diff options
Diffstat (limited to 'system')
| -rwxr-xr-x | system/core/CodeIgniter.php | 2 | ||||
| -rw-r--r-- | system/core/Common.php | 30 | ||||
| -rwxr-xr-x | system/core/Input.php | 8 | ||||
| -rwxr-xr-x | system/core/Lang.php | 4 | ||||
| -rwxr-xr-x | system/core/Loader.php | 2 | ||||
| -rwxr-xr-x | system/core/Security.php | 38 | ||||
| -rwxr-xr-x | system/core/URI.php | 4 | ||||
| -rw-r--r-- | system/database/DB_active_rec.php | 2 | ||||
| -rw-r--r-- | system/database/DB_driver.php | 19 | ||||
| -rw-r--r-- | system/database/drivers/mysql/mysql_result.php | 4 | ||||
| -rw-r--r-- | system/database/drivers/mysqli/mysqli_result.php | 4 | ||||
| -rw-r--r-- | system/database/drivers/oci8/oci8_driver.php | 1 | ||||
| -rw-r--r-- | system/database/drivers/odbc/odbc_driver.php | 2 | ||||
| -rw-r--r-- | system/helpers/date_helper.php | 172 | ||||
| -rw-r--r-- | system/helpers/form_helper.php | 7 | ||||
| -rw-r--r-- | system/helpers/typography_helper.php | 10 | ||||
| -rwxr-xr-x[-rw-r--r--] | system/helpers/url_helper.php | 4 | ||||
| -rw-r--r-- | system/language/english/migration_lang.php | 2 | ||||
| -rw-r--r-- | system/libraries/Image_lib.php | 2 | ||||
| -rw-r--r-- | system/libraries/Migration.php | 2 |
20 files changed, 190 insertions, 129 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 0a1391d18..aca4fb23c 100755 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -39,7 +39,7 @@ * @var string * */ - define('CI_VERSION', '2.0.2'); + define('CI_VERSION', '2.1.0-dev'); /** * CodeIgniter Branch (Core = TRUE, Reactor = FALSE) diff --git a/system/core/Common.php b/system/core/Common.php index db9fbeb9f..d79375475 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -132,9 +132,9 @@ if ( ! function_exists('load_class')) $name = FALSE; - // Look for the class first in the native system/libraries folder - // thenin the local application/libraries folder - foreach (array(BASEPATH, APPPATH) as $path) + // Look for the class first in the local application/libraries folder + // then in the native system/libraries folder + foreach (array(APPPATH, BASEPATH) as $path) { if (file_exists($path.$directory.'/'.$class.'.php')) { @@ -536,5 +536,29 @@ if ( ! function_exists('remove_invisible_characters')) } } +// ------------------------------------------------------------------------ + +/** +* Returns HTML escaped variable +* +* @access public +* @param mixed +* @return mixed +*/ +if ( ! function_exists('html_escape')) +{ + function html_escape($var) + { + if (is_array($var)) + { + return array_map('html_escape', $var); + } + else + { + return htmlspecialchars($var, ENT_QUOTES, config_item('charset')); + } + } +} + /* End of file Common.php */ /* Location: ./system/core/Common.php */
\ No newline at end of file diff --git a/system/core/Input.php b/system/core/Input.php index 5a033e7b8..0dc2c4550 100755 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -323,13 +323,13 @@ class CI_Input { $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']; } - elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP')) + elseif (! $this->server('HTTP_CLIENT_IP') AND $this->server('REMOTE_ADDR')) { - $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; + $this->ip_address = $_SERVER['REMOTE_ADDR']; } - elseif ($this->server('REMOTE_ADDR')) + elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP')) { - $this->ip_address = $_SERVER['REMOTE_ADDR']; + $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; } elseif ($this->server('HTTP_CLIENT_IP')) { diff --git a/system/core/Lang.php b/system/core/Lang.php index 5ac671838..d61d1029a 100755 --- a/system/core/Lang.php +++ b/system/core/Lang.php @@ -112,7 +112,7 @@ class CI_Lang { } - if ( ! isset($lang)) + if ( ! isset($lang) OR ! is_array($lang)) { log_message('error', 'Language file contains no data: language/'.