diff options
Diffstat (limited to 'system/core')
| -rw-r--r-- | system/core/CodeIgniter.php | 2 | ||||
| -rw-r--r-- | system/core/Common.php | 2 | ||||
| -rw-r--r-- | system/core/Hooks.php | 2 | ||||
| -rw-r--r-- | system/core/Loader.php | 7 | ||||
| -rw-r--r-- | system/core/Router.php | 2 | ||||
| -rw-r--r-- | system/core/URI.php | 15 | ||||
| -rw-r--r-- | system/core/compat/hash.php | 51 |
7 files changed, 64 insertions, 17 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index d830c1829..ddf322749 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - define('CI_VERSION', '3.0-dev'); + define('CI_VERSION', '3.0.1-dev'); /* * ------------------------------------------------------ diff --git a/system/core/Common.php b/system/core/Common.php index f28272b5b..a96828e96 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -181,7 +181,7 @@ if ( ! function_exists('load_class')) // Did we find the class? if ($name === FALSE) { - // Note: We use exit() rather then show_error() in order to avoid a + // Note: We use exit() rather than show_error() in order to avoid a // self-referencing loop with the Exceptions class set_status_header(503); echo 'Unable to locate the specified class: '.$class.'.php'; diff --git a/system/core/Hooks.php b/system/core/Hooks.php index 08479b133..3b4fb2250 100644 --- a/system/core/Hooks.php +++ b/system/core/Hooks.php @@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @subpackage Libraries * @category Libraries * @author EllisLab Dev Team - * @link http://codeigniter.com/user_guide/libraries/encryption.html + * @link http://codeigniter.com/user_guide/general/hooks.html */ class CI_Hooks { diff --git a/system/core/Loader.php b/system/core/Loader.php index 254ad0d6d..9205ad1b6 100644 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -1118,7 +1118,7 @@ class CI_Loader { } else { - log_message('debug', APPPATH.'libraries/'.$file_path.$subclass.'.php exists, but does not declare '.$subclass); + log_message('debug', $path.' exists, but does not declare '.$subclass); } } } @@ -1307,10 +1307,7 @@ class CI_Loader { } // Load all other libraries - foreach ($autoload['libraries'] as $item) - { - $this->library($item); - } + $this->library($autoload['libraries']); } // Autoload models diff --git a/system/core/Router.php b/system/core/Router.php index eb3da2285..f91d3f6ec 100644 --- a/system/core/Router.php +++ b/system/core/Router.php @@ -493,7 +493,7 @@ class CI_Router { * Set directory name * * @param string $dir Directory name - * @param bool $appent Whether we're appending rather then setting the full value + * @param bool $appent Whether we're appending rather than setting the full value * @return void */ public function set_directory($dir, $append = FALSE) diff --git a/system/core/URI.php b/system/core/URI.php index e96749456..2211e3665 100644 --- a/system/core/URI.php +++ b/system/core/URI.php @@ -205,13 +205,16 @@ class CI_URI { $query = isset($uri['query']) ? $uri['query'] : ''; $uri = isset($uri['path']) ? $uri['path'] : ''; - if (strpos($uri, $_SERVER['SCRIPT_NAME']) === 0) + if (isset($_SERVER['SCRIPT_NAME'][0])) { - $uri = (string) substr($uri, strlen($_SERVER['SCRIPT_NAME'])); - } - elseif (strpos($uri, dirname($_SERVER['SCRIPT_NAME'])) === 0) - { - $uri = (string) substr($uri, strlen(dirname($_SERVER['SCRIPT_NAME']))); + if (strpos($uri, $_SERVER['SCRIPT_NAME']) === 0) + { + $uri = (string) substr($uri, strlen($_SERVER['SCRIPT_NAME'])); + } + elseif (strpos($uri, dirname($_SERVER['SCRIPT_NAME'])) === 0) + { + $uri = (string) substr($uri, strlen(dirname($_SERVER['SCRIPT_NAME']))); + } } // This section ensures that even on servers that require the URI to be in the query string (Nginx) a correct diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 477535dca..15954559c 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -174,9 +174,56 @@ if ( ! function_exists('hash_pbkdf2')) } $hash_length = strlen(hash($algo, NULL, TRUE)); - if (empty($length)) + empty($length) && $length = $hash_length; + + // Pre-hash password inputs longer than the algorithm's block size + // (i.e. prepare HMAC key) to mitigate potential DoS attacks. + static $block_sizes; + empty($block_sizes) && $block_sizes = array( + 'gost' => 32, + 'haval128,3' => 128, + 'haval160,3' => 128, + 'haval192,3' => 128, + 'haval224,3' => 128, + 'haval256,3' => 128, + 'haval128,4' => 128, + 'haval160,4' => 128, + 'haval192,4' => 128, + 'haval224,4' => 128, + 'haval256,4' => 128, + 'haval128,5' => 128, + 'haval160,5' => 128, + 'haval192,5' => 128, + 'haval224,5' => 128, + 'haval256,5' => 128, + 'md2' => 16, + 'md4' => 64, + 'md5' => 64, + 'ripemd128' => 64, + 'ripemd160' => 64, + 'ripemd256' => 64, + 'ripemd320' => 64, + 'salsa10' => 64, + 'salsa20' => 64, + 'sha1' => 64, + 'sha224' => 64, + 'sha256' => 64, + 'sha384' => 128, + 'sha512' => 128, + 'snefru' => 32, + 'snefru256' => 32, + 'tiger128,3' => 64, + 'tiger160,3' => 64, + 'tiger192,3' => 64, + 'tiger128,4' => 64, + 'tiger160,4' => 64, + 'tiger192,4' => 64, + 'whirlpool' => 64 + ); + + if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo]) { - $length = $hash_length; + $password = hash($algo, $password, TRUE); } $hash = ''; |