summaryrefslogtreecommitdiffstats
path: root/system
AgeCommit message (Collapse)AuthorFilesLines
2015-09-07Remove unnecessary count() calls from _sanitize_globals()Andrey Andreev1-3/+3
foreach() just won't execute for an empty array, it does that check internally.
2015-09-07Move csrf_verify() call out of _sanitize_globals()Andrey Andreev1-6/+6
It doesn't belong in there.
2015-09-03Fix #4096Andrey Andreev1-1/+1
2015-09-01Fix #4093Andrey Andreev1-1/+1
2015-09-01There was an extra = sign in this fileMarco Monteiro1-1/+1
2015-08-31[ci skip] Fix #4091Andrey Andreev1-1/+1
2015-08-31Fix #4086Andrey Andreev1-13/+13
2015-08-31Fix #4073Andrey Andreev1-7/+16
2015-08-31Fix #4066Andrey Andreev2-18/+6
2015-08-20Fix #4065Andrey Andreev1-1/+1
2015-08-19[ci skip] Fix 'sqlsrv' connect failure endless loopAndrey Andreev1-7/+8
Reported via the forums: http://forum.codeigniter.com/thread-61494.html
2015-08-17Allow capitals in the middle of model namesAndrey Andreev1-1/+1
Requested in #4059
2015-08-15Fix #4056Andrey Andreev1-1/+1
2015-08-14Fix #4052Andrey Andreev1-20/+0
The bug actually had two instances: - Callback routes with literal matches and HTTP verbs has never worked - The reported issue in #4052, which is a regression introduced in 3.0.1 with abc299b3a234eb7da1b7e3d257b7eba2da649219 Removed the literal matches logic altogether to avoid similar issues in the future and reduce code complexity. The same logic is performed with the regular expressions logic.
2015-08-13Fix typo in commentsClaudio Galdiolo1-1/+1
2015-08-07[ci skip] Partial patch for #2284Andrey Andreev1-2/+5
The issue description is about update_string(), which I'm not sure if can be fixed at all. This patch only addresses protect_identifiers().
2015-08-07[ci skip] Start of 3.0.2-devAndrey Andreev1-1/+1
2015-08-07Fix #4023Andrey Andreev1-1/+1
Close #4024
2015-08-07Fix ReDoS-bug in string_helper.phpKevin Morssink1-1/+1
Fix for ReDoS (Regular Expression Denial of Service) / Code Injection Risk
2015-08-05Fix #4026Andrey Andreev1-1/+4
2015-08-05Reduce once $config['query_toggle_count'] checkingbjjay1-6/+0
This checking can be done by calling set_sections method when initialize profiler .
2015-08-05Fix #4027Andrey Andreev1-8/+12
2015-08-03Fix #4015Andrey Andreev1-1/+2
2015-08-03[ci skip] Normalize tabs/spacesAndrey Andreev9-18/+18
Partial changes from PR #4016
2015-07-31Fix #4012Andrey Andreev1-1/+4
2015-07-29Fix a 'counter-#3989' bugAndrey Andreev1-5/+15
The issue described in #3989 is actually the opposite of what has beent the intended behavior for the parameter in all Query Builder methods. Unfortunately, there's been a huge misunderstanding about that and half the methods worked properly, while the other half did not ... fixing that here. Also related: #4001
2015-07-28Fix #4005Andrey Andreev1-1/+1
2015-07-27Close #4004Andrey Andreev1-1/+3
2015-07-27Revert "Fix an internal bug in QB where() escaping"Andrey Andreev1-1/+4
This reverts commit 43afc71b777b00cfc2638add6fa3c47d333c5e04.
2015-07-27Revert "Fix #3989"Andrey Andreev1-4/+11
This reverts commit e1a94d30e2f30cee36f71c246136fb2db34d25df.
2015-07-26Fix #4000Andrey Andreev1-1/+2
2015-07-24Fixed typosCalvin Tam9-9/+9
2015-07-23Merge pull request #3995 from rajatsharma94/developAndrey Andreev1-1/+1
set_realpath IP check
2015-07-23Update path_helper.phprajatsharma941-1/+1
2015-07-23Security check updated.rajatsharma941-1/+1
All security check conditions are modified according to CI styleguide.
2015-07-23Update path_helper.phprajatsharma941-1/+1
2015-07-23IP checking false positives and no ipv6 checkrajatsharma941-1/+1
The currently implemented method marks all IPs between 0.0.0.0 - 999.999.999.999 as valid IP Address. Which generates false positives as any IP after 255.255.255.255 is not a valid IP address. Also, there is no check for IPv6 IP addresses. filter_var() solves both the issues.
2015-07-23IP Address checking generates false positives.medhavini1-1/+1
IP Address checking marks all IPs between 0.0.0.0 - 999.999.999.999 as valid IP Address. Which is not true.
2015-07-23Fix an issue with CI_Upload max filesizeAndrey Andreev1-0/+16
Reported via the forums: http://forum.codeigniter.com/thread-62510.html
2015-07-22Remove eval()-related logic from function_exists()Andrey Andreev1-13/+3
#3991 shows that all such checks are useless as function_exists('eval') will always return FALSE.
2015-07-22Add class_exists() checks to CI_Loader::model()Andrey Andreev1-12/+26
Helps debugging in case of controller/model/library class name collision.
2015-07-22Fix #3991Andrey Andreev1-1/+1
2015-07-21Fix #3989Andrey Andreev1-11/+4
More instances of the bug that was fixed with 43afc71b777b00cfc2638add6fa3c47d333c5e04
2015-07-20Failed security checkrajatsharma941-2/+1
The implemented security check to make sure the path is NOT a URL can easily be bypassed (gives false negative) for all subdomains. Eg "subdomain.domain.com" should ideally show an error but it does not. The new security check tries to make a fsockopen connection to validate whether the URL is external or not.
2015-07-20Security check failmedhavini1-0/+1
Security check condition to check that the path is NOT a URL may give false negative in case of subdomains. Where URLs don't start with http or www.
2015-07-20Fix #3279Andrey Andreev1-4/+4
2015-07-20Fix an internal bug in QB where() escapingAndrey Andreev1-4/+1
This is not a supported use case, but if QB escaping is force-disabled, string values passed to where() or having() aren't escaped. That's wrong because escape-disabling should only be possible for identifiers and not values. Reported via the forums: http://forum.codeigniter.com/thread-62478.html
2015-07-17Fix #3752Andrey Andreev1-21/+22
2015-07-17[ci skip] Fix #3778Andrey Andreev1-15/+6
2015-07-17[ci skip] Fix a bug reported via PR #3704Andrey Andreev1-23/+20