diff options
Diffstat (limited to 'system/core')
| -rw-r--r-- | system/core/CodeIgniter.php | 22 | ||||
| -rw-r--r-- | system/core/Common.php | 152 | ||||
| -rw-r--r-- | system/core/Config.php | 10 | ||||
| -rw-r--r-- | system/core/Exceptions.php | 2 | ||||
| -rw-r--r-- | system/core/Input.php | 53 | ||||
| -rw-r--r-- | system/core/Loader.php | 130 | ||||
| -rw-r--r-- | system/core/Log.php | 3 | ||||
| -rw-r--r-- | system/core/Output.php | 39 | ||||
| -rw-r--r-- | system/core/Router.php | 60 | ||||
| -rw-r--r-- | system/core/Security.php | 53 |
10 files changed, 316 insertions, 208 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 3fe5c0648..c12116236 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -73,11 +73,10 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * ------------------------------------------------------ */ set_error_handler('_exception_handler'); + register_shutdown_function('_shutdown_handler'); - if ( ! is_php('5.4')) - { - @ini_set('magic_quotes_runtime', 0); // Kill magic quotes - } + // Kill magic quotes + is_php('5.4') OR @ini_set('magic_quotes_runtime', 0); /* * ------------------------------------------------------ @@ -88,7 +87,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * The subclass prefix allows CI to know if a core class is * being extended via a library in the local application * "libraries" folder. Since CI allows config items to be - * overriden via data set in the main index. php file, + * overriden via data set in the main index.php file, * before proceeding we need to know if a subclass_prefix * override exists. If so, we will set this value now, * before any classes are loaded @@ -165,7 +164,6 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * ------------------------------------------------------ */ $RTR =& load_class('Router', 'core'); - $RTR->_set_routing(); // Set any routing overrides that may exist in the main index file if (isset($routing)) @@ -241,12 +239,13 @@ defined('BASEPATH') OR exit('No direct script access allowed'); // Load the local application controller // Note: The Router class automatically validates the controller path using the router->_validate_request(). // If this include fails it means that the default controller in the Routes.php file is not resolving to something valid. - if ( ! file_exists(APPPATH.'controllers/'.$RTR->directory.$RTR->class.'.php')) + $class = ucfirst($RTR->class); + if ( ! file_exists(APPPATH.'controllers/'.$RTR->directory.$class.'.php')) { show_error('Unable to load your default controller. Please make sure the controller specified in your Routes.php file is valid.'); } - include(APPPATH.'controllers/'.$RTR->directory.$RTR->class.'.php'); + include(APPPATH.'controllers/'.$RTR->directory.$class.'.php'); // Set a mark point for benchmarking $BM->mark('loading_time:_base_classes_end'); @@ -258,9 +257,8 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * * None of the methods in the app controller or the * loader class can be called via the URI, nor can - * controller functions that begin with an underscore. + * controller methods that begin with an underscore. */ - $class = $RTR->class; $method = $RTR->method; if ( ! class_exists($class, FALSE) OR $method[0] === '_' OR method_exists('CI_Controller', $method)) @@ -272,6 +270,8 @@ defined('BASEPATH') OR exit('No direct script access allowed'); $method = 'index'; } + $class = ucfirst($class); + if ( ! class_exists($class, FALSE)) { if ( ! file_exists(APPPATH.'controllers/'.$class.'.php')) @@ -310,6 +310,8 @@ defined('BASEPATH') OR exit('No direct script access allowed'); $method = 'index'; } + $class = ucfirst($class); + if ( ! class_exists($class, FALSE)) { if ( ! file_exists(APPPATH.'controllers/'.$class.'