summaryrefslogtreecommitdiffstats
path: root/system/core/Security.php
diff options
context:
space:
mode:
Diffstat (limited to 'system/core/Security.php')
-rw-r--r--system/core/Security.php43
1 files changed, 10 insertions, 33 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index d1d4f8432..aac308194 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -169,10 +169,12 @@ class CI_Security {
*
* @return void
*/
- public function __construct()
+ public function __construct($charset)
{
+ $this->charset = $charset;
+
// Is CSRF protection enabled?
- if (config_item('csrf_protection'))
+ if (config_item('csrf_protection') && ! is_cli())
{
// CSRF config
foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
@@ -191,10 +193,9 @@ class CI_Security {
// Set the CSRF hash
$this->_csrf_set_hash();
+ $this->csrf_verify();
}
- $this->charset = strtoupper((string) config_item('charset'));
-
log_message('info', 'Security Class Initialized');
}
@@ -659,7 +660,7 @@ class CI_Security {
if (is_readable('/dev/urandom') && ($fp = fopen('/dev/urandom', 'rb')) !== FALSE)
{
// Try not to waste entropy ...
- is_php('5.4') && stream_set_chunk_size($fp, $length);
+ stream_set_chunk_size($fp, $length);
$output = fread($fp, $length);
fclose($fp);
if ($output !== FALSE)
@@ -689,7 +690,7 @@ class CI_Security {
* correctly. html_entity_decode() does not convert entities without
* semicolons, so we are left with our own little solution here. Bummer.
*
- * @link http://php.net/html-entity-decode
+ * @link https://secure.php.net/html-entity-decode
*
* @param string $str Input
* @param string $charset Character set
@@ -704,26 +705,8 @@ class CI_Security {
static $_entities;
- isset($charset) OR $charset = $this->charset;
- $flag = is_php('5.4')
- ? ENT_COMPAT | ENT_HTML5
- : ENT_COMPAT;
-
- if ( ! isset($_entities))
- {
- $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, $flag, $charset));
-
- // If we're not on PHP 5.4+, add the possibly dangerous HTML 5
- // entities to the array manually
- if ($flag === ENT_COMPAT)
- {
- $_entities[':'] = ':';
- $_entities['('] = '(';
- $_entities[')'] = ')';
- $_entities["\n"] = '
';
- $_entities["\t"] = '	';
- }
- }
+ isset($charset) OR $charset = $this->charset;
+ isset($_entities) OR $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, ENT_COMPAT | ENT_HTML5, $charset));
do
{
@@ -748,14 +731,9 @@ class CI_Security {
// Decode numeric & UTF16 two byte entities
$str = html_entity_decode(
preg_replace('/(&#(?:x0*[0-9a-f]{2,5}(?![0-9a-f;])|(?:0*\d{2,4}(?![0-9;]))))/iS', '$1;', $str),
- $flag,
+ ENT_COMPAT | ENT_HTML5,
$charset
);
-
- if ($flag === ENT_COMPAT)
- {
- $str = str_replace(array_values($_entities), array_keys($_entities), $str);
- }
}
while ($str_compare !== $str);
return $str;
@@ -1107,5 +1085,4 @@ class CI_Security {
return $this->_csrf_hash;
}
-
}