$idiom.'/'.$langfile); return; @@ -124,7 +124,7 @@ class CI_Lang { } $this->is_loaded[] = $langfile; - $this->language = array_merge($this->language, $lang); + $this->language = $this->language + $lang; unset($lang); log_message('debug', 'Language file loaded: language/'.$idiom.'/'.$langfile); diff --git a/system/core/Loader.php b/system/core/Loader.php index 452dc0b4c..de0fc06d2 100755 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -1106,7 +1106,7 @@ class CI_Loader { * @param array * @return void */ - private function _ci_autoloader() + protected function _ci_autoloader() { if (defined('ENVIRONMENT') AND file_exists(APPPATH.'config/'.ENVIRONMENT.'/autoload.php')) { diff --git a/system/core/Security.php b/system/core/Security.php index dcc680a11..e99418bdd 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -33,6 +33,7 @@ class CI_Security { * @access protected */ protected $_xss_hash = ''; + /** * Random Hash for Cross Site Request Forgery Protection Cookie * @@ -40,6 +41,7 @@ class CI_Security { * @access protected */ protected $_csrf_hash = ''; + /** * Expiration time for Cross Site Request Forgery Protection Cookie * Defaults to two hours (in seconds) @@ -48,6 +50,7 @@ class CI_Security { * @access protected */ protected $_csrf_expire = 7200; + /** * Token name for Cross Site Request Forgery Protection Cookie * @@ -55,6 +58,7 @@ class CI_Security { * @access protected */ protected $_csrf_token_name = 'ci_csrf_token'; + /** * Cookie name for Cross Site Request Forgery Protection Cookie * @@ -62,12 +66,14 @@ class CI_Security { * @access protected */ protected $_csrf_cookie_name = 'ci_csrf_token'; + /** * List of never allowed strings * * @var array * @access protected */ + protected $_never_allowed_str = array( 'document.cookie' => '[removed]', 'document.write' => '[removed]', @@ -80,7 +86,6 @@ class CI_Security { '<![CDATA[' => '<![CDATA[' ); - /* never allowed, regex replacement */ /** * List of never allowed regex replacement * @@ -134,6 +139,16 @@ class CI_Security { { return $this->csrf_set_cookie(); } + + // Check if URI has been whitelisted from CSRF checks + if ($exclude_uris = config_item('csrf_exclude_uris')) + { + $uri = load_class('URI', 'core'); + if (in_array($uri->uri_string(), $exclude_uris)) + { + return $this; + } + } // Do the tokens exist in both the _POST and _COOKIE arrays? if ( ! isset($_POST[$this->_csrf_token_name]) OR @@ -156,9 +171,9 @@ class CI_Security { unset($_COOKIE[$this->_csrf_cookie_name]); $this->_csrf_set_hash(); $this->csrf_set_cookie(); - - log_message('debug', "CSRF token verified "); - + + log_message('debug', "CSRF token verified"); + return $this; } @@ -510,9 +525,17 @@ class CI_Security { * @param string * @return string */ - public function entity_decode($str, $charset='UTF-8') + public function entity_decode($str, $charset = NULL) { - if (stristr($str, '&') === FALSE) return $str; + if (stristr($str, '&') === FALSE) + { + return $str; + } + + if (empty($charset)) + { + $charset = config_item('charset'); + } // The reason we are not using html_entity_decode() by itself is because // while it is not technically correct to leave out the semicolon @@ -869,7 +892,6 @@ class CI_Security { } } -// END Security Class /* End of file Security.php */ -/* Location: ./system/libraries/Security.php */ +/* Location: ./system/libraries/Security.php */
