Diffstat (limited to 'system/core')
-rw-r--r--system/core/CodeIgniter.php2
-rw-r--r--system/core/Common.php99
-rw-r--r--system/core/Config.php14
-rw-r--r--system/core/Hooks.php2
-rw-r--r--system/core/Input.php50
-rw-r--r--system/core/Loader.php52
-rw-r--r--system/core/Log.php9
-rw-r--r--system/core/Security.php39
-rw-r--r--system/core/URI.php68
-rw-r--r--system/core/compat/hash.php51
-rw-r--r--system/core/compat/index.html3
-rw-r--r--system/core/compat/mbstring.php2
-rw-r--r--system/core/index.html3
13 files changed, 238 insertions, 156 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php
index d830c1829..ddf322749 100644
--- a/system/core/CodeIgniter.php
+++ b/system/core/CodeIgniter.php
@@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
* @var string
*
*/
- define('CI_VERSION', '3.0-dev');
+ define('CI_VERSION', '3.0.1-dev');
/*
* ------------------------------------------------------
diff --git a/system/core/Common.php b/system/core/Common.php
index 9f509745f..f28272b5b 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -492,59 +492,63 @@ if ( ! function_exists('set_status_header'))
*/
function set_status_header($code = 200, $text = '')
{
- $stati = array(
- 200 => 'OK',
- 201 => 'Created',
- 202 => 'Accepted',
- 203 => 'Non-Authoritative Information',
- 204 => 'No Content',
- 205 => 'Reset Content',
- 206 => 'Partial Content',
-
- 300 => 'Multiple Choices',
- 301 => 'Moved Permanently',
- 302 => 'Found',
- 303 => 'See Other',
- 304 => 'Not Modified',
- 305 => 'Use Proxy',
- 307 => 'Temporary Redirect',
-
- 400 => 'Bad Request',
- 401 => 'Unauthorized',
- 403 => 'Forbidden',
- 404 => 'Not Found',
- 405 => 'Method Not Allowed',
- 406 => 'Not Acceptable',
- 407 => 'Proxy Authentication Required',
- 408 => 'Request Timeout',
- 409 => 'Conflict',
- 410 => 'Gone',
- 411 => 'Length Required',
- 412 => 'Precondition Failed',
- 413 => 'Request Entity Too Large',
- 414 => 'Request-URI Too Long',
- 415 => 'Unsupported Media Type',
- 416 => 'Requested Range Not Satisfiable',
- 417 => 'Expectation Failed',
- 422 => 'Unprocessable Entity',
-
- 500 => 'Internal Server Error',
- 501 => 'Not Implemented',
- 502 => 'Bad Gateway',
- 503 => 'Service Unavailable',
- 504 => 'Gateway Timeout',
- 505 => 'HTTP Version Not Supported'
- );
+ if (is_cli())
+ {
+ return;
+ }
if (empty($code) OR ! is_numeric($code))
{
show_error('Status codes must be numeric', 500);
}
- is_int($code) OR $code = (int) $code;
-
if (empty($text))
{
+ is_int($code) OR $code = (int) $code;
+ $stati = array(
+ 200 => 'OK',
+ 201 => 'Created',
+ 202 => 'Accepted',
+ 203 => 'Non-Authoritative Information',
+ 204 => 'No Content',
+ 205 => 'Reset Content',
+ 206 => 'Partial Content',
+
+ 300 => 'Multiple Choices',
+ 301 => 'Moved Permanently',
+ 302 => 'Found',
+ 303 => 'See Other',
+ 304 => 'Not Modified',
+ 305 => 'Use Proxy',
+ 307 => 'Temporary Redirect',
+
+ 400 => 'Bad Request',
+ 401 => 'Unauthorized',
+ 403 => 'Forbidden',
+ 404 => 'Not Found',
+ 405 => 'Method Not Allowed',
+ 406 => 'Not Acceptable',
+ 407 => 'Proxy Authentication Required',
+ 408 => 'Request Timeout',
+ 409 => 'Conflict',
+ 410 => 'Gone',
+ 411 => 'Length Required',
+ 412 => 'Precondition Failed',
+ 413 => 'Request Entity Too Large',
+ 414 => 'Request-URI Too Long',
+ 415 => 'Unsupported Media Type',
+ 416 => 'Requested Range Not Satisfiable',
+ 417 => 'Expectation Failed',
+ 422 => 'Unprocessable Entity',
+
+ 500 => 'Internal Server Error',
+ 501 => 'Not Implemented',
+ 502 => 'Bad Gateway',
+ 503 => 'Service Unavailable',
+ 504 => 'Gateway Timeout',
+ 505 => 'HTTP Version Not Supported'
+ );
+
if (isset($stati[$code]))
{
$text = $stati[$code];
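Review bot: The `is_int($code) OR $code = (int) $code;` normalisation was moved inside the `if (empty($text))` branch, so when a caller supplies its own `$text` a numeric-string `$code` (anything `is_numeric()` accepts, e.g. `'200.0'`) now reaches the header call un-cast, whereas before the cast ran for both branches. Keeping that line where it was, directly after the `show_error` check and before `if (empty($text))`, preserves the old behaviour. The new `is_cli()` early return also skips the numeric validation entirely, which looks intended but deserves a one-line comment. set_status_header continues past the end of the hunk.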
@@ -737,6 +741,11 @@ if ( ! function_exists('html_escape'))
*/
function html_escape($var, $double_encode = TRUE)
{
+ if (empty($var))
+ {
+ return $var;
+ }
+
if (is_array($var))
{
return array_map('html_escape', $var, array_fill(0, count($var), $double_encode));
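Review bot: The new `empty($var)` guard changes the return type for falsy scalars: `html_escape(NULL)` and `html_escape(FALSE)` previously came back from htmlspecialchars() as `''`, and now return the original NULL/FALSE, so callers that `strlen()` or strictly compare the result see a different value. The guard is harmless for escaping purposes (none of those values contain characters that need escaping), so the point is documentation: record it in the function's docblock, e.g. `* Empty values (NULL, FALSE, 0, '', '0', array()) are returned unchanged, not cast to string.` The rest of html_escape lies outside the hunk.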
diff --git a/system/core/Config.php b/system/core/Config.php
index a191a7727..d07000ac9 100644
--- a/system/core/Config.php
+++ b/system/core/Config.php
@@ -123,10 +123,9 @@ class CI_Config {
foreach ($this->_config_paths as $path)
{
- foreach (array($file, ENVIRONMENT.'/'.$file) as $location)
+ foreach (array($file, ENVIRONMENT.DIRECTORY_SEPARATOR.$file) as $location)
{
$file_path = $path.'config/'.$location.'.php';
-
if (in_array($file_path, $this->is_loaded, TRUE))
{
return TRUE;
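Review bot: The new `ENVIRONMENT.DIRECTORY_SEPARATOR.$file` is concatenated into `$path.'config/'.$location.'.php'`, which still uses a literal `/`, so on Windows the resulting path mixes both separators. Either form opens the file, but `in_array($file_path, $this->is_loaded, TRUE)` compares the string exactly, so the same file recorded with the other separator elsewhere would not be recognised as already loaded. Using one separator for the whole expression (the rest of the line uses `/`) removes that ambiguity. The enclosing method starts and ends outside the hunk.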
@@ -165,14 +164,13 @@ class CI_Config {
$loaded = TRUE;
log_message('debug', 'Config file loaded: '.$file_path);
}
-
- if ($loaded === TRUE)
- {
- return TRUE;
- }
}
- if ($fail_gracefully === TRUE)
+ if ($loaded === TRUE)
+ {
+ return TRUE;
+ }
+ elseif ($fail_gracefully === TRUE)
{
return FALSE;
}
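Review bot: Moving `if ($loaded === TRUE) { return TRUE; }` out of the `foreach ($this->_config_paths ...)` loop means every config path is now visited and a matching file in each of them is loaded, where previously the method returned after the first path that yielded a file. For a file present in more than one path that is a behaviour change (later paths now overlay earlier ones) which the hunk does not record; a comment above the loop stating the intended precedence, e.g. `// All paths are searched; a file found in a later path is loaded on top of earlier ones`, would make it explicit. The loop header and the `$loaded` initialisation are outside this hunk, so the exact precedence cannot be confirmed from here.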
diff --git a/system/core/Hooks.php b/system/core/Hooks.php
index 08479b133..3b4fb2250 100644
--- a/system/core/Hooks.php
+++ b/system/core/Hooks.php
@@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
* @subpackage Libraries
* @category Libraries
* @author EllisLab Dev Team
- * @link http://codeigniter.com/user_guide/libraries/encryption.html
+ * @link http://codeigniter.com/user_guide/general/hooks.html
*/
class CI_Hooks {
diff --git a/system/core/Input.php b/system/core/Input.php
index fae3b6c08..12332cf51 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -55,7 +55,7 @@ class CI_Input {
*
* @var string
*/
- public $ip_address = FALSE;
+ protected $ip_address = FALSE;
/**
* Allow GET array flag
@@ -104,14 +104,28 @@ class CI_Input {
protected $headers = array();
/**
- * Input stream data
+ * Raw input stream data
+ *
+ * Holds a cache of php://input contents
+ *
+ * @var string
+ */
+ protected $_raw_input_stream;
+
+ /**
+ * Parsed input stream data
*
* Parsed from php://input at runtime
*
* @see CI_Input::input_stream()
* @var array
*/
- protected $_input_stream = NULL;
+ protected $_input_stream;
+
+ protected $security;
+ protected $uni;
+
+ // --------------------------------------------------------------------
/**
* Class constructor
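Review bot: `protected $security;` and `protected $uni;` are added without docblocks while every neighbouring property carries one, and `$_raw_input_stream` is documented as `@var string` although it is left uninitialised and is NULL until `__get('raw_input_stream')` fills it. Suggest a short docblock on each of the two new properties naming what the constructor (outside this hunk) assigns to them, and `@var string|null` on `$_raw_input_stream` with a note that it is populated lazily by `__get()`.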
@@ -313,7 +327,8 @@ class CI_Input {
// so we'll need to check if we have already done that first.
if ( ! is_array($this->_input_stream))
{
- parse_str(file_get_contents('php://input'), $this->_input_stream);
+ // $this->raw_input_stream will trigger __get().
+ parse_str($this->raw_input_stream, $this->_input_stream);
is_array($this->_input_stream) OR $this->_input_stream = array();
}
@@ -475,9 +490,9 @@ class CI_Input {
)
);
- for ($i = 0; $i < 8; $i++)
+ for ($j = 0; $j < 8; $j++)
{
- $ip[$i] = intval($ip[$i], 16);
+ $ip[$j] = intval($ip[$j], 16);
}
$sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b';
@@ -846,4 +861,27 @@ class CI_Input {
: strtolower($this->server('REQUEST_METHOD'));
}
+ // ------------------------------------------------------------------------
+
+ /**
+ * Magic __get()
+ *
+ * Allows read access to protected properties
+ *
+ * @param string $name
+ * @return mixed
+ */
+ public function __get($name)
+ {
+ if ($name === 'raw_input_stream')
+ {
+ isset($this->_raw_input_stream) OR $this->_raw_input_stream = file_get_contents('php://input');
+ return $this->_raw_input_stream;
+ }
+ elseif ($name === 'ip_address')
+ {
+ return $this->ip_address;
+ }
+ }
+
}
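Review bot: `__get()` returns NULL implicitly for any name other than `raw_input_stream` and `ip_address`, so a misspelled or otherwise inaccessible property read on a CI_Input instance no longer raises PHP's usual notice or error — it silently yields NULL, which hides typos in caller code. Add an explicit final branch, e.g. `trigger_error('Undefined property: '.get_class($this).'::$'.$name, E_USER_NOTICE);` followed by `return NULL;`, and state in the docblock that only those two names are resolved. Exposing `ip_address` read-only through `__get()` (with no matching `__set()`) is a sound way to keep the cached value from being overwritten by application code; a comment saying that is the reason for the visibility change in the first hunk would help the next reader.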
diff --git a/system/core/Loader.php b/system/core/Loader.php
index b2eeb3b1d..9205ad1b6 100644
--- a/system/core/Loader.php
+++ b/system/core/Loader.php
@@ -1079,17 +1079,26 @@ class CI_Loader {
log_message('debug', $library_name.' class already loaded. Second attempt ignored.');
return;
}
- elseif (file_exists(APPPATH.'libraries/'.$file_path.$library_name.'.php'))
+
+ $paths = $this->_ci_library_paths;
+ array_pop($paths); // BASEPATH
+ array_pop($paths); // APPPATH (needs to be the first path checked)
+ array_unshift($paths, APPPATH);
+
+ foreach ($paths as $path)
{
- // Override
- include_once(APPPATH.'libraries/'.$file_path.$library_name.'.php');
- if (class_exists($prefix.$library_name, FALSE))
- {
- return $this->_ci_init_library($library_name, $prefix, $params, $object_name);
- }
- else
+ if (file_exists($path = $path.'libraries/'.$file_path.$library_name.'.php'))
{
- log_message('debug', APPPATH.'libraries/'.$file_path.$library_name.'.php exists, but does not declare '.$prefix.$library_name);
+ // Override
+ include_once($path);
+ if (class_exists($prefix.$library_name, FALSE))
+ {
+ return $this->_ci_init_library($library_name, $prefix, $params, $object_name);
+ }
+ else
+ {
+ log_message('debug', $path.' exists, but does not declare '.$prefix.$library_name);
+ }
}
}
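Review bot: The two `array_pop($paths)` calls assume APPPATH and BASEPATH are always the last two entries of `$this->_ci_library_paths`, in that order; that invariant is maintained elsewhere (not visible in this hunk) and nothing here checks it, so a change to how package paths are registered would silently make the loader skip or duplicate a path. Building the list explicitly is safer and self-documenting: `$paths = array_diff($this->_ci_library_paths, array(APPPATH, BASEPATH));` followed by the existing `array_unshift($paths, APPPATH);`. Separately, `if (file_exists($path = $path.'libraries/'...))` reassigns the foreach variable inside its own loop body — it works because foreach rebinds `$path` each iteration, but a distinct name such as `$filepath` would make the later `include_once($path)` and log message easier to read; the same pattern appears in the extensions loop of the next hunk. The enclosing method starts and ends outside the hunk.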
@@ -1097,16 +1106,20 @@ class CI_Loader {
// Check for extensions
$subclass = config_item('subclass_prefix').$library_name;
- if (file_exists(APPPATH.'libraries/'.$file_path.$subclass.'.php'))
+ foreach ($paths as $path)
{
- include_once(APPPATH.'libraries/'.$file_path.$subclass.'.php');
- if (class_exists($subclass, FALSE))
+ if (file_exists($path = $path.'libraries/'.$file_path.$subclass.'.php'))
{
- $prefix = config_item('subclass_prefix');
- }
- else
- {
- log_message('debug', APPPATH.'libraries/'.$file_path.$subclass.'.php exists, but does not declare '.$subclass);
+ include_once($path);
+ if (class_exists($subclass, FALSE))
+ {
+ $prefix = config_item('subclass_prefix');
+ break;
+ }
+ else
+ {
+ log_message('debug', $path.' exists, but does not declare '.$subclass);
+ }
}
}
@@ -1294,10 +1307,7 @@ class CI_Loader {
}
// Load all other libraries
- foreach ($autoload['libraries'] as $item)
- {
- $this->library($item);
- }
+ $this->library($autoload['libraries']);
}
// Autoload models
diff --git a/system/core/Log.php b/system/core/Log.php
index 833316273..e8cb401f5 100644
--- a/system/core/Log.php
+++ b/system/core/Log.php
@@ -70,13 +70,6 @@ class CI_Log {
protected $_threshold = 1;
/**
- * Highest level of logging
- *
- * @var int
- */
- protected $_threshold_max = 0;
-
- /**
* Array of threshold levels to log
*
* @var array
@@ -139,7 +132,7 @@ class CI_Log {
}
elseif (is_array($config['log_threshold']))
{
- $this->_threshold = $this->_threshold_max;
+ $this->_threshold = 0;
$this->_threshold_array = array_flip($config['log_threshold']);
}
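Review bot: `$this->_threshold = 0;` replaces the removed `_threshold_max` property, whose docblock was the only explanation of what the value meant, leaving a bare literal in the branch that handles an array `log_threshold`. A short comment keeps the intent readable, e.g. `// presumably 0 disables the single-level comparison so only _threshold_array is consulted — confirm against the method that checks the threshold`. The constructor continues outside the hunk.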
diff --git a/system/core/Security.php b/system/core/Security.php
index 7c18c7406..9cef42439 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -639,7 +639,7 @@ class CI_Security {
$str_compare = $str;
// Decode standard entities, avoiding false positives
- if ($c = preg_match_all('/&[a-z]{2,}(?![a-z;])/i', $str, $matches))
+ if (preg_match_all('/&[a-z]{2,}(?![a-z;])/i', $str, $matches))
{
if ( ! isset($_entities))
{
@@ -656,7 +656,7 @@ class CI_Security {
{
$_entities[':'] = '&colon;';
$_entities['('] = '&lpar;';
- $_entities[')'] = '&rpar';
+ $_entities[')'] = '&rpar;';
$_entities["\n"] = '&newline;';
$_entities["\t"] = '&tab;';
}
@@ -664,11 +664,11 @@ class CI_Security {
$replace = array();
$matches = array_unique(array_map('strtolower', $matches[0]));
- for ($i = 0; $i < $c; $i++)
+ foreach ($matches as &$match)
{
- if (($char = array_search($matches[$i].';', $_entities, TRUE)) !== FALSE)
+ if (($char = array_search($match.';', $_entities, TRUE)) !== FALSE)
{
- $replace[$matches[$i]] = $char;
+ $replace[$match] = $char;
}
}
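Review bot: `foreach ($matches as &$match)` iterates by reference although `$match` is never written inside the loop, and the reference is not `unset()` afterwards, so `$match` stays bound to the last element of `$matches`; any later by-value `foreach ($matches as $match)` or assignment to `$match` in this method would silently overwrite that element. Iterating by value, `foreach ($matches as $match)`, is the exact equivalent of the removed `for` loop and avoids the dangling reference; if the reference is wanted for some reason, add `unset($match);` after the loop. The enclosing method continues outside the hunk.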
@@ -772,7 +772,7 @@ class CI_Security {
*/
protected function _remove_evil_attributes($str, $is_image)
{
- $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href');
+ $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href', 'FSCommand', 'seekSegmentTime');
if ($is_image === TRUE)
{
@@ -784,30 +784,15 @@ class CI_Security {
}
do {
- $count = 0;
- $attribs = array();
+ $count = $temp_count = 0;
- // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
- preg_match_all('/(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
-
- foreach ($matches as $attr)
- {
- $attribs[] = preg_quote($attr[0], '/');
- }
+ // replace occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
+ $str = preg_replace('/(<[^>]+)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', '$1[removed]', $str, -1, $temp_count);
+ $count += $temp_count;
// find occurrences of illegal attribute strings without quotes
- preg_match_all('/(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
-
- foreach ($matches as $attr)
- {
- $attribs[] = preg_quote($attr[0], '/');
- }
-
- // replace illegal attribute strings that are inside an html tag
- if (count($attribs) > 0)
- {
- $str = preg_replace('/(<?)(\/?[^><]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><]?)([><]*)/i', '$1$2 $4$6$7$8', $str, -1, $count);
- }
+ $str = preg_replace('/(<[^>]+)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', '$1[removed]', $str, -1, $temp_count);
+ $count += $temp_count;
}
while ($count);
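Review bot: Both new patterns anchor on `(<[^>]+)`, so the scan of a tag stops at the first `>` it meets — including one inside an earlier quoted attribute value — and an evil attribute appearing after that point in the same tag is not examined in that pass, whereas the removed version matched attribute strings anywhere and then stripped them. That coverage limit is worth recording next to the regex, e.g. `// NOTE: [^>]+ stops at the first '>', even inside a quoted attribute value; attributes after it are not inspected here`, ideally with a test case. Also, `[^\\2]*?` in a single-quoted PHP string becomes `[^\2]` in the regex, and inside a character class `\2` is the octal byte \x02, not a backreference; the lazy quantifier plus the following `(\\2)` still stop at the matching quote, but `.*?` would state the intent honestly (this quirk was carried over from the old pattern). The do/while is fully within the hunk but `_remove_evil_attributes` ends outside it.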
diff --git a/system/core/URI.php b/system/core/URI.php
index 9bc34ace7..2211e3665 100644
--- a/system/core/URI.php
+++ b/system/core/URI.php
@@ -107,37 +107,34 @@ class CI_URI {
$this->_permitted_uri_chars = $this->config->item('permitted_uri_chars');
// If it's a CLI request, ignore the configuration
- if (is_cli() OR ($protocol = strtoupper($this->config->item('uri_protocol'))) === 'CLI')
+ if (is_cli())
{
- $this->_set_uri_string($this->_parse_argv());
+ $uri = $this->_parse_argv();
}
- elseif ($protocol === 'AUTO')
+ else
{
- // Is there a PATH_INFO variable? This should be the easiest solution.
- if (isset($_SERVER['PATH_INFO']))
- {
- $this->_set_uri_string($_SERVER['PATH_INFO']);
- }
- // No PATH_INFO? Let's try REQUST_URI or QUERY_STRING then
- elseif (($uri = $this->_parse_request_uri()) !== '' OR ($uri = $this->_parse_query_string()) !== '')
- {
- $this->_set_uri_string($uri);
- }
- // As a last ditch effor, let's try using the $_GET array
- elseif (is_array($_GET) && count($_GET) === 1 && trim(key($_GET), '/') !== '')
+ $protocol = $this->config->item('uri_protocol');
+ empty($protocol) && $protocol = 'REQUEST_URI';
+
+ switch ($protocol)
{
- $this->_set_uri_string(key($_GET));
+ case 'AUTO': // For BC purposes only
+ case 'REQUEST_URI':
+ $uri = $this->_parse_request_uri();
+ break;
+ case 'QUERY_STRING':
+ $uri = $this->_parse_query_string();
+ break;
+ case 'PATH_INFO':
+ default:
+ $uri = isset($_SERVER[$protocol])
+ ? $_SERVER[$protocol]
+ : $this->_parse_request_uri();
+ break;
}
}
- elseif (method_exists($this, ($method = '_parse_'.strtolower($protocol))))
- {
- $this->_set_uri_string($this->$method());
- }
- else
- {
- $uri = isset($_SERVER[$protocol]) ? $_SERVER[$protocol] : @getenv($protocol);
- $this->_set_uri_string($uri);
- }
+
+ $this->_set_uri_string($uri);
}
log_message('info', 'URI Class Initialized');
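Review bot: The old code ran `strtoupper()` over `uri_protocol` before comparing it; the new `switch ($protocol)` compares the raw config value, so a lowercase `'query_string'` or `'path_info'` no longer matches its `case` and falls to `default`, which looks up `$_SERVER['path_info']` (unset) and quietly falls back to `_parse_request_uri()`. Normalising once preserves the old tolerance: `$protocol = strtoupper((string) $this->config->item('uri_protocol'));` in place of the current assignment, before the `empty($protocol) && ...` line. The `default` branch reads `$_SERVER[$protocol]` for whatever is configured, which is acceptable because the key comes from config rather than the request, but a comment saying so would keep a future reader from treating it as user-controlled. The constructor continues outside the hunk.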
@@ -206,15 +203,18 @@ class CI_URI {
$uri = parse_url($_SERVER['REQUEST_URI']);
$query = isset($uri['query']) ? $uri['query'] : '';
- $uri = isset($uri['path']) ? rawurldecode($uri['path']) : '';
+ $uri = isset($uri['path']) ? $uri['path'] : '';
- if (strpos($uri, $_SERVER['SCRIPT_NAME']) === 0)
- {
- $uri = (string) substr($uri, strlen($_SERVER['SCRIPT_NAME']));
- }
- elseif (strpos($uri, dirname($_SERVER['SCRIPT_NAME'])) === 0)
+ if (isset($_SERVER['SCRIPT_NAME'][0]))
{
- $uri = (string) substr($uri, strlen(dirname($_SERVER['SCRIPT_NAME'])));
+ if (strpos($uri, $_SERVER['SCRIPT_NAME']) === 0)
+ {
+ $uri = (string) substr($uri, strlen($_SERVER['SCRIPT_NAME']));
+ }
+ elseif (strpos($uri, dirname($_SERVER['SCRIPT_NAME'])) === 0)
+ {
+ $uri = (string) substr($uri, strlen(dirname($_SERVER['SCRIPT_NAME'])));
+ }
}
// This section ensures that even on servers that require the URI to be in the query string (Nginx) a correct
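Review bot: `rawurldecode()` is dropped from the path here and in the next two hunks (the `$query[0]` and `$uri[0]` assignments), so `_parse_request_uri()` now returns the still-percent-encoded path. Where decoding happens now is outside this diff; if it runs after the `permitted_uri_chars` check (whose configuration is read at the top of the first hunk), encoded forms of disallowed characters pass the check and are decoded later, and if it does not run at all, routes containing encoded segments change meaning. Either way the new contract belongs in the method docblock, e.g. `* Returns the path still percent-encoded; decoding is the caller's responsibility.` The enclosing method starts and ends outside the hunk.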
@@ -222,7 +222,7 @@ class CI_URI {
if (trim($uri, '/') === '' && strncmp($query, '/', 1) === 0)
{
$query = explode('?', $query, 2);
- $uri = rawurldecode($query[0]);
+ $uri = $query[0];
$_SERVER['QUERY_STRING'] = isset($query[1]) ? $query[1] : '';
}
else
@@ -262,7 +262,7 @@ class CI_URI {
{
$uri = explode('?', $uri, 2);
$_SERVER['QUERY_STRING'] = isset($uri[1]) ? $uri[1] : '';
- $uri = rawurldecode($uri[0]);
+ $uri = $uri[0];
}
parse_str($_SERVER['QUERY_STRING'], $_GET);
diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php
index 477535dca..15954559c 100644
--- a/system/core/compat/hash.php
+++ b/system/core/compat/hash.php
@@ -174,9 +174,56 @@ if ( ! function_exists('hash_pbkdf2'))
}
$hash_length = strlen(hash($algo, NULL, TRUE));
- if (empty($length))
+ empty($length) && $length = $hash_length;
+
+ // Pre-hash password inputs longer than the algorithm's block size
+ // (i.e. prepare HMAC key) to mitigate potential DoS attacks.
+ static $block_sizes;
+ empty($block_sizes) && $block_sizes = array(
+ 'gost' => 32,
+ 'haval128,3' => 128,
+ 'haval160,3' => 128,
+ 'haval192,3' => 128,
+ 'haval224,3' => 128,
+ 'haval256,3' => 128,
+ 'haval128,4' => 128,
+ 'haval160,4' => 128,
+ 'haval192,4' => 128,
+ 'haval224,4' => 128,
+ 'haval256,4' => 128,
+ 'haval128,5' => 128,
+ 'haval160,5' => 128,
+ 'haval192,5' => 128,
+ 'haval224,5' => 128,
+ 'haval256,5' => 128,
+ 'md2' => 16,
+ 'md4' => 64,
+ 'md5' => 64,
+ 'ripemd128' => 64,
+ 'ripemd160' => 64,
+ 'ripemd256' => 64,
+ 'ripemd320' => 64,
+ 'salsa10' => 64,
+ 'salsa20' => 64,
+ 'sha1' => 64,
+ 'sha224' => 64,
+ 'sha256' => 64,
+ 'sha384' => 128,
+ 'sha512' => 128,
+ 'snefru' => 32,
+ 'snefru256' => 32,
+ 'tiger128,3' => 64,
+ 'tiger160,3' => 64,
+ 'tiger192,3' => 64,
+ 'tiger128,4' => 64,
+ 'tiger160,4' => 64,
+ 'tiger192,4' => 64,
+ 'whirlpool' => 64
+ );
+
+ if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo])
{
- $length = $hash_length;
+ $password = hash($algo, $password, TRUE);
}
$hash = '';
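Review bot: The `$block_sizes[$algo]` lookup is case-sensitive while `hash()` accepts algorithm names in any case, so a caller passing `'SHA256'` still gets a correct result but silently skips the pre-hash this hunk adds; unless `$algo` is already lower-cased earlier in the function (outside the hunk), `$algo = strtolower($algo);` before the lookup closes that gap. The comment explains the DoS motivation but not why the output is unaffected, which is the fact a future maintainer needs before "fixing" it: extend it with `// HMAC itself hashes keys longer than the block size, so pre-hashing leaves the derived key unchanged.` Stylistically, `static $block_sizes = array(...);` initialises the table directly and avoids the `empty($block_sizes) && $block_sizes = ...` guard.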
diff --git a/system/core/compat/index.html b/system/core/compat/index.html
index c942a79ce..b702fbc39 100644
--- a/system/core/compat/index.html
+++ b/system/core/compat/index.html
@@ -1,3 +1,4 @@
+<!DOCTYPE html>
<html>
<head>
<title>403 Forbidden</title>
@@ -7,4 +8,4 @@
<p>Directory access is forbidden.</p>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php
index ddb2bae47..e335c85f7 100644
--- a/system/core/compat/mbstring.php
+++ b/system/core/compat/mbstring.php
@@ -92,7 +92,7 @@ if ( ! function_exists('mb_strpos'))
* WARNING: This function WILL fall-back to strpos()
* if iconv is not available!
*
- * @link http://php.net/mb_strpos()
+ * @link http://php.net/mb_strpos
* @param string $haystack
* @param string $needle
* @param int $offset
diff --git a/system/core/index.html b/system/core/index.html
index c942a79ce..b702fbc39 100644
--- a/system/core/index.html
+++ b/system/core/index.html
@@ -1,3 +1,4 @@
+<!DOCTYPE html>
<html>
<head>
<title>403 Forbidden</title>
@@ -7,4 +8,4 @@
<p>Directory access is forbidden.</p>
</body>
-</html> \ No newline at end of file
+</html>