diff options
Diffstat (limited to 'system')
| -rw-r--r-- | system/core/Security.php | 43 | ||||
| -rw-r--r-- | system/database/drivers/pdo/pdo_driver.php | 4 | ||||
| -rw-r--r-- | system/helpers/form_helper.php | 9 | ||||
| -rw-r--r-- | system/libraries/Cache/drivers/Cache_apc.php | 2 | ||||
| -rw-r--r-- | system/libraries/Cache/drivers/Cache_memcached.php | 2 | ||||
| -rw-r--r-- | system/libraries/Cache/drivers/Cache_redis.php | 2 | ||||
| -rw-r--r-- | system/libraries/Cache/drivers/Cache_wincache.php | 2 | ||||
| -rw-r--r-- | system/libraries/Session/Session.php | 39 |
8 files changed, 56 insertions, 47 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index 196d61144..70cf3e013 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -38,6 +38,30 @@ defined('BASEPATH') OR exit('No direct script access allowed'); class CI_Security { /** + * List of sanitize filename strings + * + * @var array + */ + public $filename_bad_chars = array( + '../', '<!--', '-->', '<', '>', + "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', + ';', '?', '%20', '%22', + '%3c', // < + '%253c', // < + '%3e', // > + '%0e', // > + '%28', // ( + '%29', // ) + '%2528', // ( + '%26', // & + '%24', // $ + '%3f', // ? + '%3b', // ; + '%3d' // = + ); + + /** * XSS Hash * * Random Hash for protecting URLs. @@ -549,24 +573,7 @@ class CI_Security { */ public function sanitize_filename($str, $relative_path = FALSE) { - $bad = array( - '../', '<!--', '-->', '<', '>', - "'", '"', '&', '$', '#', - '{', '}', '[', ']', '=', - ';', '?', '%20', '%22', - '%3c', // < - '%253c', // < - '%3e', // > - '%0e', // > - '%28', // ( - '%29', // ) - '%2528', // ( - '%26', // & - '%24', // $ - '%3f', // ? - '%3b', // ; - '%3d' // = - ); + $bad = $this->filename_bad_chars; if ( ! $relative_path) { diff --git a/system/database/drivers/pdo/pdo_driver.php b/system/database/drivers/pdo/pdo_driver.php index fa89661b1..184a8df33 100644 --- a/system/database/drivers/pdo/pdo_driver.php +++ b/system/database/drivers/pdo/pdo_driver.php @@ -69,7 +69,7 @@ class CI_DB_pdo_driver extends CI_DB { { parent::__construct($params); - if (preg_match('/([^;]+):/', $this->dsn, $match) && count($match) === 2) + if (preg_match('/([^:]+):/', $this->dsn, $match) && count($match) === 2) { // If there is a minimum valid dsn string pattern found, we're done // This is for general PDO users, who tend to have a full DSN string. @@ -77,7 +77,7 @@ class CI_DB_pdo_driver extends CI_DB { return; } // Legacy support for DSN specified in the hostname field - elseif (preg_match('/([^;]+):/', $this->hostname, $match) && count($match) === 2) + elseif (preg_match('/([^:]+):/', $this->hostname, $match) && count($match) === 2) { $this->dsn = $this->hostname; $this->hostname = NULL; diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 6fca73f85..146c0f588 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -931,9 +931,9 @@ if ( ! function_exists('_attributes_to_string')) */ function _attributes_to_string($attributes) { - if (is_string($attributes)) + if (empty($attributes)) { - return ($attributes === '' ? '' : ' '.$attributes); + return ''; } if (is_object($attributes)) @@ -953,6 +953,11 @@ if ( ! function_exists('_attributes_to_string')) return $atts; } + if (is_string($attributes)) + { + return ' '.