Diffstat (limited to 'system/core')
-rwxr-xr-xsystem/core/CodeIgniter.php2
-rwxr-xr-xsystem/core/Common.php2
-rwxr-xr-xsystem/core/Config.php12
-rwxr-xr-xsystem/core/Input.php71
-rwxr-xr-xsystem/core/Security.php51
5 files changed, 68 insertions, 70 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php
index cd3333331..c16c79c09 100755
--- a/system/core/CodeIgniter.php
+++ b/system/core/CodeIgniter.php
@@ -33,7 +33,7 @@
* @var string
*
*/
- define('CI_VERSION', '2.1.2');
+ define('CI_VERSION', '2.1.3');
/**
* CodeIgniter Branch (Core = TRUE, Reactor = FALSE)
diff --git a/system/core/Common.php b/system/core/Common.php
index d79375475..07534c51f 100755
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -187,7 +187,7 @@ if ( ! function_exists('load_class'))
*/
if ( ! function_exists('is_loaded'))
{
- function is_loaded($class = '')
+ function &is_loaded($class = '')
{
static $_is_loaded = array();
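Review bot: The new `&` on `function &is_loaded` is not explained anywhere in the hunk: the function now hands out a reference to its static `$_is_loaded` registry, so a caller that binds with `$x =& is_loaded()` can mutate the registry directly, a sharper contract than the copy it returned before. The docblock above the hunk should state this, e.g. `@return array Reference to the static registry of loaded classes; bind with =& to share it rather than copy it.` Presumably load_class() relies on the shared registry, but that is not visible here. The function body continues past the hunk.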
diff --git a/system/core/Config.php b/system/core/Config.php
index 714c4667b..5dffbf3f2 100755
--- a/system/core/Config.php
+++ b/system/core/Config.php
@@ -99,12 +99,12 @@ class CI_Config {
$found = FALSE;
$loaded = FALSE;
+ $check_locations = defined('ENVIRONMENT')
+ ? array(ENVIRONMENT.'/'.$file, $file)
+ : array($file);
+
foreach ($this->_config_paths as $path)
{
- $check_locations = defined('ENVIRONMENT')
- ? array(ENVIRONMENT.'/'.$file, $file)
- : array($file);
-
foreach ($check_locations as $location)
{
$file_path = $path.'config/'.$location.'.php';
@@ -168,7 +168,7 @@ class CI_Config {
{
return FALSE;
}
- show_error('The configuration file '.$file.'.php'.' does not exist.');
+ show_error('The configuration file '.$file.'.php does not exist.');
}
return TRUE;
@@ -279,7 +279,7 @@ class CI_Config {
*/
function base_url($uri = '')
{
- return $this->slash_item('base_url').ltrim($this->_uri_string($uri),'/');
+ return $this->slash_item('base_url').ltrim($this->_uri_string($uri), '/');
}
// -------------------------------------------------------------
diff --git a/system/core/Input.php b/system/core/Input.php
index 3559d8607..0c1f2b08e 100755
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -73,13 +73,13 @@ class CI_Input {
*/
protected $headers = array();
-
/**
* Constructor
*
* Sets whether to globally enable the XSS processing
* and whether to allow the $_GET array
*
+ * @return void
*/
public function __construct()
{
@@ -306,50 +306,49 @@ class CI_Input {
/**
* Fetch the IP Address
*
- * @access public
* @return string
*/
- function ip_address()
+ public function ip_address()
{
if ($this->ip_address !== FALSE)
{
return $this->ip_address;
}
- if (config_item('proxy_ips') != '' && $this->server('HTTP_X_FORWARDED_FOR') && $this->server('REMOTE_ADDR'))
+ $proxy_ips = config_item('proxy_ips');
+ if ( ! empty($proxy_ips))
{
- $proxies = preg_split('/[\s,]/', config_item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY);
- $proxies = is_array($proxies) ? $proxies : array($proxies);
+ $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips));
+ foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header)
+ {
+ if (($spoof = $this->server($header)) !== FALSE)
+ {
+ // Some proxies typically list the whole chain of IP
+ // addresses through which the client has reached us.
+ // e.g. client_ip, proxy_ip1, proxy_ip2, etc.
+ if (strpos($spoof, ',') !== FALSE)
+ {
+ $spoof = explode(',', $spoof, 2);
+ $spoof = $spoof[0];
+ }
- $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
- }
- elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
- {
- $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
- }
- elseif ($this->server('REMOTE_ADDR'))
- {
- $this->ip_address = $_SERVER['REMOTE_ADDR'];
- }
- elseif ($this->server('HTTP_CLIENT_IP'))
- {
- $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
- }
- elseif ($this->server('HTTP_X_FORWARDED_FOR'))
- {
- $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
- }
+ if ( ! $this->valid_ip($spoof))
+ {
+ $spoof = FALSE;
+ }
+ else
+ {
+ break;
+ }
+ }
+ }
- if ($this->ip_address === FALSE)
- {
- $this->ip_address = '0.0.0.0';
- return $this->ip_address;
+ $this->ip_address = ($spoof !== FALSE && in_array($_SERVER['REMOTE_ADDR'], $proxy_ips, TRUE))
+ ? $spoof : $_SERVER['REMOTE_ADDR'];
}
-
- if (strpos($this->ip_address, ',') !== FALSE)
+ else
{
- $x = explode(',', $this->ip_address);
- $this->ip_address = trim(end($x));
+ $this->ip_address = $_SERVER['REMOTE_ADDR'];
}
if ( ! $this->valid_ip($this->ip_address))
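Review bot: The `explode(',', $spoof, 2)` / `$spoof = $spoof[0]` lines take the leftmost address of the forwarded chain, which is the one the client itself controls: when a trusted proxy appends rather than replaces the header (the usual behaviour), a request carrying `X-Forwarded-For: 203.0.113.9` reaches PHP as `203.0.113.9, <real client>` and the spoofed value is what gets stored, even though `REMOTE_ADDR` passed the `in_array(…, $proxy_ips, TRUE)` check. The removed code used `end($x)`, i.e. the rightmost entry, so this hunk reintroduces the spoof it sets out to prevent; the chain should be walked from the right, skipping addresses that belong to our own proxies, and the first remaining one taken, which also makes multi-hop proxy setups work. The `str_replace(' ', '', …)` split additionally drops the old tolerance for tabs and newlines in `proxy_ips`, so the `preg_split('/[\s,]+/', …)` form is worth keeping. Note that the other three headers are just as client-supplied as X-Forwarded-For and are only safe to consult when the proxy itself is known to set them; ip_address() continues past the hunk with the valid_ip() fallback.
```php
$proxy_ips = config_item('proxy_ips');
if ( ! empty($proxy_ips))
{
    // Keep the old tolerant split: commas and any whitespace.
    $proxy_ips = preg_split('/[\s,]+/', $proxy_ips, -1, PREG_SPLIT_NO_EMPTY);
    $spoof = FALSE;

    // Only consult forwarding headers when the peer is one of our proxies;
    // otherwise every one of these headers is attacker-supplied.
    if (in_array($_SERVER['REMOTE_ADDR'], $proxy_ips, TRUE))
    {
        foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header)
        {
            if (($chain = $this->server($header)) === FALSE)
            {
                continue;
            }

            // Walk the chain right-to-left: the rightmost entry was written by
            // the proxy nearest us. Skip our own proxies; the first address
            // that is not ours is the client as seen by our edge. Everything
            // to the left of it came from the client and is untrusted.
            foreach (array_reverse(array_map('trim', explode(',', $chain))) as $hop)
            {
                if (in_array($hop, $proxy_ips, TRUE))
                {
                    continue;
                }
                if ($this->valid_ip($hop))
                {
                    $spoof = $hop;
                }
                break;
            }

            if ($spoof !== FALSE)
            {
                break;
            }
        }
    }

    $this->ip_address = ($spoof !== FALSE) ? $spoof : $_SERVER['REMOTE_ADDR'];
}
// … unchanged: else branch and valid_ip() fallback …
```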
@@ -642,8 +641,8 @@ class CI_Input {
$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
- // CSRF Protection check
- if ($this->_enable_csrf == TRUE)
+ // CSRF Protection check on HTTP requests
+ if ($this->_enable_csrf == TRUE && ! $this->is_cli_request())
{
$this->security->csrf_verify();
}
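Review bot: The reason CLI requests may skip the CSRF check is not stated at the `! $this->is_cli_request()` condition, and since the check exists only to defend browser cookies a one-line why-comment will stop someone "re-enabling" it later: `// No browser, no ambient cookie: a CLI invocation cannot be cross-site, and csrf_verify() would only reject it for lacking the token.` This also makes is_cli_request()'s accuracy security-relevant — anything that makes it return TRUE under a web SAPI turns CSRF protection off for that request — which is worth saying next to the condition. The enclosing method continues outside the hunk.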
@@ -837,11 +836,11 @@ class CI_Input {
*
* Test to see if a request was made from the command line
*
- * @return boolean
+ * @return bool
*/
public function is_cli_request()
{
- return (php_sapi_name() == 'cli') or defined('STDIN');
+ return (php_sapi_name() === 'cli' OR defined('STDIN'));
}
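Review bot: `defined('STDIN')` is now a CSRF bypass condition (this method gates csrf_verify() in the hunk above), and STDIN is an ordinary constant that any bootstrap or test harness can define under a web SAPI, so the fallback is wider than the `php_sapi_name() === 'cli'` test it backs up. If the STDIN fallback is needed for some SAPI, tie it to the absence of an HTTP request, e.g. `return (php_sapi_name() === 'cli' OR (defined('STDIN') && ! isset($_SERVER['REQUEST_METHOD'])));`, or drop it and rely on the SAPI name alone. Which environments the STDIN fallback was meant to cover is not stated and deserves a comment either way.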
}
diff --git a/system/core/Security.php b/system/core/Security.php
index 7af240ded..00089d765 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -98,26 +98,32 @@ class CI_Security {
/**
* Constructor
+ *
+ * @return void
*/
public function __construct()
{
- // CSRF config
- foreach(array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
+ // Is CSRF protection enabled?
+ if (config_item('csrf_protection') === TRUE)
{
- if (FALSE !== ($val = config_item($key)))
+ // CSRF config
+ foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
{
- $this->{'_'.$key} = $val;
+ if (FALSE !== ($val = config_item($key)))
+ {
+ $this->{'_'.$key} = $val;
+ }
}
- }
- // Append application specific cookie prefix
- if (config_item('cookie_prefix'))
- {
- $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name;
- }
+ // Append application specific cookie prefix
+ if (config_item('cookie_prefix'))
+ {
+ $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name;
+ }
- // Set the CSRF hash
- $this->_csrf_set_hash();
+ // Set the CSRF hash
+ $this->_csrf_set_hash();
+ }
log_message('debug', "Security Class Initialized");
}
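Review bot: `config_item('csrf_protection') === TRUE` at the new guard enables the token setup only for a boolean TRUE, so a config value of `1` or `'TRUE'` leaves `_csrf_hash` and the cookie name unset while the class remains usable; if Input derives its `_enable_csrf` flag with a looser test (it is compared with `== TRUE` in this diff, and its constructor is not visible here), csrf_verify() could run against a hash that was never generated. Make sure Input applies the same strict test, and record the contract at the guard: `// Only a boolean TRUE enables CSRF; otherwise no hash or cookie name is set up and csrf_verify() must not be called.`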
@@ -131,15 +137,14 @@ class CI_Security {
*/
public function csrf_verify()
{
- // If no POST data exists we will set the CSRF cookie
- if (count($_POST) == 0)
+ // If it's not a POST request we will set the CSRF cookie
+ if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')
{
return $this->csrf_set_cookie();
}
// Do the tokens exist in both the _POST and _COOKIE arrays?
- if ( ! isset($_POST[$this->_csrf_token_name]) OR
- ! isset($_COOKIE[$this->_csrf_cookie_name]))
+ if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]))
{
$this->csrf_show_error();
}
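Review bot: `$_SERVER['REQUEST_METHOD']` at the new gate is read without an isset guard; when csrf_verify() is reached outside an HTTP request (Security is a public library that application code can call directly, and CLI runs have no REQUEST_METHOD) this raises a notice and the call is treated as non-POST. `if ( ! isset($_SERVER['REQUEST_METHOD']) OR strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')` keeps the behaviour and is clean. Moving from `count($_POST)` to the request method also means a POST with a non-form body (JSON read from php://input) is now verified and rejected instead of silently bypassing the check — the right call, but a behaviour change for XHR clients that deserves a sentence in the comment, since the token is still accepted only from `$_POST`. The token comparison itself lies after the hunk.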
@@ -159,7 +164,7 @@ class CI_Security {
$this->_csrf_set_hash();
$this->csrf_set_cookie();
- log_message('debug', "CSRF token verified ");
+ log_message('debug', 'CSRF token verified');
return $this;
}
@@ -176,14 +181,9 @@ class CI_Security {
$expire = time() + $this->_csrf_expire;
$secure_cookie = (config_item('cookie_secure') === TRUE) ? 1 : 0;
- if ($secure_cookie)
+ if ($secure_cookie && (empty($_SERVER['HTTPS']) OR strtolower($_SERVER['HTTPS']) === 'off'))
{
- $req = isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] : FALSE;
-
- if ( ! $req OR $req == 'off')
- {
- return FALSE;
- }
+ return FALSE;
}
setcookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), $secure_cookie);
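Review bot: The `empty($_SERVER['HTTPS']) OR … === 'off'` test sees only the local TLS state; behind a TLS-terminating proxy that speaks plain HTTP to PHP, `cookie_secure = TRUE` makes this function return FALSE on every request, so no CSRF cookie is ever set and every POST then fails csrf_verify(). That is presumably the intended fail-closed behaviour, but it should be documented so the misconfiguration is diagnosable: `// Fail closed: with cookie_secure on and no TLS on this hop, never emit the token over plain HTTP. Behind a TLS-terminating proxy the SAPI must set HTTPS, or every POST will be rejected.` The setcookie() call also passes no httponly flag; whether the token should stay readable by script depends on whether XHR clients take it from the cookie, so state that choice in a comment. The method's tail is outside the hunk.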
@@ -871,7 +871,6 @@ class CI_Security {
}
}
-// END Security Class
/* End of file Security.php */
-/* Location: ./system/libraries/Security.php */
+/* Location: ./system/libraries/Security.php */ \ No newline at end of file
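Review bot: The retained `/* Location: ./system/libraries/Security.php */` comment is stale — the file header of this diff places the file at system/core/Security.php — and the commit rewrites the line without correcting it; it should read `/* Location: ./system/core/Security.php */`. The rewrite also drops the file's trailing newline, which is what produces the "No newline at end of file" marker and what most style checkers flag; keeping the final newline avoids both.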