summaryrefslogtreecommitdiffstats
path: root/system
diff options
context:
space:
mode:
Diffstat (limited to 'system')
-rw-r--r--system/core/Security.php12
-rw-r--r--system/database/DB_query_builder.php51
-rw-r--r--system/database/drivers/oci8/oci8_driver.php15
-rw-r--r--system/database/drivers/postgre/postgre_driver.php7
-rw-r--r--system/libraries/Email.php6
-rw-r--r--system/libraries/Xmlrpc.php2
6 files changed, 61 insertions, 32 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 091093637..b19a6fb02 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -545,6 +545,14 @@ class CI_Security {
$str
);
+ // Same thing, but for "tag functions" (e.g. eval`some code`)
+ // See https://github.com/bcit-ci/CodeIgniter/issues/5420
+ $str = preg_replace(
+ '#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)`(.*?)`#si',
+ '\\1\\2`\\3`',
+ $str
+ );
+
// Final clean up
// This adds a bit of extra precaution in case
// something got through the above filters
@@ -907,7 +915,7 @@ class CI_Security {
return str_replace(
$match[1],
preg_replace(
- '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si',
+ '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si',
'',
$this->_filter_attributes($match[1])
),
@@ -935,7 +943,7 @@ class CI_Security {
return str_replace(
$match[1],
preg_replace(
- '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|base64\s*,)#si',
+ '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|base64\s*,)#si',
'',
$this->_filter_attributes($match[1])
),
diff --git a/system/database/DB_query_builder.php b/system/database/DB_query_builder.php
index d271964b9..744c4970e 100644
--- a/system/database/DB_query_builder.php
+++ b/system/database/DB_query_builder.php
@@ -673,7 +673,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver {
{
if ($escape === TRUE)
{
- $v = ' '.$this->escape($v);
+ $v = $this->escape($v);
}
if ( ! $this->_has_operator($k))
@@ -691,10 +691,11 @@ abstract class CI_DB_query_builder extends CI_DB_driver {
$k = substr($k, 0, $match[0][1]).($match[1][0] === '=' ? ' IS NULL' : ' IS NOT NULL');
}
- $this->{$qb_key}[] = array('condition' => $prefix.$k.$v, 'escape' => $escape);
+ ${$qb_key} = array('condition' => $prefix.$k, 'value' => $v, 'escape' => $escape);
+ $this->{$qb_key}[] = ${$qb_key};
if ($this->qb_caching === TRUE)
{
- $this->{$qb_cache_key}[] = array('condition' => $prefix.$k.$v, 'escape' => $escape);
+ $this->{$qb_cache_key}[] = ${$qb_key};
$this->qb_cache_exists[] = substr($qb_key, 3);
}
@@ -906,6 +907,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver {
$wh_in = array(
'condition' => $prefix.$key.$not.' IN('.implode(', ', $wh_in).')',
+ 'value' => NULL,
'escape' => $escape
);
@@ -1034,33 +1036,34 @@ abstract class CI_DB_query_builder extends CI_DB_driver {
$v = $this->escape_like_str($v);
}
- if ($side === 'none')
+ switch ($side)
{
- $like_statement = "{$prefix} {$k} {$not} LIKE '{$v}'";
- }
- elseif ($side === 'before')
- {
- $like_statement = "{$prefix} {$k} {$not} LIKE '%{$v}'";
- }
- elseif ($side === 'after')
- {
- $like_statement = "{$prefix} {$k} {$not} LIKE '{$v}%'";
- }
- else
- {
- $like_statement = "{$prefix} {$k} {$not} LIKE '%{$v}%'";
+ case 'none':
+ $v = "'{$v}'";
+ break;
+ case 'before':
+ $v = "%'{$v}'";
+ break;
+ case 'after':
+ $v = "'{$v}%'";
+ break;
+ case 'both':
+ default:
+ $v = "'%{$v}%'";
+ break;
}
// some platforms require an escape sequence definition for LIKE wildcards
if ($escape === TRUE && $this->_like_escape_str !== '')
{
- $like_statement .= sprintf($this->_like_escape_str, $this->_like_escape_chr);
+ $v .= sprintf($this->_like_escape_str, $this->_like_escape_chr);
}
- $this->qb_where[] = array('condition' => $like_statement, 'escape' => $escape);
+ $qb_where = array('condition' => "{$prefix} {$k} {$not} LIKE", 'value' => $v, 'escape' => $escape);
+ $this->qb_where[] = $qb_where;
if ($this->qb_caching === TRUE)
{
- $this->qb_cache_where[] = array('condition' => $like_statement, 'escape' => $escape);
+ $this->qb_cache_where[] = $qb_where;
$this->qb_cache_exists[] = 'where';
}
}
@@ -1085,6 +1088,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver {
$prefix = (count($this->qb_where) === 0 && count($this->qb_cache_where) === 0) ? '' : $type;
$where = array(
'condition' => $prefix.$not.str_repeat(' ', ++$this->qb_where_group_count).' (',