.php')) diff --git a/system/core/Common.php b/system/core/Common.php index d88b0867b..56008efe8 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -82,7 +82,7 @@ if ( ! function_exists('is_really_writable')) function is_really_writable($file) { // If we're on a Unix server with safe_mode off we call is_writable - if (DIRECTORY_SEPARATOR === '/' && (bool) @ini_get('safe_mode') === FALSE) + if (DIRECTORY_SEPARATOR === '/' && (is_php('5.4') OR (bool) @ini_get('safe_mode') === FALSE)) { return is_writable($file); } @@ -224,56 +224,51 @@ if ( ! function_exists('get_config')) * @param array * @return array */ - function &get_config($replace = array()) + function &get_config(Array $replace = array()) { static $_config; - if (isset($_config)) + if (empty($_config)) { - return $_config[0]; - } + $file_path = APPPATH.'config/config.php'; + $found = FALSE; + if (file_exists($file_path)) + { + $found = TRUE; + require($file_path); + } - $file_path = APPPATH.'config/config.php'; - $found = FALSE; - if (file_exists($file_path)) - { - $found = TRUE; - require($file_path); - } + // Is the config file in the environment folder? + if (file_exists($file_path = APPPATH.'config/'.ENVIRONMENT.'/config.php')) + { + require($file_path); + } + elseif ( ! $found) + { + set_status_header(503); + echo 'The configuration file does not exist.'; + exit(EXIT_CONFIG); + } - // Is the config file in the environment folder? - if (file_exists($file_path = APPPATH.'config/'.ENVIRONMENT.'/config.php')) - { - require($file_path); - } - elseif ( ! $found) - { - set_status_header(503); - echo 'The configuration file does not exist.'; - exit(EXIT_CONFIG); - } + // Does the $config array exist in the file? + if ( ! isset($config) OR ! is_array($config)) + { + set_status_header(503); + echo 'Your config file does not appear to be formatted correctly.'; + exit(EXIT_CONFIG); + } - // Does the $config array exist in the file? - if ( ! isset($config) OR ! is_array($config)) - { - set_status_header(503); - echo 'Your config file does not appear to be formatted correctly.'; - exit(EXIT_CONFIG); + // references cannot be directly assigned to static variables, so we use an array + $_config[0] =& $config; } - // Are any values being dynamically replaced? - if (count($replace) > 0) + // Are any values being dynamically added or replaced? + foreach ($replace as $key => $val) { - foreach ($replace as $key => $val) - { - if (isset($config[$key])) - { - $config[$key] = $val; - } - } + $_config[0][$key] = $val; } - return $_config[0] =& $config; + return $_config[0]; } } @@ -289,20 +284,15 @@ if ( ! function_exists('config_item')) */ function config_item($item) { - static $_config_item = array(); + static $_config; - if ( ! isset($_config_item[$item])) + if (empty($_config)) { - $config =& get_config(); - - if ( ! isset($config[$item])) - { - return FALSE; - } - $_config_item[$item] = $config[$item]; + // references cannot be directly assigned to static variables, so we use an array + $_config[0] =& get_config(); } - return $_config_item[$item]; + return isset($_config[0][$item]) ? $_config[0][$item] : FALSE; } } @@ -439,29 +429,19 @@ if ( ! function_exists('log_message')) * * @param string the error level: 'error', 'debug' or 'info' * @param string the error message - * @param bool whether the error is a native PHP error * @return void */ - function log_message($level, $message, $php_error = FALSE) + function log_message($level, $message) { - static $_log, $_log_threshold; - - if ($_log_threshold === NULL) - { - $_log_threshold = config_item('log_threshold'); - } - - if ($_log_threshold === 0) - { - return; - } + static $_log; if ($_log === NULL) { - $_log =& load_class('Log', 'core'); + // references cannot be directly assigned to static variables, so we use an array + $_log[0] =& load_class('Log', 'core'); } - $_log->write_log($level, $message, $php_error); + $_log[0]->write_log($level, $message); } } @@ -543,7 +523,7 @@ if ( ! function_exists('set_status_header')) $server_protocol = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : FALSE; - if (strpos(php_sapi_name(), 'cgi') === 0) + if (strpos(PHP_SAPI, 'cgi') === 0) { header('Status: '.$code.' '.$text, TRUE); } @@ -561,23 +541,23 @@ if ( ! function_exists('_exception_handler')) /** * Exception Handler * - * This is the custom exception handler that is declaired at the top - * of Codeigniter.php. The main reason we use this is to permit + * This is the custom exception handler that is declared at the top + * of CodeIgniter.php. The main reason we use this is to permit * PHP errors to be logged in our own log files since the user may * not have access to server logs. Since this function * effectively intercepts PHP errors, however, we also need * to display errors based on the current error_reporting level. * We do that with the use of a PHP