\ No newline at end of file diff --git a/system/core/URI.php b/system/core/URI.php index a3ae20cc3..8946bc76b 100755 --- a/system/core/URI.php +++ b/system/core/URI.php @@ -175,7 +175,7 @@ class CI_URI { * @access private * @return string */ - private function _detect_uri() + protected function _detect_uri() { if ( ! isset($_SERVER['REQUEST_URI']) OR ! isset($_SERVER['SCRIPT_NAME'])) { @@ -232,7 +232,7 @@ class CI_URI { * @access private * @return string */ - private function _parse_cli_args() + protected function _parse_cli_args() { $args = array_slice($_SERVER['argv'], 1); diff --git a/system/database/DB_active_rec.php b/system/database/DB_active_rec.php index 37d162bc1..89766e304 100644 --- a/system/database/DB_active_rec.php +++ b/system/database/DB_active_rec.php @@ -894,7 +894,7 @@ class CI_DB_active_record extends CI_DB_driver { */ public function offset($offset) { - $this->ar_offset = $offset; + $this->ar_offset = (int) $offset; return $this; } diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index f9bf118fb..f3c6e41ad 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -251,9 +251,10 @@ class CI_DB_driver { { if ($sql == '') { + log_message('error', 'Invalid query: '.$sql); + if ($this->db_debug) { - log_message('error', 'Invalid query: '.$sql); return $this->display_error('db_invalid_query'); } return FALSE; @@ -306,21 +307,23 @@ class CI_DB_driver { // This will trigger a rollback if transactions are being used $this->_trans_status = FALSE; + // Grab the error number and message now, as we might run some + // additional queries before displaying the error + $error_no = $this->_error_number(); + $error_msg = $this->_error_message(); + + // Log errors + log_message('error', 'Query error: '.$error_msg); + if ($this->db_debug) { - // grab the error number and message now, as we might run some - // additional queries before displaying the error - $error_no = $this->_error_number(); - $error_msg = $this->_error_message(); - // We call this function in order to roll-back queries // if transactions are enabled. If we don't call this here // the error message will trigger an exit, causing the // transactions to remain in limbo. $this->trans_complete(); - // Log and display errors - log_message('error', 'Query error: '.$error_msg); + // Display errors return $this->display_error( array( 'Error Number: '.$error_no, diff --git a/system/database/drivers/mysql/mysql_result.php b/system/database/drivers/mysql/mysql_result.php index 2d2905c98..6ceaf4b9b 100644 --- a/system/database/drivers/mysql/mysql_result.php +++ b/system/database/drivers/mysql/mysql_result.php @@ -86,10 +86,10 @@ class CI_DB_mysql_result extends CI_DB_result { $retval = array(); while ($field = mysql_fetch_object($this->result_id)) { - preg_match('/([a-zA-Z]+)\((\d+)\)/', $field->Type, $matches); + preg_match('/([a-zA-Z]+)(\((\d+)\))?