path: root/system/core
Age | Commit message | Author | Files | Lines
2014-08-18 | [ci skip] Polish changes from PR #3176 | Andrey Andreev | 1 | -6/+6
2014-08-18 | Alter Pull #3176 to follow discussion | caseyh | 1 | -4/+4
2014-08-11 | CSRF whitelist supports regex | Casey Hancock | 1 | -4/+7
Signed-off-by: Casey Hancock <crh431@gmail.com>
2014-08-05 | Fix #3123 | Andrey Andreev | 1 | -1/+1
2014-07-14 | Merge pull request #3134 from kdazzle/patch-1 | Andrey Andreev | 1 | -1/+1
Return 403 instead of 500 if no CSRF token given
2014-07-14 | Add changelog entry for CSRF status code; remove line at EOF | Kyle Valade | 1 | -1/+1
2014-07-11 | Add setting ['composer_autoload'] | Andrey Andreev | 1 | -0/+17
Supersedes PR #3132
2014-07-07 | Fix potential bugs in password_hash(), CI_Encryption | Andrey Andreev | 1 | -3/+6
strlen(), substr() are not byte-safe when mbstring.func_overload is enabled
2014-07-07 | Add a backport (compat) for quoted_printable_encode() | Andrey Andreev | 1 | -2/+90
2014-07-07 | Fix a few typos and add a backport (compat) for hex2bin() | Andrey Andreev | 2 | -3/+50
2014-07-06 | Return 403 instead of 500 if no CSRF token given | Kyle Valade | 1 | -2/+2
Not supplying a CSRF token shouldn't return a 500 response because it isn't a server error. The response status code should definitely be in the 400's, because it's the client's fault. And it should be a 403 because the client is forbidden from making that request without the appropriate credential (the CSRF token), though the request may be otherwise valid. http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
2014-06-29 | Fixed eof | Graham Campbell | 1 | -1/+1
2014-06-29 | Fixed typo | Graham Campbell | 1 | -2/+2
2014-06-21 | Fix a _potential_ flaw in password_hash() | Andrey Andreev | 1 | -1/+4
2014-06-12 | remove the empty line at the end of file | Fu Xu | 1 | -1/+1
2014-06-12 | style change | Fu Xu | 1 | -1/+1
2014-06-12 | config load bug fix | Fu Xu | 1 | -2/+3
2014-06-12 | Fix #3101 | Andrey Andreev | 1 | -1/+1
2014-05-31 | A fix about loading language files - ensuring suffix '_lang' presence properly. | Ivan Tcholakov | 1 | -1/+1
2014-05-27 | fix callable hooks | Max | 1 | -1/+1
2014-05-27 | fix callable hooks | Max | 1 | -1/+1
2014-05-23 | Fix #3057 | Andrey Andreev | 1 | -66/+62
2014-05-19 | Fix caching of MIME config | vlakoff | 1 | -7/+14
* in get_mimes(): was missing isset() test
* in Email->_mimes_types(): static cache of reference was noneffective
refs 6ef498b49946ba74d610b3805fb908b163a7f03a
2014-05-19 | Merge pull request #3053 from vlakoff/get_config | Andrey Andreev | 1 | -7/+4
Simplify code in get_config()
2014-05-19 | Simplify code in get_config() | vlakoff | 1 | -7/+4
Exact same behavior. The reference was just redundant.
2014-05-18 | [ci skip] Add a note to CI_Model::__get() (issue #3046) | Andrey Andreev | 1 | -0/+4
2014-05-18 | Adjust docblock of load_class() | vlakoff | 1 | -1/+1
refs c26b9ebb00e29be2e972fece3bcf73d33249a64b
2014-05-09 | Suppress PHP 5.6 E_DEPRECATED warnings for mbstring.internal_encoding as well | Andrey Andreev | 1 | -1/+3
2014-05-09 | Add hash_equals() to ext/hash compat layer | Andrey Andreev | 1 | -0/+46
Introduced in PHP 5.6 Beta 1 (unfortunately, still undocumented). RFC: https://wiki.php.net/rfc/timing_attack (Yes, I am aware that the RFC talks about hash_compare(), the function was later renamed in the implementation.)
2014-05-08 | [ci skip] Update a comment for CI_Input::input_stream() | Andrey Andreev | 1 | -2/+2
2014-05-06 | Account for PHP 5.6 changes related to charsets | Andrey Andreev | 1 | -2/+10
2014-05-06 | xss_clean is not protecting GET requests that &item=/startwithslash | Documentopia.com | 1 | -1/+1
/webacd.do?isurlact=true&entactname=/webacd.do becomes /webacd.do?isurlact=true&entactname;=/webacd.do
This commit adds / to the regex so it will escape those GET requests related to issue #3030
2014-05-01 | Fix a typo | Andrey Andreev | 1 | -1/+1
2014-05-01 | Optimization in CI_URI::_set_uri_string() | Andrey Andreev | 1 | -1/+1
2014-05-01 | Fix docblock of URI->rsegments property | vlakoff | 1 | -1/+3
2014-04-29 | Merge branch 'develop' of github.com:EllisLab/CodeIgniter into develop | Andrey Andreev | 2 | -2/+2
2014-04-29 | Small fixes (PR #3022) | Andrey Andreev | 2 | -3/+3
- Fix incorrect variable in mb_strlen() compat
- Micro-optimization of array_replace(), array_replace_recursive() compat
2014-04-25 | Minor fixes | vlakoff | 2 | -2/+2
2014-04-15 | Merge pull request #3006 from vlakoff/security | Andrey Andreev | 1 | -1/+1
Fix in $_protected array of register_globals security procedure
2014-04-15 | #3005 | Andrey Andreev | 1 | -2/+1
2014-04-15 | Fix in $_protected array of register_globals security procedure | vlakoff | 1 | -1/+1
* Followup to b78a8c7d40446a3e2e36772706662fd033fe7d1d
* Just FYI, renamed to "system_path" in 0c1e405437ceb3c1888e151e6a400653310ad6c1
2014-04-15 | Fix #3004 | Andrey Andreev | 2 | -53/+52
2014-04-15 | Follow-up to aeed15eb8556ab671507f17ef9a8cf28903999aa | Andrey Andreev | 1 | -1/+1
2014-04-14 | Different method for handling "error_views_path" config item | vlakoff | 1 | -15/+10
2014-04-14 | Rename config item "error_templates_path" to "error_views_path" | vlakoff | 1 | -2/+2
2014-04-12 | Make the error templates path configurable | vlakoff | 1 | -2/+15
2014-04-09 | Minor changes in FV, Trackback | Andrey Andreev | 1 | -3/+0
2014-04-05 | Remove default parameter value of is_php() | vlakoff | 1 | -2/+2
It was simply pointless.
2014-04-01 | Merge pull request #2981 from vlakoff/base_url | Andrey Andreev | 1 | -3/+3
Work on determination of "base_url" config item
2014-04-01 | Discard the unwanted changes | vlakoff | 1 | -3/+10