diff options
Diffstat (limited to 'system')
-rw-r--r-- | system/core/Security.php | 12 | ||||
-rw-r--r-- | system/database/DB_query_builder.php | 51 | ||||
-rw-r--r-- | system/database/drivers/oci8/oci8_driver.php | 15 | ||||
-rw-r--r-- | system/database/drivers/postgre/postgre_driver.php | 7 | ||||
-rw-r--r-- | system/libraries/Email.php | 6 | ||||
-rw-r--r-- | system/libraries/Xmlrpc.php | 2 |
6 files changed, 61 insertions, 32 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index 091093637..b19a6fb02 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -545,6 +545,14 @@ class CI_Security { $str ); + // Same thing, but for "tag functions" (e.g. eval`some code`) + // See https://github.com/bcit-ci/CodeIgniter/issues/5420 + $str = preg_replace( + '#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)`(.*?)`#si', + '\\1\\2`\\3`', + $str + ); + // Final clean up // This adds a bit of extra precaution in case // something got through the above filters @@ -907,7 +915,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si', + '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si', '', $this->_filter_attributes($match[1]) ), @@ -935,7 +943,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|base64\s*,)#si', + '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|base64\s*,)#si', '', $this->_filter_attributes($match[1]) ), diff --git a/system/database/DB_query_builder.php b/system/database/DB_query_builder.php index d271964b9..744c4970e 100644 --- a/system/database/DB_query_builder.php +++ b/system/database/DB_query_builder.php @@ -673,7 +673,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { { if ($escape === TRUE) { - $v = ' '.$this->escape($v); + $v = $this->escape($v); } if ( ! $this->_has_operator($k)) @@ -691,10 +691,11 @@ abstract class CI_DB_query_builder extends CI_DB_driver { $k = substr($k, 0, $match[0][1]).($match[1][0] === '=' ? ' IS NULL' : ' IS NOT NULL'); } - $this->{$qb_key}[] = array('condition' => $prefix.$k.$v, 'escape' => $escape); + ${$qb_key} = array('condition' => $prefix.$k, 'value' => $v, 'escape' => $escape); + $this->{$qb_key}[] = ${$qb_key}; if ($this->qb_caching === TRUE) { - $this->{$qb_cache_key}[] = array('condition' => $prefix.$k.$v, 'escape' => $escape); + $this->{$qb_cache_key}[] = ${$qb_key}; $this->qb_cache_exists[] = substr($qb_key, 3); } @@ -906,6 +907,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { $wh_in = array( 'condition' => $prefix.$key.$not.' IN('.implode(', ', $wh_in).')', + 'value' => NULL, 'escape' => $escape ); @@ -1034,33 +1036,34 @@ abstract class CI_DB_query_builder extends CI_DB_driver { $v = $this->escape_like_str($v); } - if ($side === 'none') + switch ($side) { - $like_statement = "{$prefix} {$k} {$not} LIKE '{$v}'"; - } - elseif ($side === 'before') - { - $like_statement = "{$prefix} {$k} {$not} LIKE '%{$v}'"; - } - elseif ($side === 'after') - { - $like_statement = "{$prefix} {$k} {$not} LIKE '{$v}%'"; - } - else - { - $like_statement = "{$prefix} {$k} {$not} LIKE '%{$v}%'"; + case 'none': + $v = "'{$v}'"; + break; + case 'before': + $v = "%'{$v}'"; + break; + case 'after': + $v = "'{$v}%'"; + break; + case 'both': + default: + $v = "'%{$v}%'"; + break; } // some platforms require an escape sequence definition for LIKE wildcards if ($escape === TRUE && $this->_like_escape_str !== '') { - $like_statement .= sprintf($this->_like_escape_str, $this->_like_escape_chr); + $v .= sprintf($this->_like_escape_str, $this->_like_escape_chr); } - $this->qb_where[] = array('condition' => $like_statement, 'escape' => $escape); + $qb_where = array('condition' => "{$prefix} {$k} {$not} LIKE", 'value' => $v, 'escape' => $escape); + $this->qb_where[] = $qb_where; if ($this->qb_caching === TRUE) { - $this->qb_cache_where[] = array('condition' => $like_statement, 'escape' => $escape); + $this->qb_cache_where[] = $qb_where; $this->qb_cache_exists[] = 'where'; } } @@ -1085,6 +1088,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { $prefix = (count($this->qb_where) === 0 && count($this->qb_cache_where) === 0) ? '' : $type; $where = array( 'condition' => $prefix.