/i', $field->Type, $matches); $type = $matches[1]; - $length = (int)$matches[2]; + $length = isset($matches[3]) ? (int) $matches[3] : NULL; $F = new stdClass(); $F->name = $field->Field; diff --git a/system/database/drivers/mysqli/mysqli_result.php b/system/database/drivers/mysqli/mysqli_result.php index ac863056a..bbfb8481a 100644 --- a/system/database/drivers/mysqli/mysqli_result.php +++ b/system/database/drivers/mysqli/mysqli_result.php @@ -86,10 +86,10 @@ class CI_DB_mysqli_result extends CI_DB_result { $retval = array(); while ($field = mysqli_fetch_object($this->result_id)) { - preg_match('/([a-zA-Z]+)\((\d+)\)/', $field->Type, $matches); + preg_match('/([a-zA-Z]+)(\((\d+)\))?/i', $field->Type, $matches); $type = $matches[1]; - $length = (int)$matches[2]; + $length = isset($matches[3]) ? (int) $matches[3] : NULL; $F = new stdClass(); $F->name = $field->Field; diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php index 42cfaaefb..d4adfd528 100644 --- a/system/database/drivers/oci8/oci8_driver.php +++ b/system/database/drivers/oci8/oci8_driver.php @@ -404,6 +404,7 @@ class CI_DB_oci8_driver extends CI_DB { } $str = remove_invisible_characters($str); + $str = str_replace("'", "''", $str); // escape LIKE condition wildcards if ($like === TRUE) diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php index 5e764e071..08cd27b6c 100644 --- a/system/database/drivers/odbc/odbc_driver.php +++ b/system/database/drivers/odbc/odbc_driver.php @@ -50,7 +50,7 @@ class CI_DB_odbc_driver extends CI_DB { function CI_DB_odbc_driver($params) { - parent::CI_DB($params); + parent::CI_DB_driver($params); $this->_random_keyword = ' RND('.time().')'; // database specific random keyword } diff --git a/system/helpers/date_helper.php b/system/helpers/date_helper.php index 6c559bb25..e14bc2f94 100644 --- a/system/helpers/date_helper.php +++ b/system/helpers/date_helper.php @@ -54,10 +54,8 @@ if ( ! function_exists('now')) return $system_time; } - else - { - return time(); - } + + return time(); } } @@ -85,12 +83,18 @@ if ( ! function_exists('mdate')) function mdate($datestr = '', $time = '') { if ($datestr == '') - return ''; + { + return ''; + } - if ($time == '') - $time = now(); + $time = ($time == '') ? now() : $time; + + $datestr = str_replace( + '%\\', + '', + preg_replace("/([a-z]+?){1}/i", "\\\\\\1", $datestr) + ); - $datestr = str_replace('%\\', '', preg_replace("/([a-z]+?){1}/i", "\\\\\\1", $datestr)); return date($datestr, $time); } } @@ -162,14 +166,7 @@ if ( ! function_exists('timespan')) $time = time(); } - if ($time <= $seconds) - { - $seconds = 1; - } - else - { - $seconds = $time - $seconds; - } + $seconds = ($time <= $seconds) ? 1 : $time - $seconds; $str = ''; $years = floor($seconds / 31536000); @@ -303,9 +300,18 @@ if ( ! function_exists('local_to_gmt')) function local_to_gmt($time = '') { if ($time == '') + { $time = time(); - - return mktime( gmdate("H", $time), gmdate("i", $time), gmdate("s", $time), gmdate("m", $time), gmdate("d", $time), gmdate("Y", $time)); + } + + return mktime( + gmdate("H", $time), + gmdate("i", $time), + gmdate("s", $time), + gmdate("m", $time), + gmdate("d", $time), + gmdate("Y", $time) + ); } } @@ -366,14 +372,14 @@ if ( ! function_exists('mysql_to_unix')) $time = str_replace(' ', '', $time); // YYYYMMDDHHMMSS - return mktime( - substr($time, 8, 2), - substr($time, 10, 2), - substr($time, 12, 2), - substr($time, 4, 2), - substr($time, 6, 2), - substr($time, 0, 4) - ); + return mktime( + substr($time, 8, 2), + substr($time, 10, 2), + substr($time, 12, 2), + substr($time, 4, 2), + substr($time, 6, 2), + substr($time, 0, 4) + ); } } @@ -475,13 +481,19 @@ if ( ! function_exists('human_to_unix')) $ampm = strtolower($split['2']); if (substr($ampm, 0, 1) == 'p' AND $hour < 12) - $hour = $hour + 12; + { + $hour = $hour + 12; + } if (substr($ampm, 0, 1) == 'a' AND $hour == 12) + { $hour = '00'; - + } + if (strlen($hour) == 1) - $hour = '0'.