diff options
Diffstat (limited to 'system/core')
| -rw-r--r-- | system/core/CodeIgniter.php | 4 | ||||
| -rw-r--r-- | system/core/Common.php | 34 | ||||
| -rw-r--r-- | system/core/Exceptions.php | 2 | ||||
| -rw-r--r-- | system/core/Input.php | 16 | ||||
| -rw-r--r-- | system/core/Loader.php | 76 | ||||
| -rw-r--r-- | system/core/Log.php | 10 | ||||
| -rw-r--r-- | system/core/Output.php | 105 | ||||
| -rw-r--r-- | system/core/Security.php | 6 | ||||
| -rw-r--r-- | system/core/compat/hash.php | 17 | ||||
| -rw-r--r-- | system/core/compat/mbstring.php | 2 | ||||
| -rw-r--r-- | system/core/compat/password.php | 8 |
11 files changed, 135 insertions, 145 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 0edcf972d..0d03293f6 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - const CI_VERSION = '3.1.3'; + const CI_VERSION = '3.1.6'; /* * ------------------------------------------------------ @@ -434,7 +434,7 @@ if ( ! is_php('5.4')) * ReflectionMethod::isConstructor() is the ONLY reliable check, * knowing which method will be executed as a constructor. */ - elseif ( ! is_callable(array($class, $method)) && strcasecmp($class, $method) === 0) + elseif ( ! is_callable(array($class, $method))) { $reflection = new ReflectionMethod($class, $method); if ( ! $reflection->isPublic() OR $reflection->isConstructor()) diff --git a/system/core/Common.php b/system/core/Common.php index 7b3eb6a4e..d6a1fdb4e 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -135,7 +135,7 @@ if ( ! function_exists('load_class')) * * @param string the class name being requested * @param string the directory where the class should be found - * @param string an optional argument to pass to the class constructor + * @param mixed an optional argument to pass to the class constructor * @return object */ function &load_class($class, $directory = 'libraries', $param = NULL) @@ -319,17 +319,13 @@ if ( ! function_exists('get_mimes')) if (empty($_mimes)) { + $_mimes = file_exists(APPPATH.'config/mimes.php') + ? include(APPPATH.'config/mimes.php') + : array(); + if (file_exists(APPPATH.'config/'.ENVIRONMENT.'/mimes.php')) { - $_mimes = include(APPPATH.'config/'.ENVIRONMENT.'/mimes.php'); - } - elseif (file_exists(APPPATH.'config/mimes.php')) - { - $_mimes = include(APPPATH.'config/mimes.php'); - } - else - { - $_mimes = array(); + $_mimes = array_merge($_mimes, include(APPPATH.'config/'.ENVIRONMENT.'/mimes.php')); } } @@ -410,11 +406,6 @@ if ( ! function_exists('show_error')) if ($status_code < 100) { $exit_status = $status_code + 9; // 9 is EXIT__AUTO_MIN - if ($exit_status > 125) // 125 is EXIT__AUTO_MAX - { - $exit_status = 1; // EXIT_ERROR - } - $status_code = 500; } else @@ -571,12 +562,12 @@ if ( ! function_exists('set_status_header')) if (strpos(PHP_SAPI, 'cgi') === 0) { header('Status: '.$code.' '.$text, TRUE); + return; } - else - { - $server_protocol = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.1'; - header($server_protocol.' '.$code.' '.$text, TRUE, $code); - } + + $server_protocol = (isset($_SERVER['SERVER_PROTOCOL']) && in_array($_SERVER['SERVER_PROTOCOL'], array('HTTP/1.0', 'HTTP/1.1', 'HTTP/2'), TRUE)) + ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.1'; + header($server_protocol.' '.$code.' '.$text, TRUE, $code); } } @@ -724,6 +715,7 @@ if ( ! function_exists('remove_invisible_characters')) { $non_displayables[] = '/%0[0-8bcef]/i'; // url encoded 00-08, 11, 12, 14, 15 $non_displayables[] = '/%1[0-9a-f]/i'; // url encoded 16-31 + $non_displayables[] = '/%7f/i'; // url encoded 127 } $non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S'; // 00-08, 11, 12, 14-31, 127 @@ -827,7 +819,7 @@ if ( ! function_exists('function_usable')) * terminate script execution if a disabled function is executed. * * The above described behavior turned out to be a bug in Suhosin, - * but even though a fix was commited for 0.9.34 on 2012-02-12, + * but even