Diffstat (limited to 'system/core')
-rw-r--r-- | system/core/Benchmark.php | 2 | ||||
-rw-r--r-- | system/core/CodeIgniter.php | 4 | ||||
-rw-r--r-- | system/core/Common.php | 9 | ||||
-rw-r--r-- | system/core/Config.php | 2 | ||||
-rw-r--r-- | system/core/Controller.php | 9 | ||||
-rw-r--r-- | system/core/Exceptions.php | 2 | ||||
-rw-r--r-- | system/core/Hooks.php | 2 | ||||
-rw-r--r-- | system/core/Input.php | 51 | ||||
-rw-r--r-- | system/core/Lang.php | 2 | ||||
-rw-r--r-- | system/core/Loader.php | 2 | ||||
-rw-r--r-- | system/core/Log.php | 8 | ||||
-rw-r--r-- | system/core/Model.php | 2 | ||||
-rw-r--r-- | system/core/Output.php | 14 | ||||
-rw-r--r-- | system/core/Router.php | 2 | ||||
-rw-r--r-- | system/core/Security.php | 41 | ||||
-rw-r--r-- | system/core/URI.php | 2 | ||||
-rw-r--r-- | system/core/Utf8.php | 2 | ||||
-rw-r--r-- | system/core/compat/hash.php | 2 | ||||
-rw-r--r-- | system/core/compat/index.html | 2 | ||||
-rw-r--r-- | system/core/compat/mbstring.php | 2 | ||||
-rw-r--r-- | system/core/compat/password.php | 2 | ||||
-rw-r--r-- | system/core/compat/standard.php | 2 | ||||
-rw-r--r-- | system/core/index.html | 2 |
23 files changed, 120 insertions, 48 deletions
diff --git a/system/core/Benchmark.php b/system/core/Benchmark.php
index 014220a44..0b48d4d0c 100644
--- a/system/core/Benchmark.php
+++ b/system/core/Benchmark.php
@@ -47,7 +47,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Libraries
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/libraries/benchmark.html
+ * @link https://codeigniter.com/userguide3/libraries/benchmark.html
 */
 class CI_Benchmark {
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php
index 9bf60a4ac..704539ef4 100644
--- a/system/core/CodeIgniter.php
+++ b/system/core/CodeIgniter.php
@@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage CodeIgniter
 * @category Front-controller
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/
+ * @link https://codeigniter.com/userguide3/
 */
 /**
@@ -383,7 +383,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * ReflectionMethod::isConstructor() is the ONLY reliable check,
 * knowing which method will be executed as a constructor.
 */
- elseif ( ! is_callable(array($class, $method)))
+ else
 {
 $reflection = new ReflectionMethod($class, $method);
 if ( ! $reflection->isPublic() OR $reflection->isConstructor())
diff --git a/system/core/Common.php b/system/core/Common.php
index fadc0a0b1..52cb7114e 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage CodeIgniter
 * @category Common Functions
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/
+ * @link https://codeigniter.com/userguide3/
 */
 // ------------------------------------------------------------------------
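Review bot: Replacing `elseif ( ! is_callable(array($class, $method)))` with a bare `else` sends every method that reaches this branch through `ReflectionMethod`, yet the comment kept above it only explains why `isConstructor()` is used, not why the `is_callable()` short-cut was dropped (presumably because `is_callable()` on a class-name string plus a non-static method is no longer a reliable visibility check on newer PHP — inferred, not visible here). A one-line comment such as `// Always reflect: is_callable() is not a reliable visibility check for a method named by string` would keep the rationale with the code. Note that `new ReflectionMethod()` throws `ReflectionException` for an undefined method, so this relies on a preceding branch, outside the hunk, having already rejected unknown methods. The enclosing dispatch block starts and ends outside the hunk.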
@@ -569,7 +569,7 @@ if ( ! function_exists('set_status_header'))
 return;
 }
- $server_protocol = (isset($_SERVER['SERVER_PROTOCOL']) && in_array($_SERVER['SERVER_PROTOCOL'], array('HTTP/1.0', 'HTTP/1.1', 'HTTP/2'), TRUE))
+ $server_protocol = (isset($_SERVER['SERVER_PROTOCOL']) && in_array($_SERVER['SERVER_PROTOCOL'], array('HTTP/1.0', 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0'), TRUE))
 ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.1';
 header($server_protocol.' '.$code.' '.$text, TRUE, $code);
 }
@@ -782,11 +782,9 @@ if ( ! function_exists('_stringify_attributes'))
 */
 function _stringify_attributes($attributes, $js = FALSE)
 {
- $atts = NULL;
-
 if (empty($attributes))
 {
- return $atts;
+ return NULL;
 }
 if (is_string($attributes))
@@ -796,6 +794,7 @@ if ( ! function_exists('_stringify_attributes'))
 $attributes = (array) $attributes;
+ $atts = '';
 foreach ($attributes as $key => $val)
 {
 $atts .= ($js) ? $key.'='.$val.',' : ' '.$key.'="'.$val.'"';
diff --git a/system/core/Config.php b/system/core/Config.php
index 13cc087d0..e6eb0ad95 100644
--- a/system/core/Config.php
+++ b/system/core/Config.php
@@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Libraries
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/libraries/config.html
+ * @link https://codeigniter.com/userguide3/libraries/config.html
 */
 class CI_Config {
diff --git a/system/core/Controller.php b/system/core/Controller.php
index 2bb157802..ac27989f3 100644
--- a/system/core/Controller.php
+++ b/system/core/Controller.php
@@ -47,7 +47,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Libraries
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/general/controllers.html
+ * @link https://codeigniter.com/userguide3/general/controllers.html
 */
 class CI_Controller {
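Review bot: `_stringify_attributes()` now initialises `$atts` to `''` right before the loop, but the unchanged loop line still drops `$val` into a double-quoted attribute (`' '.$key.'="'.$val.'"'`) with no escaping, so a value containing `"` terminates the attribute; since the commit touches this function, its docblock (above the hunk) should say so explicitly, e.g. `// NOTE: keys and values are emitted verbatim; callers must HTML-escape them — this is not an output-encoding layer.` That loop line is context, not new code, so this is a documentation point only. The new early `return NULL` also leaves the function returning NULL for empty input and a string otherwise, which a `@return string|null` tag would make visible to callers. The function's docblock and closing brace lie outside the hunks shown.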
@@ -59,6 +59,13 @@ class CI_Controller {
 private static $instance;
 /**
+ * CI_Loader
+ *
+ * @var CI_Loader
+ */
+ public $load;
+
+ /**
 * Class constructor
 *
 * @return void
diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php
index e8e7f6c29..92c635f97 100644
--- a/system/core/Exceptions.php
+++ b/system/core/Exceptions.php
@@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Exceptions
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/libraries/exceptions.html
+ * @link https://codeigniter.com/userguide3/libraries/exceptions.html
 */
 class CI_Exceptions {
diff --git a/system/core/Hooks.php b/system/core/Hooks.php
index 353e22e21..864c59d25 100644
--- a/system/core/Hooks.php
+++ b/system/core/Hooks.php
@@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Libraries
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/general/hooks.html
+ * @link https://codeigniter.com/userguide3/general/hooks.html
 */
 class CI_Hooks {
diff --git a/system/core/Input.php b/system/core/Input.php
index 053970b01..0beb252ed 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Input
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/libraries/input.html
+ * @link https://codeigniter.com/userguide3/libraries/input.html
 */
 class CI_Input {
@@ -300,14 +300,15 @@ class CI_Input {
 * @param string $prefix Cookie name prefix
 * @param bool $secure Whether to only transfer cookies via SSL
 * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript)
+ * @param string $samesite SameSite attribute
 * @return void
 */
- public function set_cookie($name, $value = '', $expire = 0, $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL)
+ public function set_cookie($name, $value = '', $expire = 0, $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL, $samesite = NULL)
 {
 if (is_array($name))
 {
 // always leave 'name' in last place, as the loop will break otherwise, due to $$item
- foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item)
+ foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name', 'samesite') as $item)
 {
 if (isset($name[$item]))
 {
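Review bot: Appending `'samesite'` after `'name'` in the `foreach` list breaks the array form of `set_cookie()`: the comment two lines above explains that `'name'` must stay last because `$$item` overwrites `$name` itself, and once `$name` has become the cookie-name string, `isset($name['samesite'])` is false, so a `samesite` key passed in the array is silently ignored and the cookie falls back to the config/`Lax` default handled further down. Move the new key before `'name'`: `foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'samesite', 'name') as $item)`. The body of `set_cookie()` continues past this hunk.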
@@ -348,7 +349,47 @@ class CI_Input {
 $expire = ($expire > 0) ? time() + $expire : 0;
 }
- setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly);
+ isset($samesite) OR $samesite = config_item('cookie_samesite');
+ if (isset($samesite))
+ {
+ $samesite = ucfirst(strtolower($samesite));
+ in_array($samesite, array('Lax', 'Strict', 'None'), TRUE) OR $samesite = 'Lax';
+ }
+ else
+ {
+ $samesite = 'Lax';
+ }
+
+ if ($samesite === 'None' && ! $secure)
+ {
+ log_message('error', $name.' cookie sent with SameSite=None, but without Secure attribute.');
+ }
+
+ if ( ! is_php('7.3'))
+ {
+ $maxage = $expire - time();
+ if ($maxage < 1)
+ {
+ $maxage = 0;
+ }
+
+ $cookie_header = 'Set-Cookie: '.$prefix.$name.'='.rawurlencode($value);
+ $cookie_header .= ($expire === 0 ? '' : '; Expires='.gmdate('D, d-M-Y H:i:s T', $expire)).'; Max-Age='.$maxage;
+ $cookie_header .= '; Path='.$path.($domain !== '' ? '; Domain='.$domain : '');
+ $cookie_header .= ($secure ? '; Secure' : '').($httponly ? '; HttpOnly' : '').'; SameSite='.$samesite;
+ header($cookie_header);
+ return;
+ }
+
+ $setcookie_options = array(
+ 'expires' => $expire,
+ 'path' => $path,
+ 'domain' => $domain,
+ 'secure' => $secure,
+ 'httponly' => $httponly,
+ 'samesite' => $samesite,
+ );
+ setcookie($prefix.$name, $value, $setcookie_options);
 }
@@ -508,7 +549,7 @@ class CI_Input {
 $which = FILTER_FLAG_IPV6;
 break;
 default:
- $which = NULL;
+ $which = 0;
 break;
 }
diff --git a/system/core/Lang.php b/system/core/Lang.php
index 2c8654dcf..5cfeaf37e 100644
--- a/system/core/Lang.php
+++ b/system/core/Lang.php
@@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Language
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/libraries/language.html
+ * @link https://codeigniter.com/userguide3/libraries/language.html
 */
 class CI_Lang {
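Review bot: In the pre-7.3 branch a session cookie (`$expire === 0`) is sent with `Max-Age=0`: `$maxage = $expire - time()` goes negative, is clamped to `0`, and the `'; Max-Age='.$maxage` suffix is appended unconditionally, so browsers that honour Max-Age (which takes precedence over Expires) discard the cookie immediately instead of keeping it for the session. Keep Max-Age inside the conditional: `$cookie_header .= ($expire === 0 ? '' : '; Expires='.gmdate('D, d-M-Y H:i:s T', $expire).'; Max-Age='.$maxage);`. The same branch also skips the character validation that `setcookie()` applies to the name, path and domain: only `$value` is `rawurlencode()`d, while `$prefix.$name`, `$path` and `$domain` are concatenated verbatim, so a `;` in any of them would inject extra cookie attributes — acceptable only if every caller supplies trusted values, which the docblock should state. `set_cookie()` begins above this hunk.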
diff --git a/system/core/Loader.php b/system/core/Loader.php
index 0710b1611..d9a1539aa 100644
--- a/system/core/Loader.php
+++ b/system/core/Loader.php
@@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Loader
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/libraries/loader.html
+ * @link https://codeigniter.com/userguide3/libraries/loader.html
 */
 class CI_Loader {
diff --git a/system/core/Log.php b/system/core/Log.php
index d651e8abe..9c33f3e98 100644
--- a/system/core/Log.php
+++ b/system/core/Log.php
@@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Logging
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/general/errors.html
+ * @link https://codeigniter.com/userguide3/general/errors.html
 */
 class CI_Log {
@@ -122,7 +122,7 @@ class CI_Log {
 {
 $config =& get_config();
- isset(self::$func_overload) OR self::$func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload'));
+ isset(self::$func_overload) OR self::$func_overload = ( ! is_php('8.0') && extension_loaded('mbstring') && @ini_get('mbstring.func_overload'));
 $this->_log_path = ($config['log_path'] !== '') ? rtrim($config['log_path'], '/\\').DIRECTORY_SEPARATOR : APPPATH.'logs'.DIRECTORY_SEPARATOR;
@@ -249,11 +249,11 @@ class CI_Log {
 * @param string $level The error level
 * @param string $date Formatted date string
 * @param string $message The log message
- * @return string Formatted log line with a new line character '\n' at the end
+ * @return string Formatted log line with a new line character at the end
 */
 protected function _format_line($level, $date, $message)
 {
- return $level.' - '.$date.' --> '.$message."\n";
+ return $level.' - '.$date.' --> '.$message.PHP_EOL;
 }
 // --------------------------------------------------------------------
diff --git a/system/core/Model.php b/system/core/Model.php
index 4c497d21e..585148298 100644
--- a/system/core/Model.php
+++ b/system/core/Model.php
@@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Libraries
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/libraries/config.html
+ * @link https://codeigniter.com/userguide3/libraries/config.html
 */
 class CI_Model {
diff --git a/system/core/Output.php b/system/core/Output.php
index f386d3ad4..7f153ef77 100644
--- a/system/core/Output.php
+++ b/system/core/Output.php
@@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Output
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/libraries/output.html
+ * @link https://codeigniter.com/userguide3/libraries/output.html
 */
 class CI_Output {
@@ -145,7 +145,7 @@ class CI_Output {
 && extension_loaded('zlib')
 );
- isset(self::$func_overload) OR self::$func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload'));
+ isset(self::$func_overload) OR self::$func_overload = ( ! is_php('8.0') && extension_loaded('mbstring') && @ini_get('mbstring.func_overload'));
 // Get mime types for later
 $this->mimes =& get_mimes();
@@ -299,10 +299,14 @@ class CI_Output {
 */
 public function get_header($header)
 {
- // Combine headers already sent with our batched headers
+ // We only need [x][0] from our multi-dimensional array
+ $header_lines = array_map(function ($headers)
+ {
+ return array_shift($headers);
+ }, $this->headers);
+
 $headers = array_merge(
- // We only need [x][0] from our multi-dimensional array
- array_map('array_shift', $this->headers),
+ $header_lines,
 headers_list()
 );
diff --git a/system/core/Router.php b/system/core/Router.php
index dcdd1ed1f..0d9662559 100644
--- a/system/core/Router.php
+++ b/system/core/Router.php
@@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Libraries
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/general/routing.html
+ * @link https://codeigniter.com/userguide3/general/routing.html
 */
 class CI_Router {
diff --git a/system/core/Security.php b/system/core/Security.php
index 27b4db69d..aac308194 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category Security
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/libraries/security.html
+ * @link https://codeigniter.com/userguide3/libraries/security.html
 */
 class CI_Security {
@@ -229,6 +229,7 @@ class CI_Security {
 // Check CSRF token validity, but don't error on mismatch just yet - we'll want to regenerate
 $valid = isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
+ && is_string($_POST[$this->_csrf_token_name]) && is_string($_COOKIE[$this->_csrf_cookie_name])
 && hash_equals($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]);
 // We kill this since we're done and we don't want to pollute the _POST array
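Review bot: The reason for the new `is_string()` guards is not recorded in the hunk; a request such as `token[]=x` puts an array into `$_POST` (or a crafted cookie into `$_COOKIE`), and `hash_equals()` then throws a `TypeError` on PHP 8 (a warning plus `false` on older versions), so a one-line comment keeps the guard from being "simplified" away later: `// Reject non-string (array) token/cookie values first: hash_equals() type-errors on them in PHP 8`. The enclosing verification method starts and ends outside the hunk.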
@@ -272,15 +273,35 @@ class CI_Security {
 return FALSE;
 }
- setcookie(
- $this->_csrf_cookie_name,
- $this->_csrf_hash,
- $expire,
- config_item('cookie_path'),
- config_item('cookie_domain'),
- $secure_cookie,
- config_item('cookie_httponly')
- );
+ if (is_php('7.3'))
+ {
+ setcookie(
+ $this->_csrf_cookie_name,
+ $this->_csrf_hash,
+ array(
+ 'expires' => $expire,
+ 'path' => config_item('cookie_path'),
+ 'domain' => config_item('cookie_domain'),
+ 'secure' => $secure_cookie,
+ 'httponly' => config_item('cookie_httponly'),
+ 'samesite' => 'Strict'
+ )
+ );
+ }
+ else
+ {
+ $domain = trim(config_item('cookie_domain'));
+ header('Set-Cookie: '.$this->_csrf_cookie_name.'='.$this->_csrf_hash
+ .'; Expires='.gmdate('D, d-M-Y H:i:s T', $expire)
+ .'; Max-Age='.$this->_csrf_expire
+ .'; Path='.rawurlencode(config_item('cookie_path'))
+ .($domain === '' ? '' : '; Domain='.$domain)
+ .($secure_cookie ? '; Secure' : '')
+ .(config_item('cookie_httponly') ? '; HttpOnly' : '')
+ .'; SameSite=Strict'
+ );
+ }
+
 log_message('info', 'CSRF cookie sent');
 return $this;
diff --git a/system/core/URI.php b/system/core/URI.php
index 3670ef29d..9bef22d6c 100644
--- a/system/core/URI.php
+++ b/system/core/URI.php
@@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category URI
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/libraries/uri.html
+ * @link https://codeigniter.com/userguide3/libraries/uri.html
 */
 class CI_URI {
diff --git a/system/core/Utf8.php b/system/core/Utf8.php
index 39954c428..5e18f07bb 100644
--- a/system/core/Utf8.php
+++ b/system/core/Utf8.php
@@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage Libraries
 * @category UTF-8
 * @author EllisLab Dev Team
- * @link https://codeigniter.com/user_guide/libraries/utf8.html
+ * @link https://codeigniter.com/userguide3/libraries/utf8.html
 */
 class CI_Utf8 {
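Review bot: `rawurlencode(config_item('cookie_path'))` in the fallback `header()` branch turns the usual path `/` into `%2F`; per RFC 6265 §5.2.4 a Path value that does not begin with `/` is ignored and the default-path (the directory of the request that set it) applies, so on PHP < 7.3 the CSRF cookie would be scoped to whichever directory first issued it rather than the site root — and the 7.3+ `setcookie()` branch two lines up passes the same path unencoded. Drop the encoding: `.'; Path='.config_item('cookie_path')`. Separately, `SameSite=Strict` is hard-coded in both branches while `CI_Input::set_cookie()` honours the `cookie_samesite` config item; that is a defensible choice for a CSRF cookie, but it means any legitimate cross-site POST entry point (OAuth or payment-gateway callbacks) arrives without the cookie and must be exempted from CSRF checks by other means, which deserves a comment on the `'samesite' => 'Strict'` line. `$expire` and `$secure_cookie` are computed above the hunk.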
diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php
index 8d905ad68..f1829a3a6 100644
--- a/system/core/compat/hash.php
+++ b/system/core/compat/hash.php
@@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage CodeIgniter
 * @category Compatibility
 * @author Andrey Andreev
- * @link https://codeigniter.com/user_guide/
+ * @link https://codeigniter.com/userguide3/
 * @link https://secure.php.net/hash
 */
diff --git a/system/core/compat/index.html b/system/core/compat/index.html
index b702fbc39..bcb7cae34 100644
--- a/system/core/compat/index.html
+++ b/system/core/compat/index.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html>
+<html lang="en">
 <head>
 <title>403 Forbidden</title>
 </head>
diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php
index 41c86376c..af73b8cce 100644
--- a/system/core/compat/mbstring.php
+++ b/system/core/compat/mbstring.php
@@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage CodeIgniter
 * @category Compatibility
 * @author Andrey Andreev
- * @link https://codeigniter.com/user_guide/
+ * @link https://codeigniter.com/userguide3/
 * @link https://secure.php.net/mbstring
 */
diff --git a/system/core/compat/password.php b/system/core/compat/password.php
index f6517b46d..306300eda 100644
--- a/system/core/compat/password.php
+++ b/system/core/compat/password.php
@@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage CodeIgniter
 * @category Compatibility
 * @author Andrey Andreev
- * @link https://codeigniter.com/user_guide/
+ * @link https://codeigniter.com/userguide3/
 * @link https://secure.php.net/password
 */
diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php
index 31c39ca25..21feeb04e 100644
--- a/system/core/compat/standard.php
+++ b/system/core/compat/standard.php
@@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @subpackage CodeIgniter
 * @category Compatibility
 * @author Andrey Andreev
- * @link https://codeigniter.com/user_guide/
+ * @link https://codeigniter.com/userguide3/
 */
 // ------------------------------------------------------------------------
diff --git a/system/core/index.html b/system/core/index.html
index b702fbc39..bcb7cae34 100644
--- a/system/core/index.html
+++ b/system/core/index.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html>
+<html lang="en">
 <head>
 <title>403 Forbidden</title>
 </head> |