$hour; + { + $hour = '0'.$hour; + } } return mktime($hour, $min, $sec, $month, $day, $year); @@ -501,16 +513,16 @@ if ( ! function_exists('human_to_unix')) */ if ( ! function_exists('nice_date')) { - function nice_date($bad_date='', $format=false) + function nice_date($bad_date = '', $format = FALSE) { if (empty($bad_date)) { return 'Unknown'; } + // Date like: YYYYMM - if (preg_match('/^\d{6}$/',$bad_date)) + if (preg_match('/^\d{6}$/', $bad_date)) { - //echo $bad_date." "; if (in_array(substr($bad_date, 0, 2),array('19', '20'))) { $year = substr($bad_date, 0, 4); @@ -521,8 +533,8 @@ if ( ! function_exists('nice_date')) $month = substr($bad_date, 0, 2); $year = substr($bad_date, 2, 4); } + return date($format, strtotime($year . '-' . $month . '-01')); - } // Date Like: YYYYMMDD @@ -531,6 +543,7 @@ if ( ! function_exists('nice_date')) $month = substr($bad_date, 0, 2); $day = substr($bad_date, 2, 2); $year = substr($bad_date, 4, 4); + return date($format, strtotime($month . '/01/' . $year)); } @@ -574,8 +587,7 @@ if ( ! function_exists('timezone_menu')) $CI =& get_instance(); $CI->lang->load('date'); - if ($default == 'GMT') - $default = 'UTC'; + $default = ($default == 'GMT') ? 'UTC' : $default; $menu = '<select name="'.$name.'"'; @@ -618,60 +630,58 @@ if ( ! function_exists('timezones')) // some items appear to be in the wrong order $zones = array( - 'UM12' => -12, - 'UM11' => -11, - 'UM10' => -10, - 'UM95' => -9.5, - 'UM9' => -9, - 'UM8' => -8, - 'UM7' => -7, - 'UM6' => -6, - 'UM5' => -5, - 'UM45' => -4.5, - 'UM4' => -4, - 'UM35' => -3.5, - 'UM3' => -3, - 'UM2' => -2, - 'UM1' => -1, - 'UTC' => 0, - 'UP1' => +1, - 'UP2' => +2, - 'UP3' => +3, - 'UP35' => +3.5, - 'UP4' => +4, - 'UP45' => +4.5, - 'UP5' => +5, - 'UP55' => +5.5, - 'UP575' => +5.75, - 'UP6' => +6, - 'UP65' => +6.5, - 'UP7' => +7, - 'UP8' => +8, - 'UP875' => +8.75, - 'UP9' => +9, - 'UP95' => +9.5, - 'UP10' => +10, - 'UP105' => +10.5, - 'UP11' => +11, - 'UP115' => +11.5, - 'UP12' => +12, - 'UP1275' => +12.75, - 'UP13' => +13, - 'UP14' => +14 - ); + 'UM12' => -12, + 'UM11' => -11, + 'UM10' => -10, + 'UM95' => -9.5, + 'UM9' => -9, + 'UM8' => -8, + 'UM7' => -7, + 'UM6' => -6, + 'UM5' => -5, + 'UM45' => -4.5, + 'UM4' => -4, + 'UM35' => -3.5, + 'UM3' => -3, + 'UM2' => -2, + 'UM1' => -1, + 'UTC' => 0, + 'UP1' => +1, + 'UP2' => +2, + 'UP3' => +3, + 'UP35' => +3.5, + 'UP4' => +4, + 'UP45' => +4.5, + 'UP5' => +5, + 'UP55' => +5.5, + 'UP575' => +5.75, + 'UP6' => +6, + 'UP65' => +6.5, + 'UP7' => +7, + 'UP8' => +8, + 'UP875' => +8.75, + 'UP9' => +9, + 'UP95' => +9.5, + 'UP10' => +10, + 'UP105' => +10.5, + 'UP11' => +11, + 'UP115' => +11.5, + 'UP12' => +12, + 'UP1275' => +12.75, + 'UP13' => +13, + 'UP14' => +14 + ); if ($tz == '') { return $zones; } - - if ($tz == 'GMT') - $tz = 'UTC'; - + + $tz = ($tz == 'GMT') ? 'UTC' : $tz; + return ( ! isset($zones[$tz])) ? 0 : $zones[$tz]; } } - /* End of file date_helper.php */ /* Location: ./system/helpers/date_helper.php */