though a fix was committed for 0.9.34 on 2012-02-12, * that version is yet to be released. This function will therefore * be just temporary, but would probably be kept for a few years. * diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php index 47d153f49..526909602 100644 --- a/system/core/Exceptions.php +++ b/system/core/Exceptions.php @@ -231,7 +231,7 @@ class CI_Exceptions { * @param string $message Error message * @param string $filepath File path * @param int $line Line number - * @return string Error page output + * @return void */ public function show_php_error($severity, $message, $filepath, $line) { diff --git a/system/core/Input.php b/system/core/Input.php index d7cd29261..af4f87c1f 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -359,7 +359,7 @@ class CI_Input { * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) * @return void */ - public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE) + public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) { if (is_array($name)) { @@ -388,15 +388,13 @@ class CI_Input { $path = config_item('cookie_path'); } - if ($secure === FALSE && config_item('cookie_secure') === TRUE) - { - $secure = config_item('cookie_secure'); - } + $secure = ($secure === NULL && config_item('cookie_secure') !== NULL) + ? (bool) config_item('cookie_secure') + : (bool) $secure; - if ($httponly === FALSE && config_item('cookie_httponly') !== FALSE) - { - $httponly = config_item('cookie_httponly'); - } + $httponly = ($httponly === NULL && config_item('cookie_httponly') !== NULL) + ? (bool) config_item('cookie_httponly') + : (bool) $httponly; if ( ! is_numeric($expire)) { diff --git a/system/core/Loader.php b/system/core/Loader.php index acfc739dd..085c5b51d 100644 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -182,7 +182,7 @@ class CI_Loader { * Loads and instantiates libraries. * Designed to be called from application controllers. * - * @param string $library Library name + * @param mixed $library Library name * @param array $params Optional parameters to pass to the library class constructor * @param string $object_name An optional object name to assign to * @return object @@ -590,7 +590,7 @@ class CI_Loader { { $filename = basename($helper); $filepath = ($filename === $helper) ? '' : substr($helper, 0, strlen($helper) - strlen($filename)); - $filename = strtolower(preg_replace('#(_helper)?(.php)?$#i', '', $filename)).'_helper'; + $filename = strtolower(preg_replace('#(_helper)?(\.php)?$#i', '', $filename)).'_helper'; $helper = $filepath.$filename; if (isset($this->_ci_helpers[$helper])) @@ -1037,6 +1037,26 @@ class CI_Loader { return $this->_ci_load_stock_library($class, $subdir, $params, $object_name); } + // Safety: Was the class already loaded by a previous call? + if (class_exists($class, FALSE)) + { + $property = $object_name; + if (empty($property)) + { + $property = strtolower($class); + isset($this->_ci_varmap[$property]) && $property = $this->_ci_varmap[$property]; + } + + $CI =& get_instance(); + if (isset($CI->$property)) + { + log_message('debug', $class.' class already loaded. Second attempt ignored.'); + return; + } + + return $this->_ci_init_library($class, '', $params, $object_name); + } + // Let's search for the requested library file and load it. foreach ($this->_ci_library_paths as $path) { @@ -1047,27 +1067,8 @@ class CI_Loader { } $filepath = $path.'libraries/'.$subdir.$class.'.php'; - - // Safety: Was the class already loaded by a previous call? - if (class_exists($class, FALSE)) - { - // Before we deem this to be a duplicate request, let's see - // if a custom object name is being supplied. If so, we'll - // return a new instance of the object - if ($object_name !