error template. * - * @param int - * @param string - * @param string - * @param int + * @param int $severity + * @param string $message + * @param string $filepath + * @param int $line * @return void */ function _exception_handler($severity, $message, $filepath, $line) { - $is_error = ((E_ERROR | E_COMPILE_ERROR | E_CORE_ERROR | E_USER_ERROR) & $severity) === $severity; + $is_error = (((E_ERROR | E_COMPILE_ERROR | E_CORE_ERROR | E_USER_ERROR) & $severity) === $severity); // When an error occurred, set the status header to '500 Internal Server Error' // to indicate to the client something went wrong. @@ -617,6 +597,34 @@ if ( ! function_exists('_exception_handler')) } } +// ------------------------------------------------------------------------ + +if ( ! function_exists('_shutdown_handler')) +{ + /** + * Shutdown Handler + * + * This is the shutdown handler that is declared at the top + * of CodeIgniter.php. The main reason we use this is to simulate + * a complete custom exception handler. + * + * E_STRICT is purposivly neglected because such events may have + * been caught. Duplication or none? None is preferred for now. + * + * @link http://insomanic.me.uk/post/229851073/php-trick-catching-fatal-errors-e-error-with-a + * @return void + */ + function _shutdown_handler() + { + $last_error = function_exists('error_get_last') ? error_get_last() : NULL; + if (isset($last_error) && + ($last_error['type'] & (E_ERROR | E_PARSE | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING))) + { + _exception_handler($last_error['type'], $last_error['message'], $last_error['file'], $last_error['line']); + } + } +} + // -------------------------------------------------------------------- if ( ! function_exists('remove_invisible_characters')) diff --git a/system/core/Config.php b/system/core/Config.php index 7e64444bc..109ee6424 100644 --- a/system/core/Config.php +++ b/system/core/Config.php @@ -184,16 +184,16 @@ class CI_Config { * * @param string $item Config item name * @param string $index Index name - * @return string|bool The configuration item or FALSE on failure + * @return string|null The configuration item or NULL if the item doesn't exist */ public function item($item, $index = '') { if ($index == '') { - return isset($this->config[$item]) ? $this->config[$item] : FALSE; + return isset($this->config[$item]) ? $this->config[$item] : NULL; } - return isset($this->config[$index], $this->config[$index][$item]) ? $this->config[$index][$item] : FALSE; + return isset($this->config[$index], $this->config[$index][$item]) ? $this->config[$index][$item] : NULL; } // -------------------------------------------------------------------- @@ -202,13 +202,13 @@ class CI_Config { * Fetch a config file item with slash appended (if not empty) * * @param string $item Config item name - * @return string|bool The configuration item or FALSE on failure + * @return string|null The configuration item or NULL if the item doesn't exist */ public function slash_item($item) { if ( ! isset($this->config[$item])) { - return FALSE; + return NULL; } elseif (trim($this->config[$item]) === '') { diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php index 9c68d06a5..d7e5ed4d9 100644 --- a/system/core/Exceptions.php +++ b/system/core/Exceptions.php @@ -91,7 +91,7 @@ class CI_Exceptions { public function log_exception($severity, $message, $filepath, $line) { $severity = isset($this->levels[$severity]) ? $this->levels[$severity] : $severity; - log_message('error', 'Severity: '.$severity.' --> '.$message. ' '.$filepath.' '.$line, TRUE); + log_message('error', 'Severity: '.$severity.' --> '.$message. ' '.$filepath.' '.