path: root/system/core/Security.php
Age | Commit message | Author | Files | Lines

2015-01-20 | [ci skip] Change some log messages' level | Andrey Andreev | 1 | -4/+3
    'Class Loaded' type of messages flood log files when log_threshold is set to 2 (debug). They're now logged as 'info' level. This is manually applying PR #1528, which was created to do the same thing, but became outdated.
2015-01-09 | Bulk (mostly documentation) update | Andrey Andreev | 1 | -3/+3
    - Remove PHP version from license notices
    - Bump year number in copyright notices
    - Recommend PHP 5.4 or newer to be used
    - Tell Travis-CI to test on PHP 5.3.0 instead of the latest 5.3 version
    Related: #3450
2015-01-09 | Fix E_WARNING in CI_Security::entity_decode() on PHP<5.3.4 | Andrey Andreev | 1 | -1/+6
    Related: #3057
    Previous commit: 487d1ae060e6414e0a59c9752a4914fa3b8c4710
2014-12-16 | Remove trailing newline | Jason Taylor | 1 | -1/+1
2014-12-16 | Fix Issue #3417 | warpcode | 1 | -2/+2
2014-12-08 | Fix 'Array to string conversion' notice in CSRF validation | Andrey Andreev | 1 | -2/+2
    Rel: #3398
2014-10-27 | [ci skip] Switch to MIT license; close #3293 | Andrey Andreev | 1 | -14/+25
2014-10-06 | Update a config_item() use case for the new NULL return value | Andrey Andreev | 1 | -1/+1
2014-10-05 | config_item() to return NULL instead of FALSE for non-existing items | Andrey Andreev | 1 | -3/+3
    Close #3001
    Close #3232
    Related: #3244
2014-10-02 | stream_set_chunk_size() requires PHP 5.4 | Andrey Andreev | 1 | -1/+2
2014-09-30 | Make sure we don't waste entropy | Andrey Andreev | 1 | -0/+1
2014-09-28 | [ci skip] Remove references to 'PHP5' from comments | Andrey Andreev | 1 | -1/+1
2014-09-17 | Fix a defined() check | Andrey Andreev | 1 | -1/+1
    Close #3233
2014-09-12 | Fix #3228 | Andrey Andreev | 1 | -2/+0
2014-08-28 | Fix CI_Security::get_random_bytes() length validation | Andrey Andreev | 1 | -1/+1
2014-08-27 | Add CI_Security::get_random_bytes() for CSRF & XSS token generation | Andrey Andreev | 1 | -7/+54
2014-08-18 | [ci skip] Polish changes from PR #3176 | Andrey Andreev | 1 | -6/+6
2014-08-18 | Alter Pull #3176 to follow discussion | caseyh | 1 | -4/+4
2014-08-11 | CSRF whitelist supports regex | Casey Hancock | 1 | -4/+7
    Signed-off-by: Casey Hancock <crh431@gmail.com>
2014-08-05 | Fix #3123 | Andrey Andreev | 1 | -1/+1
2014-07-14 | Add changelog entry for CSRF status code; remove line at EOF | Kyle Valade | 1 | -1/+1
2014-07-06 | Return 403 instead of 500 if no CSRF token given | Kyle Valade | 1 | -2/+2
    Not supplying a CSRF token shouldn't return a 500 response because it isn't a server error. The response status code should definitely be in the 400's, because it's the client's fault. And it should be a 403 because the client is forbidden from making that request without the appropriate credential (the CSRF token), though the request may be otherwise valid. http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
2014-06-29 | Fixed eof | Graham Campbell | 1 | -1/+1
2014-06-29 | Fixed typo | Graham Campbell | 1 | -2/+2
2014-05-23 | Fix #3057 | Andrey Andreev | 1 | -66/+62
2014-05-06 | xss_clean is not protecting GET requests that &item=/startwithslash | Documentopia.com | 1 | -1/+1
    /webacd.do?isurlact=true&entactname=/webacd.do becomes /webacd.do?isurlact=true&entactname;=/webacd.do
    This commit adds / to the regex so it will escape those GET requests. Related to issue #3030
2014-03-18 | More xss_clean() improvements | Andrey Andreev | 1 | -2/+2
    Issue described in https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-37980030 + a false positive
2014-03-18 | Another xss_clean() improvement | Andrey Andreev | 1 | -2/+2
    Fixes this: https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-37958136
2014-03-18 | xss_clean() improvement | Andrey Andreev | 1 | -4/+4
    Fixes this: https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-37819186
2014-02-11 | 2013 > 2014 | darwinel | 1 | -1/+1
    Update copyright notices from 2013 to 2014. And update one calendar example in user_guide from year 2013/2014 to 2014/2015.
2014-02-10 | CI_Security: URL-decode until possible | Andrey Andreev | 1 | -1/+5
2014-02-10 | [ci skip] Fix a typo | Andrey Andreev | 1 | -1/+1
2014-02-10 | CI_Security: Expect a backslash as a tag separator | Andrey Andreev | 1 | -2/+2
2014-02-10 | CI_Security: Filter jscript, wscript, vbs, confirm, prompt the same way as javascript, alert | Andrey Andreev | 1 | -6/+10
2014-01-25 | Add <math> to 'naughty' HTML elements | Andrey Andreev | 1 | -1/+1
2014-01-25 | Previous commit caused side effects ... | Andrey Andreev | 1 | -2/+2
2014-01-25 | Fix CI_Security::_remove_evil_attributes() being way too aggressive | Andrey Andreev | 1 | -2/+2
2014-01-25 | Re-add 'on\w*' to evil attributes (rel #2667) | Andrey Andreev | 1 | -2/+1
2014-01-25 | Partially fix #2667 | Andrey Andreev | 1 | -2/+8
2014-01-24 | CI_Security: Also add <svg> to 'naughty' HTML elements | Andrey Andreev | 1 | -1/+1
2014-01-24 | CI_Security: Add <select> and <keygen> tags to the list of 'naughty' HTML elements | Andrey Andreev | 1 | -1/+1
2014-01-24 | Fix syntax errors | Andrey Andreev | 1 | -2/+2
2014-01-24 | CI_Security: Add 'form' and 'xlink:href' to evil attributes | Andrey Andreev | 1 | -1/+1
2014-01-24 | Add &newline; and &tab; to CI_Security:: | Andrey Andreev | 1 | -1/+3
2014-01-22 | CI_Security::_decode_entity() to replace dangerous HTML5 entities | Andrey Andreev | 1 | -1/+19
    Related to issue #2771
2014-01-21 | Add <button> to the list of 'naughty' html elements in CI_Security::xss_clean() | Andrey Andreev | 1 | -2/+2
2014-01-20 | Fix #2729 | Andrey Andreev | 1 | -2/+3
2014-01-18 | Fix #2829 | Andrey Andreev | 1 | -4/+4
2014-01-07 | Fix #2268 (manually implementing PR #2269) | Andrey Andreev | 1 | -3/+3
2013-10-18 | Eh ... preg_replace() needs a replacement | Andrey Andreev | 1 | -2/+2