$attributes; + } + return FALSE; } } diff --git a/system/libraries/Cache/drivers/Cache_apc.php b/system/libraries/Cache/drivers/Cache_apc.php index 127a220a7..a84e7d2d3 100644 --- a/system/libraries/Cache/drivers/Cache_apc.php +++ b/system/libraries/Cache/drivers/Cache_apc.php @@ -150,7 +150,7 @@ class CI_Cache_apc extends CI_Driver { { if ( ! extension_loaded('apc') OR ! (bool) @ini_get('apc.enabled')) { - log_message('error', 'The APC PHP extension must be loaded to use APC Cache.'); + log_message('debug', 'The APC PHP extension must be loaded to use APC Cache.'); return FALSE; } diff --git a/system/libraries/Cache/drivers/Cache_memcached.php b/system/libraries/Cache/drivers/Cache_memcached.php index 35d91049a..d2a3a489d 100644 --- a/system/libraries/Cache/drivers/Cache_memcached.php +++ b/system/libraries/Cache/drivers/Cache_memcached.php @@ -240,7 +240,7 @@ class CI_Cache_memcached extends CI_Driver { { if ( ! extension_loaded('memcached') && ! extension_loaded('memcache')) { - log_message('error', 'The Memcached Extension must be loaded to use Memcached Cache.'); + log_message('debug', 'The Memcached Extension must be loaded to use Memcached Cache.'); return FALSE; } diff --git a/system/libraries/Cache/drivers/Cache_redis.php b/system/libraries/Cache/drivers/Cache_redis.php index 484f284f1..40823fcb4 100644 --- a/system/libraries/Cache/drivers/Cache_redis.php +++ b/system/libraries/Cache/drivers/Cache_redis.php @@ -168,7 +168,7 @@ class CI_Cache_redis extends CI_Driver } else { - log_message('error', 'The Redis extension must be loaded to use Redis cache.'); + log_message('debug', 'The Redis extension must be loaded to use Redis cache.'); return FALSE; } } diff --git a/system/libraries/Cache/drivers/Cache_wincache.php b/system/libraries/Cache/drivers/Cache_wincache.php index d749978f5..80d3ac13d 100644 --- a/system/libraries/Cache/drivers/Cache_wincache.php +++ b/system/libraries/Cache/drivers/Cache_wincache.php @@ -150,7 +150,7 @@ class CI_Cache_wincache extends CI_Driver { { if ( ! extension_loaded('wincache')) { - log_message('error', 'The Wincache PHP extension must be loaded to use Wincache Cache.'); + log_message('debug', 'The Wincache PHP extension must be loaded to use Wincache Cache.'); return FALSE; } diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php index c7f6f828c..659a0269e 100644 --- a/system/libraries/Session/Session.php +++ b/system/libraries/Session/Session.php @@ -60,11 +60,18 @@ class CI_Session extends CI_Driver_Library { public $params = array(); /** + * Valid drivers list + * + * @var array + */ + public $valid_drivers = array('native', 'cookie'); + + /** * Current driver in use * * @var string */ - protected $current = NULL; + public $current = NULL; /** * User data @@ -105,36 +112,26 @@ class CI_Session extends CI_Driver_Library { log_message('debug', 'CI_Session Class Initialized'); - // Get valid drivers list - $this->valid_drivers = array( - 'native', - 'cookie' - ); - $key = 'sess_valid_drivers'; - $drivers = isset($params[$key]) ? $params[$key] : $CI->config->item($key); - if ($drivers) + // Add possible extra entries to our valid drivers list + $drivers = isset($params['sess_valid_drivers']) ? $params['sess_valid_drivers'] : $CI->config->item('sess_valid_drivers'); + if ( ! empty($drivers)) { - // Add driver names to valid list - foreach ((array) $drivers as $driver) - { - if ( ! in_array(strtolower($driver), array_map('strtolower', $this->valid_drivers))) - { - $this->valid_drivers[] = $driver; - } - } + $drivers = array_map('strtolower', (array) $drivers); + $this->valid_drivers = array_merge($this->valid_drivers, array_diff($drivers, $this->valid_drivers)); } // Get driver to load - $key = 'sess_driver'; - $driver = isset($params[$key]) ? $params[$key] : $CI->config->item($key); + $driver = isset($params['sess_driver']) ? $params['sess_driver'] : $CI->config->item('sess_driver'); if ( ! $driver) { + log_message('debug', "Session: No driver name is configured, defaulting to 'cookie'."); $driver = 'cookie'; } - if ( ! in_array(strtolower($driver), array_map('strtolower', $this->valid_drivers))) + if ( ! in_array($driver, $this->valid_drivers)) { - $this->valid_drivers[] = $driver; + log_message('error', 'Session: Configured driver name is not valid, aborting.'); + return; } // Save a copy of parameters in case drivers need access |