$line); } // -------------------------------------------------------------------- diff --git a/system/core/Input.php b/system/core/Input.php index 0ef81128e..8c32e459e 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -47,7 +47,7 @@ class CI_Input { public $ip_address = FALSE; /** - * User agent strin + * User agent string * * @var string */ @@ -261,7 +261,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function get_post($index = '', $xss_clean = FALSE) + public function post_get($index = '', $xss_clean = FALSE) { return isset($_POST[$index]) ? $this->post($index, $xss_clean) @@ -271,6 +271,22 @@ class CI_Input { // -------------------------------------------------------------------- /** + * Fetch an item from GET data with fallback to POST + * + * @param string $index Index for item to be fetched from $_GET or $_POST + * @param bool $xss_clean Whether to apply XSS filtering + * @return mixed + */ + public function get_post($index = '', $xss_clean = FALSE) + { + return isset($_GET[$index]) + ? $this->get($index, $xss_clean) + : $this->post($index, $xss_clean); + } + + // -------------------------------------------------------------------- + + /** * Fetch an item from the COOKIE array * * @param string $index Index for item to be fetched from $_COOKIE @@ -677,7 +693,14 @@ class CI_Input { foreach ($_COOKIE as $key => $val) { - $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); + if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) + { + $_COOKIE[$cookie_key] = $this->_clean_input_data($val); + } + else + { + unset($_COOKIE[$key]); + } } } @@ -690,7 +713,7 @@ class CI_Input { $this->security->csrf_verify(); } - log_message('debug', 'Global POST and COOKIE data sanitized'); + log_message('debug', 'Global POST, GET and COOKIE data sanitized'); } // -------------------------------------------------------------------- @@ -760,15 +783,25 @@ class CI_Input { * only named with alpha-numeric text and a few other items. * * @param string $str Input string - * @return string + * @param string $fatal Whether to terminate script exection + * or to return FALSE if an invalid + * key is encountered + * @return string|bool */ - protected function _clean_input_keys($str) + protected function _clean_input_keys($str, $fatal = TRUE) { if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) { - set_status_header(503); - echo 'Disallowed Key Characters.'; - exit(EXIT_USER_INPUT); + if ($fatal === TRUE) + { + return FALSE; + } + else + { + set_status_header(503); + echo 'Disallowed Key Characters.'; + exit(EXIT_USER_INPUT); + } } // Clean UTF-8 if supported @@ -872,7 +905,7 @@ class CI_Input { */ public function is_cli_request() { - return (php_sapi_name() === 'cli' OR defined('STDIN')); + return (PHP_SAPI === 'cli' OR defined('STDIN')); } // -------------------------------------------------------------------- diff --git a/system/core/Loader.php b/system/core/Loader.php index 70a6b6fa6..70c1e4154 100644 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -76,13 +76,6 @@ class CI_Loader { protected $_ci_helper_paths = array(APPPATH, BASEPATH); /** - * List of loaded base classes - * - * @var array - */ - protected $_base_classes = array(); // Set by the controller class - - /** * List of cached variables * * @var array @@ -120,6 +113,8 @@ class CI_Loader { 'user_agent' => 'agent' ); + // -------------------------------------------------------------------- + /** * Class constructor * @@ -129,7 +124,8 @@ class CI_Loader { */ public function __construct() { - $this->_ci_ob_level = ob_get_level(); + $this->_ci_ob_level = ob_get_level(); + $this->_ci_classes =& is_loaded(); log_message('debug', 'Loader Class Initialized'); } @@ -147,7 +143,6 @@ class CI_Loader { */ public function initialize() { - $this->_base_classes =& is_loaded(); $this->_ci_autoloader(); } @@ -165,7 +160,7 @@ class CI_Loader { */ public function is_loaded($class) { - return isset($this->_ci_classes[$class]) ? $this->_ci_classes[$class] : FALSE; + return array_search(ucfirst($class), $this->_ci_classes, TRUE); } // -------------------------------------------------------------------- @@ -183,7 +178,11 @@ class CI_Loader { */ public function library($library = '', $params = NULL, $object_name = NULL) { - if (is_array($library)) + if (empty($library)) + { + return; + } + elseif (is_array($library)) { foreach ($library as $class) { @@ -193,11 +192,6 @@ class CI_Loader { return; } - if ($library === '' OR isset($this->_base_classes[$library])) - { - return; - } - if ($params !== NULL && ! is_array($params)) { $params = NULL; @@ -228,7 +222,7 @@ class CI_Loader { { foreach ($model as $key => $value) { - $this->model(is_int($key) ? $value : $key, $value); + is_int($key) ? $this->model($value, '', $db_conn) : $this->model($key, $value, $db_conn); } return; } @@ -261,33 +255,32 @@ class CI_Loader { show_error('The model name you are loading is the name of a resource that is already being used: '.