Diffstat (limited to 'system/core')
-rw-r--r-- | system/core/CodeIgniter.php | 89 | ||||
-rw-r--r-- | system/core/Common.php | 14 | ||||
-rw-r--r-- | system/core/Config.php | 16 | ||||
-rw-r--r-- | system/core/Exceptions.php | 12 | ||||
-rw-r--r-- | system/core/Hooks.php | 6 | ||||
-rw-r--r-- | system/core/Input.php | 285 | ||||
-rw-r--r-- | system/core/Loader.php | 20 | ||||
-rw-r--r-- | system/core/Log.php | 7 | ||||
-rw-r--r-- | system/core/Model.php | 8 | ||||
-rw-r--r-- | system/core/Output.php | 19 | ||||
-rw-r--r-- | system/core/Router.php | 43 | ||||
-rw-r--r-- | system/core/Security.php | 43 | ||||
-rw-r--r-- | system/core/URI.php | 122 | ||||
-rw-r--r-- | system/core/Utf8.php | 14 | ||||
-rw-r--r-- | system/core/compat/hash.php | 8 | ||||
-rw-r--r-- | system/core/compat/mbstring.php | 8 | ||||
-rw-r--r-- | system/core/compat/password.php | 12 | ||||
-rw-r--r-- | system/core/compat/standard.php | 50 |
18 files changed, 187 insertions, 589 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index bd0c4c5d8..9bf60a4ac 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - const CI_VERSION = '3.1.12-dev'; + const CI_VERSION = '3.2.0-dev'; /* * ------------------------------------------------------ @@ -79,57 +79,6 @@ defined('BASEPATH') OR exit('No direct script access allowed'); */ require_once(BASEPATH.'core/Common.php'); - -/* - * ------------------------------------------------------ - * Security procedures - * ------------------------------------------------------ - */ - -if ( ! is_php('5.4')) -{ - ini_set('magic_quotes_runtime', 0); - - if ((bool) ini_get('register_globals')) - { - $_protected = array( - '_SERVER', - '_GET', - '_POST', - '_FILES', - '_REQUEST', - '_SESSION', - '_ENV', - '_COOKIE', - 'GLOBALS', - 'HTTP_RAW_POST_DATA', - 'system_path', - 'application_folder', - 'view_folder', - '_protected', - '_registered' - ); - - $_registered = ini_get('variables_order'); - foreach (array('E' => '_ENV', 'G' => '_GET', 'P' => '_POST', 'C' => '_COOKIE', 'S' => '_SERVER') as $key => $superglobal) - { - if (strpos($_registered, $key) === FALSE) - { - continue; - } - - foreach (array_keys($$superglobal) as $var) - { - if (isset($GLOBALS[$var]) && ! in_array($var, $_protected, TRUE)) - { - $GLOBALS[$var] = NULL; - } - } - } - } -} - - /* * ------------------------------------------------------ * Define a custom error handler so we can log PHP errors 
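Review bot: The `CI_VERSION` bump to `3.2.0-dev` is the only place where the dropped platform support is visible, while the `is_php('5.4')` guards are removed here (register_globals / magic_quotes block) and again in Common.php, Loader.php and Security.php later in this diff, which implies a raised minimum PHP version that nothing in the diff states. A one-line note next to the constant, e.g. `* Minimum PHP version: <version required by this release — fill in>`, would let an installer see the requirement without reading the removed compatibility code. The hunk header `@@ -79,57 +79,6 @@` also shows that the "Security procedures" section comment is gone entirely, so the bootstrap no longer signals that any sanitisation happens at this point; that is fine if intended, but it is worth confirming that the removed behaviour is covered by the minimum-version requirement alone.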
@@ -194,20 +143,6 @@ if ( ! is_php('5.4')) /* * ------------------------------------------------------ - * Instantiate the hooks class - * ------------------------------------------------------ - */ - $EXT =& load_class('Hooks', 'core'); - -/* - * ------------------------------------------------------ - * Is there a "pre_system" hook? - * ------------------------------------------------------ - */ - $EXT->call_hook('pre_system'); - -/* - * ------------------------------------------------------ * Instantiate the config class * ------------------------------------------------------ * @@ -229,6 +164,20 @@ if ( ! is_php('5.4')) /* * ------------------------------------------------------ + * Instantiate the hooks class + * ------------------------------------------------------ + */ + $EXT =& load_class('Hooks', 'core', $CFG); + +/* + * ------------------------------------------------------ + * Is there a "pre_system" hook? + * ------------------------------------------------------ + */ + $EXT->call_hook('pre_system'); + +/* + * ------------------------------------------------------ * Important charset-related stuff * ------------------------------------------------------ * @@ -294,14 +243,14 @@ if ( ! is_php('5.4')) * Instantiate the UTF-8 class * ------------------------------------------------------ */ - $UNI =& load_class('Utf8', 'core'); + $UNI =& load_class('Utf8', 'core', $charset); /* * ------------------------------------------------------ * Instantiate the URI class * ------------------------------------------------------ */ - $URI =& load_class('URI', 'core'); + $URI =& load_class('URI', 'core', $CFG); /* * ------------------------------------------------------ 
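Review bot: Moving the `load_class('Hooks', 'core', $CFG)` block below the Config instantiation (hunks @@ -194 and @@ -229) means the `pre_system` hook now fires after `$CFG` is loaded, so a hook can no longer act before configuration is read; the surrounding header comment does not mention the ordering change. Suggest extending it to `* Is there a "pre_system" hook? (fires after the Config class is loaded)` so users of that hook do not assume the pre-3.2 timing. Whether anything in `CI_Hooks::call_hook()` depended on the old ordering is outside this diff.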
@@ -332,14 +281,14 @@ if ( ! is_php('5.4')) * Load the security class for xss and csrf support * ----------------------------------------------------- */ - $SEC =& load_class('Security', 'core'); + $SEC =& load_class('Security', 'core', $charset); /* * ------------------------------------------------------ * Load the Input class and sanitize globals * ------------------------------------------------------ */ - $IN =& load_class('Input', 'core'); + $IN =& load_class('Input', 'core', $SEC); /* * ------------------------------------------------------ diff --git a/system/core/Common.php b/system/core/Common.php index 624b5a9f7..fadc0a0b1 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -81,8 +81,7 @@ if ( ! function_exists('is_really_writable')) * Tests for file writability * * is_writable() returns TRUE on Windows servers when you really can't write to - * the file, based on the read-only attribute. is_writable() is also unreliable - * on Unix servers if safe_mode is on. + * the file, based on the read-only attribute. * * @link https://bugs.php.net/bug.php?id=54709 * @param string @@ -90,8 +89,8 @@ if ( ! function_exists('is_really_writable')) */ function is_really_writable($file) { - // If we're on a Unix server with safe_mode off we call is_writable - if (DIRECTORY_SEPARATOR === '/' && (is_php('5.4') OR ! ini_get('safe_mode'))) + // If we're on a UNIX-like server, just is_writable() + if (DIRECTORY_SEPARATOR === '/') { return is_writable($file); } @@ -499,6 +498,7 @@ if ( ! function_exists('set_status_header')) $stati = array( 100 => 'Continue', 101 => 'Switching Protocols', + 103 => 'Early Hints', 200 => 'OK', 201 => 'Created', @@ -507,6 +507,7 @@ if ( ! function_exists('set_status_header')) 204 => 'No Content', 205 => 'Reset Content', 206 => 'Partial Content', + 207 => 'Multi-Status', 300 => 'Multiple Choices', 301 => 'Moved Permanently', 
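Review bot: The context line `* Load the Input class and sanitize globals` no longer describes what `$IN =& load_class('Input', 'core', $SEC);` does: the new CI_Input constructor only stores `$SEC` and logs (Input.php hunk @@ -135), and `_sanitize_globals()` is deleted outright (hunk @@ -587). Unless sanitisation is re-introduced somewhere outside this diff, the header should read `* Load the Input class` so a reader of the bootstrap does not assume the superglobals are cleaned at this point. The same stale wording is likely to exist in the user guide, which this diff does not touch.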
@@ -515,6 +516,7 @@ if ( ! function_exists('set_status_header')) 304 => 'Not Modified', 305 => 'Use Proxy', 307 => 'Temporary Redirect', + 308 => 'Permanent Redirect', 400 => 'Bad Request', 401 => 'Unauthorized', @@ -534,11 +536,13 @@ if ( ! function_exists('set_status_header')) 415 => 'Unsupported Media Type', 416 => 'Requested Range Not Satisfiable', 417 => 'Expectation Failed', + 421 => 'Misdirected Request', 422 => 'Unprocessable Entity', 426 => 'Upgrade Required', 428 => 'Precondition Required', 429 => 'Too Many Requests', 431 => 'Request Header Fields Too Large', + 451 => 'Unavailable For Legal Reasons', 500 => 'Internal Server Error', 501 => 'Not Implemented', @@ -625,7 +629,7 @@ if ( ! function_exists('_error_handler')) // If the error is fatal, the execution of the script should be stopped because // errors can't be recovered from. Halting the script conforms with PHP's - // default error handling. See http://www.php.net/manual/en/errorfunc.constants.php + // default error handling. See https://secure.php.net/manual/en/errorfunc.constants.php if ($is_error) { exit(1); // EXIT_ERROR diff --git a/system/core/Config.php b/system/core/Config.php index fc6c30f86..13cc087d0 100644 --- a/system/core/Config.php +++ b/system/core/Config.php @@ -169,7 +169,7 @@ class CI_Config { $this->is_loaded[] = $file_path; $config = NULL; $loaded = TRUE; - log_message('debug', 'Config file loaded: '.$file_path); + log_message('info', 'Config file loaded: '.$file_path); } } 
@@ -351,20 +351,6 @@ class CI_Config { // -------------------------------------------------------------------- /** - * System URL - * - * @deprecated 3.0.0 Encourages insecure practices - * @return string - */ - public function system_url() - { - $x = explode('/', preg_replace('|/*(.+?)/*$|', '\\1', BASEPATH)); - return $this->slash_item('base_url').end($x).'/'; - } - - // -------------------------------------------------------------------- - - /** * Set a config file item * * @param string $item Config item key diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php index 90ff1abf4..e8e7f6c29 100644 --- a/system/core/Exceptions.php +++ b/system/core/Exceptions.php @@ -161,6 +161,10 @@ class CI_Exceptions { { $templates_path = VIEWPATH.'errors'.DIRECTORY_SEPARATOR; } + else + { + $templates_path = rtrim($templates_path, '/\\').DIRECTORY_SEPARATOR; + } if (is_cli()) { @@ -194,6 +198,10 @@ class CI_Exceptions { { $templates_path = VIEWPATH.'errors'.DIRECTORY_SEPARATOR; } + else + { + $templates_path = rtrim($templates_path, '/\\').DIRECTORY_SEPARATOR; + } $message = $exception->getMessage(); if (empty($message)) @@ -240,6 +248,10 @@ class CI_Exceptions { { $templates_path = VIEWPATH.'errors'.DIRECTORY_SEPARATOR; } + else + { + $templates_path = rtrim($templates_path, '/\\').DIRECTORY_SEPARATOR; + } $severity = isset($this->levels[$severity]) ? $this->levels[$severity] : $severity; diff --git a/system/core/Hooks.php b/system/core/Hooks.php index 6236dd498..353e22e21 100644 --- a/system/core/Hooks.php +++ b/system/core/Hooks.php 
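Review bot: In Exceptions.php the new `else { $templates_path = rtrim($templates_path, '/\\').DIRECTORY_SEPARATOR; }` branch is pasted verbatim into three methods (hunks @@ -161, @@ -194 and @@ -240); a single private helper that returns the normalised templates directory would keep the three call sites from drifting apart the next time the rule changes. The `if` whose condition assigns the default `VIEWPATH.'errors'` path starts outside each hunk, so the helper would replace the whole `if`/`else` pair, not just the added lines. The change itself is correct as far as the visible lines go.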
@@ -83,16 +83,16 @@ class CI_Hooks { /** * Class constructor * + * @param CI_Config $config * @return void */ - public function __construct() + public function __construct(CI_Config $config) { - $CFG =& load_class('Config', 'core'); log_message('info', 'Hooks Class Initialized'); // If hooks are not enabled in the config file // there is nothing else to do - if ($CFG->item('enable_hooks') === FALSE) + if ($config->item('enable_hooks') === FALSE) { return; } diff --git a/system/core/Input.php b/system/core/Input.php index 30b31d0d7..053970b01 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -58,45 +58,6 @@ class CI_Input { protected $ip_address = FALSE; /** - * Allow GET array flag - * - * If set to FALSE, then $_GET will be set to an empty array. - * - * @var bool - */ - protected $_allow_get_array = TRUE; - - /** - * Standardize new lines flag - * - * If set to TRUE, then newlines are standardized. - * - * @var bool - */ - protected $_standardize_newlines; - - /** - * Enable XSS flag - * - * Determines whether the XSS filter is always active when - * GET, POST or COOKIE data is encountered. - * Set automatically based on config setting. - * - * @var bool - */ - protected $_enable_xss = FALSE; - - /** - * Enable CSRF flag - * - * Enables a CSRF cookie token to be set. - * Set automatically based on config setting. - * - * @var bool - */ - protected $_enable_csrf = FALSE; - - /** * List of all HTTP request headers * * @var array @@ -122,8 +83,15 @@ class CI_Input { */ protected $_input_stream; + /** + * CI_Security instance + * + * Used for the optional $xss_filter parameter that most + * getter methods have here. + * + * @var CI_Security + */ protected $security; - protected $uni; // -------------------------------------------------------------------- 
@@ -135,30 +103,9 @@ class CI_Input { * * @return void */ - public function __construct() + public function __construct(CI_Security &$security) { - $this->_allow_get_array = (config_item('allow_get_array') !== FALSE); - $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); - $this->_enable_csrf = (config_item('csrf_protection') === TRUE); - $this->_standardize_newlines = (bool) config_item('standardize_newlines'); - - $this->security =& load_class('Security', 'core'); - - // Do we need the UTF-8 class? - if (UTF8_ENABLED === TRUE) - { - $this->uni =& load_class('Utf8', 'core'); - } - - // Sanitize global arrays - $this->_sanitize_globals(); - - // CSRF Protection check - if ($this->_enable_csrf === TRUE && ! is_cli()) - { - $this->security->csrf_verify(); - } - + $this->security = $security; log_message('info', 'Input Class Initialized'); } @@ -174,10 +121,8 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL) + protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = FALSE) { - is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; - // If $index is NULL, it means that the whole $array is requested isset($index) OR $index = array_keys($array); @@ -237,7 +182,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function get($index = NULL, $xss_clean = NULL) + public function get($index = NULL, $xss_clean = FALSE) { return $this->_fetch_from_array($_GET, $index, $xss_clean); } @@ -251,7 +196,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function post($index = NULL, $xss_clean = NULL) + public function post($index = NULL, $xss_clean = FALSE) { return $this->_fetch_from_array($_POST, $index, $xss_clean); } 
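Review bot: The docblock above the new `public function __construct(CI_Security &$security)` still ends at `@return void` with no parameter entry; add `@param CI_Security $security`, and consider dropping the `&` — objects are handle types in PHP 5+, so by-reference only matters if the constructor reassigns the caller's variable, which it does not. In the same hunk `_fetch_from_array` changes its default from `NULL` to `FALSE` and removes `is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;`, so the `global_xss_filtering` config item is no longer consulted by get(), post(), cookie(), server(), input_stream(), user_agent() and the post_get()/get_post() pair (the same default change runs through the hunks up to @@ -579). Unless the global filter is now applied elsewhere outside this diff, that is a silent behaviour change for installations that relied on it and should be called out in the class docblock, e.g. `* XSS filtering is opt-in per call via $xss_clean; the global_xss_filtering setting is not applied here.`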
@@ -265,11 +210,10 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function post_get($index, $xss_clean = NULL) + public function post_get($index, $xss_clean = FALSE) { - return isset($_POST[$index]) - ? $this->post($index, $xss_clean) - : $this->get($index, $xss_clean); + $output = $this->post($index, $xss_clean); + return isset($output) ? $output : $this->get($index, $xss_clean); } // -------------------------------------------------------------------- @@ -281,11 +225,10 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function get_post($index, $xss_clean = NULL) + public function get_post($index, $xss_clean = FALSE) { - return isset($_GET[$index]) - ? $this->get($index, $xss_clean) - : $this->post($index, $xss_clean); + $output = $this->get($index, $xss_clean); + return isset($output) ? $output : $this->post($index, $xss_clean); } // -------------------------------------------------------------------- @@ -297,7 +240,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function cookie($index = NULL, $xss_clean = NULL) + public function cookie($index = NULL, $xss_clean = FALSE) { return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); } @@ -311,7 +254,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function server($index, $xss_clean = NULL) + public function server($index, $xss_clean = FALSE) { return $this->_fetch_from_array($_SERVER, $index, $xss_clean); } @@ -327,7 +270,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function input_stream($index = NULL, $xss_clean = NULL) + public function input_stream($index = NULL, $xss_clean = FALSE) { // Prior to PHP 5.6, the input stream can only be read once, // so we'll need to check if we have already done that first. 
@@ -359,7 +302,7 @@ class CI_Input { * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) * @return void */ - public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) + public function set_cookie($name, $value = '', $expire = 0, $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) { if (is_array($name)) { @@ -396,9 +339,9 @@ class CI_Input { ? (bool) config_item('cookie_httponly') : (bool) $httponly; - if ( ! is_numeric($expire)) + if ( ! is_numeric($expire) OR $expire < 0) { - $expire = time() - 86500; + $expire = 1; } else { @@ -579,7 +522,7 @@ class CI_Input { * * @return string|null User Agent string or NULL if it doesn't exist */ - public function user_agent($xss_clean = NULL) + public function user_agent($xss_clean = FALSE) { return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean); } 
@@ -587,167 +530,6 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Sanitize Globals - * - * Internal method serving for the following purposes: - * - * - Unsets $_GET data, if query strings are not enabled - * - Cleans POST, COOKIE and SERVER data - * - Standardizes newline characters to PHP_EOL - * - * @return void - */ - protected function _sanitize_globals() - { - // Is $_GET data allowed? If not we'll set the $_GET to an empty array - if ($this->_allow_get_array === FALSE) - { - $_GET = array(); - } - elseif (is_array($_GET)) - { - foreach ($_GET as $key => $val) - { - $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); - } - } - - // Clean $_POST Data - if (is_array($_POST)) - { - foreach ($_POST as $key => $val) - { - $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); - } - } - - // Clean $_COOKIE Data - if (is_array($_COOKIE)) - { - // Also get rid of specially treated cookies that might be set by a server - // or silly application, that are of no use to a CI application anyway - // but that when present will trip our 'Disallowed Key Characters' alarm - // http://www.ietf.org/rfc/rfc2109.txt - // note that the key names below are single quoted strings, and are not PHP variables - unset( - $_COOKIE['$Version'], - $_COOKIE['$Path'], - $_COOKIE['$Domain'] - ); - - foreach ($_COOKIE as $key => $val) - { - if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) - { - $_COOKIE[$cookie_key] = $this->_clean_input_data($val); - } - else - { - unset($_COOKIE[$key]); - } - } - } - - // Sanitize PHP_SELF - $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); - - log_message('debug', 'Global POST, GET and COOKIE data sanitized'); - } - - // -------------------------------------------------------------------- - - /** - * Clean Input Data - * - * Internal method that aids in escaping data and - * standardizing newline characters to PHP_EOL. 
- * - * @param string|string[] $str Input string(s) - * @return string - */ - protected function _clean_input_data($str) - { - if (is_array($str)) - { - $new_array = array(); - foreach (array_keys($str) as $key) - { - $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); - } - return $new_array; - } - - /* We strip slashes if magic quotes is on to keep things consistent - - NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and - it will probably not exist in future versions at all. - */ - if ( ! is_php('5.4') && get_magic_quotes_gpc()) - { - $str = stripslashes($str); - } - - // Clean UTF-8 if supported - if (UTF8_ENABLED === TRUE) - { - $str = $this->uni->clean_string($str); - } - - // Remove control characters - $str = remove_invisible_characters($str, FALSE); - - // Standardize newlines if needed - if ($this->_standardize_newlines === TRUE) - { - return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str); - } - - return $str; - } - - // -------------------------------------------------------------------- - - /** - * Clean Keys - * - * Internal method that helps to prevent malicious users - * from trying to exploit keys we make sure that keys are - * only named with alpha-numeric text and a few other items. - * - * @param string $str Input string - * @param bool $fatal Whether to terminate script exection - * or to return FALSE if an invalid - * key is encountered - * @return string|bool - */ - protected function _clean_input_keys($str, $fatal = TRUE) - { - if ( ! 
preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) - { - if ($fatal === TRUE) - { - return FALSE; - } - else - { - set_status_header(503); - echo 'Disallowed Key Characters.'; - exit(7); // EXIT_USER_INPUT - } - } - - // Clean UTF-8 if supported - if (UTF8_ENABLED === TRUE) - { - return $this->uni->clean_string($str); - } - - return $str; - } - - // -------------------------------------------------------------------- - - /** * Request Headers * * @param bool $xss_clean Whether to apply XSS filtering @@ -839,21 +621,6 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Is CLI request? - * - * Test to see if a request was made from the command line. - * - * @deprecated 3.0.0 Use is_cli() instead - * @return bool - */ - public function is_cli_request() - { - return is_cli(); - } - - // -------------------------------------------------------------------- - - /** * Get Request Method * * Return the request method diff --git a/system/core/Loader.php b/system/core/Loader.php index 14888e49a..0710b1611 100644 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -348,9 +348,10 @@ class CI_Loader { throw new RuntimeException('Unable to locate the model you have specified: '.$model); } } - elseif ( ! is_subclass_of($model, 'CI_Model')) + + if ( ! is_subclass_of($model, 'CI_Model')) { - throw new RuntimeException("Class ".$model." already exists and doesn't extend CI_Model"); + throw new RuntimeException("Class ".$model." doesn't extend CI_Model"); } $this->_ci_models[] = $name; @@ -943,7 +944,7 @@ class CI_Loader { empty($_ci_vars) OR $this->_ci_cached_vars = array_merge($this->_ci_cached_vars, $_ci_vars); extract($this->_ci_cached_vars); - /* + /** * Buffer the output * * We buffer the output for two reasons: 
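Review bot: Deleting `_sanitize_globals()` together with `_clean_input_keys()` and `_clean_input_data()` removes several normalisation steps that nothing in this diff re-introduces: the key whitelist `/^[a-z0-9:_\/|-]+$/i` on `$_GET`/`$_POST`/`$_COOKIE` keys, `remove_invisible_characters()` and UTF-8 `clean_string()` on the values, the `$Version`/`$Path`/`$Domain` cookie removal, newline standardisation and `strip_tags($_SERVER['PHP_SELF'])`. Combined with `_fetch_from_array` now defaulting `$xss_clean` to `FALSE`, application code that relied on the framework cleaning the superglobals at bootstrap will now see raw request data. If that is the intended design, the CI_Input class docblock should state that superglobals are left untouched and that filtering is per call; if the control-character and UTF-8 cleaning were meant to survive, they need a new home in the bootstrap outside this hunk. The `_sanitize_globals()` definition begins on the previous physical lines of this hunk, which is complete here.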
@@ -956,18 +957,7 @@ class CI_Loader { */ ob_start(); - // If the PHP installation does not support short tags we'll - // do a little string replacement, changing the short tags - // to standard PHP echo statements. - if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE) - { - echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path)))); - } - else - { - include($_ci_path); // include() vs include_once() allows for multiple views with the same name - } - + include($_ci_path); // include() vs include_once() allows for multiple views with the same name log_message('info', 'File loaded: '.$_ci_path); // Return the file data if requested diff --git a/system/core/Log.php b/system/core/Log.php index f37726e02..fde0bebf2 100644 --- a/system/core/Log.php +++ b/system/core/Log.php @@ -124,7 +124,9 @@ class CI_Log { isset(self::$func_overload) OR self::$func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload')); - $this->_log_path = ($config['log_path'] !== '') ? $config['log_path'] : APPPATH.'logs/'; + $this->_log_path = ($config['log_path'] !== '') + ? rtrim($config['log_path'], '/\\').DIRECTORY_SEPARATOR : APPPATH.'logs'.DIRECTORY_SEPARATOR; + $this->_file_ext = (isset($config['log_file_extension']) && $config['log_file_extension'] !== '') ? ltrim($config['log_file_extension'], '.') : 'php'; @@ -283,9 +285,6 @@ class CI_Log { { if (self::$func_overload) { - // mb_substr($str, $start, null, '8bit') returns an empty - // string on PHP 5.3 - isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start); return mb_substr($str, $start, $length, '8bit'); } diff --git a/system/core/Model.php b/system/core/Model.php index 0aadbcdc8..4c497d21e 100644 --- a/system/core/Model.php +++ b/system/core/Model.php 
@@ -49,14 +49,6 @@ defined('BASEPATH') OR exit('No direct script access allowed'); class CI_Model { /** - * Class constructor - * - * @link https://github.com/bcit-ci/CodeIgniter/issues/5332 - * @return void - */ - public function __construct() {} - - /** * __get magic * * Allows models to access CI's loaded classes using the same diff --git a/system/core/Output.php b/system/core/Output.php index 64e7ee1f9..f386d3ad4 100644 --- a/system/core/Output.php +++ b/system/core/Output.php @@ -412,7 +412,7 @@ class CI_Output { * @param string $output Output data override * @return void */ - public function _display($output = '') + public function _display($output = NULL) { // Note: We use load_class() because we can't use $CI =& get_instance() // since this function is sometimes called by the caching mechanism, @@ -429,7 +429,7 @@ class CI_Output { // -------------------------------------------------------------------- // Set the output data - if ($output === '') + if ($output === NULL) { $output =& $this->final_output; } @@ -502,7 +502,7 @@ class CI_Output { echo $output; log_message('info', 'Final output sent to browser'); - log_message('debug', 'Total execution time: '.$elapsed); + log_message('info', 'Total execution time: '.$elapsed); return; } @@ -539,7 +539,7 @@ class CI_Output { } log_message('info', 'Final output sent to browser'); - log_message('debug', 'Total execution time: '.$elapsed); + log_message('info', 'Total execution time: '.$elapsed); } // -------------------------------------------------------------------- @@ -554,7 +554,7 @@ class CI_Output { { $CI =& get_instance(); $path = $CI->config->item('cache_path'); - $cache_path = ($path === '') ? APPPATH.'cache/' : $path; + $cache_path = ($path === '') ? APPPATH.'cache'.DIRECTORY_SEPARATOR : rtrim($path, '/\\').DIRECTORY_SEPARATOR; if ( ! is_dir($cache_path) OR ! is_really_writable($cache_path)) { 
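Review bot: `_display($output = NULL)` now treats only `NULL` as "use `$this->final_output`", but the docblock line `* @param string $output Output data override` still describes the old `''` sentinel; change it to `* @param string|null $output Output data override; NULL sends $this->final_output` so the new contract is visible. Any caller that passed `''` explicitly to mean "use the buffered output" will now send an empty body, which is a backward-compatibility note worth adding to the changelog as well. The body of `_display()` continues outside both hunks @@ -412 and @@ -429.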
@@ -563,7 +563,7 @@ class CI_Output { } $uri = $CI->config->item('base_url') - .$CI->config->item('index_page') + .$CI->config->slash_item('index_page') .$CI->uri->uri_string(); if (($cache_query_string = $CI->config->item('cache_query_string')) && ! empty($_SERVER['QUERY_STRING'])) @@ -658,7 +658,7 @@ class CI_Output { $cache_path = ($CFG->item('cache_path') === '') ? APPPATH.'cache/' : $CFG->item('cache_path'); // Build the file path. The file name is an MD5 hash of the full URI - $uri = $CFG->item('base_url').$CFG->item('index_page').$URI->uri_string; + $uri = $CFG->item('base_url').$CFG->slash_item('index_page').$URI->uri_string; if (($cache_query_string = $CFG->item('cache_query_string')) && ! empty($_SERVER['QUERY_STRING'])) { @@ -761,7 +761,7 @@ class CI_Output { } } - $cache_path .= md5($CI->config->item('base_url').$CI->config->item('index_page').ltrim($uri, '/')); + $cache_path .= md5($CI->config->item('base_url').$CI->config->slash_item('index_page').ltrim($uri, '/')); if ( ! @unlink($cache_path)) { @@ -829,9 +829,6 @@ class CI_Output { { if (self::$func_overload) { - // mb_substr($str, $start, null, '8bit') returns an empty - // string on PHP 5.3 - isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start); return mb_substr($str, $start, $length, '8bit'); } diff --git a/system/core/Router.php b/system/core/Router.php index 90b69d07a..dcdd1ed1f 100644 --- a/system/core/Router.php +++ b/system/core/Router.php @@ -439,19 +439,6 @@ class CI_Router { // -------------------------------------------------------------------- /** - * Fetch the current class - * - * @deprecated 3.0.0 Read the 'class' property instead - * @return string - */ - public function fetch_class() - { - return $this->class; - } - - // -------------------------------------------------------------------- - - /** * Set method name * * @param string $method Method name 
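Review bot: `_display_cache()` still builds the directory with the unchanged context line `$cache_path = ($CFG->item('cache_path') === '') ? APPPATH.'cache/' : $CFG->item('cache_path');` (hunk @@ -658), whereas `_write_cache()` now normalises the same config value with `rtrim($path, '/\\').DIRECTORY_SEPARATOR` (hunk @@ -554 on the previous line). For a `cache_path` configured without a trailing slash the writer and the reader now compute different file paths, so pages would be written but never served from cache; the reader should use the same form, `$cache_path = ($CFG->item('cache_path') === '') ? APPPATH.'cache'.DIRECTORY_SEPARATOR : rtrim($CFG->item('cache_path'), '/\\').DIRECTORY_SEPARATOR;`. The `$cache_path` used by `delete_cache()` (hunk @@ -761) is assigned outside the hunk and should be checked for the same mismatch.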
@@ -465,19 +452,6 @@ class CI_Router { // -------------------------------------------------------------------- /** - * Fetch the current method - * - * @deprecated 3.0.0 Read the 'method' property instead - * @return string - */ - public function fetch_method() - { - return $this->method; - } - - // -------------------------------------------------------------------- - - /** * Set directory name * * @param string $dir Directory name @@ -495,21 +469,4 @@ class CI_Router { $this->directory .= str_replace('.', '', trim($dir, '/')).'/'; } } - - // -------------------------------------------------------------------- - - /** - * Fetch directory - * - * Feches the sub-directory (if any) that contains the requested - * controller class. - * - * @deprecated 3.0.0 Read the 'directory' property instead - * @return string - */ - public function fetch_directory() - { - return $this->directory; - } - } diff --git a/system/core/Security.php b/system/core/Security.php index 6a81faff1..5edb67f4e 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -169,10 +169,12 @@ class CI_Security { * * @return void */ - public function __construct() + public function __construct($charset) { + $this->charset = $charset; + // Is CSRF protection enabled? - if (config_item('csrf_protection')) + if (config_item('csrf_protection') && ! is_cli()) { // CSRF config foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key) @@ -191,10 +193,9 @@ class CI_Security { // Set the CSRF hash $this->_csrf_set_hash(); + $this->csrf_verify(); } - $this->charset = strtoupper(config_item('charset')); - log_message('info', 'Security Class Initialized'); } @@ -639,7 +640,7 @@ class CI_Security { if (is_readable('/dev/urandom') && ($fp = fopen('/dev/urandom', 'rb')) !== FALSE) { // Try not to waste entropy ... - is_php('5.4') && stream_set_chunk_size($fp, $length); + stream_set_chunk_size($fp, $length); $output = fread($fp, $length); fclose($fp); if ($output !== FALSE) 
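Review bot: `CI_Security::__construct($charset)` stores the argument as-is where the removed line did `strtoupper(config_item('charset'))`, and `CI_Utf8::__construct($charset)` (Utf8.php hunk @@ -57) makes the same move and then compares `$charset === 'UTF-8'` strictly; both now rely on the caller in CodeIgniter.php having upper-cased `$charset`, an assignment that is outside this diff, so a config value of `utf-8` would silently disable UTF-8 support if it has not. Either normalise once more here with `$this->charset = strtoupper($charset);`, or document the precondition as `@param string $charset Upper-cased application charset` in the docblock, which currently lists only `@return void`. Also note that `$this->csrf_verify();` now runs inside the constructor (hunk @@ -191), i.e. at `load_class('Security')` time during bootstrap rather than from CI_Input; if any code path constructs CI_Security outside the bootstrap, it now triggers a CSRF check as a side effect, which the constructor docblock should state.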
@@ -669,7 +670,7 @@ class CI_Security { * correctly. html_entity_decode() does not convert entities without * semicolons, so we are left with our own little solution here. Bummer. * - * @link http://php.net/html-entity-decode + * @link https://secure.php.net/html-entity-decode * * @param string $str Input * @param string $charset Character set @@ -684,26 +685,8 @@ class CI_Security { static $_entities; - isset($charset) OR $charset = $this->charset; - $flag = is_php('5.4') - ? ENT_COMPAT | ENT_HTML5 - : ENT_COMPAT; - - if ( ! isset($_entities)) - { - $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, $flag, $charset)); - - // If we're not on PHP 5.4+, add the possibly dangerous HTML 5 - // entities to the array manually - if ($flag === ENT_COMPAT) - { - $_entities[':'] = ':'; - $_entities['('] = '('; - $_entities[')'] = ')'; - $_entities["\n"] = '
'; - $_entities["\t"] = '	'; - } - } + isset($charset) OR $charset = $this->charset; + isset($_entities) OR $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, ENT_COMPAT | ENT_HTML5, $charset)); do { @@ -728,14 +711,9 @@ class CI_Security { // Decode numeric & UTF16 two byte entities $str = html_entity_decode( preg_replace('/(&#(?:x0*[0-9a-f]{2,5}(?![0-9a-f;])|(?:0*\d{2,4}(?![0-9;]))))/iS', '$1;', $str), - $flag, + ENT_COMPAT | ENT_HTML5, $charset ); - - if ($flag === ENT_COMPAT) - { - $str = str_replace(array_values($_entities), array_keys($_entities), $str); - } } while ($str_compare !== $str); return $str; @@ -1087,5 +1065,4 @@ class CI_Security { return $this->_csrf_hash; } - } diff --git a/system/core/URI.php b/system/core/URI.php index a8b98ae93..3670ef29d 100644 --- a/system/core/URI.php +++ b/system/core/URI.php 
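Review bot: The rewritten `isset($_entities) OR $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, ENT_COMPAT | ENT_HTML5, $charset));` keeps the pre-existing behaviour that the `static $_entities` table is built with whichever `$charset` the first call passes and then reused for every later call, including calls with a different `$charset`. Since the commit already rewrites this exact line, keying the cache by charset would close that gap: `isset($_entities[$charset]) OR $_entities[$charset] = array_map(...)`, with the lookup loop below reading `$_entities[$charset]`. That loop, and the remainder of `entity_decode()`, lie outside this hunk, so the change touches lines not shown here.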
@@ -96,45 +96,40 @@ class CI_URI { * * @return void */ - public function __construct() + public function __construct(CI_Config $config) { - $this->config =& load_class('Config', 'core'); + $this->config = $config; + // If it's a CLI request, ignore the configuration + if (is_cli()) + { + $this->_set_uri_string($this->_parse_argv(), TRUE); + } // If query strings are enabled, we don't need to parse any segments. - // However, they don't make sense under CLI. - if (is_cli() OR $this->config->item('enable_query_strings') !== TRUE) + elseif ($this->config->item('enable_query_strings') !== TRUE) { $this->_permitted_uri_chars = $this->config->item('permitted_uri_chars'); + $protocol = $this->config->item('uri_protocol'); + empty($protocol) && $protocol = 'REQUEST_URI'; - // If it's a CLI request, ignore the configuration - if (is_cli()) + switch ($protocol) { - $uri = $this->_parse_argv(); + case 'AUTO': // For BC purposes only + case 'REQUEST_URI': + $uri = $this->_parse_request_uri(); + break; + case 'QUERY_STRING': + $uri = $this->_parse_query_string(); + break; + case 'PATH_INFO': + default: + $uri = isset($_SERVER[$protocol]) + ? $_SERVER[$protocol] + : $this->_parse_request_uri(); + break; } - else - { - $protocol = $this->config->item('uri_protocol'); - empty($protocol) && $protocol = 'REQUEST_URI'; - switch ($protocol) - { - case 'AUTO': // For BC purposes only - case 'REQUEST_URI': - $uri = $this->_parse_request_uri(); - break; - case 'QUERY_STRING': - $uri = $this->_parse_query_string(); - break; - case 'PATH_INFO': - default: - $uri = isset($_SERVER[$protocol]) - ? $_SERVER[$protocol] - : $this->_parse_request_uri(); - break; - } - } - - $this->_set_uri_string($uri); + $this->_set_uri_string($uri, FALSE); } log_message('info', 'URI Class Initialized'); 
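Review bot: The docblock above the new `public function __construct(CI_Config $config)` ends with `@return void` and has no parameter entry; add `@param CI_Config $config`. The restructured branch is otherwise equivalent to the old one for HTTP requests, but note that `$this->_permitted_uri_chars` is now assigned only in the `elseif` (non-CLI) branch, so `filter_uri()` must never be reached from the CLI path; the new `_set_uri_string($this->_parse_argv(), TRUE)` honours that on the next hunk, and a short comment such as `// CLI path: _permitted_uri_chars is not set, filter_uri() is not used` here would keep the two in step.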
@@ -145,43 +140,66 @@ class CI_URI {
 /**
 * Set URI String
 *
- * @param string $str
+ * @param string $str Input URI string
+ * @param bool $is_cli Whether the input comes from CLI
 * @return void
 */
- protected function _set_uri_string($str)
+ protected function _set_uri_string($str, $is_cli = FALSE)
 {
- // Filter out control characters and trim slashes
- $this->uri_string = trim(remove_invisible_characters($str, FALSE), '/');
-
- if ($this->uri_string !== '')
+ // CLI requests have a bit simpler logic
+ if ($is_cli)
 {
- // Remove the URL suffix, if present
- if (($suffix = (string) $this->config->item('url_suffix')) !== '')
+ if (($this->uri_string = trim($str, '/')) === '')
 {
- $slen = strlen($suffix);
-
- if (substr($this->uri_string, -$slen) === $suffix)
- {
- $this->uri_string = substr($this->uri_string, 0, -$slen);
- }
+ return;
 }
 $this->segments[0] = NULL;
- // Populate the segments array
- foreach (explode('/', trim($this->uri_string, '/')) as $val)
+ foreach (explode('/', $this->uri_string) as $segment)
 {
- $val = trim($val);
- // Filter segments for security
- $this->filter_uri($val);
-
- if ($val !== '')
+ if (($segment = trim($segment)) !== '')
 {
- $this->segments[] = $val;
+ $this->segments[] = $segment;
 }
 }
 unset($this->segments[0]);
+ return;
+ }
+
+ // Filter out control characters and trim slashes
+ $this->uri_string = trim(remove_invisible_characters($str, FALSE), '/');
+
+ if ($this->uri_string === '')
+ {
+ return;
 }
+
+ // Remove the URL suffix, if present
+ if (($suffix = (string) $this->config->item('url_suffix')) !== '')
+ {
+ $slen = strlen($suffix);
+
+ if (substr($this->uri_string, -$slen) === $suffix)
+ {
+ $this->uri_string = substr($this->uri_string, 0, -$slen);
+ }
+ }
+
+ $this->segments[0] = NULL;
+ foreach (explode('/', trim($this->uri_string, '/')) as $segment)
+ {
+ $segment = trim($segment);
+ // Filter segments for security
+ $this->filter_uri($segment);
+
+ if ($segment !== '')
+ {
+ $this->segments[] = $segment;
+ }
+ }
+
+
 unset($this->segments[0]);
 }
 // --------------------------------------------------------------------
diff --git a/system/core/Utf8.php b/system/core/Utf8.php
index 9ee63e929..39954c428 100644
--- a/system/core/Utf8.php
+++ b/system/core/Utf8.php
@@ -57,21 +57,21 @@ class CI_Utf8 {
 *
 * @return void
 */
- public function __construct()
+ public function __construct($charset)
 {
 if (
- defined('PREG_BAD_UTF8_ERROR') // PCRE must support UTF-8
- && (ICONV_ENABLED === TRUE OR MB_ENABLED === TRUE) // iconv or mbstring must be installed
- && strtoupper(config_item('charset')) === 'UTF-8' // Application charset must be UTF-8
- )
+ defined('PREG_BAD_UTF8_ERROR') // PCRE must support UTF-8
+ && (ICONV_ENABLED === TRUE OR MB_ENABLED === TRUE) // iconv or mbstring must be installed
+ && $charset === 'UTF-8' // Application charset must be UTF-8
+ )
 {
 define('UTF8_ENABLED', TRUE);
- log_message('debug', 'UTF-8 Support Enabled');
+ log_message('info', 'UTF-8 Support Enabled');
 }
 else
 {
 define('UTF8_ENABLED', FALSE);
- log_message('debug', 'UTF-8 Support Disabled');
+ log_message('info', 'UTF-8 Support Disabled');
 }
 log_message('info', 'Utf8 Class Initialized');
diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php
index 8f5510c3f..8d905ad68 100644
--- a/system/core/compat/hash.php
+++ b/system/core/compat/hash.php
@@ -45,7 +45,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @category Compatibility
 * @author Andrey Andreev
 * @link https://codeigniter.com/user_guide/
- * @link http://php.net/hash
+ * @link https://secure.php.net/hash
 */
 // ------------------------------------------------------------------------
@@ -62,7 +62,7 @@ if ( ! function_exists('hash_equals'))
 /**
 * hash_equals()
 *
- * @link http://php.net/hash_equals
+ * @link https://secure.php.net/hash_equals
 * @param string $known_string
 * @param string $user_string
 * @return bool
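Review bot: The CLI branch added at the top of `_set_uri_string()` skips both `remove_invisible_characters()` and `filter_uri()`, which is the whole reason the `$is_cli` flag exists, yet the only explanation is `// CLI requests have a bit simpler logic`; the comment should name what is skipped and, if that is the intent, why, e.g. `// CLI input is not run through remove_invisible_characters()/filter_uri(): it is not attacker-controlled request data`. The two segment loops are otherwise identical, so one loop with `$is_cli OR $this->filter_uri($segment);` would remove the duplication and leave a single place where non-CLI input is sanitised. The two added blank lines before the final `unset($this->segments[0]);` should be one.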
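Review bot: The new `$charset === 'UTF-8'` test in the Utf8 constructor is case-sensitive where the removed line applied `strtoupper()` first, so a config value such as `utf-8` now silently disables UTF-8 support unless the caller uppercases it before constructing `CI_Utf8`, which this hunk does not show; either keep the normalisation here (`&& strtoupper($charset) === 'UTF-8'`) or state the expectation in the docblock. That docblock, visible above the constructor, still lists only `@return void` and needs ` * @param string $charset` added.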
@@ -108,7 +108,7 @@ if ( ! function_exists('hash_pbkdf2'))
 /**
 * hash_pbkdf2()
 *
- * @link http://php.net/hash_pbkdf2
+ * @link https://secure.php.net/hash_pbkdf2
 * @param string $algo
 * @param string $password
 * @param string $salt
@@ -205,8 +205,6 @@ if ( ! function_exists('hash_pbkdf2'))
 'ripemd160' => 64,
 'ripemd256' => 64,
 'ripemd320' => 64,
- 'salsa10' => 64,
- 'salsa20' => 64,
 'sha1' => 64,
 'sha224' => 64,
 'sha256' => 64,
diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php
index 552e72719..41c86376c 100644
--- a/system/core/compat/mbstring.php
+++ b/system/core/compat/mbstring.php
@@ -45,7 +45,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @category Compatibility
 * @author Andrey Andreev
 * @link https://codeigniter.com/user_guide/
- * @link http://php.net/mbstring
+ * @link https://secure.php.net/mbstring
 */
 // ------------------------------------------------------------------------
@@ -65,7 +65,7 @@ if ( ! function_exists('mb_strlen'))
 * WARNING: This function WILL fall-back to strlen()
 * if iconv is not available!
 *
- * @link http://php.net/mb_strlen
+ * @link https://secure.php.net/mb_strlen
 * @param string $str
 * @param string $encoding
 * @return int
@@ -92,7 +92,7 @@ if ( ! function_exists('mb_strpos'))
 * WARNING: This function WILL fall-back to strpos()
 * if iconv is not available!
 *
- * @link http://php.net/mb_strpos
+ * @link https://secure.php.net/mb_strpos
 * @param string $haystack
 * @param string $needle
 * @param int $offset
@@ -121,7 +121,7 @@ if ( ! function_exists('mb_substr'))
 * WARNING: This function WILL fall-back to substr()
 * if iconv is not available.
 *
- * @link http://php.net/mb_substr
+ * @link https://secure.php.net/mb_substr
 * @param string $str
 * @param int $start
 * @param int $length
diff --git a/system/core/compat/password.php b/system/core/compat/password.php
index 5a3bc2076..f6517b46d 100644
--- a/system/core/compat/password.php
+++ b/system/core/compat/password.php
@@ -45,7 +45,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 * @category Compatibility
 * @author Andrey Andreev
 * @link https://codeigniter.com/user_guide/
- * @link http://php.net/password
+ * @link https://secure.php.net/password
 */
 // ------------------------------------------------------------------------
@@ -67,7 +67,7 @@ if ( ! function_exists('password_get_info'))
 /**
 * password_get_info()
 *
- * @link http://php.net/password_get_info
+ * @link https://secure.php.net/password_get_info
 * @param string $hash
 * @return array
 */
@@ -86,7 +86,7 @@ if ( ! function_exists('password_hash'))
 /**
 * password_hash()
 *
- * @link http://php.net/password_hash
+ * @link https://secure.php.net/password_hash
 * @param string $password
 * @param int $algo
 * @param array $options
@@ -141,7 +141,7 @@ if ( ! function_exists('password_hash'))
 }
 // Try not to waste entropy ...
- is_php('5.4') && stream_set_chunk_size($fp, 16);
+ stream_set_chunk_size($fp, 16);
 $options['salt'] = '';
 for ($read = 0; $read < 16; $read = ($func_overload) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))
@@ -194,7 +194,7 @@ if ( ! function_exists('password_needs_rehash'))
 /**
 * password_needs_rehash()
 *
- * @link http://php.net/password_needs_rehash
+ * @link https://secure.php.net/password_needs_rehash
 * @param string $hash
 * @param int $algo
 * @param array $options
@@ -228,7 +228,7 @@ if ( ! function_exists('password_verify'))
 /**
 * password_verify()
 *
- * @link http://php.net/password_verify
+ * @link https://secure.php.net/password_verify
 * @param string $password
 * @param string $hash
 * @return bool
diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php
index 2c528fd7c..31c39ca25 100644
--- a/system/core/compat/standard.php
+++ b/system/core/compat/standard.php
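Review bot: In the `-141` hunk the return value of `stream_set_chunk_size($fp, 16)` is ignored, which appears to be acceptable only because the `for` loop below keeps reading until `$read < 16` fails, so a FALSE return just costs a larger read; with the version guard gone, the `// Try not to waste entropy ...` comment is the place to say that, e.g. `// Read in 16-byte chunks so no more entropy than the salt needs is consumed; a FALSE return is harmless, the loop below still stops at 16 bytes`. password_hash()'s body starts and ends outside the hunk.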
@@ -61,7 +61,7 @@ if ( ! function_exists('array_column'))
 /**
 * array_column()
 *
- * @link http://php.net/array_column
+ * @link https://secure.php.net/array_column
 * @param array $array
 * @param mixed $column_key
 * @param mixed $index_key
@@ -132,51 +132,3 @@ if ( ! function_exists('array_column'))
 return $result;
 }
 }
-
- // ------------------------------------------------------------------------
-
- if (is_php('5.4'))
- {
- return;
- }
-
- // ------------------------------------------------------------------------
-
- if ( ! function_exists('hex2bin'))
- {
- /**
- * hex2bin()
- *
- * @link http://php.net/hex2bin
- * @param string $data
- * @return string
- */
- function hex2bin($data)
- {
- if (in_array($type = gettype($data), array('array', 'double', 'object', 'resource'), TRUE))
- {
- if ($type === 'object' && method_exists($data, '__toString'))
- {
- $data = (string) $data;
- }
- else
- {
- trigger_error('hex2bin() expects parameter 1 to be string, '.$type.' given', E_USER_WARNING);
- return NULL;
- }
- }
-
- if (strlen($data) % 2 !== 0)
- {
- trigger_error('Hexadecimal input string must have an even length', E_USER_WARNING);
- return FALSE;
- }
- elseif ( ! preg_match('/^[0-9a-f]*$/i', $data))
- {
- trigger_error('Input string must be hexadecimal string', E_USER_WARNING);
- return FALSE;
- }
-
- return pack('H*', $data);
- }
-} |