summaryrefslogtreecommitdiffstats
path: root/system/core
diff options
context:
space:
mode:
Diffstat (limited to 'system/core')
-rw-r--r--system/core/CodeIgniter.php23
-rw-r--r--system/core/Common.php8
-rw-r--r--system/core/Exceptions.php1
-rw-r--r--system/core/Log.php53
-rw-r--r--system/core/Output.php62
-rw-r--r--system/core/Security.php94
6 files changed, 196 insertions, 45 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php
index e6ce13d81..66ed9ec8f 100644
--- a/system/core/CodeIgniter.php
+++ b/system/core/CodeIgniter.php
@@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
* @var string
*
*/
- define('CI_VERSION', '3.2.0-dev');
+ const CI_VERSION = '3.2.0-dev';
/*
* ------------------------------------------------------
@@ -416,10 +416,29 @@ if ( ! is_php('5.4'))
$params = array($method, array_slice($URI->rsegments, 2));
$method = '_remap';
}
- elseif ( ! is_callable(array($class, $method)))
+ elseif ( ! method_exists($class, $method))
{
$e404 = TRUE;
}
+ /**
+ * DO NOT CHANGE THIS, NOTHING ELSE WORKS!
+ *
+ * - method_exists() returns true for non-public methods, which passes the previous elseif
+ * - is_callable() returns false for PHP 4-style constructors, even if there's a __construct()
+ * - method_exists($class, '__construct') won't work because CI_Controller::__construct() is inherited
+ * - People will only complain if this doesn't work, even though it is documented that it shouldn't.
+ *
+ * ReflectionMethod::isConstructor() is the ONLY reliable check,
+ * knowing which method will be executed as a constructor.
+ */
+ elseif ( ! is_callable(array($class, $method)) && strcasecmp($class, $method) === 0)
+ {
+ $reflection = new ReflectionMethod($class, $method);
+ if ( ! $reflection->isPublic() OR $reflection->isConstructor())
+ {
+ $e404 = TRUE;
+ }
+ }
}
if ($e404)
diff --git a/system/core/Common.php b/system/core/Common.php
index 2c7651943..91c585f7d 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -544,13 +544,18 @@ if ( ! function_exists('set_status_header'))
416 => 'Requested Range Not Satisfiable',
417 => 'Expectation Failed',
422 => 'Unprocessable Entity',
+ 426 => 'Upgrade Required',
+ 428 => 'Precondition Required',
+ 429 => 'Too Many Requests',
+ 431 => 'Request Header Fields Too Large',
500 => 'Internal Server Error',
501 => 'Not Implemented',
502 => 'Bad Gateway',
503 => 'Service Unavailable',
504 => 'Gateway Timeout',
- 505 => 'HTTP Version Not Supported'
+ 505 => 'HTTP Version Not Supported',
+ 511 => 'Network Authentication Required',
);
if (isset($stati[$code]))
@@ -656,6 +661,7 @@ if ( ! function_exists('_exception_handler'))
$_error =& load_class('Exceptions', 'core');
$_error->log_exception('error', 'Exception: '.$exception->getMessage(), $exception->getFile(), $exception->getLine());
+ is_cli() OR set_status_header(500);
// Should we display the error?
if (str_ireplace(array('off', 'none', 'no', 'false', 'null'), '', ini_get('display_errors')))
{
diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php
index a1c6a1970..4e10f2831 100644
--- a/system/core/Exceptions.php
+++ b/system/core/Exceptions.php
@@ -207,7 +207,6 @@ class CI_Exceptions {
}
else
{
- set_status_header(500);
$templates_path .= 'html'.DIRECTORY_SEPARATOR;
}
diff --git a/system/core/Log.php b/system/core/Log.php
index 986121526..cf6c75a95 100644
--- a/system/core/Log.php
+++ b/system/core/Log.php
@@ -104,6 +104,13 @@ class CI_Log {
*/
protected $_levels = array('ERROR' => 1, 'DEBUG' => 2, 'INFO' => 3, 'ALL' => 4);
+ /**
+ * mbstring.func_override flag
+ *
+ * @var bool
+ */
+ protected static $func_override;
+
// --------------------------------------------------------------------
/**
@@ -115,6 +122,8 @@ class CI_Log {
{
$config =& get_config();
+ isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override'));
+
$this->_log_path = ($config['log_path'] !== '') ? $config['log_path'] : APPPATH.'logs/';
$this->_file_ext = (isset($config['log_file_extension']) && $config['log_file_extension'] !== '')
? ltrim($config['log_file_extension'], '.') : 'php';
@@ -208,9 +217,9 @@ class CI_Log {
$message .= $this->_format_line($level, $date, $msg);
- for ($written = 0, $length = strlen($message); $written < $length; $written += $result)
+ for ($written = 0, $length = self::strlen($message); $written < $length; $written += $result)
{
- if (($result = fwrite($fp, substr($message, $written))) === FALSE)
+ if (($result = fwrite($fp, self::substr($message, $written))) === FALSE)
{
break;
}
@@ -244,4 +253,44 @@ class CI_Log {
{
return $level.' - '.$date.' --> '.$message."\n";
}
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Byte-safe strlen()
+ *
+ * @param string $str
+ * @return int
+ */
+ protected static function strlen($str)
+ {
+ return (self::$func_override)
+ ? mb_strlen($str, '8bit')
+ : strlen($str);
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Byte-safe substr()
+ *
+ * @param string $str
+ * @param int $start
+ * @param int $length
+ * @return string
+ */
+ protected static function substr($str, $start, $length = NULL)
+ {
+ if (self::$func_override)
+ {
+ // mb_substr($str, $start, null, '8bit') returns an empty
+ // string on PHP 5.3
+ isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start);
+ return mb_substr($str, $start, $length, '8bit');
+ }
+
+ return isset($length)
+ ? substr($str, $start, $length)
+ : substr($str, $start);
+ }
}
diff --git a/system/core/Output.php b/system/core/Output.php
index 98db212a0..7921a54ef 100644
--- a/system/core/Output.php
+++ b/system/core/Output.php
@@ -123,6 +123,13 @@ class CI_Output {
public $parse_exec_vars = TRUE;
/**
+ * mbstring.func_override flag
+ *
+ * @var bool
+ */
+ protected static $func_override;
+
+ /**
* Class constructor
*
* Determines whether zLib output compression will be used.