$name); } - $model = strtolower($model); - - foreach ($this->_ci_model_paths as $mod_path) + if ($db_conn !== FALSE && ! class_exists('CI_DB', FALSE)) { - if ( ! file_exists($mod_path.'models/'.$path.$model.'.php')) + if ($db_conn === TRUE) { - continue; + $db_conn = ''; } - if ($db_conn !== FALSE && ! class_exists('CI_DB', FALSE)) - { - if ($db_conn === TRUE) - { - $db_conn = ''; - } + $CI->load->database($db_conn, FALSE, TRUE); + } - $CI->load->database($db_conn, FALSE, TRUE); - } + if ( ! class_exists('CI_Model', FALSE)) + { + load_class('Model', 'core'); + } - if ( ! class_exists('CI_Model', FALSE)) + $model = ucfirst(strtolower($model)); + + foreach ($this->_ci_model_paths as $mod_path) + { + if ( ! file_exists($mod_path.'models/'.$path.$model.'.php')) { - load_class('Model', 'core'); + continue; } require_once($mod_path.'models/'.$path.$model.'.php'); - $model = ucfirst($model); $CI->$name = new $model(); $this->_ci_models[] = $name; return; @@ -422,7 +415,7 @@ class CI_Loader { * to be extracted for use in the view * @param bool $return Whether to return the view output * or leave it to the Output class - * @return void + * @return void|string */ public function view($view, $vars = array(), $return = FALSE) { @@ -478,6 +471,20 @@ class CI_Loader { // -------------------------------------------------------------------- /** + * Clear Cached Variables + * + * Clears the cached variables. + * + * @return void + */ + public function clear_vars() + { + $this->_ci_cached_vars = array(); + } + + // -------------------------------------------------------------------- + + /** * Get Variable * * Check if a variable is set and retrieve it. @@ -1118,30 +1125,35 @@ class CI_Loader { // Set the variable name we will assign the class to // Was a custom class name supplied? If so we'll use it - $class = strtolower($class); - - if ($object_name === NULL) + if (empty($object_name)) { - $classvar = isset($this->_ci_varmap[$class]) ? $this->_ci_varmap[$class] : $class; + $object_name = strtolower($class); + if (isset($this->_ci_varmap[$object_name])) + { + $object_name = $this->_ci_varmap[$object_name]; + } } - else + + // Don't overwrite existing properties + $CI =& get_instance(); + if (isset($CI->$object_name)) { - $classvar = $object_name; + if ($CI->$object_name instanceof $name) + { + log_message('debug', $class." has already been instantiated as '".$object_name."'. Second attempt aborted."); + return; + } + + show_error("Resource '".$object_name."' already exists and is not a ".$class." instance."); } // Save the class name and object name - $this->_ci_classes[$class] = $classvar; + $this->_ci_classes[$object_name] = $class; // Instantiate the class - $CI =& get_instance(); - if ($config !== NULL) - { - $CI->$classvar = new $name($config); - } - else - { - $CI->$classvar = new $name(); - } + $CI->$object_name = isset($config) + ? new $name($config) + : new $name(); } // -------------------------------------------------------------------- @@ -1198,6 +1210,15 @@ class CI_Loader { } } + // Autoload drivers + if (isset($autoload['drivers'])) + { + foreach ($autoload['drivers'] as $item) + { + $this->driver($item); + } + } + // Load libraries if (isset($autoload['libraries']) && count($autoload['libraries']) > 0) { @@ -1215,15 +1236,6 @@ class CI_Loader { } } - // Autoload drivers - if (isset($autoload['drivers'])) - { - foreach ($autoload['drivers'] as $item) - { - $this->driver($item); - } - } - // Autoload models if (isset($autoload['model'])) { diff --git a/system/core/Log.php b/system/core/Log.php index e4d72b544..b2327b8f0 100644 --- a/system/core/Log.php +++ b/system/core/Log.php @@ -140,10 +140,9 @@ class CI_Log { * * @param string the error level: 'error', 'debug' or 'info' * @param string the error message - * @param bool whether the error is a native PHP error * @return bool */ - public function write_log($level, $msg, $php_error = FALSE) + public function write_log($level, $msg) { if ($this->_enabled === FALSE) { diff --git a/system/core/Output.php b/system/core/Output.php index 06d7a866b..04209d920 100644 --- a/system/core/Output.php +++ b/system/core/Output.php @@ -841,13 +841,42 @@ class CI_Output { $output = substr_replace($output, '', 0, $pos); // Remove closing tag and save it for later - $pos = strpos($output, '</'); - $closing_tag = substr($output, $pos, strlen($output)); + $pos = strrpos($output, '</'); + $closing_tag = substr($output, $pos); $output = substr_replace($output, '', $pos); } // Remove CSS comments - $output = preg_replace('!