1 files changed, 46 insertions, 41 deletions

diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php
index 7be0b949d..106907289 100644
--- a/system/libraries/Form_validation.php
+++ b/system/libraries/Form_validation.php
@@ -6,7 +6,7 @@
  *
  * This content is released under the MIT License (MIT)
  *
- * Copyright (c) 2014 - 2017, British Columbia Institute of Technology
+ * Copyright (c) 2014 - 2018, British Columbia Institute of Technology
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -29,8 +29,8 @@
  * @package	CodeIgniter
  * @author	EllisLab Dev Team
  * @copyright	Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
- * @copyright	Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/)
- * @license	http://opensource.org/licenses/MIT	MIT License
+ * @copyright	Copyright (c) 2014 - 2018, British Columbia Institute of Technology (https://bcit.ca/)
+ * @license	https://opensource.org/licenses/MIT	MIT License
  * @link	https://codeigniter.com
  * @since	Version 1.0.0
  * @filesource
@@ -105,13 +105,6 @@ class CI_Form_validation {
 	protected $error_string		= '';
 
 	/**
-	 * Whether the form data has been validated as safe
-	 *
-	 * @var bool
-	 */
-	protected $_safe_form_data	= FALSE;
-
-	/**
 	 * Custom data to validate
 	 *
 	 * @var array
@@ -414,10 +407,11 @@ class CI_Form_validation {
 	 *
 	 * This function does all the work.
 	 *
-	 * @param	string	$group
+	 * @param	string	$config
+	 * @param	array	$data
 	 * @return	bool
 	 */
-	public function run($group = '')
+	public function run($config = NULL, &$data = NULL)
 	{
 		$validation_array = empty($this->validation_data)
 			? $_POST
@@ -428,19 +422,19 @@ class CI_Form_validation {
 		if (count($this->_field_data) === 0)
 		{
 			// No validation rules?  We're done...
-			if (count($this->_config_rules) === 0)
+			if (empty($this->_config_rules))
 			{
 				return FALSE;
 			}
 
-			if (empty($group))
+			if (empty($config))
 			{
 				// Is there a validation rule for the particular URI being accessed?
-				$group = trim($this->CI->uri->ruri_string(), '/');
-				isset($this->_config_rules[$group]) OR $group = $this->CI->router->class.'/'.$this->CI->router->method;
+				$config = trim($this->CI->uri->ruri_string(), '/');
+				isset($this->_config_rules[$config]) OR $config = $this->CI->router->class.'/'.$this->CI->router->method;
 			}
 
-			$this->set_rules(isset($this->_config_rules[$group]) ? $this->_config_rules[$group] : $this->_config_rules);
+			$this->set_rules(isset($this->_config_rules[$config]) ? $this->_config_rules[$config] : $this->_config_rules);
 
 			// Were we able to set the rules correctly?
 			if (count($this->_field_data) === 0)
@@ -482,17 +476,22 @@ class CI_Form_validation {
 			$this->_execute($row, $row['rules'], $row['postdata']);
 		}
 
-		// Did we end up with any errors?
-		$total_errors = count($this->_error_array);
-		if ($total_errors > 0)
+		if ( ! empty($this->_error_array))
 		{
-			$this->_safe_form_data = TRUE;
+			return FALSE;
 		}
 
-		// Now we need to re-set the POST data with the new, processed data
-		empty($this->validation_data) && $this->_reset_post_array();
+		// Fill $data if requested, otherwise modify $_POST, as long as
+		// set_data() wasn't used (yea, I know it sounds confusing)
+		if (func_num_args() >= 2)
+		{
+			$data = empty($this->validation_data) ? $_POST : $this->validation_data;
+			$this->_reset_data_array($data);
+			return TRUE;
+		}
 
-		return ($total_errors === 0);
+		empty($this->validation_data) && $this->_reset_data_array($_POST);
+		return TRUE;
 	}
 