@@ -138,6 +145,8 @@ class CI_Output {
&& extension_loaded('zlib')
);
+ isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override'));
+
// Get mime types for later
$this->mimes =& get_mimes();
@@ -304,9 +313,9 @@ class CI_Output {
for ($i = 0, $c = count($headers); $i < $c; $i++)
{
- if (strncasecmp($header, $headers[$i], $l = strlen($header)) === 0)
+ if (strncasecmp($header, $headers[$i], $l = self::strlen($header)) === 0)
{
- return trim(substr($headers[$i], $l+1));
+ return trim(self::substr($headers[$i], $l+1));
}
}
@@ -480,13 +489,13 @@ class CI_Output {
if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== FALSE)
{
header('Content-Encoding: gzip');
- header('Content-Length: '.strlen($output));
+ header('Content-Length: '.self::strlen($output));
}
else
{
// User agent doesn't support gzip compression,
// so we'll have to decompress our cache
- $output = gzinflate(substr($output, 10, -8));
+ $output = gzinflate(self::substr($output, 10, -8));
}
}
@@ -601,9 +610,9 @@ class CI_Output {
$output = $cache_info.'ENDCI--->'.$output;
- for ($written = 0, $length = strlen($output); $written < $length; $written += $result)
+ for ($written = 0, $length = self::strlen($output); $written < $length; $written += $result)
{
- if (($result = fwrite($fp, substr($output, $written))) === FALSE)
+ if (($result = fwrite($fp, self::substr($output, $written))) === FALSE)
{
break;
}
@@ -711,7 +720,7 @@ class CI_Output {
}
// Display the cache
- $this->_display(substr($cache, strlen($match[0])));
+ $this->_display(self::substr($cache, self::strlen($match[0])));
log_message('debug', 'Cache file is current. Sending it to browser.');
return TRUE;
}
@@ -797,4 +806,43 @@ class CI_Output {
}
}
+ // --------------------------------------------------------------------
+
+ /**
+ * Byte-safe strlen()
+ *
+ * @param string $str
+ * @return int
+ */
+ protected static function strlen($str)
+ {
+ return (self::$func_override)
+ ? mb_strlen($str, '8bit')
+ : strlen($str);
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Byte-safe substr()
+ *
+ * @param string $str
+ * @param int $start
+ * @param int $length
+ * @return string
+ */
+ protected static function substr($str, $start, $length = NULL)
+ {
+ if (self::$func_override)
+ {
+ // mb_substr($str, $start, null, '8bit') returns an empty
+ // string on PHP 5.3
+ isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start);
+ return mb_substr($str, $start, $length, '8bit');
+ }
+
+ return isset($length)
+ ? substr($str, $start, $length)
+ : substr($str, $start);
+ }
}
diff --git a/system/core/Security.php b/system/core/Security.php
index 3a5da4fde..d0308c5f9 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -133,15 +133,16 @@ class CI_Security {
* @var array
*/
protected $_never_allowed_str = array(
- 'document.cookie' => '[removed]',
- 'document.write' => '[removed]',
- '.parentNode' => '[removed]',
- '.innerHTML' => '[removed]',
- '-moz-binding' => '[removed]',
- '<!--' => '&lt;!--',
- '-->' => '--&gt;',
- '<![CDATA[' => '&lt;![CDATA[',
- '<comment>' => '&lt;comment&gt;'
+ 'document.cookie' => '[removed]',
+ 'document.write' => '[removed]',
+ '.parentNode' => '[removed]',
+ '.innerHTML' => '[removed]',
+ '-moz-binding' => '[removed]',
+ '<!--' => '&lt;!--',
+ '-->' => '--&gt;',
+ '<![CDATA[' => '&lt;![CDATA[',
+ '<comment>' => '&lt;comment&gt;',
+ '<%' => '&lt;&#37;'
);
/**
@@ -371,11 +372,17 @@ class CI_Security {
*
* Note: Use rawurldecode() so it does not remove plus signs
*/
- do
+ if (stripos($str, '%') !== false)
{
- $str = rawurldecode($str);
+ do
+ {
+ $oldstr = $str;
+ $str = rawurldecode($str);