== NULL) - { - $CI =& get_instance(); - if ( ! isset($CI->$object_name)) - { - return $this->_ci_init_library($class, '', $params, $object_name); - } - } - - log_message('debug', $class.' class already loaded. Second attempt ignored.'); - return; - } // Does the file exist? No? Bummer... - elseif ( ! file_exists($filepath)) + if ( ! file_exists($filepath)) { continue; } @@ -1112,16 +1113,17 @@ class CI_Loader { $prefix = config_item('subclass_prefix'); } - // Before we deem this to be a duplicate request, let's see - // if a custom object name is being supplied. If so, we'll - // return a new instance of the object - if ($object_name !== NULL) + $property = $object_name; + if (empty($property)) { - $CI =& get_instance(); - if ( ! isset($CI->$object_name)) - { - return $this->_ci_init_library($library_name, $prefix, $params, $object_name); - } + $property = strtolower($library_name); + isset($this->_ci_varmap[$property]) && $property = $this->_ci_varmap[$property]; + } + + $CI =& get_instance(); + if ( ! isset($CI->$property)) + { + return $this->_ci_init_library($library_name, $prefix, $params, $object_name); } log_message('debug', $library_name.' class already loaded. Second attempt ignored.'); @@ -1143,10 +1145,8 @@ class CI_Loader { { return $this->_ci_init_library($library_name, $prefix, $params, $object_name); } - else - { - log_message('debug', $path.' exists, but does not declare '.$prefix.$library_name); - } + + log_message('debug', $path.' exists, but does not declare '.$prefix.$library_name); } } @@ -1164,10 +1164,8 @@ class CI_Loader { $prefix = config_item('subclass_prefix'); break; } - else - { - log_message('debug', $path.' exists, but does not declare '.$subclass); - } + + log_message('debug', $path.' exists, but does not declare '.$subclass); } } diff --git a/system/core/Log.php b/system/core/Log.php index 3e11b35f5..d443aedb8 100644 --- a/system/core/Log.php +++ b/system/core/Log.php @@ -105,11 +105,11 @@ class CI_Log { protected $_levels = array('ERROR' => 1, 'DEBUG' => 2, 'INFO' => 3, 'ALL' => 4); /** - * mbstring.func_override flag + * mbstring.func_overload flag * * @var bool */ - protected static $func_override; + protected static $func_overload; // -------------------------------------------------------------------- @@ -122,7 +122,7 @@ class CI_Log { { $config =& get_config(); - isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); + isset(self::$func_overload) OR self::$func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload')); $this->_log_path = ($config['log_path'] !== '') ? $config['log_path'] : APPPATH.'logs/'; $this->_file_ext = (isset($config['log_file_extension']) && $config['log_file_extension'] !== '') @@ -264,7 +264,7 @@ class CI_Log { */ protected static function strlen($str) { - return (self::$func_override) + return (self::$func_overload) ? mb_strlen($str, '8bit') : strlen($str); } @@ -281,7 +281,7 @@ class CI_Log { */ protected static function substr($str, $start, $length = NULL) { - if (self::$func_override) + if (self::$func_overload) { // mb_substr($str, $start, null, '8bit') returns an empty // string on PHP 5.3 diff --git a/system/core/Output.php b/system/core/Output.php index 349955cd2..a3155fece 100644 --- a/system/core/Output.php +++ b/system/core/Output.php @@ -123,11 +123,11 @@ class CI_Output { public $parse_exec_vars = TRUE; /** - * mbstring.func_override flag + * mbstring.func_overload flag * * @var bool */ - protected static $func_override; + protected static $func_overload; /** * Class constructor @@ -145,7 +145,7 @@ class CI_Output { && extension_loaded('zlib') ); - isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); + isset(self::$func_overload) OR self::$func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload')); // Get mime types for later $this->mimes =& get_mimes(); @@ -586,62 +586,59 @@ class CI_Output { return; } - if (flock($fp, LOCK_EX)) + if ( ! flock($fp, LOCK_EX)) { - // If output compression is enabled, compress the cache - // itself, so that we don't have to do that each time - // we're serving it - if ($this->_compress_output === TRUE) - { - $output = gzencode($output); + log_message('error', 'Unable to secure a file lock for file at: '.