $expiration) < $now) { @@ -198,7 +197,7 @@ if ( ! function_exists('create_captcha')) // Write the text // ----------------------------------- - $use_font = ($font_path != '' AND file_exists($font_path) AND function_exists('imagettftext')) ? TRUE : FALSE; + $use_font = ($font_path != '' && file_exists($font_path) && function_exists('imagettftext')) ? TRUE : FALSE; if ($use_font == FALSE) { diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php index 3e16d69ed..7e8cac6b0 100644 --- a/system/libraries/Form_validation.php +++ b/system/libraries/Form_validation.php @@ -77,7 +77,7 @@ class CI_Form_validation { mb_internal_encoding($this->CI->config->item('charset')); } - log_message('debug', "Form Validation Class Initialized"); + log_message('debug', 'Form Validation Class Initialized'); } // -------------------------------------------------------------------- @@ -96,7 +96,7 @@ class CI_Form_validation { { // No reason to set rules if we have no POST data // or a validation array has not been specified - if (count($_POST) === 0 && count($this->validation_data) === 0) + if ($this->CI->input->method() !== 'post' && empty($this->validation_data)) { return $this; } @@ -177,9 +177,9 @@ class CI_Form_validation { * * If an array is set through this method, then this array will * be used instead of the $_POST array - * - * Note that if you are validating multiple arrays, then the - * reset_validation() function should be called after validating + * + * Note that if you are validating multiple arrays, then the + * reset_validation() function should be called after validating * each array due to the limitations of CI's singleton * * @param array $data @@ -1168,15 +1168,14 @@ class CI_Form_validation { } // -------------------------------------------------------------------- - + /** * Equal to or Greater than * - * @access public * @param string * @return bool */ - function greater_than_equal_to($str, $min) + public function greater_than_equal_to($str, $min) { if ( ! is_numeric($str)) { @@ -1207,11 +1206,10 @@ class CI_Form_validation { /** * Equal to or Less than * - * @access public * @param string * @return bool */ - function less_than_equal_to($str, $max) + public function less_than_equal_to($str, $max) { if ( ! is_numeric($str)) { @@ -1363,7 +1361,7 @@ class CI_Form_validation { * Prevents subsequent validation routines from being affected by the * results of any previous validation routine due to the CI singleton. * - * @return void + * @return void */ public function reset_validation() { diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index ed151bfdb..a21ef2531 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -98,6 +98,7 @@ Release Date: Not Released - Added method get_vars() to CI_Loader to retrieve all variables loaded with $this->load->vars(). - is_loaded() function from system/core/Commons.php now returns a reference. - $config['rewrite_short_tags'] now has no effect when using PHP 5.4 as *<?=* will always be available. + - Added method() to CI_Input to retrieve $_SERVER['REQUEST_METHOD']. Bug fixes for 3.0 ------------------ @@ -147,6 +148,8 @@ Bug fixes for 3.0 - Fixed a bug in Oracle's DB_result class where the cursor id passed to it was always NULL. - Fixed a bug (#64) - Regular expression in DB_active_rec.php failed to handle queries containing SQL bracket delimiters in the join condition. - Fixed a bug in the :doc:`Session Library <libraries/sessions>` where a PHP E_NOTICE error was triggered by _unserialize() due to results from databases such as MSSQL and Oracle being space-padded on the right. +- Fixed a bug (#501) - set_rules() to check if the request method is not 'POST' before aborting, instead of depending on count($_POST) in the :doc:`Form Validation Library <libraries/form_validation>`. +- Fixed a bug (#940) - csrf_verify() used to set the CSRF cookie while processing a POST request with no actual POST data, which resulted in validating a request that should be considered invalid. Version 2.1.1 ============= diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst index bcf117358..1f2ea650a 100644 --- a/user_guide_src/source/libraries/input.rst +++ b/user_guide_src/source/libraries/input.rst @@ -99,7 +99,7 @@ The function returns FALSE (boolean) if there are no items in the POST. :: - $this->input->post(NULL, TRUE); // returns all POST items with XSS filter + $this->input->post(NULL, TRUE); // returns all POST items with XSS filter $this->input->post(); // returns all POST items without XSS filter $this->input->get() @@ -119,9 +119,9 @@ The function returns FALSE (boolean) if there are no items in the GET. :: - $this->input->get(NULL, TRUE); // returns all GET items with XSS filter + $this->input->get(NULL, TRUE); // returns all GET items with XSS filter $this->input->get(); // returns all GET items without XSS filtering - + $this->input->get_post() ========================= @@ -298,3 +298,13 @@ see if PHP is being run on the command line. $this->input->is_cli_request() +$this->input->method(); +===================================== + +Returns the $_SERVER['REQUEST_METHOD'], optional set uppercase or lowercase (default lowercase). + +:: + + echo $this->input->method(TRUE); // Outputs: POST + echo $this->input->method(FALSE); // Outputs: post + echo $this->input->method(); // Outputs: post |