+ $str = preg_replace_callback('#%(?:\s*[0-9a-f]){2,}#i', array($this, '_urldecodespaces'), $str);
+ }
+ while ($oldstr !== $str);
+ unset($oldstr);
}
- while (preg_match('/%[0-9a-f]{2,}/i', $str));
/*
* Convert character entities to ASCII
@@ -466,7 +473,7 @@ class CI_Security {
if (preg_match('/<a/i', $str))
{
- $str = preg_replace_callback('#<a[^a-z0-9>]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
+ $str = preg_replace_callback('#<a(?:rea)?[^a-z0-9>]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
}
if (preg_match('/<img/i', $str))
@@ -669,6 +676,22 @@ class CI_Security {
? ENT_COMPAT | ENT_HTML5
: ENT_COMPAT;
+ if ( ! isset($_entities))
+ {
+ $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, $flag, $charset));
+
+ // If we're not on PHP 5.4+, add the possibly dangerous HTML 5
+ // entities to the array manually
+ if ($flag === ENT_COMPAT)
+ {
+ $_entities[':'] = '&colon;';
+ $_entities['('] = '&lpar;';
+ $_entities[')'] = '&rpar;';
+ $_entities["\n"] = '&NewLine;';
+ $_entities["\t"] = '&Tab;';
+ }
+ }
+
do
{
$str_compare = $str;
@@ -676,22 +699,6 @@ class CI_Security {
// Decode standard entities, avoiding false positives
if (preg_match_all('/&[a-z]{2,}(?![a-z;])/i', $str, $matches))
{
- if ( ! isset($_entities))
- {
- $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, $flag, $charset));
-
- // If we're not on PHP 5.4+, add the possibly dangerous HTML 5
- // entities to the array manually
- if ($flag === ENT_COMPAT)
- {
- $_entities[':'] = '&colon;';
- $_entities['('] = '&lpar;';
- $_entities[')'] = '&rpar;';
- $_entities["\n"] = '&newline;';
- $_entities["\t"] = '&tab;';
- }
- }
-
$replace = array();
$matches = array_unique(array_map('strtolower', $matches[0]));
foreach ($matches as &$match)
@@ -702,7 +709,7 @@ class CI_Security {
}
}
- $str = str_ireplace(array_keys($replace), array_values($replace), $str);
+ $str = str_replace(array_keys($replace), array_values($replace), $str);
}
// Decode numeric & UTF16 two byte entities
@@ -711,6 +718,11 @@ class CI_Security {
$flag,
$charset
);
+
+ if ($flag === ENT_COMPAT)
+ {
+ $str = str_replace(array_values($_entities), array_keys($_entities), $str);
+ }
}
while ($str_compare !== $str);
return $str;
@@ -770,6 +782,24 @@ class CI_Security {
// ----------------------------------------------------------------
/**
+ * URL-decode taking spaces into account
+ *
+ * @see https://github.com/bcit-ci/CodeIgniter/issues/4877
+ * @param array $matches
+ * @return string
+ */
+ protected function _urldecodespaces($matches)
+ {
+ $input = $matches[0];
+ $nospaces = preg_replace('#\s+#', '', $input);
+ return ($nospaces === $input)
+ ? $input
+ : rawurldecode($nospaces);
+ }
+
+ // ----------------------------------------------------------------
+
+ /**
* Compact Exploded Words
*
* Callback method for xss_clean() to remove whitespace from
@@ -798,7 +828,7 @@ class CI_Security {
protected function _sanitize_naughty_html($matches)
{
static $naughty_tags = array(
- 'alert', 'prompt', 'confirm', 'applet', 'audio', 'basefont', 'base', 'behavior', 'bgsound',
+ 'alert', 'area', 'prompt', 'confirm', 'applet', 'audio', 'basefont', 'base', 'behavior', 'bgsound',
'blink', 'body', 'embed', 'expression', 'form', 'frameset', 'frame', 'head', 'html', 'ilayer',
'iframe', 'input', 'button', 'select', 'isindex', 'layer', 'link', 'meta', 'keygen', 'object',
'plaintext', 'style', 'script', 'textarea', 'title', 'math', 'video', 'svg', 'xml', 'xss'
@@ -895,7 +925,7 @@ class CI_Security {
return str_replace(
$match[1],
preg_replace(
- '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
+ '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si',
'',
$this->_filter_attributes($match[1])
),