diff options
Diffstat (limited to 'system/core')
| -rw-r--r-- | system/core/CodeIgniter.php | 2 | ||||
| -rw-r--r-- | system/core/Common.php | 8 | ||||
| -rw-r--r-- | system/core/Hooks.php | 2 | ||||
| -rw-r--r-- | system/core/Input.php | 18 | ||||
| -rw-r--r-- | system/core/Loader.php | 7 | ||||
| -rw-r--r-- | system/core/Output.php | 2 | ||||
| -rw-r--r-- | system/core/Router.php | 4 | ||||
| -rw-r--r-- | system/core/Security.php | 2 | ||||
| -rw-r--r-- | system/core/URI.php | 15 | ||||
| -rw-r--r-- | system/core/compat/hash.php | 51 |
10 files changed, 85 insertions, 26 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index d830c1829..ddf322749 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - define('CI_VERSION', '3.0-dev'); + define('CI_VERSION', '3.0.1-dev'); /* * ------------------------------------------------------ diff --git a/system/core/Common.php b/system/core/Common.php index f28272b5b..b850fd39a 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -181,7 +181,7 @@ if ( ! function_exists('load_class')) // Did we find the class? if ($name === FALSE) { - // Note: We use exit() rather then show_error() in order to avoid a + // Note: We use exit() rather than show_error() in order to avoid a // self-referencing loop with the Exceptions class set_status_header(503); echo 'Unable to locate the specified class: '.$class.'.php'; @@ -506,6 +506,9 @@ if ( ! function_exists('set_status_header')) { is_int($code) OR $code = (int) $code; $stati = array( + 100 => 'Continue', + 101 => 'Switching Protocols', + 200 => 'OK', 201 => 'Created', 202 => 'Accepted', @@ -524,6 +527,7 @@ if ( ! function_exists('set_status_header')) 400 => 'Bad Request', 401 => 'Unauthorized', + 402 => 'Payment Required', 403 => 'Forbidden', 404 => 'Not Found', 405 => 'Method Not Allowed', @@ -745,7 +749,7 @@ if ( ! function_exists('html_escape')) { return $var; } - + if (is_array($var)) { return array_map('html_escape', $var, array_fill(0, count($var), $double_encode)); diff --git a/system/core/Hooks.php b/system/core/Hooks.php index 08479b133..3b4fb2250 100644 --- a/system/core/Hooks.php +++ b/system/core/Hooks.php @@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @subpackage Libraries * @category Libraries * @author EllisLab Dev Team - * @link http://codeigniter.com/user_guide/libraries/encryption.html + * @link http://codeigniter.com/user_guide/general/hooks.html */ class CI_Hooks { diff --git a/system/core/Input.php b/system/core/Input.php index 12332cf51..b0bbb7b8d 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -799,19 +799,27 @@ class CI_Input { */ public function get_request_header($index, $xss_clean = FALSE) { - if (empty($this->headers)) + static $headers; + + if ( ! isset($headers)) { - $this->request_headers(); + empty($this->headers) OR $this->request_headers(); + foreach ($this->headers as $key => $value) + { + $headers[strtolower($key)] = $value; + } } - if ( ! isset($this->headers[$index])) + $index = strtolower($index); + + if ( ! isset($headers[$index])) { return NULL; } return ($xss_clean === TRUE) - ? $this->security->xss_clean($this->headers[$index]) - : $this->headers[$index]; + ? $this->security->xss_clean($headers[$index]) + : $headers[$index]; } // -------------------------------------------------------------------- diff --git a/system/core/Loader.php b/system/core/Loader.php index 254ad0d6d..9205ad1b6 100644 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -1118,7 +1118,7 @@ class CI_Loader { } else { - log_message('debug', APPPATH.'libraries/'.$file_path.$subclass.'.php exists, but does not declare '.$subclass); + log_message('debug', $path.' exists, but does not declare '.