7 files changed, 76 insertions, 15 deletions
diff --git a/application/config/config.php b/application/config/config.php
index 7554f994a..880393c29 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -296,11 +296,13 @@ $config['global_xss_filtering'] = FALSE;
 | 'csrf_token_name' = The token name
 | 'csrf_cookie_name' = The cookie name
 | 'csrf_expire' = The number in seconds the token should expire.
+| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
 */
 $config['csrf_protection'] = FALSE;
 $config['csrf_token_name'] = 'csrf_test_name';
 $config['csrf_cookie_name'] = 'csrf_cookie_name';
 $config['csrf_expire'] = 7200;
+$config['csrf_exclude_uris'] = array();
 
 /*
 |--------------------------------------------------------------------------
diff --git a/application/config/mimes.php b/application/config/mimes.php
index 82767d7c8..90a1d18bb 100644
--- a/application/config/mimes.php
+++ b/application/config/mimes.php
@@ -8,10 +8,10 @@
 |
 */
 
-$mimes = array(	'hqx'	=>	'application/mac-binhex40',
+$mimes = array('hqx'   =>      array('application/mac-binhex40', 'application/mac-binhex', 'application/x-binhex40', 'application/x-mac-binhex40'),
 				'cpt'	=>	'application/mac-compactpro',
 				'csv'	=>	array('text/x-comma-separated-values', 'text/comma-separated-values', 'application/octet-stream', 'application/vnd.ms-excel', 'application/x-csv', 'text/x-csv', 'text/csv', 'application/csv', 'application/excel', 'application/vnd.msexcel'),
-				'bin'	=>	'application/macbinary',
+				'bin'	=>	array('application/macbinary', 'application/mac-binary', 'application/octet-stream', 'application/x-binary', 'application/x-macbinary'),
 				'dms'	=>	'application/octet-stream',
 				'lha'	=>	'application/octet-stream',
 				'lzh'	=>	'application/octet-stream',
@@ -39,6 +39,7 @@ $mimes = array(	'hqx'	=>	'application/mac-binhex40',
 				'dvi'	=>	'application/x-dvi',
 				'gtar'	=>	'application/x-gtar',
 				'gz'	=>	'application/x-gzip',
+				'gzip'  =>	'application/x-gzip',
 				'php'	=>	'application/x-httpd-php',
 				'php4'	=>	'application/x-httpd-php',
 				'php3'	=>	'application/x-httpd-php',
@@ -51,14 +52,14 @@ $mimes = array(	'hqx'	=>	'application/mac-binhex40',
 				'tgz'	=>	array('application/x-tar', 'application/x-gzip-compressed'),
 				'xhtml'	=>	'application/xhtml+xml',
 				'xht'	=>	'application/xhtml+xml',
-				'zip'	=>  array('application/x-zip', 'application/zip', 'application/x-zip-compressed'),
+				'zip'	=>	array('application/x-zip', 'application/zip', 'application/x-zip-compressed'),
 				'mid'	=>	'audio/midi',
 				'midi'	=>	'audio/midi',
 				'mpga'	=>	'audio/mpeg',
 				'mp2'	=>	'audio/mpeg',
 				'mp3'	=>	array('audio/mpeg', 'audio/mpg', 'audio/mpeg3', 'audio/mp3'),
-				'aif'	=>	'audio/x-aiff',
-				'aiff'	=>	'audio/x-aiff',
+				'aif'	=>	array('audio/x-aiff', 'audio/aiff'),
+				'aiff'	=>	array('audio/x-aiff', 'audio/aiff'),
 				'aifc'	=>	'audio/x-aiff',
 				'ram'	=>	'audio/x-pn-realaudio',
 				'rm'	=>	'audio/x-pn-realaudio',
@@ -66,7 +67,7 @@ $mimes = array(	'hqx'	=>	'application/mac-binhex40',
 				'ra'	=>	'audio/x-realaudio',
 				'rv'	=>	'video/vnd.rn-realvideo',
 				'wav'	=>	'audio/x-wav',
-				'bmp'	=>	'image/bmp',
+				'bmp'	=>	array('image/bmp', 'image/x-windows-bmp'),
 				'gif'	=>	'image/gif',
 				'jpeg'	=>	array('image/jpeg', 'image/pjpeg'),
 				'jpg'	=>	array('image/jpeg', 'image/pjpeg'),
@@ -90,7 +91,7 @@ $mimes = array(	'hqx'	=>	'application/mac-binhex40',
 				'mpe'	=>	'video/mpeg',
 				'qt'	=>	'video/quicktime',
 				'mov'	=>	'video/quicktime',
-				'avi'	=>	'video/x-msvideo',
+				'avi'	=>	array('video/x-msvideo', 'video/msvideo', 'video/avi', 'application/x-troff-msvideo'),
 				'movie'	=>	'video/x-sgi-movie',
 				'doc'	=>	'application/msword',
 				'docx'	=>	'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
@@ -98,7 +99,40 @@ $mimes = array(	'hqx'	=>	'application/mac-binhex40',
 				'word'	=>	array('application/msword', 'application/octet-stream'),
 				'xl'	=>	'application/excel',
 				'eml'	=>	'message/rfc822',
-				'json' => array('application/json', 'text/json')
+				'json'  =>	array('application/json', 'text/json'),
+				'pem'   =>	array('application/x-x509-user-cert', 'application/x-pem-file', 'application/octet-stream'),
+				'p10'   =>	array('application/x-pkcs10', 'application/pkcs10'),
+				'p12'   =>	'application/x-pkcs12',
+				'p7a'   =>	'application/x-pkcs7-signature',
+				'p7c'   =>	array('application/pkcs7-mime', 'application/x-pkcs7-mime'),
+				'p7m'   =>	array('application/pkcs7-mime', 'application/x-pkcs7-mime'),
+				'p7r'   =>	'application/x-pkcs7-certreqresp',
+				'p7s'   =>	'application/pkcs7-signature',
+				'crt'   =>	array('application/x-x509-ca-cert', 'application/x-x509-user-cert', 'application/pkix-cert'),
+				'crl'   =>	array('application/pkix-crl', 'application/pkcs-crl'),
+				'der'   =>	'application/x-x509-ca-cert',
+				'kdb'   =>	'application/octet-stream',
+				'pgp'   =>	'application/pgp',
+				'gpg'   =>	'application/gpg-keys',
+				'sst'   =>	'application/octet-stream',
+				'csr'   =>	'application/octet-stream',
+				'rsa'   =>	'application/x-pkcs7',
+				'cer'   =>	array('application/pkix-cert', 'application/x-x509-ca-cert'),
+				'3g2'   =>	'video/3gpp2',
+				'3gp'   =>	'video/3gp',
+				'mp4'   =>	'video/mp4',
+				'm4a'   =>	'audio/x-m4a',
+				'f4v'   =>	'video/mp4',
+				'aac'   =>	'audio/x-acc',
+				'm4u'   =>	'application/vnd.mpegurl',
+				'm3u'   =>	'text/plain',
+				'xspf'  =>	'application/xspf+xml',
+				'vlc'   =>	'application/videolan',
+				'wmv'   =>	'video/x-ms-wmv',
+				'au'    =>	'audio/x-au',
+				'ac3'   =>	'audio/ac3',
+				'flac'  =>	'audio/x-flac',
+				'ogg'   =>	'audio/ogg',
 			);
 