\ No newline at end of file diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index d9305c00b..130daee6a 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -642,11 +642,8 @@ if ( ! function_exists('form_prep')) { return $str; } - - $str = htmlspecialchars($str); - - // In case htmlspecialchars misses these. - $str = str_replace(array("'", '"'), array("'", """), $str); + + $str = html_escape($str); if ($field_name != '') { diff --git a/system/helpers/typography_helper.php b/system/helpers/typography_helper.php index 19b4eec03..82e686e53 100644 --- a/system/helpers/typography_helper.php +++ b/system/helpers/typography_helper.php @@ -39,9 +39,7 @@ if ( ! function_exists('nl2br_except_pre')) function nl2br_except_pre($str) { $CI =& get_instance(); - $CI->load->library('typography'); - return $CI->typography->nl2br_except_pre($str); } } @@ -82,9 +80,15 @@ if ( ! function_exists('auto_typography')) */ if ( ! function_exists('entity_decode')) { - function entity_decode($str, $charset='UTF-8') + function entity_decode($str, $charset = NULL) { global $SEC; + + if (empty($charset)) + { + $charset = config_item('charset'); + } + return $SEC->entity_decode($str, $charset); } } diff --git a/system/helpers/url_helper.php b/system/helpers/url_helper.php index 9f4b85248..c524dddd1 100644..100755 --- a/system/helpers/url_helper.php +++ b/system/helpers/url_helper.php @@ -512,7 +512,7 @@ if ( ! function_exists('url_title')) $str = strtolower($str); } - return trim(stripslashes($str)); + return trim(trim(stripslashes($str)), $replace); } } @@ -527,7 +527,7 @@ if ( ! function_exists('url_title')) * * @access public * @param string the URL - * @param string the method: location or redirect + * @param string the method: location or refresh * @return string */ if ( ! function_exists('redirect')) diff --git a/system/language/english/migration_lang.php b/system/language/english/migration_lang.php index 4763ca243..94cb882fb 100644 --- a/system/language/english/migration_lang.php +++ b/system/language/english/migration_lang.php @@ -5,7 +5,7 @@ $lang['migration_not_found'] = "This migration could not be found."; $lang['migration_multiple_version'] = "This are multiple migrations with the same version number: %d."; $lang['migration_class_doesnt_exist'] = "The migration class \"%s\" could not be found."; $lang['migration_missing_up_method'] = "The migration class \"%s\" is missing an 'up' method."; -$lang['migration_missing_down_method'] = "The migration class \"%s\" is missing an 'up' method."; +$lang['migration_missing_down_method'] = "The migration class \"%s\" is missing a 'down' method."; $lang['migration_invalid_filename'] = "Migration \"%s\" has an invalid filename."; diff --git a/system/libraries/Image_lib.php b/system/libraries/Image_lib.php index 8902f524d..a8a0387d8 100644 --- a/system/libraries/Image_lib.php +++ b/system/libraries/Image_lib.php @@ -1334,7 +1334,7 @@ class CI_Image_lib { return FALSE; } - $vals = @getimagesize($path); + $vals = getimagesize($path); $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png'); diff --git a/system/libraries/Migration.php b/system/libraries/Migration.php index 3943ec130..3734e18f5 100644 --- a/system/libraries/Migration.php +++ b/system/libraries/Migration.php @@ -57,7 +57,7 @@ class CI_Migration { } // If not set, set it - $this->_migration_path == '' OR $this->_migration_path = APPPATH . 'migrations/'; + $this->_migration_path == '' AND $this->_migration_path = APPPATH . 'migrations/'; // Add trailing slash if not set $this->_migration_path = rtrim($this->_migration_path, '/').'/'; |