summaryrefslogtreecommitdiffstats
path: root/system/core
diff options
context:
space:
mode:
Diffstat (limited to 'system/core')
-rw-r--r--system/core/Common.php31
-rw-r--r--system/core/Loader.php2
-rwxr-xr-xsystem/core/Security.php39
3 files changed, 34 insertions, 38 deletions
diff --git a/system/core/Common.php b/system/core/Common.php
index 225227d17..491979350 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -56,7 +56,7 @@ if ( ! function_exists('is_php'))
function is_php($version = '5.0.0')
{
static $_is_php;
- $version = (string)$version;
+ $version = (string) $version;
if ( ! isset($_is_php[$version]))
{
@@ -84,7 +84,7 @@ if ( ! function_exists('is_really_writable'))
function is_really_writable($file)
{
// If we're on a Unix server with safe_mode off we call is_writable
- if (DIRECTORY_SEPARATOR === '/' AND @ini_get('safe_mode') == FALSE)
+ if (DIRECTORY_SEPARATOR === '/' && (bool) @ini_get('safe_mode') === FALSE)
{
return is_writable($file);
}
@@ -120,7 +120,7 @@ if ( ! function_exists('is_really_writable'))
/**
* Class registry
*
-* This function acts as a singleton. If the requested class does not
+* This function acts as a singleton. If the requested class does not
* exist it is instantiated and set to a static variable. If it has
* previously been instantiated the variable is returned.
*
@@ -192,7 +192,7 @@ if ( ! function_exists('load_class'))
// --------------------------------------------------------------------
/**
-* Keeps track of which libraries have been loaded. This function is
+* Keeps track of which libraries have been loaded. This function is
* called by the load_class() function above
*
* @access public
@@ -437,7 +437,7 @@ if ( ! function_exists('set_status_header'))
show_error('Status codes must be numeric', 500);
}
- if (isset($stati[$code]) AND $text == '')
+ if (isset($stati[$code]) && $text == '')
{
$text = $stati[$code];
}
@@ -447,19 +447,19 @@ if ( ! function_exists('set_status_header'))
show_error('No status text available. Please check your status code number or supply your own message text.', 500);
}
- $server_protocol = (isset($_SERVER['SERVER_PROTOCOL'])) ? $_SERVER['SERVER_PROTOCOL'] : FALSE;
+ $server_protocol = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : FALSE;
if (strpos(php_sapi_name(), 'cgi') === 0)
{
- header("Status: {$code} {$text}", TRUE);
+ header('Status: '.$code.' '.$text, TRUE);
}
- elseif ($server_protocol == 'HTTP/1.1' OR $server_protocol == 'HTTP/1.0')
+ elseif ($server_protocol === 'HTTP/1.0')
{
- header($server_protocol." {$code} {$text}", TRUE, $code);
+ header('HTTP/1.0 '.$code.' '.$text, TRUE, $code);
}
else
{
- header("HTTP/1.1 {$code} {$text}", TRUE, $code);
+ header('HTTP/1.1 '.$code.' '.$text, TRUE, $code);
}
}
}
@@ -564,14 +564,9 @@ if ( ! function_exists('html_escape'))
{
function html_escape($var)
{
- if (is_array($var))
- {
- return array_map('html_escape', $var);
- }
- else
- {
- return htmlspecialchars($var, ENT_QUOTES, config_item('charset'));
- }
+ return is_array($var)
+ ? array_map('html_escape', $var)
+ : htmlspecialchars($var, ENT_QUOTES, config_item('charset'));
}
}
diff --git a/system/core/Loader.php b/system/core/Loader.php
index 12daaa928..20cf7ef33 100644
--- a/system/core/Loader.php
+++ b/system/core/Loader.php
@@ -833,7 +833,7 @@ class CI_Loader {
// If the PHP installation does not support short tags we'll
// do a little string replacement, changing the short tags
// to standard PHP echo statements.
- if ((bool) @ini_get('short_open_tag') === FALSE AND config_item('rewrite_short_tags') == TRUE)
+ if ( ! is_php('5.4') && (bool) @ini_get('short_open_tag') === FALSE && config_item('rewrite_short_tags') == TRUE)
{
echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));
}
diff --git a/system/core/Security.php b/system/core/Security.php
index 1007f61f4..6f25fb5bb 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -25,8 +25,6 @@
* @filesource
*/
-// ------------------------------------------------------------------------
-
/**
* Security Class
*
@@ -106,23 +104,27 @@ class CI_Security {
public function __construct()
{
- // CSRF config
- foreach(array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
+ // Is CSRF protection enabled?
+ if (config_item('csrf_protection') === TRUE)
{
- if (FALSE !== ($val = config_item($key)))
+ // CSRF config
+ foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
{
- $this->{'_'.$key} = $val;
+ if (FALSE !== ($val = config_item($key)))
+ {
+ $this->{'_'.$key} = $val;
+ }
}
- }
- // Append application specific cookie prefix
- if (config_item('cookie_prefix'))
- {
- $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name;
- }
+ // Append application specific cookie prefix
+ if (config_item('cookie_prefix'))
+ {
+ $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name;
+ }
- // Set the CSRF hash
- $this->_csrf_set_hash();
+ // Set the CSRF hash
+ $this->_csrf_set_hash();
+ }
log_message('debug', 'Security Class Initialized');
}
@@ -189,7 +191,7 @@ class CI_Security {
$expire = time() + $this->_csrf_expire;
$secure_cookie = (bool) config_item('cookie_secure');
- if ($secure_cookie && ( ! isset($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] == 'off' OR ! $_SERVER['HTTPS']))
+ if ($secure_cookie && (empty($_SERVER['HTTPS']) OR strtolower($_SERVER['HTTPS']) === 'off'))
{
return FALSE;
}
@@ -358,7 +360,7 @@ class CI_Security {
foreach ($words as $word)
{
- $word = implode("\s*", str_split($word)) . "\s*";
+ $word = implode('\s*', str_split($word)).'\s*';
// We only want to do this when it is followed by a non-word character
// That way valid stuff like "dealer to" does not become "dealerto"
@@ -425,7 +427,6 @@ class CI_Security {
'\\1\\2&#40;\\3&#41;',
$str);
-
// Final clean up
// This adds a bit of extra precaution in case
// something got through the above filters
@@ -601,7 +602,7 @@ class CI_Security {
}
// find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
- preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
+ preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
foreach ($matches as $attr)
{
@@ -633,7 +634,7 @@ class CI_Security {
{
return '&lt;'.$matches[1].$matches[2].$matches[3] // encode opening brace
// encode captured opening or closing brace to prevent recursive vectors:
- . str_replace(array('>', '<'), array('&gt;', '&lt;'), $matches[4]);
+ .str_replace(array('>', '<'), array('&gt;', '&lt;'), $matches[4]);
}
// --------------------------------------------------------------------