diff options
Diffstat (limited to 'user_guide_src/source')
-rw-r--r-- | user_guide_src/source/changelog.rst | 8 | ||||
-rw-r--r-- | user_guide_src/source/conf.py | 4 | ||||
-rw-r--r-- | user_guide_src/source/installation/upgrade_300.rst | 45 | ||||
-rw-r--r-- | user_guide_src/source/installation/upgrade_303.rst | 43 |
4 files changed, 95 insertions, 5 deletions
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index f9f451d98..d67ae4e8c 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -5,7 +5,13 @@ Change Log Version 3.0.3 ============= -Release Date: Not Released +Release Date: October 31, 2015 + +- **Security** + + - Fixed an XSS attack vector in :doc:`Security Library <libraries/security>` method ``xss_clean()``. + - Changed :doc:`Config Library <libraries/config>` method ``base_url()`` to fallback to ``$_SERVER['SERVER_ADDR']`` when ``$config['base_url']`` is empty in order to avoid *Host* header injections. + - Changed :doc:`CAPTCHA Helper <helpers/captcha_helper>` to use the operating system's PRNG when possible. - Database diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py index 46e033ec8..031f95e2d 100644 --- a/user_guide_src/source/conf.py +++ b/user_guide_src/source/conf.py @@ -48,9 +48,9 @@ copyright = u'2014 - 2015, British Columbia Institute of Technology' # built documents. # # The short X.Y version. -version = '3.0.3-dev' +version = '3.0.3' # The full version, including alpha/beta/rc tags. -release = '3.0.3-dev' +release = '3.0.3' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 4b3b408a7..a29f400f8 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -464,8 +464,51 @@ files and error messages format: Therefore you're encouraged to update its usage sooner rather than later. +************************************************************ +Step 19: Make sure your 'base_url' config value is not empty +************************************************************ + +When ``$config['base_url']`` is not set, CodeIgniter tries to automatically +detect what your website's base URL is. This is done purely for convenience +when you are starting development of a new application. + +Auto-detection is never reliable and also has security implications, which +is why you should **always** have it manually configured! + +One of the changes in CodeIgniter 3.0.3 is how this auto-detection works, +and more specifically it now falls back to the server's IP address instead +of the hostname requested by the client. Therefore, if you've ever relied +on auto-detection, it will change how your website works now. + +In case you need to allow e.g. multiple domains, or both http:// and +https:// prefixes to be dynamically used depending on the request, +remember that *application/config/config.php* is still a PHP script, in +which you can create this logic with a few lines of code. For example:: + + $allowed_domains = array('domain1.tld', 'domain2.tld'); + $default_domain = 'domain1.tld'; + + if (in_array($_SERVER['HTTP_HOST'], $allowed_domains, TRUE)) + { + $domain = $_SERVER['HTTP_HOST']; + } + else + { + $domain = $default_domain; + } + + if ( ! empty($_SERVER['HTTPS'])) + { + $config['base_url'] = 'https://'.$domain; + } + else + { + $config['base_url'] = 'http://'.$domain; + } + + **************************************************************** -Step 19: Remove usage of (previously) deprecated functionalities +Step 20: Remove usage of (previously) deprecated functionalities **************************************************************** In addition to the ``$autoload['core']`` configuration setting, there's a diff --git a/user_guide_src/source/installation/upgrade_303.rst b/user_guide_src/source/installation/upgrade_303.rst index a98eed0d4..d13a0fe46 100644 --- a/user_guide_src/source/installation/upgrade_303.rst +++ b/user_guide_src/source/installation/upgrade_303.rst @@ -11,4 +11,45 @@ Step 1: Update your CodeIgniter files Replace all files and directories in your *system/* directory. .. note:: If you have any custom developed files in these directories, - please make copies of them first.
\ No newline at end of file + please make copies of them first. + +Step 2: Make sure your 'base_url' config value is not empty +=========================================================== + +When ``$config['base_url']`` is not set, CodeIgniter tries to automatically +detect what your website's base URL is. This is done purely for convenience +when you are starting development of a new application. + +Auto-detection is never reliable and also has security implications, which +is why you should **always** have it manually configured! + +One of the changes in CodeIgniter 3.0.3 is how this auto-detection works, +and more specifically it now falls back to the server's IP address instead +of the hostname requested by the client. Therefore, if you've ever relied +on auto-detection, it will change how your website works now. + +In case you need to allow e.g. multiple domains, or both http:// and +https:// prefixes to be dynamically used depending on the request, +remember that *application/config/config.php* is still a PHP script, in +which you can create this logic with a few lines of code. For example:: + + $allowed_domains = array('domain1.tld', 'domain2.tld'); + $default_domain = 'domain1.tld'; + + if (in_array($_SERVER['HTTP_HOST'], $allowed_domains, TRUE)) + { + $domain = $_SERVER['HTTP_HOST']; + } + else + { + $domain = $default_domain; + } + + if ( ! empty($_SERVER['HTTPS'])) + { + $config['base_url'] = 'https://'.$domain; + } + else + { + $config['base_url'] = 'http://'.$domain; + } |