 	// --------------------------------------------------------------------
@@ -580,7 +579,7 @@ class CI_Form_validation {
 	 *
 	 * @return	void
 	 */
-	protected function _reset_post_array()
+	protected function _reset_data_array(&$data)
 	{
 		foreach ($this->_field_data as $field => $row)
 		{
@@ -588,27 +587,26 @@ class CI_Form_validation {
 			{
 				if ($row['is_array'] === FALSE)
 				{
-					isset($_POST[$field]) && $_POST[$field] = $row['postdata'];
+					isset($data[$field]) && $data[$field] = $row['postdata'];
 				}
 				else
 				{
-					// start with a reference
-					$post_ref =& $_POST;
+					$data_ref =& $data;
 
 					// before we assign values, make a reference to the right POST key
 					if (count($row['keys']) === 1)
 					{
-						$post_ref =& $post_ref[current($row['keys'])];
+						$data_ref =& $data[current($row['keys'])];
 					}
 					else
 					{
 						foreach ($row['keys'] as $val)
 						{
-							$post_ref =& $post_ref[$val];
+							$data_ref =& $data_ref[$val];
 						}
 					}
 
-					$post_ref = $row['postdata'];
+					$data_ref = $row['postdata'];
 				}
 			}
 		}
@@ -627,11 +625,13 @@ class CI_Form_validation {
 	 */
 	protected function _execute($row, $rules, $postdata = NULL, $cycles = 0)
 	{
+		$allow_arrays = in_array('is_array', $rules, TRUE);
+
 		// If the $_POST data is an array we will run a recursive call
 		//
 		// Note: We MUST check if the array is empty or not!
 		//       Otherwise empty arrays will always pass validation.
-		if (is_array($postdata) && ! empty($postdata))
+		if ($allow_arrays === FALSE && is_array($postdata) && ! empty($postdata))
 		{
 			foreach ($postdata as $key => $val)
 			{
@@ -660,14 +660,16 @@ class CI_Form_validation {
 				$postdata = $this->_field_data[$row['field']]['postdata'][$cycles];
 				$_in_array = TRUE;
 			}
+			// If we get an array field, but it's not expected - then it is most likely
+			// somebody messing with the form on the client side, so we'll just consider
+			// it an empty field
+			elseif ($allow_arrays === FALSE && is_array($this->_field_data[$row['field']]['postdata']))
+			{
+				$postdata = NULL;
+			}
 			else
 			{
-				// If we get an array field, but it's not expected - then it is most likely
-				// somebody messing with the form on the client side, so we'll just consider
-				// it an empty field
-				$postdata = is_array($this->_field_data[$row['field']]['postdata'])
-					? NULL
-					: $this->_field_data[$row['field']]['postdata'];
+				$postdata = $this->_field_data[$row['field']]['postdata'];
 			}
 
 			// Is the rule a callback?
@@ -702,7 +704,7 @@ class CI_Form_validation {
 
 			// Ignore empty, non-required inputs with a few exceptions ...
 			if (
-				($postdata === NULL OR $postdata === '')
+				($postdata === NULL OR ($allow_arrays === FALSE && $postdata === ''))
 				&& $callback === FALSE
 				&& $callable === FALSE
 				&& ! in_array($rule, array('required', 'isset', 'matches'), TRUE)
@@ -1233,9 +1235,12 @@ class CI_Form_validation {
 	 */
 	public function valid_email($str)
 	{
-		if (function_exists('idn_to_ascii') && sscanf($str, '%[^@]@%s', $name, $domain) === 2)
+		if (function_exists('idn_to_ascii') && preg_match('#\A([^@]+)@(.+)\z#', $str, $matches))
 		{
-			$str = $name.'@'.idn_to_ascii($domain);
+			$domain = defined('INTL_IDNA_VARIANT_UTS46')
+				? idn_to_ascii($matches[2], 0, INTL_IDNA_VARIANT_UTS46)
+				: idn_to_ascii($matches[2]);
+			$str = $matches[1].'@'.$domain;
 		}
 
 		return (bool) filter_var($str, FILTER_VALIDATE_EMAIL);