$subclass); } } } @@ -1307,10 +1307,7 @@ class CI_Loader { } // Load all other libraries - foreach ($autoload['libraries'] as $item) - { - $this->library($item); - } + $this->library($autoload['libraries']); } // Autoload models diff --git a/system/core/Output.php b/system/core/Output.php index 02f66936c..e7d559a1d 100644 --- a/system/core/Output.php +++ b/system/core/Output.php @@ -674,7 +674,7 @@ class CI_Output { $cache_info = unserialize($match[1]); $expire = $cache_info['expire']; - $last_modified = filemtime($cache_path); + $last_modified = filemtime($filepath); // Has the file expired? if ($_SERVER['REQUEST_TIME'] >= $expire && is_really_writable($cache_path)) diff --git a/system/core/Router.php b/system/core/Router.php index eb3da2285..051000533 100644 --- a/system/core/Router.php +++ b/system/core/Router.php @@ -105,7 +105,7 @@ class CI_Router { /** * Enable query strings flag * - * Determines wether to use GET parameters or segment URIs + * Determines whether to use GET parameters or segment URIs * * @var bool */ @@ -493,7 +493,7 @@ class CI_Router { * Set directory name * * @param string $dir Directory name - * @param bool $appent Whether we're appending rather then setting the full value + * @param bool $appent Whether we're appending rather than setting the full value * @return void */ public function set_directory($dir, $append = FALSE) diff --git a/system/core/Security.php b/system/core/Security.php index 9cef42439..7c5199255 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -275,7 +275,7 @@ class CI_Security { $secure_cookie, config_item('cookie_httponly') ); - log_message('info', 'CRSF cookie sent'); + log_message('info', 'CSRF cookie sent'); return $this; } diff --git a/system/core/URI.php b/system/core/URI.php index e96749456..2211e3665 100644 --- a/system/core/URI.php +++ b/system/core/URI.php @@ -205,13 +205,16 @@ class CI_URI { $query = isset($uri['query']) ? $uri['query'] : ''; $uri = isset($uri['path']) ? $uri['path'] : ''; - if (strpos($uri, $_SERVER['SCRIPT_NAME']) === 0) + if (isset($_SERVER['SCRIPT_NAME'][0])) { - $uri = (string) substr($uri, strlen($_SERVER['SCRIPT_NAME'])); - } - elseif (strpos($uri, dirname($_SERVER['SCRIPT_NAME'])) === 0) - { - $uri = (string) substr($uri, strlen(dirname($_SERVER['SCRIPT_NAME']))); + if (strpos($uri, $_SERVER['SCRIPT_NAME']) === 0) + { + $uri = (string) substr($uri, strlen($_SERVER['SCRIPT_NAME'])); + } + elseif (strpos($uri, dirname($_SERVER['SCRIPT_NAME'])) === 0) + { + $uri = (string) substr($uri, strlen(dirname($_SERVER['SCRIPT_NAME']))); + } } // This section ensures that even on servers that require the URI to be in the query string (Nginx) a correct diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 477535dca..15954559c 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -174,9 +174,56 @@ if ( ! function_exists('hash_pbkdf2')) } $hash_length = strlen(hash($algo, NULL, TRUE)); - if (empty($length)) + empty($length) && $length = $hash_length; + + // Pre-hash password inputs longer than the algorithm's block size + // (i.e. prepare HMAC key) to mitigate potential DoS attacks. + static $block_sizes; + empty($block_sizes) && $block_sizes = array( + 'gost' => 32, + 'haval128,3' => 128, + 'haval160,3' => 128, + 'haval192,3' => 128, + 'haval224,3' => 128, + 'haval256,3' => 128, + 'haval128,4' => 128, + 'haval160,4' => 128, + 'haval192,4' => 128, + 'haval224,4' => 128, + 'haval256,4' => 128, + 'haval128,5' => 128, + 'haval160,5' => 128, + 'haval192,5' => 128, + 'haval224,5' => 128, + 'haval256,5' => 128, + 'md2' => 16, + 'md4' => 64, + 'md5' => 64, + 'ripemd128' => 64, + 'ripemd160' => 64, + 'ripemd256' => 64, + 'ripemd320' => 64, + 'salsa10' => 64, + 'salsa20' => 64, + 'sha1' => 64, + 'sha224' => 64, + 'sha256' => 64, + 'sha384' => 128, + 'sha512' => 128, + 'snefru' => 32, + 'snefru256' => 32, + 'tiger128,3' => 64, + 'tiger160,3' => 64, + 'tiger192,3' => 64, + 'tiger128,4' => 64, + 'tiger160,4' => 64, + 'tiger192,4' => 64, + 'whirlpool' => 64 + ); + + if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo]) { - $length = $hash_length; + $password = hash($algo, $password, TRUE); } $hash = ''; |