/\*[^*]*\*+([^/][^*]*\*+)*/!i', '', $output); + $output = preg_replace('@/\*([^/][^*]*\*)*/(?!.+?["\'])@i', '', $output); + + // Remove Javascript inline comments + if ($has_tags === TRUE && strpos(strtolower($open_tag), 'script') !== FALSE) + { + $lines = preg_split('/\r?\n|\n?\r/', $output); + foreach ($lines as &$line) + { + $in_string = $in_dstring = FALSE; + for ($i = 0, $len = strlen($line); $i < $len; $i++) + { + if ( ! $in_string && ! $in_dstring && substr($line, $i, 2) === '//') + { + $line = substr($line, 0, $i); + break; + } + + if ($line[$i] === "'" && ! $in_dstring) + { + $in_string = ! $in_string; + } + elseif ($line[$i] === '"' && ! $in_string) + { + $in_dstring = ! $in_dstring; + } + } + } + + $output = implode("\n", $lines); + } // Remove spaces around curly brackets, colons, // semi-colons, parenthesis, commas @@ -899,11 +928,11 @@ class CI_Output { } } - if ($value === "'") + if ($value === "'" && ! $in_dstring) { $in_string = ! $in_string; } - elseif ($value === '"') + elseif ($value === '"' && ! $in_string) { $in_dstring = ! $in_dstring; } diff --git a/system/core/Router.php b/system/core/Router.php index c86ab9c20..0f7278ae6 100644 --- a/system/core/Router.php +++ b/system/core/Router.php @@ -82,6 +82,18 @@ class CI_Router { public $default_controller; /** + * Translate URI dashes + * + * Determines whether dashes in controller & method segments + * should be automatically replaced by underscores. + * + * @var bool + */ + public $translate_uri_dashes = FALSE; + + // -------------------------------------------------------------------- + + /** * Class constructor * * Runs the route mapping function. @@ -92,6 +104,7 @@ class CI_Router { { $this->config =& load_class('Config', 'core'); $this->uri =& load_class('URI', 'core'); + $this->_set_routing(); log_message('debug', 'Router Class Initialized'); } @@ -105,7 +118,7 @@ class CI_Router { * * @return void */ - public function _set_routing() + protected function _set_routing() { // Are query strings enabled in the config file? Normally CI doesn't utilize query strings // since URI segments are more search-engine friendly, but they can optionally be used. @@ -143,12 +156,14 @@ class CI_Router { include(APPPATH.'config/'.ENVIRONMENT.'/routes.php'); } - $this->routes = (empty($route) OR ! is_array($route)) ? array() : $route; - unset($route); - - // Set the default controller so we can display it in the event - // the URI doesn't correlated to a valid controller. - $this->default_controller = empty($this->routes['default_controller']) ? FALSE : $this->routes['default_controller']; + // Validate & get reserved routes + if (isset($route) && is_array($route)) + { + isset($route['default_controller']) && $this->default_controller = $route['default_controller']; + isset($route['translate_uri_dashes']) && $this->translate_uri_dashes = $route['translate_uri_dashes']; + unset($route['default_controller'], $route['translate_uri_dashes']); + $this->routes = $route; + } // Were there any query string segments? If so, we'll validate them and bail out since we're done. if (count($segments) > 0) @@ -191,8 +206,6 @@ class CI_Router { $method = 'index'; } - $this->set_class($class); - $this->set_method($method); $this->_set_request(array($class, $method)); // re-index the routed segments array so it starts with 1 rather than 0 @@ -221,8 +234,16 @@ class CI_Router { return $this->_set_default_controller(); } - $this->set_class($segments[0]); + if ($this->translate_uri_dashes === TRUE) + { + $segments[0] = str_replace('-', '_', $segments[0]); + if (isset($segments[1])) + { + $segments[1] = str_replace('-', '_', $segments[1]); + } + } + $this->set_class($segments[0]); isset($segments[1]) OR $segments[1] = 'index'; $this->set_method($segments[1]); @@ -249,13 +270,11 @@ class CI_Router { return $segments; } - $temp = str_replace('-', '_', $segments[0]); + $test = ucfirst($this->translate_uri_dashes === TRUE ? str_replace('-', '_', $segments[0]) : $segments[0]); // Does the requested controller exist in the root folder? - if (file_exists(APPPATH.'controllers/'.