-rw-r--r-- | system/core/Common.php | 37 | ||||
-rw-r--r-- | system/database/drivers/mssql/mssql_driver.php | 5 | ||||
-rw-r--r-- | system/database/drivers/oci8/oci8_driver.php | 5 | ||||
-rw-r--r-- | system/database/drivers/odbc/odbc_driver.php | 5 | ||||
-rw-r--r-- | system/libraries/Security.php | 42 | ||||
-rw-r--r-- | user_guide/changelog.html | 3 | ||||
-rw-r--r-- | user_guide/general/common_functions.html | 6 |
7 files changed, 50 insertions, 53 deletions
diff --git a/system/core/Common.php b/system/core/Common.php index 6e2f72509..9dee591e6 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -479,6 +479,43 @@ $_error->log_exception($severity, $message, $filepath, $line); } + // -------------------------------------------------------------------- + + /** + * Remove Invisible Characters + * + * This prevents sandwiching null characters + * between ascii characters, like Java\0script. + * + * @access public + * @param string + * @return string + */ + function remove_invisible_characters($str) + { + static $non_displayables; + + if ( ! isset($non_displayables)) + { + // every control character except newline (dec 10), carriage return (dec 13), and horizontal tab (dec 09), + $non_displayables = array( + '/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15 + '/%1[0-9a-f]/', // url encoded 16-31 + '/[\x00-\x08]/', // 00-08 + '/\x0b/', '/\x0c/', // 11, 12 + '/[\x0e-\x1f]/' // 14-31 + ); + } + + do + { + $cleaned = $str; + $str = preg_replace($non_displayables, '', $str); + } + while ($cleaned != $str); + + return $str; + } /* End of file Common.php */ diff --git a/system/database/drivers/mssql/mssql_driver.php b/system/database/drivers/mssql/mssql_driver.php index 0c74726a2..40900e832 100644 --- a/system/database/drivers/mssql/mssql_driver.php +++ b/system/database/drivers/mssql/mssql_driver.php @@ -260,12 +260,9 @@ class CI_DB_mssql_driver extends CI_DB { return $str; } - - // Access the CI object - $CI =& get_instance(); // Escape single quotes - $str = str_replace("'", "''", $CI->input->_remove_invisible_characters($str)); + $str = str_replace("'", "''", remove_invisible_characters($str)); // escape LIKE condition wildcards if ($like === TRUE) diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php index cd0e09577..6f317d2e6 100644 --- a/system/database/drivers/oci8/oci8_driver.php +++ b/system/database/drivers/oci8/oci8_driver.php 
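Review bot: The URL-encoded patterns `/%0[0-8bcef]/` and `/%1[0-9a-f]/` in the new `$non_displayables` list are now applied to database values as well, because the mssql, oci8 and odbc `escape_str()` hunks in this commit call `remove_invisible_characters($str)` unchanged; a literal `%0a` or `%1f` inside stored data is silently dropped before it reaches the driver, which is data loss rather than escaping. Making the url-encoded set opt-in through a `$url_encoded = TRUE` parameter keeps `xss_clean()` behaviour while letting the drivers pass `FALSE`. The `do`/`while` is still needed, since stripping one `%00` can expose another (`%%0000` becomes `%00`), so a comment saying so would help the next reader, and the loop test should be `!==` because `!=` compares numeric-looking strings by value. Whether this file wraps its functions in `function_exists()` guards is not visible in the hunk; if it does, the new definition should get the same guard.
```php
function remove_invisible_characters($str, $url_encoded = TRUE)
{
	// every control character except newline (dec 10), carriage return (dec 13), and horizontal tab (dec 09)
	$non_displayables = array();

	// only strip the url-encoded forms when the input came from a URL/request context;
	// database values (escape_str) pass FALSE so a literal "%0a" in data survives
	if ($url_encoded)
	{
		$non_displayables[] = '/%0[0-8bcef]/';	// url encoded 00-08, 11, 12, 14, 15
		$non_displayables[] = '/%1[0-9a-f]/';	// url encoded 16-31
	}

	$non_displayables[] = '/[\x00-\x08\x0b\x0c\x0e-\x1f]/';	// 00-08, 11, 12, 14-31

	// loop until stable: removing one encoded sequence can expose another (e.g. %%0000)
	do
	{
		$cleaned = $str;
		$str = preg_replace($non_displayables, '', $str);
	}
	while ($cleaned !== $str);

	return $str;
}
```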
@@ -403,10 +403,7 @@ class CI_DB_oci8_driver extends CI_DB { return $str; } - // Access the CI object - $CI =& get_instance(); - - $str = $CI->input->_remove_invisible_characters($str); + $str = remove_invisible_characters($str); // escape LIKE condition wildcards if ($like === TRUE) diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php index d5df8ef8c..6e682313f 100644 --- a/system/database/drivers/odbc/odbc_driver.php +++ b/system/database/drivers/odbc/odbc_driver.php @@ -271,12 +271,9 @@ class CI_DB_odbc_driver extends CI_DB { return $str; } - - // Access the CI object - $CI =& get_instance(); // ODBC doesn't require escaping - $str = $CI->input->_remove_invisible_characters($str); + $str = remove_invisible_characters($str); // escape LIKE condition wildcards if ($like === TRUE) diff --git a/system/libraries/Security.php b/system/libraries/Security.php index 60adf0a27..cdae50168 100644 --- a/system/libraries/Security.php +++ b/system/libraries/Security.php @@ -198,7 +198,7 @@ class CI_Security { /* * Remove Invisible Characters */ - $str = $this->_remove_invisible_characters($str); + $str = remove_invisible_characters($str); /* * Protect GET variables in URLs @@ -258,7 +258,7 @@ class CI_Security { /* * Remove Invisible Characters Again! */ - $str = $this->_remove_invisible_characters($str); + $str = remove_invisible_characters($str); /* * Convert all tabs to spaces 
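Review bot: Replacing `$this->_remove_invisible_characters($str)` with the global call in both xss_clean() hunks (here and at @@ -258) leaves no method behind for code that reached the old one through `$this->security`, and the @@ -481 hunk deletes it outright; a one-line delegating method, `function _remove_invisible_characters($str) { return remove_invisible_characters($str); }`, would keep the move backward compatible. The driver hunks also replace `$CI->input->_remove_invisible_characters()`, which suggests CI_Input carries its own copy that this commit does not touch; if so, it should delegate to the global function as well so the two pattern lists cannot drift apart. xss_clean() starts and ends outside both hunks.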
@@ -481,44 +481,6 @@ class CI_Security { // -------------------------------------------------------------------- /** - * Remove Invisible Characters - * - * This prevents sandwiching null characters - * between ascii characters, like Java\0script. - * - * @access public - * @param string - * @return string - */ - function _remove_invisible_characters($str) - { - static $non_displayables; - - if ( ! isset($non_displayables)) - { - // every control character except newline (dec 10), carriage return (dec 13), and horizontal tab (dec 09), - $non_displayables = array( - '/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15 - '/%1[0-9a-f]/', // url encoded 16-31 - '/[\x00-\x08]/', // 00-08 - '/\x0b/', '/\x0c/', // 11, 12 - '/[\x0e-\x1f]/' // 14-31 - ); - } - - do - { - $cleaned = $str; - $str = preg_replace($non_displayables, '', $str); - } - while ($cleaned != $str); - - return $str; - } - - // -------------------------------------------------------------------- - - /** * Compact Exploded Words * * Callback function for xss_clean() to remove whitespace from diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 02cf6d06f..5e0f5ae05 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -133,7 +133,8 @@ Hg Tag: </p> <li>Eliminated a call to is_really_writable() on each request unless it is really needed (Output caching)</li> <li>Documented <kbd>append_output()</kbd> in the <a href="libraries/output.html">Output Class</a>.</li> <li>Documented a second argument in the <kbd>decode()</kbd> function for the <a href="libraries/encryption.html">Encryption Class</a>.</li> - <li>Documentd db->close().</li> + <li>Documented db->close().</li> + <li>Moved _remove_invisible_characters() function from the <a href="libraries/security.html">Security Library</a> to <a href="general/common_functions.html">common functions.</a></li> </ul> </li> </ul> 
diff --git a/user_guide/general/common_functions.html b/user_guide/general/common_functions.html index 196e3777e..0e68d1113 100644 --- a/user_guide/general/common_functions.html +++ b/user_guide/general/common_functions.html @@ -99,6 +99,12 @@ else<br /> <p><a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html">See here</a> for a full list of headers.</p> + +<h2>remove_invisible_characters(<var>$str</var>)</h2> +<p>This function prevents inserting null characters between ascii characters, like Java\0script.</p> + + + </div> |