$cache_path); + fclose($fp); + return; + } - if ($this->get_header('content-type') === NULL) - { - $this->set_content_type($this->mime_type); - } + // If output compression is enabled, compress the cache + // itself, so that we don't have to do that each time + // we're serving it + if ($this->_compress_output === TRUE) + { + $output = gzencode($output); + + if ($this->get_header('content-type') === NULL) + { + $this->set_content_type($this->mime_type); } + } - $expire = time() + ($this->cache_expiration * 60); + $expire = time() + ($this->cache_expiration * 60); - // Put together our serialized info. - $cache_info = serialize(array( - 'expire' => $expire, - 'headers' => $this->headers - )); + // Put together our serialized info. + $cache_info = serialize(array( + 'expire' => $expire, + 'headers' => $this->headers + )); - $output = $cache_info.'ENDCI--->'.$output; + $output = $cache_info.'ENDCI--->'.$output; - for ($written = 0, $length = self::strlen($output); $written < $length; $written += $result) + for ($written = 0, $length = self::strlen($output); $written < $length; $written += $result) + { + if (($result = fwrite($fp, self::substr($output, $written))) === FALSE) { - if (($result = fwrite($fp, self::substr($output, $written))) === FALSE) - { - break; - } + break; } - - flock($fp, LOCK_UN); - } - else - { - log_message('error', 'Unable to secure a file lock for file at: '.$cache_path); - return; } + flock($fp, LOCK_UN); fclose($fp); - if (is_int($result)) - { - chmod($cache_path, 0640); - log_message('debug', 'Cache file written: '.$cache_path); - - // Send HTTP cache-control headers to browser to match file cache settings. - $this->set_cache_header($_SERVER['REQUEST_TIME'], $expire); - } - else + if ( ! is_int($result)) { @unlink($cache_path); log_message('error', 'Unable to write the complete cache content at: '.$cache_path); + return; } + + chmod($cache_path, 0640); + log_message('debug', 'Cache file written: '.$cache_path); + + // Send HTTP cache-control headers to browser to match file cache settings. + $this->set_cache_header($_SERVER['REQUEST_TIME'], $expire); } // -------------------------------------------------------------------- @@ -708,11 +705,9 @@ class CI_Output { log_message('debug', 'Cache file has expired. File deleted.'); return FALSE; } - else - { - // Or else send the HTTP cache control headers. - $this->set_cache_header($last_modified, $expire); - } + + // Send the HTTP cache control headers + $this->set_cache_header($last_modified, $expire); // Add headers from cache file. foreach ($cache_info['headers'] as $header) @@ -798,13 +793,11 @@ class CI_Output { $this->set_status_header(304); exit; } - else - { - header('Pragma: public'); - header('Cache-Control: max-age='.$max_age.', public'); - header('Expires: '.gmdate('D, d M Y H:i:s', $expiration).' GMT'); - header('Last-modified: '.gmdate('D, d M Y H:i:s', $last_modified).' GMT'); - } + + header('Pragma: public'); + header('Cache-Control: max-age='.$max_age.', public'); + header('Expires: '.gmdate('D, d M Y H:i:s', $expiration).' GMT'); + header('Last-modified: '.gmdate('D, d M Y H:i:s', $last_modified).' GMT'); } // -------------------------------------------------------------------- @@ -817,7 +810,7 @@ class CI_Output { */ protected static function strlen($str) { - return (self::$func_override) + return (self::$func_overload) ? mb_strlen($str, '8bit') : strlen($str); } @@ -834,7 +827,7 @@ class CI_Output { */ protected static function substr($str, $start, $length = NULL) { - if (self::$func_override) + if (self::$func_overload) { // mb_substr($str, $start, null, '8bit') returns an empty // string on PHP 5.3 diff --git a/system/core/Security.php b/system/core/Security.php index 585ed90ec..082ffa96b 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -354,9 +354,9 @@ class CI_Security { // Is the string an array? if (is_array($str)) { - while (list($key) = each($str)) + foreach ($str as $key => &$value) { - $str[$key] = $this->xss_clean($str[$key]); + $str[$key] = $this->xss_clean($value); } return $str; @@ -869,7 +869,7 @@ class CI_Security { // Each iteration filters a single attribute do { - // Strip any non-alpha characters that may preceed an attribute. + // Strip any non-alpha characters that may precede an attribute. // Browsers often parse these incorrectly and that has been a // of numerous XSS issues we've had. $matches['attributes'] = preg_replace('#^[^a-z]+#i', '', $matches['attributes']); diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index ba0198e10..c65203aaf 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -173,7 +173,9 @@ if ( ! function_exists('hash_pbkdf2')) return FALSE; } - $hash_length = strlen(hash($algo, NULL, TRUE)); + $hash_length = defined('MB_OVERLOAD_STRING') + ? mb_strlen(hash($algo, NULL, TRUE), '8bit') + : strlen(hash($algo, NULL, TRUE)); empty($length) && $length = $hash_length; // Pre-hash password inputs longer than the algorithm's block size @@ -221,14 +223,14 @@ if ( ! function_exists('hash_pbkdf2')) 'whirlpool' => 64 ); - if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo]) + if (isset($block_sizes[$algo], $password[$block_sizes[$algo]])) { $password = hash($algo, $password, TRUE); } $hash = ''; // Note: Blocks are NOT 0-indexed - for ($bc = ceil($length / $hash_length), $bi = 1; $bi <= $bc; $bi++) + for ($bc = (int) ceil($length / $hash_length), $bi = 1; $bi <= $bc; $bi++) { $key = $derived_key = hash_hmac($algo, $salt.pack('N', $bi), $password, TRUE); for ($i = 1; $i < $iterations; $i++) @@ -240,6 +242,13 @@ if ( ! function_exists('hash_pbkdf2')) } // This is not RFC-compatible, but we're aiming for natural PHP compatibility - return substr($raw_output ? $hash : bin2hex($hash), 0, $length); + if ( ! $raw_output) + { + $hash = bin2hex($hash); + } + + return defined('MB_OVERLOAD_STRING') + ? mb_substr($hash, 0, $length, '8bit') + : substr($hash, 0, $length); } } diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php index f466e1c34..1b2f2c63b 100644 --- a/system/core/compat/mbstring.php +++ b/system/core/compat/mbstring.php @@ -68,7 +68,7 @@ if ( ! function_exists('mb_strlen')) * @link http://php.net/mb_strlen * @param string $str * @param string $encoding - * @return string + * @return int */ function mb_strlen($str, $encoding = NULL) { diff --git a/system/core/compat/password.php b/system/core/compat/password.php index b209cbe70..8176f0088 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -94,8 +94,8 @@ if ( ! function_exists('password_hash')) */ function password_hash($password, $algo, array $options = array()) { - static $func_override; - isset($func_override) OR $func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); + static $func_overload; + isset($func_overload) OR $func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload')); if ($algo !== 1) { @@ -109,7 +109,7 @@ if ( ! function_exists('password_hash')) return NULL; } - if (isset($options['salt']) && ($saltlen = ($func_override ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))) < 22) + if (isset($options['salt']) && ($saltlen = ($func_overload ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))) < 22) { trigger_error('password_hash(): Provided salt is too short: '.$saltlen.' expecting 22', E_USER_WARNING); return NULL; @@ -144,7 +144,7 @@ if ( ! function_exists('password_hash')) is_php('5.4') && stream_set_chunk_size($fp, 16); $options['salt'] = ''; - for ($read = 0; $read < 16; $read = ($func_override) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt'])) + for ($read = 0; $read < 16; $read = ($func_overload) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt'])) { if (($read = fread($fp, 16 - $read)) === FALSE) { |