-rwxr-xr-x | system/core/Security.php | 7 | ||||
-rw-r--r-- | system/database/DB_forge.php | 2 | ||||
-rw-r--r-- | tests/codeigniter/libraries/Encrypt_test.php | 34 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 4 | ||||
-rw-r--r-- | user_guide_src/source/libraries/security.rst | 7 |
5 files changed, 23 insertions, 31 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 741ff229b..bb0670500 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -203,9 +203,12 @@ class CI_Security {
 if ($exclude_uris = config_item('csrf_exclude_uris'))
 {
 $uri = load_class('URI', 'core');
- if (in_array($uri->uri_string(), $exclude_uris))
+ foreach ($exclude_uris as $excluded)
 {
- return $this;
+ if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
+ {
+ return $this;
+ }
 }
 }
diff --git a/system/database/DB_forge.php b/system/database/DB_forge.php
index 111546ecc..2dd243cae 100644
--- a/system/database/DB_forge.php
+++ b/system/database/DB_forge.php
@@ -929,7 +929,7 @@ abstract class CI_DB_forge {
 $field['default'] = empty($this->_null) ? '' : $this->_default.$this->_null;
 // Override the NULL attribute if that's our default
- $attributes['NULL'] = NULL;
+ $attributes['NULL'] = TRUE;
 $field['null'] = empty($this->_null) ? '' : ' '.$this->_null;
 }
 else
diff --git a/tests/codeigniter/libraries/Encrypt_test.php b/tests/codeigniter/libraries/Encrypt_test.php
index a08db8ed0..ced763301 100644
--- a/tests/codeigniter/libraries/Encrypt_test.php
+++ b/tests/codeigniter/libraries/Encrypt_test.php
@@ -1,15 +1,21 @@
 <?php
-
+/**
+ * @requires extension mcrypt
+ */
 class Encrypt_test extends CI_TestCase {
 public function set_up()
 {
+ if ( ! extension_loaded('mcrypt'))
+ {
+ return;
+ }
+
 $this->encrypt = new Mock_Libraries_Encrypt();
 $this->ci_instance_var('encrypt', $this->encrypt);
 $this->ci_set_config('encryption_key', "Encryptin'glike@boss!");
 $this->msg = 'My secret message';
- $this->mcrypt = extension_loaded('mcrypt');
 }
 // --------------------------------------------------------------------
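Review bot: On the added preg_match() line `$excluded` is spliced into the pattern unescaped, so an exclusion entry that contains the `#` delimiter or an unbalanced bracket makes the whole pattern invalid, preg_match() returns FALSE, and this `if` treats that exactly like a non-match. That fails closed (the URI stays CSRF-protected), but the misconfiguration is invisible; consider `if (preg_match(...) === FALSE) log_message('error', 'Invalid csrf_exclude_uris pattern: '.$excluded);` before the match test. Existing literal entries are also reinterpreted as regular expressions by this change, so a `.` in an entry now matches any character and anything meant literally needs preg_quote($entry, '#'); the security.rst hunk should say so. PCRE `$` additionally matches before a trailing newline, so `'$#iD'` (the D modifier) is the tighter anchor unless uri_string() is known never to end in one. The enclosing method starts and ends outside the hunk.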
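Review bot: The comment above the changed DB_forge.php line still reads `// Override the NULL attribute if that's our default` and gives no reason why TRUE rather than NULL is the correct value, which is the whole bug being fixed here. Presumably the consumers of $attributes test the key with isset()/empty(), where a NULL value reads as "not set"; that cannot be confirmed from this hunk, so the comment should state whichever it is, e.g. `// Override the NULL attribute if that's our default (TRUE, not NULL: a NULL value would read as "unset" downstream)`. The enclosing method starts and ends outside the hunk.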
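Review bot: The new early `return;` in set_up() leaves `$this->encrypt` and `$this->msg` unassigned when mcrypt is missing, so a runner that does not honour the `@requires extension mcrypt` docblock (a PHPUnit feature; older versions ignore annotations they do not know) would execute the tests against an undefined property instead of skipping them, which is what the per-test guards removed in the later hunks (test_default_cipher, test_set_cipher, test_default_mode, test_set_mode) used to guarantee. Replacing the bare return with `$this->markTestSkipped('MCrypt not available');` keeps the skip explicit under every PHPUnit version while still collapsing the four guards into one. The class body continues outside the hunk.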
@@ -40,12 +46,6 @@ class Encrypt_test extends CI_TestCase {
 public function test_default_cipher()
 {
- if ( ! $this->mcrypt)
- {
- $this->markTestSkipped('MCrypt not available');
- return;
- }
-
 $this->assertEquals('rijndael-256', $this->encrypt->get_cipher());
 }
@@ -53,12 +53,6 @@ class Encrypt_test extends CI_TestCase {
 public function test_set_cipher()
 {
- if ( ! $this->mcrypt)
- {
- $this->markTestSkipped('MCrypt not available');
- return;
- }
-
 $this->encrypt->set_cipher(MCRYPT_BLOWFISH);
 $this->assertEquals('blowfish', $this->encrypt->get_cipher());
 }
@@ -67,12 +61,6 @@ class Encrypt_test extends CI_TestCase {
 public function test_default_mode()
 {
- if ( ! $this->mcrypt)
- {
- $this->markTestSkipped('MCrypt not available');
- return;
- }
-
 $this->assertEquals('cbc', $this->encrypt->get_mode());
 }
@@ -80,12 +68,6 @@ class Encrypt_test extends CI_TestCase {
 public function test_set_mode()
 {
- if ( ! $this->mcrypt)
- {
- $this->markTestSkipped('MCrypt not available');
- return;
- }
-
 $this->encrypt->set_mode(MCRYPT_MODE_CFB);
 $this->assertEquals('cfb', $this->encrypt->get_mode());
 }
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 2ed2275ac..c4360aae4 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -506,8 +506,8 @@ Release Date: Not Released
 - :doc:`Security Library <libraries/security>` changes include:
 - Added method ``strip_image_tags()``.
- - Added ``$config['csrf_regeneration']``, which makes token regeneration optional.
- - Added ``$config['csrf_exclude_uris']``, which allows you list URIs which will not have the CSRF validation methods run.
+ - Added ``$config['csrf_regeneration']``, which makes CSRF token regeneration optional.
+ - Added ``$config['csrf_exclude_uris']``, allowing for exclusion of URIs from the CSRF protection (regular expressions are supported).
 - Modified method ``sanitize_filename()`` to read a public ``$filename_bad_chars`` property for getting the invalid characters list.
 - Return status code of 403 instead of a 500 if CSRF protection is enabled but a token is missing from a request.
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index fb875a0d9..c8d69d16f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -97,6 +97,13 @@ by editing the 'csrf_exclude_uris' config parameter::
 $config['csrf_exclude_uris'] = array('api/person/add');
+Regular expressions are also supported (case-insensitive)::
+
+ $config['csrf_exclude_uris'] = array(
+ 'api/record/[0-9]+',
+ 'api/title/[a-z]+'
+ );
+
 ***************
 Class Reference
 ***************