 
diff --git a/readme.md b/readme.md
index dfcf856f2..be807dbea 100644
--- a/readme.md
+++ b/readme.md
@@ -6,5 +6,6 @@ CodeIgniter is an Application Development Framework - a toolkit - for people who
 
  * [User Guide](http://codeigniter.com/user_guide/)
  * [Community Forums](http://codeigniter.com/forums/)
+ * [User Voice](http://codeigniter.uservoice.com/forums/40508-codeigniter-reactor)
  * [Community Wiki](http://codeigniter.com/wiki/)
  * [Community IRC](http://webchat.freenode.net/?channels=codeigniter&uio=d4)
 \ No newline at end of file
diff --git a/system/core/Loader.php b/system/core/Loader.php
index 452dc0b4c..de0fc06d2 100755
--- a/system/core/Loader.php
+++ b/system/core/Loader.php
@@ -1106,7 +1106,7 @@ class CI_Loader {
 	 * @param	array
 	 * @return	void
 	 */
-	private function _ci_autoloader()
+	protected function _ci_autoloader()
 	{
 		if (defined('ENVIRONMENT') AND file_exists(APPPATH.'config/'.ENVIRONMENT.'/autoload.php'))
 		{
diff --git a/system/core/Security.php b/system/core/Security.php
index dcc680a11..342455f27 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -33,6 +33,7 @@ class CI_Security {
 	 * @access protected
 	 */
 	protected $_xss_hash			= '';
+	
 	/**
 	 * Random Hash for Cross Site Request Forgery Protection Cookie
 	 *
@@ -40,6 +41,7 @@ class CI_Security {
 	 * @access protected
 	 */
 	protected $_csrf_hash			= '';
+	
 	/**
 	 * Expiration time for Cross Site Request Forgery Protection Cookie
 	 * Defaults to two hours (in seconds)
@@ -48,6 +50,7 @@ class CI_Security {
 	 * @access protected
 	 */
 	protected $_csrf_expire			= 7200;
+	
 	/**
 	 * Token name for Cross Site Request Forgery Protection Cookie
 	 *
@@ -55,6 +58,7 @@ class CI_Security {
 	 * @access protected
 	 */
 	protected $_csrf_token_name		= 'ci_csrf_token';
+	
 	/**
 	 * Cookie name for Cross Site Request Forgery Protection Cookie
 	 *
@@ -62,12 +66,14 @@ class CI_Security {
 	 * @access protected
 	 */
 	protected $_csrf_cookie_name	= 'ci_csrf_token';
+	
 	/**
 	 * List of never allowed strings
 	 *
 	 * @var array
 	 * @access protected
 	 */
+	
 	protected $_never_allowed_str = array(
 					'document.cookie'	=> '[removed]',
 					'document.write'	=> '[removed]',
@@ -80,7 +86,6 @@ class CI_Security {
 					'<![CDATA['			=> '&lt;![CDATA['
 	);
 