$temp.'.php')) + if (file_exists(APPPATH.'controllers/'.$test.'.php')) { - $segments[0] = $temp; - empty($segments[1]) OR $segments[1] = str_replace('-', '_', $segments[1]); return $segments; } @@ -266,11 +285,10 @@ class CI_Router { $this->set_directory(array_shift($segments)); if (count($segments) > 0) { - $segments[0] = str_replace('-', '_', $segments[0]); - empty($segments[1]) OR $segments[1] = str_replace('-', '_', $segments[1]); + $test = ucfirst($this->translate_uri_dashes === TRUE ? str_replace('-', '_', $segments[0]) : $segments[0]); - // Does the requested controller exist in the sub-folder? - if ( ! file_exists(APPPATH.'controllers/'.$this->directory.$segments[0].'.php')) + // Does the requested controller exist in the sub-directory? + if ( ! file_exists(APPPATH.'controllers/'.$this->directory.$test.'.php')) { if ( ! empty($this->routes['404_override'])) { @@ -287,7 +305,7 @@ class CI_Router { { // Is the method being specified in the route? $segments = explode('/', $this->default_controller); - if ( ! file_exists(APPPATH.'controllers/'.$this->directory.$segments[0].'.php')) + if ( ! file_exists(APPPATH.'controllers/'.$this->directory.ucfirst($segments[0]).'.php')) { $this->directory = ''; } @@ -333,10 +351,10 @@ class CI_Router { return $this->_set_request(explode('/', $this->routes[$uri])); } - // Loop through the route array looking for wild-cards + // Loop through the route array looking for wildcards foreach ($this->routes as $key => $val) { - // Convert wild-cards to RegEx + // Convert wildcards to RegEx $key = str_replace(array(':any', ':num'), array('[^/]+', '[0-9]+'), $key); // Does the RegEx match? diff --git a/system/core/Security.php b/system/core/Security.php index 196d61144..9423f825c 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -38,6 +38,30 @@ defined('BASEPATH') OR exit('No direct script access allowed'); class CI_Security { /** + * List of sanitize filename strings + * + * @var array + */ + public $filename_bad_chars = array( + '../', '<!--', '-->', '<', '>', + "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', + ';', '?', '%20', '%22', + '%3c', // < + '%253c', // < + '%3e', // > + '%0e', // > + '%28', // ( + '%29', // ) + '%2528', // ( + '%26', // & + '%24', // $ + '%3f', // ? + '%3b', // ; + '%3d' // = + ); + + /** * XSS Hash * * Random Hash for protecting URLs. @@ -529,9 +553,9 @@ class CI_Security { { $matches = $matches1 = 0; + $str = preg_replace('~(�*[0-9a-f]{2,5});?~iS', '$1;', $str, -1, $matches); + $str = preg_replace('~(&#\d{2,4});?~S', '$1;', $str, -1, $matches1); $str = html_entity_decode($str, ENT_COMPAT, $charset); - $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); - $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); } while ($matches OR $matches1); @@ -549,24 +573,7 @@ class CI_Security { */ public function sanitize_filename($str, $relative_path = FALSE) { - $bad = array( - '../', '<!--', '-->', '<', '>', - "'", '"', '&', '$', '#', - '{', '}', '[', ']', '=', - ';', '?', '%20', '%22', - '%3c', // < - '%253c', // < - '%3e', // > - '%0e', // > - '%28', // ( - '%29', // ) - '%2528', // ( - '%26', // & - '%24', // $ - '%3f', // ? - '%3b', // ; - '%3d' // = - ); + $bad = $this->filename_bad_chars; if ( ! $relative_path) { @@ -596,7 +603,7 @@ class CI_Security { */ public function strip_image_tags($str) { - return preg_replace(array('#<img\s+.*?src\s*=\s*["\'](.+?)["\'].*?\>#', '#<img\s+.*?src\s*=\s*(.+?).*?\>#'), '\\1', $str); + return preg_replace(array('#<img[\s/]+.*?src\s*=\s*["\'](.+?)["\'].*?\>#', '#<img[\s/]+.*?src\s*=\s*(.+?).*?\>#'), '\\1', $str); } // ---------------------------------------------------------------- @@ -877,7 +884,7 @@ class CI_Security { { if ($this->_csrf_hash === '') { - // If the cookie exists we will use it's value. + // If the cookie exists we will use its value. // We don't necessarily want to regenerate it with // each page load since a page could contain embedded // sub-pages causing this feature to fail @@ -887,7 +894,7 @@ class CI_Security { return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name]; } - $this->_csrf_hash = md5(uniqid(rand(), TRUE)); + $this->_csrf_hash = md5(uniqid(mt_rand(), TRUE)); $this->csrf_set_cookie(); } |