diff options
Diffstat (limited to 'system')
-rw-r--r-- | system/core/CodeIgniter.php | 2 | ||||
-rw-r--r-- | system/core/Common.php | 2 | ||||
-rw-r--r-- | system/core/Hooks.php | 2 | ||||
-rw-r--r-- | system/core/Loader.php | 7 | ||||
-rw-r--r-- | system/core/Router.php | 2 | ||||
-rw-r--r-- | system/core/URI.php | 15 | ||||
-rw-r--r-- | system/core/compat/hash.php | 51 | ||||
-rw-r--r-- | system/database/DB_query_builder.php | 4 | ||||
-rw-r--r-- | system/libraries/Encryption.php | 2 | ||||
-rw-r--r-- | system/libraries/Form_validation.php | 12 | ||||
-rw-r--r-- | system/libraries/Session/Session.php | 2 | ||||
-rw-r--r-- | system/libraries/Zip.php | 2 |
12 files changed, 75 insertions, 28 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index d830c1829..ddf322749 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - define('CI_VERSION', '3.0-dev'); + define('CI_VERSION', '3.0.1-dev'); /* * ------------------------------------------------------ diff --git a/system/core/Common.php b/system/core/Common.php index f28272b5b..a96828e96 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -181,7 +181,7 @@ if ( ! function_exists('load_class')) // Did we find the class? if ($name === FALSE) { - // Note: We use exit() rather then show_error() in order to avoid a + // Note: We use exit() rather than show_error() in order to avoid a // self-referencing loop with the Exceptions class set_status_header(503); echo 'Unable to locate the specified class: '.$class.'.php'; diff --git a/system/core/Hooks.php b/system/core/Hooks.php index 08479b133..3b4fb2250 100644 --- a/system/core/Hooks.php +++ b/system/core/Hooks.php @@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @subpackage Libraries * @category Libraries * @author EllisLab Dev Team - * @link http://codeigniter.com/user_guide/libraries/encryption.html + * @link http://codeigniter.com/user_guide/general/hooks.html */ class CI_Hooks { diff --git a/system/core/Loader.php b/system/core/Loader.php index 254ad0d6d..9205ad1b6 100644 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -1118,7 +1118,7 @@ class CI_Loader { } else { - log_message('debug', APPPATH.'libraries/'.$file_path.$subclass.'.php exists, but does not declare '.$subclass); + log_message('debug', $path.' exists, but does not declare '.$subclass); } } } @@ -1307,10 +1307,7 @@ class CI_Loader { } // Load all other libraries - foreach ($autoload['libraries'] as $item) - { - $this->library($item); - } + $this->library($autoload['libraries']); } // Autoload models diff --git a/system/core/Router.php b/system/core/Router.php index eb3da2285..f91d3f6ec 100644 --- a/system/core/Router.php +++ b/system/core/Router.php @@ -493,7 +493,7 @@ class CI_Router { * Set directory name * * @param string $dir Directory name - * @param bool $appent Whether we're appending rather then setting the full value + * @param bool $appent Whether we're appending rather than setting the full value * @return void */ public function set_directory($dir, $append = FALSE) diff --git a/system/core/URI.php b/system/core/URI.php index e96749456..2211e3665 100644 --- a/system/core/URI.php +++ b/system/core/URI.php @@ -205,13 +205,16 @@ class CI_URI { $query = isset($uri['query']) ? $uri['query'] : ''; $uri = isset($uri['path']) ? $uri['path'] : ''; - if (strpos($uri, $_SERVER['SCRIPT_NAME']) === 0) + if (isset($_SERVER['SCRIPT_NAME'][0])) { - $uri = (string) substr($uri, strlen($_SERVER['SCRIPT_NAME'])); - } - elseif (strpos($uri, dirname($_SERVER['SCRIPT_NAME'])) === 0) - { - $uri = (string) substr($uri, strlen(dirname($_SERVER['SCRIPT_NAME']))); + if (strpos($uri, $_SERVER['SCRIPT_NAME']) === 0) + { + $uri = (string) substr($uri, strlen($_SERVER['SCRIPT_NAME'])); + } + elseif (strpos($uri, dirname($_SERVER['SCRIPT_NAME'])) === 0) + { + $uri = (string) substr($uri, strlen(dirname($_SERVER['SCRIPT_NAME']))); + } } // This section ensures that even on servers that require the URI to be in the query string (Nginx) a correct diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 477535dca..15954559c 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -174,9 +174,56 @@ if ( ! function_exists('hash_pbkdf2')) } $hash_length = strlen(hash($algo, NULL, TRUE)); - if (empty($length)) + empty($length) && $length = $hash_length; + + // Pre-hash password inputs longer than the algorithm's block size + // (i.e. prepare HMAC key) to mitigate potential DoS attacks. + static $block_sizes; + empty($block_sizes) && $block_sizes = array( + 'gost' => 32, + 'haval128,3' => 128, + 'haval160,3' => 128, + 'haval192,3' => 128, + 'haval224,3' => 128, + 'haval256,3' => 128, + 'haval128,4' => 128, + 'haval160,4' => 128, + 'haval192,4' => 128, + 'haval224,4' => 128, + 'haval256,4' => 128, + 'haval128,5' => 128, + 'haval160,5' => 128, + 'haval192,5' => 128, + 'haval224,5' => 128, + 'haval256,5' => 128, + 'md2' => 16, + 'md4' => 64, + 'md5' => 64, + 'ripemd128' => 64, + 'ripemd160' => 64, + 'ripemd256' => 64, + 'ripemd320' => 64, + 'salsa10' => 64, + 'salsa20' => 64, + 'sha1' => 64, + 'sha224' => 64, + 'sha256' => 64, + 'sha384' => 128, + 'sha512' => 128, + 'snefru' => 32, + 'snefru256' => 32, + 'tiger128,3' => 64, + 'tiger160,3' => 64, + 'tiger192,3' => 64, + 'tiger128,4' => 64, + 'tiger160,4' => 64, + 'tiger192,4' => 64, + 'whirlpool' => 64 + ); + + if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo]) { - $length = $hash_length; + $password = hash($algo, $password, TRUE); } $hash = ''; diff --git a/system/database/DB_query_builder.php b/system/database/DB_query_builder.php index e5ffef2bb..8251f4558 100644 --- a/system/database/DB_query_builder.php +++ b/system/database/DB_query_builder.php @@ -918,6 +918,8 @@ abstract class CI_DB_query_builder extends CI_DB_driver { } is_bool($escape) OR $escape = $this->_protect_identifiers; + // lowercase $side in case somebody writes e.g. 'BEFORE' instead of 'before' (doh) + $side = strtolower($side); foreach ($field as $k => $v) { @@ -2253,7 +2255,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { else { // Cycle through the "select" portion of the query and prep each column name. - // The reason we protect identifiers here rather then in the select() function + // The reason we protect identifiers here rather than in the select() function // is because until the user calls the from() function we don't know if there are aliases foreach ($this->qb_select as $key => $val) { diff --git a/system/libraries/Encryption.php b/system/libraries/Encryption.php index e3e68139a..f3e039881 100644 --- a/system/libraries/Encryption.php +++ b/system/libraries/Encryption.php @@ -121,7 +121,7 @@ class CI_Encryption { ); /** - * List of supported HMAC algorightms + * List of supported HMAC algorithms * * name => digest size pairs * diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php index 05de59628..522eba704 100644 --- a/system/libraries/Form_validation.php +++ b/system/libraries/Form_validation.php @@ -198,22 +198,20 @@ class CI_Form_validation { return $this; } - // No fields? Nothing to do... - if ( ! is_string($field) OR $field === '') + // No fields or no rules? Nothing to do... + if ( ! is_string($field) OR $field === '' OR empty($rules)) { return $this; } elseif ( ! is_array($rules)) { // BC: Convert pipe-separated rules string to an array - if (is_string($rules)) - { - $rules = explode('|', $rules); - } - else + if ( ! is_string($rules)) { return $this; } + + $rules = explode('|', $rules); } // If the field label wasn't passed we use the field name diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php index bb457c659..0549fef66 100644 --- a/system/libraries/Session/Session.php +++ b/system/libraries/Session/Session.php @@ -869,7 +869,7 @@ class CI_Session { public function set_tempdata($data, $value = NULL, $ttl = 300) { $this->set_userdata($data, $value); - $this->mark_as_temp($data, $ttl); + $this->mark_as_temp(is_array($data) ? array_keys($data) : $data, $ttl); } // ------------------------------------------------------------------------ diff --git a/system/libraries/Zip.php b/system/libraries/Zip.php index f2f17148b..3e98ac568 100644 --- a/system/libraries/Zip.php +++ b/system/libraries/Zip.php @@ -352,7 +352,7 @@ class CI_Zip { // Set the original directory root for child dir's to use as relative if ($root_path === NULL) { - $root_path = dirname($path).DIRECTORY_SEPARATOR; + $root_path = str_replace(array('\\', '/'), DIRECTORY_SEPARATOR, dirname($path)).DIRECTORY_SEPARATOR; } while (FALSE !== ($file = readdir($fp))) |