Age | Commit message (Collapse) | Author | Files | Lines |
|
It doesn't belong in there.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Reported via the forums: http://forum.codeigniter.com/thread-61494.html
|
|
Requested in #4059
|
|
|
|
The bug actually had two instances:
- Callback routes with literal matches and HTTP verbs has never worked
- The reported issue in #4052, which is a regression introduced in 3.0.1
with abc299b3a234eb7da1b7e3d257b7eba2da649219
Removed the literal matches logic altogether to avoid similar issues
in the future and reduce code complexity. The same logic is performed
with the regular expressions logic.
|
|
|
|
The issue description is about update_string(), which
I'm not sure if can be fixed at all. This patch only
addresses protect_identifiers().
|
|
|
|
Close #4024
|
|
Fix for ReDoS (Regular Expression Denial of Service) / Code Injection
Risk
|
|
|
|
This checking can be done by calling set_sections method when initialize profiler .
|
|
|
|
|
|
Partial changes from PR #4016
|
|
|
|
The issue described in #3989 is actually the opposite of what has beent
the intended behavior for the parameter in all Query Builder
methods. Unfortunately, there's been a huge misunderstanding about
that and half the methods worked properly, while the other half did
not ... fixing that here.
Also related: #4001
|
|
|
|
|
|
This reverts commit 43afc71b777b00cfc2638add6fa3c47d333c5e04.
|
|
This reverts commit e1a94d30e2f30cee36f71c246136fb2db34d25df.
|
|
|
|
|
|
set_realpath IP check
|
|
|
|
All security check conditions are modified according to CI styleguide.
|
|
|
|
The currently implemented method marks all IPs between 0.0.0.0 - 999.999.999.999 as valid IP Address. Which generates false positives as any IP after 255.255.255.255 is not a valid IP address.
Also, there is no check for IPv6 IP addresses.
filter_var() solves both the issues.
|
|
IP Address checking marks all IPs between 0.0.0.0 - 999.999.999.999 as valid IP Address. Which is not true.
|
|
Reported via the forums: http://forum.codeigniter.com/thread-62510.html
|
|
#3991 shows that all such checks are useless as function_exists('eval')
will always return FALSE.
|
|
Helps debugging in case of controller/model/library class name collision.
|
|
|
|
More instances of the bug that was fixed with 43afc71b777b00cfc2638add6fa3c47d333c5e04
|
|
The implemented security check to make sure the path is NOT a URL can easily be bypassed (gives false negative) for all subdomains.
Eg "subdomain.domain.com" should ideally show an error but it does not.
The new security check tries to make a fsockopen connection to validate whether the URL is external or not.
|
|
Security check condition to check that the path is NOT a URL may give false negative in case of subdomains. Where URLs don't start with http or www.
|
|
|
|
This is not a supported use case, but if QB escaping is force-disabled,
string values passed to where() or having() aren't escaped. That's wrong
because escape-disabling should only be possible for identifiers and not
values.
Reported via the forums: http://forum.codeigniter.com/thread-62478.html
|
|
|
|
|
|
|
|
MYSQLI_OPT_SSL_VERIFY_SERVER_CERT is an undocumented option that may not always be available.
Reference: http://svn.php.net/viewvc/php/php-src/trunk/ext/mysqli/tests/mysqli_constants.phpt?view=markup&pathrev=302897
|