Diffstat (limited to 'system')
-rw-r--r--system/core/Common.php9
-rw-r--r--system/core/Security.php19
-rw-r--r--system/database/DB_query_builder.php2
-rw-r--r--system/database/drivers/odbc/odbc_driver.php2
-rw-r--r--system/database/drivers/pdo/pdo_driver.php3
-rw-r--r--system/database/drivers/pdo/subdrivers/pdo_pgsql_driver.php6
-rw-r--r--system/helpers/captcha_helper.php2
-rw-r--r--system/helpers/download_helper.php2
-rw-r--r--system/helpers/file_helper.php3
-rw-r--r--system/libraries/Session/drivers/Session_cookie.php10
-rw-r--r--system/libraries/Zip.php2
11 files changed, 41 insertions, 19 deletions
diff --git a/system/core/Common.php b/system/core/Common.php
index cfc63c2aa..07f0c6dfd 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -598,14 +598,14 @@ if ( ! function_exists('_exception_handler'))
return;
}
+ $_error->log_exception($severity, $message, $filepath, $line);
+
// Should we display the error?
if ((bool) ini_get('display_errors') === TRUE)
{
$_error->show_php_error($severity, $message, $filepath, $line);
}
- $_error->log_exception($severity, $message, $filepath, $line);
-
// If the error is fatal, the execution of the script should be stopped because
// errors can't be recovered from. Halting the script conforms with PHP's
// default error handling. See http://www.php.net/manual/en/errorfunc.constants.php
@@ -756,6 +756,11 @@ if ( ! function_exists('function_usable'))
* *suhosin.executor.disable_eval*. These settings will just
* terminate script execution if a disabled function is executed.
*
+ * The above described behavior turned out to be a bug in Suhosin,
+ * but even though a fix was commited for 0.9.34 on 2012-02-12,
+ * that version is yet to be released. This function will therefore
+ * be just temporary, but would probably be kept for a few years.
+ *
* @link http://www.hardened-php.net/suhosin/
* @param string $function_name Function to check for
* @return bool TRUE if the function exists and is safe to call,
diff --git a/system/core/Security.php b/system/core/Security.php
index 49e5ab411..cbff38b30 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -433,6 +433,12 @@ class CI_Security {
* We used to do some version comparisons and use of stripos for PHP5,
* but it is dog slow compared to these simplified non-capturing
* preg_match(), especially if the pattern exists in the string
+ *
+ * Note: It was reported that not only space characters, but all in
+ * the following pattern can be parsed as separators between a tag name
+ * and its attributes: [\d\s"\'`;,\/\=\(\x00\x0B\x09\x0C]
+ * ... however, remove_invisible_characters() above already strips the
+ * hex-encoded ones, so we'll skip them below.
*/
do
{
@@ -440,12 +446,12 @@ class CI_Security {
if (preg_match('/<a/i', $str))
{
- $str = preg_replace_callback('#<a\s+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
+ $str = preg_replace_callback('#<a[\s\d"\'`;/=,\(]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
}
if (preg_match('/<img/i', $str))
{
- $str = preg_replace_callback('#<img\s+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str);
+ $str = preg_replace_callback('#<img[\s\d"\'`;/=,\(]+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str);
}
if (preg_match('/script|xss/i', $str))
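Review bot: The new separator class `[\s\d"\'`;/=,\(]+` is written out twice, once in the `<a` pattern and once in the `<img` pattern, so the next separator someone reports will have to be added in two places; hoist it into a local (`$separators`) built once before the `do` and interpolate it into both `preg_replace_callback()` patterns. The comment above also says the hex-encoded separators (`\x00`, `\x0B`, `\x09`, `\x0C`) are deliberately left out because remove_invisible_characters() strips them, which makes these two patterns only as strong as the guarantee that that call has already run on the same string — presumably earlier in xss_clean(), outside this hunk — so state that dependency at the point of use, e.g. `// relies on remove_invisible_characters() having already run on $str`. The enclosing do-while loop opens in this hunk but closes beyond it.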
@@ -469,7 +475,7 @@ class CI_Security {
* So this: <blink>
* Becomes: &lt;blink&gt;
*/
- $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|video|svg|xml|xss';
+ $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|math|video|svg|xml|xss';
$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
/*
@@ -661,8 +667,7 @@ class CI_Security {
*/
protected function _remove_evil_attributes($str, $is_image)
{
- // Formaction, style, and xmlns
- $evil_attributes = array('style', 'xmlns', 'formaction', 'form', 'xlink:href');
+ $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href');
if ($is_image === TRUE)
{
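Review bot: `on\w*` is a regex fragment in an array that otherwise holds literal attribute names, and the comment that documented the list was deleted rather than updated; because the array is imploded straight into the patterns further down, a reader needs to know that every entry is interpreted as PCRE, not compared literally. Suggest restoring a comment such as `// Regex fragments (imploded into the patterns below): every on* event handler, plus style, xmlns, formaction, form and xlink:href`. `\w` also covers digits and underscore, so names like `on_foo=` are stripped too, which is the conservative choice for an XSS filter and worth a word in that comment. The rest of _remove_evil_attributes() continues beyond this hunk.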
@@ -678,7 +683,7 @@ class CI_Security {
$attribs = array();
// find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
- preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
+ preg_match_all('/(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
foreach ($matches as $attr)
{
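Review bot: `[^\\2]*?` on the changed line does not exclude the opening quote as it appears to — inside a character class PCRE reads `\2` as the octal escape for chr(2), not as a backreference, so the class means "anything except \x02"; the match only stops at the closing quote because the quantifier is lazy and the trailing `(\\2)` backreference must then match. The behaviour is therefore correct but the intent is misleading to the next maintainer, and `(.*?)` under the `s` modifier says exactly what happens: `preg_match_all('/(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)(.*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);`. The foreach body that consumes `$matches` lies outside the hunk.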
@@ -686,7 +691,7 @@ class CI_Security {
}
// find occurrences of illegal attribute strings without quotes
- preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
+ preg_match_all('/(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
foreach ($matches as $attr)
{
diff --git a/system/database/DB_query_builder.php b/system/database/DB_query_builder.php
index 8223baac1..ef690090f 100644
--- a/system/database/DB_query_builder.php
+++ b/system/database/DB_query_builder.php
@@ -263,7 +263,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver {
$select = explode(',', $select);
}
- // If the escape value was not set will will base it on the global setting
+ // If the escape value was not set, we will base it on the global setting
is_bool($escape) OR $escape = $this->_protect_identifiers;
foreach ($select as $val)
diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php
index 45e91cbc5..6f635bdfb 100644
--- a/system/database/drivers/odbc/odbc_driver.php
+++ b/system/database/drivers/odbc/odbc_driver.php
@@ -222,7 +222,7 @@ class CI_DB_odbc_driver extends CI_DB {
*/
public function affected_rows()
{
- return @odbc_num_rows($this->conn_id);
+ return @odbc_num_rows($this->result_id);
}
// --------------------------------------------------------------------
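Review bot: `odbc_num_rows()` is now given `$this->result_id`, but nothing checks that a result exists, and the `@` hides the warning PHP raises when the argument is not a resource, so `affected_rows()` called before any query (or after a failed one) quietly returns the failed-parameter-check value rather than an integer 0. Guard it instead of suppressing it: `return is_resource($this->result_id) ? odbc_num_rows($this->result_id) : 0;`. Callers should also know that ODBC reports -1 when the driver cannot determine the count, which deserves a line in the method's docblock (just above this hunk).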
diff --git a/system/database/drivers/pdo/pdo_driver.php b/system/database/drivers/pdo/pdo_driver.php
index 184a8df33..3f4275f64 100644
--- a/system/database/drivers/pdo/pdo_driver.php
+++ b/system/database/drivers/pdo/pdo_driver.php
@@ -92,7 +92,7 @@ class CI_DB_pdo_driver extends CI_DB {
{
$this->subdriver = '4d';
}
- elseif ( ! in_array($this->subdriver, array('4d', 'cubrid', 'dblib', 'firebird', 'ibm', 'informix', 'mysql', 'oci', 'odbc', 'sqlite', 'sqlsrv'), TRUE))
+ elseif ( ! in_array($this->subdriver, array('4d', 'cubrid', 'dblib', 'firebird', 'ibm', 'informix', 'mysql', 'oci', 'odbc', 'pgsql', 'sqlite', 'sqlsrv'), TRUE))
{
log_message('error', 'PDO: Invalid or non-existent subdriver');
@@ -117,7 +117,6 @@ class CI_DB_pdo_driver extends CI_DB {
{
$this->options[PDO::ATTR_PERSISTENT] = $persistent;
- // Connecting...
try
{
return @new PDO($this->dsn, $this->username, $this->password, $this->options);
diff --git a/system/database/drivers/pdo/subdrivers/pdo_pgsql_driver.php b/system/database/drivers/pdo/subdrivers/pdo_pgsql_driver.php
index 6ee327bd5..507abda51 100644
--- a/system/database/drivers/pdo/subdrivers/pdo_pgsql_driver.php
+++ b/system/database/drivers/pdo/subdrivers/pdo_pgsql_driver.php
@@ -84,6 +84,12 @@ class CI_DB_pdo_pgsql_driver extends CI_DB_pdo_driver {
empty($this->port) OR $this->dsn .= ';port='.$this->port;
empty($this->database) OR $this->dsn .= ';dbname='.$this->database;
+
+ if ( ! empty($this->username))
+ {
+ $this->dsn .= ';username='.$this->username;
+ empty($this->password) OR $this->dsn .= ';password='.$this->password;
+ }
}
}
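Review bot: `;username=` is not the DSN keyword pdo_pgsql documents — the PHP manual's PDO_PGSQL DSN uses `user` and `password`, and the DSN is handed through to libpq, which rejects unknown connection options — so as written the connection would most likely fail whenever a username is configured; verify against a live connection before merging. Embedding the credentials in the DSN is also unnecessary: `db_connect()` in pdo_driver.php already passes `$this->username` and `$this->password` as separate arguments to `new PDO()` (visible in the pdo_driver hunk above), and as far as I recall the driver quotes those, whereas here a password containing a space, `'` or `\` is concatenated raw into a connection string, and the DSN property, which tends to surface in debug output, now carries the secret. The safest change is to drop the added block; if a DSN-only form is really wanted, it should read `$this->dsn .= ';user='.$this->username;`.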
diff --git a/system/helpers/captcha_helper.php b/system/helpers/captcha_helper.php
index 24cd53568..b61b2d5cf 100644
--- a/system/helpers/captcha_helper.php
+++ b/system/helpers/captcha_helper.php
@@ -82,7 +82,7 @@ if ( ! function_exists('create_captcha'))
}
if ($img_path === '' OR $img_url === ''
- OR ! @is_dir($img_path) OR ! is_writeable($img_path)
+ OR ! @is_dir($img_path) OR ! is_really_writable($img_path)
OR ! extension_loaded('gd'))
{
return FALSE;
diff --git a/system/helpers/download_helper.php b/system/helpers/download_helper.php
index 4fe6a0e88..9a6f684e4 100644
--- a/system/helpers/download_helper.php
+++ b/system/helpers/download_helper.php
@@ -120,7 +120,7 @@ if ( ! function_exists('force_download'))
// Clean output buffer
if (ob_get_level() !== 0 && @ob_end_clean() === FALSE)
{
- ob_clean();
+ @ob_clean();
}
// Generate the server headers
diff --git a/system/helpers/file_helper.php b/system/helpers/file_helper.php
index 0587740b1..ae3db5846 100644
--- a/system/helpers/file_helper.php
+++ b/system/helpers/file_helper.php
@@ -298,8 +298,7 @@ if ( ! function_exists('get_file_info'))
$fileinfo['readable'] = is_readable($file);
break;
case 'writable':
- // There are known problems using is_weritable on IIS. It may not be reliable - consider fileperms()
- $fileinfo['writable'] = is_writable($file);
+ $fileinfo['writable'] = is_really_writable($file);
break;
case 'executable':
$fileinfo['executable'] = is_executable($file);
diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php
index 971dfeabe..c8dfad6c9 100644
--- a/system/libraries/Session/drivers/Session_cookie.php
+++ b/system/libraries/Session/drivers/Session_cookie.php
@@ -395,7 +395,15 @@ class CI_Session_cookie extends CI_Session_driver {
$hmac = substr($session, $len);
$session = substr($session, 0, $len);
- if ($hmac !== hash_hmac('sha1', $session, $this->encryption_key))
+ // Time-attack-safe comparison
+ $hmac_check = hash_hmac('sha1', $session, $this->encryption_key);
+ $diff = 0;
+ for ($i = 0; $i < 40; $i++)
+ {
+ $diff |= ord($hmac[$i]) ^ ord($hmac_check[$i]);
+ }
+
+ if ($diff !== 0)
{
log_message('error', 'The session cookie data did not match what was expected.');
$this->sess_destroy();
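Review bot: The loop reads `$hmac[$i]` for 40 positions without first checking that `$hmac` is 40 bytes long; `$hmac` comes from the `substr()` at the top of the hunk and `$len` is computed outside it, so a truncated or tampered cookie can leave it shorter, in which case every out-of-range read raises an "Uninitialized string offset" notice (sent to the client when display_errors is on) even though the mismatch is still caught because `ord('')` is 0. Add a length check before the loop, and prefer `hash_equals()` where it exists (PHP 5.6+) with the manual XOR kept as the fallback for the older versions this file still targets; derive the length from `$hmac_check` rather than hard-coding 40. The surrounding method continues beyond the hunk.
```php
			// Time-attack-safe comparison
			$hmac_check = hash_hmac('sha1', $session, $this->encryption_key);
			if (function_exists('hash_equals'))
			{
				$diff = hash_equals($hmac_check, (string) $hmac) ? 0 : 1;
			}
			elseif (strlen($hmac) !== strlen($hmac_check))
			{
				// Length mismatch is not secret; reject without reading past the string
				$diff = 1;
			}
			else
			{
				$diff = 0;
				for ($i = 0, $c = strlen($hmac_check); $i < $c; $i++)
				{
					$diff |= ord($hmac[$i]) ^ ord($hmac_check[$i]);
				}
			}

			if ($diff !== 0)
			// … unchanged: log_message() and sess_destroy() …
```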
diff --git a/system/libraries/Zip.php b/system/libraries/Zip.php
index b10b0bb0f..58f06455c 100644
--- a/system/libraries/Zip.php
+++ b/system/libraries/Zip.php
@@ -294,7 +294,7 @@ class CI_Zip {
{
$name = str_replace('\\', '/', $path);
- if ($preserve_filepath === FALSE)
+ if ($archive_filepath === FALSE)
{
$name = preg_replace('|.*/(.+)|', '\\1', $name);
}