+ 'value' => NULL,
'escape' => FALSE
);
@@ -1145,6 +1149,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver {
$this->qb_where_group_started = FALSE;
$where = array(
'condition' => str_repeat(' ', $this->qb_where_group_count--).')',
+ 'value' => NULL,
'escape' => FALSE
);
@@ -1505,7 +1510,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver {
// --------------------------------------------------------------------
/**
- * Get_Where
+ * get_where()
*
* Allows the where clause, limit and offset to be added directly
*
@@ -2467,7 +2472,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver {
}
elseif ($this->{$qb_key}[$i]['escape'] === FALSE)
{
- $this->{$qb_key}[$i] = $this->{$qb_key}[$i]['condition'];
+ $this->{$qb_key}[$i] = $this->{$qb_key}[$i]['condition'].(isset($this->{$qb_key}[$i]['value']) ? ' '.$this->{$qb_key}[$i]['value'] : '');
continue;
}
@@ -2506,7 +2511,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver {
.' '.trim($matches[3]).$matches[4].$matches[5];
}
- $this->{$qb_key}[$i] = implode('', $conditions);
+ $this->{$qb_key}[$i] = implode('', $conditions).(isset($this->{$qb_key}[$i]['value']) ? ' '.$this->{$qb_key}[$i]['value'] : '');
}
return ($qb_key === 'qb_having' ? "\nHAVING " : "\nWHERE ")
diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php
index 1bd977390..b90db4bd2 100644
--- a/system/database/drivers/oci8/oci8_driver.php
+++ b/system/database/drivers/oci8/oci8_driver.php
@@ -97,7 +97,7 @@ class CI_DB_oci8_driver extends CI_DB {
*
* @var bool
*/
- public $limit_used;
+ public $limit_used = FALSE;
// --------------------------------------------------------------------
@@ -685,4 +685,17 @@ class CI_DB_oci8_driver extends CI_DB {
oci_close($this->conn_id);
}
+ // --------------------------------------------------------------------
+
+ /**
+ * We need to reset our $limit_used hack flag, so it doesn't propagate
+ * to subsequent queries.
+ *
+ * @return void
+ */
+ protected function _reset_select()
+ {
+ $this->limit_used = FALSE;
+ parent::_reset_select();
+ }
}
diff --git a/system/database/drivers/postgre/postgre_driver.php b/system/database/drivers/postgre/postgre_driver.php
index cae162e2e..e9b1e991c 100644
--- a/system/database/drivers/postgre/postgre_driver.php
+++ b/system/database/drivers/postgre/postgre_driver.php
@@ -218,8 +218,8 @@ class CI_DB_postgre_driver extends CI_DB {
* and so we'll have to fall back to running a query in
* order to get it.
*/
- return isset($pg_version['server'])
- ? $this->data_cache['version'] = $pg_version['server']
+ return (isset($pg_version['server']) && preg_match('#^(\d+\.\d+)#', $pg_version['server'], $match))
+ ? $this->data_cache['version'] = $match[1]
: parent::version();
}
@@ -348,8 +348,7 @@ class CI_DB_postgre_driver extends CI_DB {
*/
public function insert_id()
{
- $v = pg_version($this->conn_id);
- $v = isset($v['server']) ? $v['server'] : 0; // 'server' key is only available since PosgreSQL 7.4
+ $v = $this->version();
$table = (func_num_args() > 0) ? func_get_arg(0) : NULL;
$column = (func_num_args() > 1) ? func_get_arg(1) : NULL;
diff --git a/system/libraries/Email.php b/system/libraries/Email.php
index 1847cc96f..beb2ffa17 100644
--- a/system/libraries/Email.php
+++ b/system/libraries/Email.php
@@ -1824,7 +1824,11 @@ class CI_Email {
{
if (function_exists('idn_to_ascii') && $atpos = strpos($email, '@'))
{
- $email = self::substr($email, 0, ++$atpos).idn_to_ascii(self::substr($email, $atpos), 0, INTL_IDNA_VARIANT_UTS46);
+ list($account, $domain) = explode('@', $email, 2);
+ $domain = defined('INTL_IDNA_VARIANT_UTS46')
+ ? idn_to_ascii($domain, 0, INTL_IDNA_VARIANT_UTS46)
+ : idn_to_ascii($domain);
+ $email = $account.'@'.$domain;
}
return (filter_var($email, FILTER_VALIDATE_EMAIL) === $email && preg_match('#\A[a-z0-9._+-]+@[a-z0-9.-]{1,253}\z#i', $email));
diff --git a/system/libraries/Xmlrpc.php b/system/libraries/Xmlrpc.php
index 1d33b7742..8cc1c83f5 100644
--- a/system/libraries/Xmlrpc.php
+++ b/system/libraries/Xmlrpc.php
@@ -1179,7 +1179,7 @@ class XML_RPC_Message extends CI_Xmlrpc
$data = implode("\r\n", $lines);
// Parse XML data
- if ( ! xml_parse($parser, $data, count($data)))
+ if ( ! xml_parse($parser, $data, TRUE))
{
$errstr = sprintf('XML error: %s at line %d',
xml_error_string(xml_get_error_code($parser)),