-	/* never allowed, regex replacement */
 	/**
 	 * List of never allowed regex replacement
 	 *
@@ -134,6 +139,16 @@ class CI_Security {
 		{
 			return $this->csrf_set_cookie();
 		}
+		
+		// Check if URI has been whitelisted from CSRF checks
+		if ($exclude_uris = config_item('csrf_exclude_uris'))
+		{
+			$uri = load_class('URI', 'core');
+			if (in_array($uri->uri_string(), $exclude_uris))
+			{
+				return $this;
+			}
+		}
 
 		// Do the tokens exist in both the _POST and _COOKIE arrays?
 		if ( ! isset($_POST[$this->_csrf_token_name]) OR
@@ -156,9 +171,9 @@ class CI_Security {
 		unset($_COOKIE[$this->_csrf_cookie_name]);
 		$this->_csrf_set_hash();
 		$this->csrf_set_cookie();
-
-		log_message('debug', "CSRF token verified ");
-
+		
+		log_message('debug', "CSRF token verified");
+		
 		return $this;
 	}
 
@@ -869,7 +884,6 @@ class CI_Security {
 	}
 
 }
-// END Security Class
 
 /* End of file Security.php */
-/* Location: ./system/libraries/Security.php */
+/* Location: ./system/libraries/Security.php */
+\ No newline at end of file
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index d095c2f5f..6a76a4fd0 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -91,6 +91,7 @@ Change Log
 			<li class="reactor">Added a <a href="libraries/migration.html">Migration Library</a> to assist with applying incremental updates to your database schema.</li>
 			<li class="reactor">Driver children can be located in any package path.</li>
 			<li class="reactor">Added max_filename_increment config setting for Upload library.</li>
+			<li><samp>CI_Loader::_ci_autoloader()</samp> is now a protected method.</li>
 		</ul>
 	</li>
 </ul>
@@ -125,7 +126,13 @@ Change Log
 			<li>Visual updates to the welcome_message view file and default error templates. Thanks to <a href="https://bitbucket.org/danijelb">danijelb</a> for the pull request.</li>
 			<li class="reactor">Added <samp>insert_batch()</samp> function to the PostgreSQL database driver.  Thanks to epallerols for the patch.</li>
 			<li class="reactor">Added "application/x-csv" to mimes.php.</li>
+			<li class="reactor">Added CSRF protection URI whitelisting.</li>
 			<li>Fixed a bug where <a href="libraries/email.html">Email library</a> attachments with a "." in the name would using invalid MIME-types.</li>
+            <li>Added support for pem,p10,p12,p7a,p7c,p7m,p7r,p7s,crt,crl,der,kdb,rsa,cer,sst,csr Certs to mimes.php.</li>
+            <li>Added support pgp,gpg to mimes.php.</li>
+            <li>Added support 3gp, 3g2, mp4, wmv, f4v, vlc Video files to mimes.php.</li>
+            <li>Added support m4a, aac, m4u, xspf, au, ac3, flac, ogg Audio files to mimes.php.</li>
+
 		</ul>
 	</li>
 	<li>Helpers
diff --git a/user_guide/libraries/security.html b/user_guide/libraries/security.html
index dd62a4386..cbe12d852 100644
--- a/user_guide/libraries/security.html
+++ b/user_guide/libraries/security.html
@@ -116,6 +116,9 @@ Note: This function should only be used to deal with data upon submission. It's
 
 <p>If you use the <a href="../helpers/form_helper.html">form helper</a> the <var>form_open()</var> function will automatically insert a hidden csrf field in your forms.</p>
 
+<p>Select URIs can be whitelisted from csrf protection (for example API endpoints expecting externally POSTed content). You can add these URIs by editing the 'csrf_exclude_uris' config parameter:</p>
+<code>$config['csrf_exclude_uris'] = array('api/person/add');</code>
+
 </div>
 <!-- END CONTENT -->