diff options
Diffstat (limited to 'system/core/Security.php')
-rw-r--r-- | system/core/Security.php | 43 |
1 files changed, 10 insertions, 33 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index d1d4f8432..aac308194 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -169,10 +169,12 @@ class CI_Security { * * @return void */ - public function __construct() + public function __construct($charset) { + $this->charset = $charset; + // Is CSRF protection enabled? - if (config_item('csrf_protection')) + if (config_item('csrf_protection') && ! is_cli()) { // CSRF config foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key) @@ -191,10 +193,9 @@ class CI_Security { // Set the CSRF hash $this->_csrf_set_hash(); + $this->csrf_verify(); } - $this->charset = strtoupper((string) config_item('charset')); - log_message('info', 'Security Class Initialized'); } @@ -659,7 +660,7 @@ class CI_Security { if (is_readable('/dev/urandom') && ($fp = fopen('/dev/urandom', 'rb')) !== FALSE) { // Try not to waste entropy ... - is_php('5.4') && stream_set_chunk_size($fp, $length); + stream_set_chunk_size($fp, $length); $output = fread($fp, $length); fclose($fp); if ($output !== FALSE) @@ -689,7 +690,7 @@ class CI_Security { * correctly. html_entity_decode() does not convert entities without * semicolons, so we are left with our own little solution here. Bummer. * - * @link http://php.net/html-entity-decode + * @link https://secure.php.net/html-entity-decode * * @param string $str Input * @param string $charset Character set @@ -704,26 +705,8 @@ class CI_Security { static $_entities; - isset($charset) OR $charset = $this->charset; - $flag = is_php('5.4') - ? ENT_COMPAT | ENT_HTML5 - : ENT_COMPAT; - - if ( ! isset($_entities)) - { - $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, $flag, $charset)); - - // If we're not on PHP 5.4+, add the possibly dangerous HTML 5 - // entities to the array manually - if ($flag === ENT_COMPAT) - { - $_entities[':'] = ':'; - $_entities['('] = '('; - $_entities[')'] = ')'; - $_entities["\n"] = '
'; - $_entities["\t"] = '	'; - } - } + isset($charset) OR $charset = $this->charset; + isset($_entities) OR $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, ENT_COMPAT | ENT_HTML5, $charset)); do { @@ -748,14 +731,9 @@ class CI_Security { // Decode numeric & UTF16 two byte entities $str = html_entity_decode( preg_replace('/(&#(?:x0*[0-9a-f]{2,5}(?![0-9a-f;])|(?:0*\d{2,4}(?![0-9;]))))/iS', '$1;', $str), - $flag, + ENT_COMPAT | ENT_HTML5, $charset ); - - if ($flag === ENT_COMPAT) - { - $str = str_replace(array_values($_entities), array_keys($_entities), $str); - } } while ($str_compare !== $str); return $str; @@ -1107,5 +1085,4 @@ class CI_Security { return $this->_csrf_hash; } - } |