$not.str_repeat(' ', ++$this->qb_where_group_count).' (', + 'value' => NULL, 'escape' => FALSE ); @@ -1145,6 +1149,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { $this->qb_where_group_started = FALSE; $where = array( 'condition' => str_repeat(' ', $this->qb_where_group_count--).')', + 'value' => NULL, 'escape' => FALSE ); @@ -1505,7 +1510,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { // -------------------------------------------------------------------- /** - * Get_Where + * get_where() * * Allows the where clause, limit and offset to be added directly * @@ -2467,7 +2472,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { } elseif ($this->{$qb_key}[$i]['escape'] === FALSE) { - $this->{$qb_key}[$i] = $this->{$qb_key}[$i]['condition']; + $this->{$qb_key}[$i] = $this->{$qb_key}[$i]['condition'].(isset($this->{$qb_key}[$i]['value']) ? ' '.$this->{$qb_key}[$i]['value'] : ''); continue; } @@ -2506,7 +2511,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { .' '.trim($matches[3]).$matches[4].$matches[5]; } - $this->{$qb_key}[$i] = implode('', $conditions); + $this->{$qb_key}[$i] = implode('', $conditions).(isset($this->{$qb_key}[$i]['value']) ? ' '.$this->{$qb_key}[$i]['value'] : ''); } return ($qb_key === 'qb_having' ? "\nHAVING " : "\nWHERE ") diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php index 1bd977390..b90db4bd2 100644 --- a/system/database/drivers/oci8/oci8_driver.php +++ b/system/database/drivers/oci8/oci8_driver.php @@ -97,7 +97,7 @@ class CI_DB_oci8_driver extends CI_DB { * * @var bool */ - public $limit_used; + public $limit_used = FALSE; // -------------------------------------------------------------------- @@ -685,4 +685,17 @@ class CI_DB_oci8_driver extends CI_DB { oci_close($this->conn_id); } + // -------------------------------------------------------------------- + + /** + * We need to reset our $limit_used hack flag, so it doesn't propagate + * to subsequent queries. + * + * @return void + */ + protected function _reset_select() + { + $this->limit_used = FALSE; + parent::_reset_select(); + } } diff --git a/system/database/drivers/postgre/postgre_driver.php b/system/database/drivers/postgre/postgre_driver.php index cae162e2e..e9b1e991c 100644 --- a/system/database/drivers/postgre/postgre_driver.php +++ b/system/database/drivers/postgre/postgre_driver.php @@ -218,8 +218,8 @@ class CI_DB_postgre_driver extends CI_DB { * and so we'll have to fall back to running a query in * order to get it. */ - return isset($pg_version['server']) - ? $this->data_cache['version'] = $pg_version['server'] + return (isset($pg_version['server']) && preg_match('#^(\d+\.\d+)#', $pg_version['server'], $match)) + ? $this->data_cache['version'] = $match[1] : parent::version(); } @@ -348,8 +348,7 @@ class CI_DB_postgre_driver extends CI_DB { */ public function insert_id() { - $v = pg_version($this->conn_id); - $v = isset($v['server']) ? $v['server'] : 0; // 'server' key is only available since PosgreSQL 7.4 + $v = $this->version(); $table = (func_num_args() > 0) ? func_get_arg(0) : NULL; $column = (func_num_args() > 1) ? func_get_arg(1) : NULL; diff --git a/system/libraries/Email.php b/system/libraries/Email.php index 1847cc96f..beb2ffa17 100644 --- a/system/libraries/Email.php +++ b/system/libraries/Email.php @@ -1824,7 +1824,11 @@ class CI_Email { { if (function_exists('idn_to_ascii') && $atpos = strpos($email, '@')) { - $email = self::substr($email, 0, ++$atpos).idn_to_ascii(self::substr($email, $atpos), 0, INTL_IDNA_VARIANT_UTS46); + list($account, $domain) = explode('@', $email, 2); + $domain = defined('INTL_IDNA_VARIANT_UTS46') + ? idn_to_ascii($domain, 0, INTL_IDNA_VARIANT_UTS46) + : idn_to_ascii($domain); + $email = $account.'@'.$domain; } return (filter_var($email, FILTER_VALIDATE_EMAIL) === $email && preg_match('#\A[a-z0-9._+-]+@[a-z0-9.-]{1,253}\z#i', $email)); diff --git a/system/libraries/Xmlrpc.php b/system/libraries/Xmlrpc.php index 1d33b7742..8cc1c83f5 100644 --- a/system/libraries/Xmlrpc.php +++ b/system/libraries/Xmlrpc.php @@ -1179,7 +1179,7 @@ class XML_RPC_Message extends CI_Xmlrpc $data = implode("\r\n", $lines); // Parse XML data - if ( ! xml_parse($parser, $data, count($data))) + if ( ! xml_parse($parser, $data, TRUE)) { $errstr = sprintf('XML error: %s at line %d', xml_error_string(xml_get_error_code($parser)), |