Diffstat (limited to 'system')
-rw-r--r-- | system/core/Common.php | 1 | ||||
-rwxr-xr-x | system/core/Input.php | 1 | ||||
-rwxr-xr-x | system/core/Security.php | 64 | ||||
-rw-r--r-- | system/database/DB_driver.php | 5 | ||||
-rw-r--r-- | system/database/drivers/mysql/mysql_result.php | 6 | ||||
-rw-r--r-- | system/database/drivers/mysqli/mysqli_driver.php | 19 | ||||
-rw-r--r-- | system/database/drivers/mysqli/mysqli_result.php | 6 | ||||
-rw-r--r-- | system/database/drivers/pdo/pdo_driver.php | 33 | ||||
-rw-r--r-- | system/helpers/date_helper.php | 2 | ||||
-rwxr-xr-x | system/helpers/url_helper.php | 10 | ||||
-rw-r--r-- | system/libraries/Email.php | 31 | ||||
-rw-r--r-- | system/libraries/Migration.php | 36 | ||||
-rw-r--r-- | system/libraries/Pagination.php | 4 | ||||
-rw-r--r-- | system/libraries/Upload.php | 4 | ||||
-rw-r--r-- | system/libraries/Xmlrpc.php | 6 |
15 files changed, 142 insertions, 86 deletions
diff --git a/system/core/Common.php b/system/core/Common.php index e43bb8db3..b0921fe0c 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -419,6 +419,7 @@ if ( ! function_exists('set_status_header')) 415 => 'Unsupported Media Type', 416 => 'Requested Range Not Satisfiable', 417 => 'Expectation Failed', + 422 => 'Unprocessable Entity', 500 => 'Internal Server Error', 501 => 'Not Implemented', diff --git a/system/core/Input.php b/system/core/Input.php index 946d9296f..3cbbe787f 100755 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -740,7 +740,6 @@ class CI_Input { } } -// END Input class /* End of file Input.php */ /* Location: ./system/core/Input.php */ diff --git a/system/core/Security.php b/system/core/Security.php index ee4f0a08d..ce3f7d3cc 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -95,7 +95,8 @@ class CI_Security { '-moz-binding' => '[removed]', '<!--' => '<!--', '-->' => '-->', - '<![CDATA[' => '<![CDATA[' + '<![CDATA[' => '<![CDATA[', + '<comment>' => '<comment>' ); /** @@ -498,15 +499,7 @@ class CI_Security { { if ($this->_xss_hash == '') { - if (phpversion() >= 4.2) - { - mt_srand(); - } - else - { - mt_srand(hexdec(substr(md5(microtime()), -8)) & 0x7fffffff); - } - + mt_srand(); $this->_xss_hash = md5(time() + mt_rand(0, 1999999999)); } @@ -520,6 +513,12 @@ class CI_Security { * * This function is a replacement for html_entity_decode() * + * The reason we are not using html_entity_decode() by itself is because + * while it is not technically correct to leave out the semicolon + * at the end of an entity most browsers will still interpret the entity + * correctly. html_entity_decode() does not convert entities without + * semicolons, so we are left with our own little solution here. Bummer. + * * @param string * @param string * @return string 
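Review bot: In the `xss_hash()` hunk the token is still `md5(time() + mt_rand(0, 1999999999))` after an unseeded `mt_srand()`, which is a predictable source for a value that appears to serve as a marker the filtered input must not be able to reproduce; calling `mt_srand()` from a library also reseeds the process-wide generator, a side effect on any other code using `mt_rand()`. Where the OpenSSL extension is present a CSPRNG is available and the reseed can go: `$this->_xss_hash = function_exists('openssl_random_pseudo_bytes') ? bin2hex(openssl_random_pseudo_bytes(16)) : md5(time() + mt_rand(0, 1999999999));`. The fallback keeps today's behaviour (same 32-hex-character shape) on hosts without OpenSSL; the enclosing `xss_hash()` starts outside the hunk.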
@@ -536,11 +535,6 @@ class CI_Security { $charset = config_item('charset'); } - // The reason we are not using html_entity_decode() by itself is because - // while it is not technically correct to leave out the semicolon - // at the end of an entity most browsers will still interpret the entity - // correctly. html_entity_decode() does not convert entities without - // semicolons, so we are left with our own little solution here. Bummer. $str = html_entity_decode($str, ENT_COMPAT, $charset); $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str); return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str); 
@@ -637,25 +631,45 @@ class CI_Security { protected function _remove_evil_attributes($str, $is_image) { // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns - $evil_attributes = array('on\w*', 'style', 'xmlns'); + $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction'); if ($is_image === TRUE) { /* - * Adobe Photoshop puts XML metadata into JFIF images, + * Adobe Photoshop puts XML metadata into JFIF images, * including namespacing, so we have to allow this for images. */ unset($evil_attributes[array_search('xmlns', $evil_attributes)]); } - + do { - $str = preg_replace( - "#<(/?[^><]+?)([^A-Za-z\-])(".implode('|', $evil_attributes).")(\s*=\s*)([\"][^>]*?[\"]|[\'][^>]*?[\']|[^>]*?)([\s><])([><]*)#i", - "<$1$6", - $str, -1, $count - ); - } while ($count); + $count = 0; + $attribs = array(); + + // find occurrences of illegal attribute strings without quotes + preg_match_all("/(".implode('|', $evil_attributes).")\s*=\s*([^\s]*)/is", $str, $matches, PREG_SET_ORDER); + + foreach ($matches as $attr) + { + $attribs[] = preg_quote($attr[0], '/'); + } + + // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) + preg_match_all("/(".implode('|', $evil_attributes).")\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is", $str, $matches, PREG_SET_ORDER); + + foreach ($matches as $attr) + { + $attribs[] = preg_quote($attr[0], '/'); + } + // replace illegal attribute strings that are inside an html tag + if (count($attribs) > 0) + { + $str = preg_replace("/<(\/?[^><]+?)([^A-Za-z\-])(".implode('|', $attribs).")([\s><])([><]*)/i", '<$1$2$4$5', $str, -1, $count); + } + + } while ($count); + return $str; } @@ -877,4 +891,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/core/Security.php */ +/* Location: ./system/core/Security.php */
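Review bot: The unquoted-value pattern in the first `preg_match_all`, `\s*=\s*([^\s]*)`, runs to the next whitespace rather than to the end of the tag, so for an unquoted value that runs straight into the closing `>` the captured string swallows the `>` and whatever text follows it; the final `preg_replace` then requires the attribute to be followed by `[\s><]`, which either no longer matches (the attribute survives every pass) or matches a later space and strips the tag close and following text along with it. Stopping the value at a tag close keeps both passes in step: `preg_match_all("/(".implode('|', $evil_attributes).")\s*=\s*([^\s>]*)/is", $str, $matches, PREG_SET_ORDER);`. Separately, `([^\\2]*?)` in the quoted-value pattern is not a negated backreference — a backreference cannot appear inside a character class, so `[^\2]` excludes only the byte 0x02 — and the pattern works only because the quantifier is lazy; `(.*?)` says what is meant and deserves a comment either way.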
\ No newline at end of file diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index dd1b5677a..cc40ba48a 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -522,6 +522,7 @@ class CI_DB_driver { } $this->trans_begin($test_mode); + $this->_trans_depth += 1; } // -------------------------------------------------------------------- @@ -545,6 +546,10 @@ class CI_DB_driver { $this->_trans_depth -= 1; return TRUE; } + else + { + $this->_trans_depth = 0; + } // The query() function will set this flag to FALSE in the event that a query failed if ($this->_trans_status === FALSE) diff --git a/system/database/drivers/mysql/mysql_result.php b/system/database/drivers/mysql/mysql_result.php index 66f782df0..29297b6a4 100644 --- a/system/database/drivers/mysql/mysql_result.php +++ b/system/database/drivers/mysql/mysql_result.php @@ -98,10 +98,10 @@ class CI_DB_mysql_result extends CI_DB_result { $retval = array(); while ($field = mysql_fetch_object($this->result_id)) { - preg_match('/([a-zA-Z]+)(\((\d+)\))?/i', $field->Type, $matches); + preg_match('/([a-zA-Z]+)(\(\d+\))?/', $field->Type, $matches); - $type = $matches[1]; - $length = isset($matches[3]) ? (int) $matches[3] : NULL; + $type = (array_key_exists(1, $matches)) ? $matches[1] : NULL; + $length = (array_key_exists(2, $matches)) ? preg_replace('/[^\d]/', '', $matches[2]) : NULL; $F = new stdClass(); $F->name = $field->Field; diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php index 4af08c8a9..fb5953bd7 100644 --- a/system/database/drivers/mysqli/mysqli_driver.php +++ b/system/database/drivers/mysqli/mysqli_driver.php 
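Review bot: `$length` changes type in the mysql_result.php hunk: the old code produced an `int` via `(int) $matches[3]`, whereas `preg_replace('/[^\d]/', '', $matches[2])` returns a string, so whatever consumes it downstream (presumably the field's `max_length`, assigned outside the hunk) now receives `'11'` instead of `11`. Casting restores the old contract: `$length = (array_key_exists(2, $matches)) ? (int) preg_replace('/[^\d]/', '', $matches[2]) : NULL;`. The identical change appears in the mysqli_result.php hunk and needs the same cast.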
@@ -574,6 +574,25 @@ class CI_DB_mysqli_driver extends CI_DB { // -------------------------------------------------------------------- + + /** + * Replace statement + * + * Generates a platform-specific replace string from the supplied data + * + * @access public + * @param string the table name + * @param array the insert keys + * @param array the insert values + * @return string + */ + function _replace($table, $keys, $values) + { + return "REPLACE INTO ".$table." (".implode(', ', $keys).") VALUES (".implode(', ', $values).")"; + } + + // -------------------------------------------------------------------- + /** * Update statement * diff --git a/system/database/drivers/mysqli/mysqli_result.php b/system/database/drivers/mysqli/mysqli_result.php index bfe500e19..163788b6c 100644 --- a/system/database/drivers/mysqli/mysqli_result.php +++ b/system/database/drivers/mysqli/mysqli_result.php @@ -98,10 +98,10 @@ class CI_DB_mysqli_result extends CI_DB_result { $retval = array(); while ($field = mysqli_fetch_object($this->result_id)) { - preg_match('/([a-zA-Z]+)(\((\d+)\))?/i', $field->Type, $matches); + preg_match('/([a-zA-Z]+)(\(\d+\))?/', $field->Type, $matches); - $type = $matches[1]; - $length = isset($matches[3]) ? (int) $matches[3] : NULL; + $type = (array_key_exists(1, $matches)) ? $matches[1] : NULL; + $length = (array_key_exists(2, $matches)) ? preg_replace('/[^\d]/', '', $matches[2]) : NULL; $F = new stdClass(); $F->name = $field->Field; diff --git a/system/database/drivers/pdo/pdo_driver.php b/system/database/drivers/pdo/pdo_driver.php index 10ef00c49..5f63a3771 100644 --- a/system/database/drivers/pdo/pdo_driver.php +++ b/system/database/drivers/pdo/pdo_driver.php @@ -57,7 +57,8 @@ class CI_DB_pdo_driver extends CI_DB { */ var $_count_string = "SELECT COUNT(*) AS "; var $_random_keyword; - + + var $options = array(); function __construct($params) { 
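Review bot: The new `_replace()` interpolates `$table`, `$keys` and `$values` verbatim into the statement and performs no escaping or identifier protection of its own, and nothing in the signature or docblock conveys that contract to a caller. Suggested `@param` wording: `the insert keys (already protected identifiers)` and `the insert values (already escaped by the caller)` — presumably the active-record layer does this as it does for the existing insert path, which is worth confirming before relying on it. A one-line note that the method mirrors `_insert()` would also explain why it lives in the driver rather than doing its own quoting.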
@@ -68,6 +69,15 @@ class CI_DB_pdo_driver extends CI_DB { { $this->_like_escape_str = ''; $this->_like_escape_chr = ''; + + //Prior to this version, the charset can't be set in the dsn + if(is_php('5.3.6')) + { + $this->hostname .= ";charset={$this->char_set}"; + } + + //Set the charset with the connection options + $this->options['PDO::MYSQL_ATTR_INIT_COMMAND'] = "SET NAMES {$this->char_set}"; } else if (strpos($this->hostname, 'odbc') !== FALSE) { @@ -80,7 +90,8 @@ class CI_DB_pdo_driver extends CI_DB { $this->_like_escape_chr = '!'; } - $this->hostname = $this->hostname . ";dbname=".$this->database; + $this->hostname .= ";dbname=".$this->database; + $this->trans_enabled = FALSE; $this->_random_keyword = ' RND('.time().')'; // database specific random keyword @@ -94,9 +105,9 @@ class CI_DB_pdo_driver extends CI_DB { */ function db_connect() { - return new PDO($this->hostname,$this->username,$this->password, array( - PDO::ATTR_ERRMODE => PDO::ERRMODE_SILENT - )); + $this->options['PDO::ATTR_ERRMODE'] = PDO::ERRMODE_SILENT; + + return new PDO($this->hostname, $this->username, $this->password, $this->options); } // -------------------------------------------------------------------- @@ -109,10 +120,10 @@ class CI_DB_pdo_driver extends CI_DB { */ function db_pconnect() { - return new PDO($this->hostname,$this->username,$this->password, array( - PDO::ATTR_ERRMODE => PDO::ERRMODE_SILENT, - PDO::ATTR_PERSISTENT => true - )); + $this->options['PDO::ATTR_ERRMODE'] = PDO::ERRMODE_SILENT; + $this->options['PDO::ATTR_PERSISTENT'] = TRUE; + + return new PDO($this->hostname, $this->username, $this->password, $this->options); } // -------------------------------------------------------------------- 
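Review bot: The options array in this hunk and in the `db_connect()` / `db_pconnect()` hunks below is keyed by the strings `'PDO::MYSQL_ATTR_INIT_COMMAND'`, `'PDO::ATTR_ERRMODE'` and `'PDO::ATTR_PERSISTENT'` rather than by the constants, and `PDO::__construct()` only applies integer-keyed entries, so none of these settings take effect: the connection is not persistent, the error mode falls back to PDO's default, and the `SET NAMES` init command is never sent, which silently defeats the charset handling this change is meant to add. Drop the quotes so the constants' integer values are used, e.g. `$this->options[PDO::MYSQL_ATTR_INIT_COMMAND] = "SET NAMES {$this->char_set}";` and `$this->options[PDO::ATTR_ERRMODE] = PDO::ERRMODE_SILENT;`. `$this->char_set` is also spliced unquoted into both the DSN and the `SET NAMES` statement; assuming it comes only from the database configuration this is a robustness rather than an injection concern, but a comment stating that assumption would help the next reader.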
@@ -244,7 +255,11 @@ class CI_DB_pdo_driver extends CI_DB { // Reset the transaction failure flag. // If the $test_mode flag is set to TRUE transactions will be rolled back // even if the queries produce a successful result. +<<<<<<< HEAD $this->_trans_failure = ($test_mode === TRUE) ? TRUE : FALSE; +======= + $this->_trans_failure = (bool) ($test_mode === TRUE); +>>>>>>> master return $this->conn_id->beginTransaction(); } diff --git a/system/helpers/date_helper.php b/system/helpers/date_helper.php index 447bf55ac..8c92fdc89 100644 --- a/system/helpers/date_helper.php +++ b/system/helpers/date_helper.php @@ -132,7 +132,7 @@ if ( ! function_exists('standard_date')) 'DATE_COOKIE' => '%l, %d-%M-%y %H:%i:%s UTC', 'DATE_ISO8601' => '%Y-%m-%dT%H:%i:%s%Q', 'DATE_RFC822' => '%D, %d %M %y %H:%i:%s %O', - 'DATE_RFC850' => '%l, %d-%M-%y %H:%m:%i UTC', + 'DATE_RFC850' => '%l, %d-%M-%y %H:%i:%s UTC', 'DATE_RFC1036' => '%D, %d %M %y %H:%i:%s %O', 'DATE_RFC1123' => '%D, %d %M %Y %H:%i:%s %O', 'DATE_RSS' => '%D, %d %M %Y %H:%i:%s %O', diff --git a/system/helpers/url_helper.php b/system/helpers/url_helper.php index bfed96c6e..5d9afe457 100755 --- a/system/helpers/url_helper.php +++ b/system/helpers/url_helper.php @@ -393,7 +393,7 @@ if ( ! function_exists('auto_link')) { if ($type != 'email') { - if (preg_match_all("#(^|\s|\()((http(s?)://)|(www\.))(\w+[^\s\)\<]+)#i", $str, $matches)) + if (preg_match_all("#(^|\s|\(|\b)((http(s?)://)|(www\.))(\w+[^\s\)\<]+)#i", $str, $matches)) { $pop = ($popup == TRUE) ? " target=\"_blank\" " : ""; 
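Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> master`) into `trans_begin()`, which makes pdo_driver.php a parse error and takes every PDO-backed connection down with it. The two sides are equivalent, so keep a single line, e.g. `$this->_trans_failure = ($test_mode === TRUE);`, and remove the markers. The enclosing `trans_begin()` starts outside the hunk.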
@@ -544,13 +544,19 @@ if ( ! function_exists('url_title')) */ if ( ! function_exists('redirect')) { - function redirect($uri = '', $method = 'location', $http_response_code = 302) + function redirect($uri = '', $method = 'auto', $http_response_code = 302) { if ( ! preg_match('#^https?://#i', $uri)) { $uri = site_url($uri); } + // IIS environment likely? Use 'refresh' for better compatibility + if (DIRECTORY_SEPARATOR != '/' && $method == 'auto') + { + $method = 'refresh'; + } + switch($method) { case 'refresh' : header("Refresh:0;url=".$uri); diff --git a/system/libraries/Email.php b/system/libraries/Email.php index db6ea8f90..631b62e86 100644 --- a/system/libraries/Email.php +++ b/system/libraries/Email.php @@ -418,11 +418,11 @@ class CI_Email { * @param string * @return void */ - public function attach($filename, $disposition = 'attachment') + public function attach($filename, $disposition = '', $newname = NULL) { - $this->_attach_name[] = $filename; + $this->_attach_name[] = array($filename, $newname); $this->_attach_type[] = $this->_mime_types(pathinfo($filename, PATHINFO_EXTENSION)); - $this->_attach_disp[] = $disposition; // Can also be 'inline' Not sure if it matters + $this->_attach_disp[] = empty($disposition) ? 'attachment' : $disposition; // Can also be 'inline' Not sure if it matters return $this; } @@ -1151,8 +1151,9 @@ class CI_Email { for ($i=0; $i < count($this->_attach_name); $i++) { - $filename = $this->_attach_name[$i]; - $basename = basename($filename); + $filename = $this->_attach_name[$i][0]; + $basename = ( is_null($this->_attach_name[$i][1]) ? basename($filename) : $this->_attach_name[$i][1] ); + $ctype = $this->_attach_type[$i]; if ( ! file_exists($filename)) 
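Review bot: The new `auto` branch in `redirect()` treats every host where `DIRECTORY_SEPARATOR != '/'` as IIS, so Apache or nginx on Windows also gets the `Refresh` header, and on the visible `header("Refresh:0;url=".$uri)` line the `$http_response_code` argument is presumably not sent at all (the rest of the `switch` is outside the hunk). A server-based test is closer to the stated intent: `if ($method == 'auto' && isset($_SERVER['SERVER_SOFTWARE']) && strpos($_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS') !== FALSE)`. Whichever test is kept, the docblock above the function should state that `auto` may fall back to a refresh-style redirect and that the status code then does not apply.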
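Review bot: `$newname` from the `attach()` hunk is stored as given and, in the `_build_message()` hunk below, used directly as `$basename` in place of `basename($filename)`, so a caller-supplied display name receives no normalisation; if `$basename` is later placed in a `Content-Type` or `Content-Disposition` header (outside the hunk), a CR/LF or double quote in it would corrupt or extend the MIME headers. Normalising once at the boundary is cheap: `$this->_attach_name[] = array($filename, is_null($newname) ? NULL : str_replace(array("\r", "\n", '"'), '', $newname));`. The docblock directly above `attach()` still lists only the original parameters; add a `@param string` line for `$newname` stating that it replaces the file's basename in the message.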
@@ -1692,12 +1693,7 @@ class CI_Email { */ protected function _smtp_connect() { - $ssl = NULL; - - if ($this->smtp_crypto == 'ssl') - { - $ssl = 'ssl://'; - } + $ssl = ($this->smtp_crypto == 'ssl') ? 'ssl://' : NULL; $this->_smtp_connect = fsockopen($ssl.$this->smtp_host, $this->smtp_port, @@ -1717,13 +1713,14 @@ class CI_Email { { $this->_send_command('hello'); $this->_send_command('starttls'); + $crypto = stream_socket_enable_crypto($this->_smtp_connect, TRUE, STREAM_CRYPTO_METHOD_TLS_CLIENT); - } - if ($crypto !== TRUE) - { - $this->_set_error_message('lang:email_smtp_error', $this->_get_smtp_data()); - return FALSE; + if ($crypto !== TRUE) + { + $this->_set_error_message('lang:email_smtp_error', $this->_get_smtp_data()); + return FALSE; + } } return $this->_send_command('hello'); @@ -2112,4 +2109,4 @@ class CI_Email { // END CI_Email class /* End of file Email.php */ -/* Location: ./system/libraries/Email.php */ +/* Location: ./system/libraries/Email.php */
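Review bot: The STARTTLS path now checks `$crypto` only when `smtp_crypto == 'tls'`, which fixes the undefined-variable case, but the result of `$this->_send_command('starttls')` is still ignored, so if the server declines STARTTLS the code goes on to call `stream_socket_enable_crypto()` on a plaintext session and reports the TLS failure instead of the server's actual reply; check it first, e.g. `if ( ! $this->_send_command('starttls')) { return FALSE; }`, assuming `_send_command()` signals failure by return value (not shown here). Note also that the socket is opened with `fsockopen()`, which accepts no stream context, so no `verify_peer`/CA options can be attached to this TLS upgrade; `stream_socket_client()` with an SSL context would let the peer certificate be verified. The enclosing `_smtp_connect()` starts in the earlier hunk and its body continues past this one.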
\ No newline at end of file diff --git a/system/libraries/Migration.php b/system/libraries/Migration.php index b7edf7195..94961b568 100644 --- a/system/libraries/Migration.php +++ b/system/libraries/Migration.php @@ -5,9 +5,9 @@ * An open source application development framework for PHP 5.1.6 or newer * * NOTICE OF LICENSE - * + * * Licensed under the Open Software License version 3.0 - * + * * This source file is subject to the Open Software License (OSL 3.0) that is * bundled with this package in the files license.txt / license.rst. It is * also available through the world wide web at this URL: @@ -46,7 +46,7 @@ class CI_Migration { protected $_migration_version = 0; protected $_migration_table = 'migrations'; protected $_migration_auto_latest = FALSE; - + protected $_error_string = ''; public function __construct($config = array()) @@ -71,7 +71,7 @@ class CI_Migration { } // If not set, set it - $this->_migration_path == '' AND $this->_migration_path = APPPATH . 'migrations/'; + $this->_migration_path == '' AND $this->_migration_path = APPPATH.'migrations/'; // Add trailing slash if not set $this->_migration_path = rtrim($this->_migration_path, '/').'/'; @@ -85,7 +85,7 @@ class CI_Migration { // Make sure the migration table name was set. if (empty($this->_migration_table)) { - show_error('Migrations configuration file (migration.php) must have "migration_table" set.'); + show_error('Migrations configuration file (migration.php) must have "migration_table" set.'); } // If the migrations table is missing, make it @@ -99,9 +99,9 @@ class CI_Migration { $this->db->insert($this->_migration_table, array('version' => 0)); } - + // Do we auto migrate to the latest migration? - if ( $this->_migration_auto_latest == TRUE ) + if ($this->_migration_auto_latest == TRUE) { if ( ! $this->latest() ) { @@ -140,7 +140,7 @@ class CI_Migration { // Moving Down $step = -1; } - + $method = $step === 1 ? 'up' : 'down'; $migrations = array(); 
@@ -148,7 +148,7 @@ class CI_Migration { // But first let's make sure that everything is the way it should be for ($i = $start; $i != $stop; $i += $step) { - $f = glob(sprintf($this->_migration_path . '%03d_*.php', $i)); + $f = glob(sprintf($this->_migration_path.'%03d_*.php', $i)); // Only one migration per step is permitted if (count($f) > 1) @@ -189,7 +189,7 @@ class CI_Migration { } include $f[0]; - $class = 'Migration_' . ucfirst($match[1]); + $class = 'Migration_'.ucfirst($match[1]); if ( ! class_exists($class)) { @@ -212,7 +212,7 @@ class CI_Migration { } } - log_message('debug', 'Current migration: ' . $current_version); + log_message('debug', 'Current migration: '.$current_version); $version = $i + ($step == 1 ? -1 : 0); @@ -222,13 +222,13 @@ class CI_Migration { return TRUE; } - log_message('debug', 'Migrating from ' . $method . ' to version ' . $version); + log_message('debug', 'Migrating from '.$method.' to version '.$version); // Loop through the migrations foreach ($migrations AS $migration) { // Run the migration class - $class = 'Migration_' . ucfirst(strtolower($migration)); + $class = 'Migration_'.ucfirst(strtolower($migration)); call_user_func(array(new $class, $method)); $current_version += $step; @@ -252,12 +252,12 @@ class CI_Migration { { if ( ! $migrations = $this->find_migrations()) { - $this->_error_string = $this->line->lang('migration_none_found'); + $this->_error_string = $this->lang->line('migration_none_found'); return false; } $last_migration = basename(end($migrations)); - + // Calculate the last migration step from existing migration // filenames and procceed to the standard version migration return $this->version((int) substr($last_migration, 0, 3)); 
@@ -300,9 +300,9 @@ class CI_Migration { protected function find_migrations() { // Load all *_*.php files in the migrations path - $files = glob($this->_migration_path . '*_*.php'); + $files = glob($this->_migration_path.'*_*.php'); $file_count = count($files); - + for ($i = 0; $i < $file_count; $i++) { // Mark wrongly formatted files as false for later filtering @@ -312,7 +312,7 @@ class CI_Migration { $files[$i] = FALSE; } } - + sort($files); return $files; diff --git a/system/libraries/Pagination.php b/system/libraries/Pagination.php index 7398c292d..f470debeb 100644 --- a/system/libraries/Pagination.php +++ b/system/libraries/Pagination.php @@ -298,11 +298,11 @@ class CI_Pagination { if ($this->last_link !== FALSE AND ($this->cur_page + $this->num_links) < $num_pages) { $i = ($this->use_page_numbers) ? $num_pages : ($num_pages * $this->per_page) - $this->per_page; - + $output .= $this->last_tag_open.'<a '.$this->anchor_class.'href="'.$this->base_url.$this->prefix.$i.$this->suffix.'">'.$this->last_link.'</a>'.$this->last_tag_close; } - // Kill double slashes. Note: Sometimes we can end up with a double slash + // Kill double slashes. Note: Sometimes we can end up with a double slash // in the penultimate link so we'll kill all double slashes. $output = preg_replace("#([^:])//+#", "\\1/", $output); diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 56062befb..66e91c5b6 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -1033,7 +1033,7 @@ class CI_Upload { protected function _file_mime_type($file) { // Use if the Fileinfo extension, if available (only versions above 5.3 support the FILEINFO_MIME_TYPE flag) - if (is_php('5.3') && function_exists('finfo_file')) + if ( (float) substr(phpversion(), 0, 3) >= 5.3 && function_exists('finfo_file')) { $finfo = new finfo(FILEINFO_MIME_TYPE); if ($finfo !== FALSE) // This is possible, if there is no magic MIME database file found on the system 
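Review bot: Replacing `is_php('5.3')` with `(float) substr(phpversion(), 0, 3) >= 5.3` in the Upload.php hunk is a step backwards: it assumes a single-digit major and minor (for a hypothetical `5.10.x` the substring is `5.1`, for `10.0.x` it is `10.`), it compares floats, and it diverges from the `is_php('5.3.6')` call this same commit adds in pdo_driver.php. Keep the helper, `if (is_php('5.3') && function_exists('finfo_file'))`, or use `version_compare(PHP_VERSION, '5.3', '>=')` directly. The enclosing `_file_mime_type()` continues past the hunk.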
@@ -1086,4 +1086,4 @@ class CI_Upload { // END Upload Class /* End of file Upload.php */ -/* Location: ./system/libraries/Upload.php */ +/* Location: ./system/libraries/Upload.php */
\ No newline at end of file diff --git a/system/libraries/Xmlrpc.php b/system/libraries/Xmlrpc.php index 2f66ef09a..7b1e3fa6e 100644 --- a/system/libraries/Xmlrpc.php +++ b/system/libraries/Xmlrpc.php @@ -1416,14 +1416,14 @@ class XML_RPC_Values extends CI_Xmlrpc { if ($utc == 1) { - $t = strftime("%Y%m%dT%H:%M:%S", $time); + $t = strftime("%Y%m%dT%H:%i:%s", $time); } else { if (function_exists('gmstrftime')) - $t = gmstrftime("%Y%m%dT%H:%M:%S", $time); + $t = gmstrftime("%Y%m%dT%H:%i:%s", $time); else - $t = strftime("%Y%m%dT%H:%M:%S", $time - date('Z')); + $t = strftime("%Y%m%dT%H:%i:%s", $time - date('Z')); } return $t; } |
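Review bot: These three format strings are passed to `strftime()`/`gmstrftime()`, which use C conversion specifiers: `%M` is the minute and `%S` the second, whereas `%i` is not a defined specifier and `%s` is not the second (on glibc it is the Unix epoch count), so the change means the emitted value is no longer `HH:MM:SS` and breaks every iso8601 timestamp this library produces. The `%H:%i:%s` form is the `date()`-style notation that the date_helper.php hunk in this commit correctly uses for `mdate()`, and it appears to have been applied here by mistake; restore `%Y%m%dT%H:%M:%S` on all three lines. The enclosing method starts outside the hunk.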