From fa1ca8bdee7021a67f58a5278900266c16ef7cd7 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 22 Aug 2016 14:13:54 +0300 Subject: Merge pull request #4780 from tianhe1986/develop_standard_hex2bin [ci skip] Trigger error for "resource" type in hex2bin() inputs --- system/core/compat/standard.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index c839c9bc9..6b7caa485 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -153,7 +153,7 @@ if ( ! function_exists('hex2bin')) */ function hex2bin($data) { - if (in_array($type = gettype($data), array('array', 'double', 'object'), TRUE)) + if (in_array($type = gettype($data), array('array', 'double', 'object', 'resource'), TRUE)) { if ($type === 'object' && method_exists($data, '__toString')) { -- cgit v1.2.3-24-g4f1b From 5ecf4f91caba105128405b784ceac93c1af69362 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 22 Aug 2016 14:16:33 +0300 Subject: [ci skip] Add changelog entry for PR #4780 --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 97b4d254d..aa9af21b6 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -22,6 +22,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4759) - :doc:`Form Validation `, :doc:`Trackback ` and `XML-RPC ` libraries treated URI schemes in a case-sensitive manner. - Fixed a bug (#4762) - :doc:`Cache Library ` 'file' driver method ``get_metadata()`` checked TTL time against ``mtime`` instead of the cache item's creation time. - Fixed a bug where :doc:`File Uploading Library ` generated error messages on PHP 7.1. +- Fixed a bug (#4780) - :doc:`compatibility function ` ``hex2bin()`` didn't reject inputs of type "resource". Version 3.1.0 ============= -- cgit v1.2.3-24-g4f1b 
From a9d83fb0ddef91f0fb386cbe8bdb9cef69ca2af3 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 23 Aug 2016 14:07:11 +0300 Subject: Merge pull request #4781 from tianhe1986/develop_hash_pbkdf2 Hash: processing algorithm name case-insensitively in hash_pbkdf2() --- system/core/compat/hash.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 6854e4c26..d567d0f80 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -119,7 +119,7 @@ if ( ! function_exists('hash_pbkdf2')) */ function hash_pbkdf2($algo, $password, $salt, $iterations, $length = 0, $raw_output = FALSE) { - if ( ! in_array($algo, hash_algos(), TRUE)) + if ( ! in_array(strtolower($algo), hash_algos(), TRUE)) { trigger_error('hash_pbkdf2(): Unknown hashing algorithm: '.$algo, E_USER_WARNING); return FALSE; -- cgit v1.2.3-24-g4f1b From 1d0bd83d0f4b9f133bf9657113fc50d57d767762 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 29 Aug 2016 14:14:54 +0300 Subject: Merge pull request #4785 from guitarrist/develop [ci skip] Fix a comment typo --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/core/Security.php b/system/core/Security.php index a29070095..3a5da4fde 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -230,7 +230,7 @@ class CI_Security { $this->csrf_show_error(); } - // We kill this since we're done and we don't want to polute the _POST array + // We kill this since we're done and we don't want to pollute the _POST array unset($_POST[$this->_csrf_token_name]); // Regenerate on every submission? -- cgit v1.2.3-24-g4f1b From 0abc0dfca3c4e9e17da07edc864e009c13222174 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 29 Aug 2016 15:15:49 +0300 Subject: Fix #4787 --- system/libraries/Form_validation.php | 4 ++-- user_guide_src/source/changelog.rst | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) 
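Review bot: In system/core/compat/hash.php the lower-cased name is used only for the `in_array()` membership test, so everything after the guard still receives `$algo` in the caller's original case. PHP's own hash functions tolerate that, but any later lookup keyed by algorithm name would silently miss for an upper-case name; the rest of hash_pbkdf2() is outside this hunk, so that needs checking. Assigning `$algo = strtolower($algo);` immediately after the guard keeps the check and the later uses in agreement. A short comment that `hash_algos()` also lists non-cryptographic checksums, so this guard tests existence and not strength, would help readers.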
diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php index 61f0298fd..c39b65d89 100644 --- a/system/libraries/Form_validation.php +++ b/system/libraries/Form_validation.php @@ -1229,9 +1229,9 @@ class CI_Form_validation { */ public function valid_email($str) { - if (function_exists('idn_to_ascii') && $atpos = strpos($str, '@')) + if (function_exists('idn_to_ascii') && sscanf($str, '%[^@]@%s', $name, $domain) === 2) { - $str = substr($str, 0, ++$atpos).idn_to_ascii(substr($str, $atpos)); + $str = $name.'@'.idn_to_ascii($domain); } return (bool) filter_var($str, FILTER_VALIDATE_EMAIL); diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index aa9af21b6..5bdcda934 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -23,6 +23,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4762) - :doc:`Cache Library ` 'file' driver method ``get_metadata()`` checked TTL time against ``mtime`` instead of the cache item's creation time. - Fixed a bug where :doc:`File Uploading Library ` generated error messages on PHP 7.1. - Fixed a bug (#4780) - :doc:`compatibility function ` ``hex2bin()`` didn't reject inputs of type "resource". +- Fixed a bug (#4787) - :doc:`Form Validation Library ` method ``valid_email()`` triggered ``E_WARNING`` when input emails have empty domain names. Version 3.1.0 ============= -- cgit v1.2.3-24-g4f1b From a70b9614e71c0060700ab99bfa752fa2b9fafaed Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 30 Aug 2016 10:58:19 +0300 Subject: Merge pull request #4788 from edtsz/patch-2 Add OpenOffice mime-types to config/mimes.php --- application/config/mimes.php | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/application/config/mimes.php b/application/config/mimes.php index 8bac87251..017653335 100644 --- a/application/config/mimes.php +++ b/application/config/mimes.php 
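Review bot: In valid_email(), `%s` in the `sscanf()` format stops at the first whitespace, so for input that has whitespace after the domain the rebuilt `$str` is shorter than what the caller submitted and `filter_var()` validates only that prefix. The method can therefore return TRUE for a value that is not a valid address as a whole, while the caller goes on using the original string. Anchoring the split to the full input avoids this: `if (function_exists('idn_to_ascii') && preg_match('#\A([^@]+)@(.+)\z#', $str, $matches))` followed by `$str = $matches[1].'@'.idn_to_ascii($matches[2]);`. `idn_to_ascii()` can also return FALSE, and since its result is concatenated unchecked that deserves a one-line comment.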
@@ -163,5 +163,21 @@ return array( 'vcf' => 'text/x-vcard', 'srt' => array('text/srt', 'text/plain'), 'vtt' => array('text/vtt', 'text/plain'), - 'ico' => array('image/x-icon', 'image/x-ico', 'image/vnd.microsoft.icon') + 'ico' => array('image/x-icon', 'image/x-ico', 'image/vnd.microsoft.icon'), + 'odc' => 'application/vnd.oasis.opendocument.chart', + 'otc' => 'application/vnd.oasis.opendocument.chart-template', + 'odf' => 'application/vnd.oasis.opendocument.formula', + 'otf' => 'application/vnd.oasis.opendocument.formula-template', + 'odg' => 'application/vnd.oasis.opendocument.graphics', + 'otg' => 'application/vnd.oasis.opendocument.graphics-template', + 'odi' => 'application/vnd.oasis.opendocument.image', + 'oti' => 'application/vnd.oasis.opendocument.image-template', + 'odp' => 'application/vnd.oasis.opendocument.presentation', + 'otp' => 'application/vnd.oasis.opendocument.presentation-template', + 'ods' => 'application/vnd.oasis.opendocument.spreadsheet', + 'ots' => 'application/vnd.oasis.opendocument.spreadsheet-template', + 'odt' => 'application/vnd.oasis.opendocument.text', + 'odm' => 'application/vnd.oasis.opendocument.text-master', + 'ott' => 'application/vnd.oasis.opendocument.text-template', + 'oth' => 'application/vnd.oasis.opendocument.text-web' ); -- cgit v1.2.3-24-g4f1b From 676072ea1a1d5806c19cd0f76aaf9b6bf48d2741 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 9 Sep 2016 15:33:09 +0300 Subject: Merge pull request #4805 from intekhabrizvi/develop Use MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT as a connection flag instead of option --- system/database/drivers/mysqli/mysqli_driver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php index f4597c746..4a14eea93 100644 --- a/system/database/drivers/mysqli/mysqli_driver.php +++ b/system/database/drivers/mysqli/mysqli_driver.php 
@@ -183,7 +183,7 @@ class CI_DB_mysqli_driver extends CI_DB { // https://bugs.php.net/bug.php?id=68344 elseif (defined('MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT')) { - $this->_mysqli->options(MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT, TRUE); + $client_flags |= MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT; } } -- cgit v1.2.3-24-g4f1b From 8c61ec2fb48dc75a19a594c5c704e6f8e186357d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 9 Sep 2016 15:35:26 +0300 Subject: [ci skip] Add changelog entry for PR #4805 --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 5bdcda934..51de7b7ab 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -24,6 +24,7 @@ Bug fixes for 3.1.1 - Fixed a bug where :doc:`File Uploading Library ` generated error messages on PHP 7.1. - Fixed a bug (#4780) - :doc:`compatibility function ` ``hex2bin()`` didn't reject inputs of type "resource". - Fixed a bug (#4787) - :doc:`Form Validation Library ` method ``valid_email()`` triggered ``E_WARNING`` when input emails have empty domain names. +- Fixed a bug (#4805) - :doc:`Database ` driver 'mysqli' didn't use the ``MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT`` flag properly. Version 3.1.0 ============= -- cgit v1.2.3-24-g4f1b From 5f693cb38769b973f89cb8a40b43bb15ef3cd9cf Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 12 Sep 2016 12:35:57 +0300 Subject: Merge pull request #4806 from hex-ci/patch-1 [ci skip] Fix formatting in 2.1.0 upgrade instructions --- user_guide_src/source/installation/upgrade_210.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user_guide_src/source/installation/upgrade_210.rst b/user_guide_src/source/installation/upgrade_210.rst index 866dcf4ae..421435452 100644 --- a/user_guide_src/source/installation/upgrade_210.rst +++ b/user_guide_src/source/installation/upgrade_210.rst 
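Review bot: Nothing on the new `$client_flags |= MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;` line in mysqli_driver.php records what it means for the connection: once the flag takes effect the link is encrypted but the server's certificate is not checked, so the client cannot tell the intended server from an impostor. The condition that selects this branch is outside the hunk. A comment such as `// Encrypts the link but does NOT authenticate the server; only for deployments that opted out of verification` and a `log_message('debug', 'mysqli: server certificate verification is disabled');` next to the flag would make that state visible to whoever operates the application.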
@@ -17,10 +17,10 @@ Step 2: Replace config/mimes.php ================================ This config file has been updated to contain more user agent types, -please copy it to _application/config/mimes.php*. +please copy it to *application/config/mimes.php*. Step 3: Update your user guide ============================== Please also replace your local copy of the user guide with the new -version. \ No newline at end of file +version. -- cgit v1.2.3-24-g4f1b From 442ea6861a5fdfb9780e79b00875e55cdab3f6ff Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 16 Sep 2016 11:51:25 +0300 Subject: [ci skip] Fix #4808 --- system/database/drivers/odbc/odbc_driver.php | 2 +- system/database/drivers/pdo/subdrivers/pdo_odbc_driver.php | 2 +- system/database/drivers/pdo/subdrivers/pdo_pgsql_driver.php | 2 +- system/database/drivers/postgre/postgre_driver.php | 2 +- user_guide_src/source/changelog.rst | 1 + 5 files changed, 5 insertions(+), 4 deletions(-) diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php index 63df2963d..dbce1cf79 100644 --- a/system/database/drivers/odbc/odbc_driver.php +++ b/system/database/drivers/odbc/odbc_driver.php @@ -298,7 +298,7 @@ class CI_DB_odbc_driver extends CI_DB_driver { */ public function is_write_type($sql) { - if (preg_match('#^(INSERT|UPDATE).*RETURNING\s.+(\,\s?.+)*$#i', $sql)) + if (preg_match('#^(INSERT|UPDATE).*RETURNING\s.+(\,\s?.+)*$#is', $sql)) { return FALSE; } diff --git a/system/database/drivers/pdo/subdrivers/pdo_odbc_driver.php b/system/database/drivers/pdo/subdrivers/pdo_odbc_driver.php index 82554ec80..ebe1ed6f0 100644 --- a/system/database/drivers/pdo/subdrivers/pdo_odbc_driver.php +++ b/system/database/drivers/pdo/subdrivers/pdo_odbc_driver.php 
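Review bot: In odbc_driver.php the pattern is still anchored with `^` directly before `(INSERT|UPDATE)`, so a multi-line statement that begins with a newline or indentation, the kind of query the new `s` modifier is aimed at, will not match unless the SQL is trimmed before it reaches is_write_type(); that is not visible in this hunk. With `s` set, `.+` already consumes commas and newlines, which leaves the trailing `(\,\s?.+)*` group with nothing to do. Something like `#^\s*(INSERT|UPDATE)\b.*\bRETURNING\s.+$#is` expresses the same intent. The identical line is changed in the pdo_odbc, pdo_pgsql and postgre drivers below, so the same applies there. A comment that the match is purely textual, and so also fires on the word RETURNING inside a quoted value, would help maintainers.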
@@ -181,7 +181,7 @@ class CI_DB_pdo_odbc_driver extends CI_DB_pdo_driver { */ public function is_write_type($sql) { - if (preg_match('#^(INSERT|UPDATE).*RETURNING\s.+(\,\s?.+)*$#i', $sql)) + if (preg_match('#^(INSERT|UPDATE).*RETURNING\s.+(\,\s?.+)*$#is', $sql)) { return FALSE; } diff --git a/system/database/drivers/pdo/subdrivers/pdo_pgsql_driver.php b/system/database/drivers/pdo/subdrivers/pdo_pgsql_driver.php index ee8f76348..9483d2457 100644 --- a/system/database/drivers/pdo/subdrivers/pdo_pgsql_driver.php +++ b/system/database/drivers/pdo/subdrivers/pdo_pgsql_driver.php @@ -154,7 +154,7 @@ class CI_DB_pdo_pgsql_driver extends CI_DB_pdo_driver { */ public function is_write_type($sql) { - if (preg_match('#^(INSERT|UPDATE).*RETURNING\s.+(\,\s?.+)*$#i', $sql)) + if (preg_match('#^(INSERT|UPDATE).*RETURNING\s.+(\,\s?.+)*$#is', $sql)) { return FALSE; } diff --git a/system/database/drivers/postgre/postgre_driver.php b/system/database/drivers/postgre/postgre_driver.php index 58d445187..dfd87f95a 100644 --- a/system/database/drivers/postgre/postgre_driver.php +++ b/system/database/drivers/postgre/postgre_driver.php @@ -288,7 +288,7 @@ class CI_DB_postgre_driver extends CI_DB { */ public function is_write_type($sql) { - if (preg_match('#^(INSERT|UPDATE).*RETURNING\s.+(\,\s?.+)*$#i', $sql)) + if (preg_match('#^(INSERT|UPDATE).*RETURNING\s.+(\,\s?.+)*$#is', $sql)) { return FALSE; } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 51de7b7ab..2c8a131ff 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst 
@@ -25,6 +25,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4780) - :doc:`compatibility function ` ``hex2bin()`` didn't reject inputs of type "resource". - Fixed a bug (#4787) - :doc:`Form Validation Library ` method ``valid_email()`` triggered ``E_WARNING`` when input emails have empty domain names. - Fixed a bug (#4805) - :doc:`Database ` driver 'mysqli' didn't use the ``MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT`` flag properly. +- Fixed a bug (#4808) - :doc:`Database ` method ``is_write_type()`` only looked at the first line of a queries using ``RETURNING`` with the 'postgre', 'pdo/pgsql', 'odbc' and 'pdo/odbc' drivers. Version 3.1.0 ============= -- cgit v1.2.3-24-g4f1b From 0a4dd844b8a3d6edb7712d3bb4edf1b4f0e9dc4c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 16 Sep 2016 12:06:40 +0300 Subject: [ci skip] Don't try to insert_batch() when we know it's not supported on Firebird --- system/database/drivers/ibase/ibase_driver.php | 17 +++++++++++++++++ .../drivers/pdo/subdrivers/pdo_firebird_driver.php | 16 ++++++++++++++++ user_guide_src/source/changelog.rst | 1 + 3 files changed, 34 insertions(+) diff --git a/system/database/drivers/ibase/ibase_driver.php b/system/database/drivers/ibase/ibase_driver.php index c1055c1e6..671a353bc 100644 --- a/system/database/drivers/ibase/ibase_driver.php +++ b/system/database/drivers/ibase/ibase_driver.php 
@@ -383,6 +383,23 @@ class CI_DB_ibase_driver extends CI_DB { // -------------------------------------------------------------------- + /** + * Insert batch statement + * + * Generates a platform-specific insert string from the supplied data. + * + * @param string $table Table name + * @param array $keys INSERT keys + * @param array $values INSERT values + * @return string|bool + */ + protected function _insert_batch($table, $keys, $values) + { + return ($this->db->db_debug) ? $this->db->display_error('db_unsupported_feature') : FALSE; + } + + // -------------------------------------------------------------------- + /** * Close DB Connection * diff --git a/system/database/drivers/pdo/subdrivers/pdo_firebird_driver.php b/system/database/drivers/pdo/subdrivers/pdo_firebird_driver.php index 96dcc5ec1..7811d3da4 100644 --- a/system/database/drivers/pdo/subdrivers/pdo_firebird_driver.php +++ b/system/database/drivers/pdo/subdrivers/pdo_firebird_driver.php @@ -260,4 +260,20 @@ class CI_DB_pdo_firebird_driver extends CI_DB_pdo_driver { return preg_replace('`SELECT`i', 'SELECT '.$select, $sql); } + // -------------------------------------------------------------------- + + /** + * Insert batch statement + * + * Generates a platform-specific insert string from the supplied data. + * + * @param string $table Table name + * @param array $keys INSERT keys + * @param array $values INSERT values + * @return string|bool + */ + protected function _insert_batch($table, $keys, $values) + { + return ($this->db->db_debug) ? $this->db->display_error('db_unsupported_feature') : FALSE; + } } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 2c8a131ff..d99e44276 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst 
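Review bot: Both new `_insert_batch()` methods read `$this->db->db_debug` and call `$this->db->display_error()`, but they are added to driver classes (`CI_DB_ibase_driver` and `CI_DB_pdo_firebird_driver`), and nothing in these hunks shows a `db` property on a driver. If that property exists only on the forge and utility classes, `$this->db` is undefined here, the condition is always falsy and the unsupported-feature error is never displayed even with debugging on. Using the driver's own members would read `return ($this->db_debug) ? $this->display_error('db_unsupported_feature') : FALSE;`. The docblock also says the method generates an insert string, which it does not; it should state that batch inserts are unsupported and what is returned.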
@@ -26,6 +26,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4787) - :doc:`Form Validation Library ` method ``valid_email()`` triggered ``E_WARNING`` when input emails have empty domain names. - Fixed a bug (#4805) - :doc:`Database ` driver 'mysqli' didn't use the ``MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT`` flag properly. - Fixed a bug (#4808) - :doc:`Database ` method ``is_write_type()`` only looked at the first line of a queries using ``RETURNING`` with the 'postgre', 'pdo/pgsql', 'odbc' and 'pdo/odbc' drivers. +- Fixed a bug where :doc:`Query Builder ` method ``insert_batch()`` tried to execute an unsupported SQL query with the 'ibase' and 'pdo/firebird' drivers. Version 3.1.0 ============= -- cgit v1.2.3-24-g4f1b From 7a49c0b0f12121be39001a13a97bd608f6a30a7a Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 27 Sep 2016 14:00:26 +0300 Subject: Merge pull request #4810 from Dutchy-/patch-1 Remove inline style from form_open() hidden fields --- system/helpers/form_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 8825ecc2c..aa7379f77 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -100,7 +100,7 @@ if ( ! function_exists('form_open')) { foreach ($hidden as $name => $value) { - $form .= ''."\n"; + $form .= ''."\n"; } } -- cgit v1.2.3-24-g4f1b From 8a15f5af819424087b6676709d98de6fa5fc6115 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 27 Sep 2016 14:12:05 +0300 Subject: Fix #4809 --- .../drivers/pdo/subdrivers/pdo_mysql_driver.php | 49 ++++++++++++++++++++++ user_guide_src/source/changelog.rst | 1 + 2 files changed, 50 insertions(+) diff --git a/system/database/drivers/pdo/subdrivers/pdo_mysql_driver.php b/system/database/drivers/pdo/subdrivers/pdo_mysql_driver.php index 3631cdf7a..6452b787b 100644 --- a/system/database/drivers/pdo/subdrivers/pdo_mysql_driver.php 
+++ b/system/database/drivers/pdo/subdrivers/pdo_mysql_driver.php @@ -215,6 +215,55 @@ class CI_DB_pdo_mysql_driver extends CI_DB_pdo_driver { // -------------------------------------------------------------------- + /** + * Begin Transaction + * + * @return bool + */ + protected function _trans_begin() + { + $this->conn_id->setAttribute(PDO::ATTR_AUTOCOMMIT, FALSE); + return $this->conn_id->beginTransaction(); + } + + // -------------------------------------------------------------------- + + /** + * Commit Transaction + * + * @return bool + */ + protected function _trans_commit() + { + if ($this->conn_id->commit()) + { + $this->conn_id->setAttribute(PDO::ATTR_AUTOCOMMIT, TRUE); + return TRUE; + } + + return FALSE; + } + + // -------------------------------------------------------------------- + + /** + * Rollback Transaction + * + * @return bool + */ + protected function _trans_rollback() + { + if ($this->conn_id->rollBack()) + { + $this->conn_id->setAttribute(PDO::ATTR_AUTOCOMMIT, TRUE); + return TRUE; + } + + return FALSE; + } + + // -------------------------------------------------------------------- + /** * Show table query * diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index d99e44276..d41e79945 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst 
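Review bot: `_trans_begin()` switches `PDO::ATTR_AUTOCOMMIT` off before calling `beginTransaction()` and never restores it when that call returns FALSE, so a failed begin leaves the connection with autocommit disabled and later writes made outside any transaction are not committed. `_trans_commit()` and `_trans_rollback()` have the mirror-image gap: on failure they return FALSE with autocommit still off. Restoring the attribute on the failure path of `_trans_begin()`, as sketched below, keeps the connection state in line with the return value; whether the commit and rollback failure paths should do the same depends on how the caller recovers, which is outside this hunk. The return value of `setAttribute()` is ignored in all three methods.

```php
protected function _trans_begin()
{
	$this->conn_id->setAttribute(PDO::ATTR_AUTOCOMMIT, FALSE);

	if ($this->conn_id->beginTransaction())
	{
		return TRUE;
	}

	// Begin failed: put the connection back into autocommit mode
	$this->conn_id->setAttribute(PDO::ATTR_AUTOCOMMIT, TRUE);
	return FALSE;
}
// … unchanged: _trans_commit(), _trans_rollback() …
```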
@@ -27,6 +27,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4805) - :doc:`Database ` driver 'mysqli' didn't use the ``MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT`` flag properly. - Fixed a bug (#4808) - :doc:`Database ` method ``is_write_type()`` only looked at the first line of a queries using ``RETURNING`` with the 'postgre', 'pdo/pgsql', 'odbc' and 'pdo/odbc' drivers. - Fixed a bug where :doc:`Query Builder ` method ``insert_batch()`` tried to execute an unsupported SQL query with the 'ibase' and 'pdo/firebird' drivers. +- Fixed a bug (#4809) - :doc:`Database ` driver 'pdo/mysql' didn't turn off ``AUTOCOMMIT`` when starting a transaction. Version 3.1.0 ============= -- cgit v1.2.3-24-g4f1b From eea02de557834006c5d6a0bfccca7f39e75bf3a8 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 27 Sep 2016 14:59:37 +0300 Subject: Fix entity_decode() issue --- system/core/Security.php | 39 ++++++++++++++++++-------------- tests/codeigniter/core/Security_test.php | 6 +++++ user_guide_src/source/changelog.rst | 4 ++++ 3 files changed, 32 insertions(+), 17 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index 3a5da4fde..4a69daa18 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -669,6 +669,22 @@ class CI_Security { ? ENT_COMPAT | ENT_HTML5 : ENT_COMPAT; + if ( ! isset($_entities)) + { + $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, $flag, $charset)); + + // If we're not on PHP 5.4+, add the possibly dangerous HTML 5 + // entities to the array manually + if ($flag === ENT_COMPAT) + { + $_entities[':'] = ':'; + $_entities['('] = '('; + $_entities[')'] = ')'; + $_entities["\n"] = ' '; + $_entities["\t"] = ' '; + } + } + do { $str_compare = $str; 
@@ -676,22 +692,6 @@ class CI_Security { // Decode standard entities, avoiding false positives if (preg_match_all('/&[a-z]{2,}(?![a-z;])/i', $str, $matches)) { - if ( ! isset($_entities)) - { - $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, $flag, $charset)); - - // If we're not on PHP 5.4+, add the possibly dangerous HTML 5 - // entities to the array manually - if ($flag === ENT_COMPAT) - { - $_entities[':'] = ':'; - $_entities['('] = '('; - $_entities[')'] = ')'; - $_entities["\n"] = '&newline;'; - $_entities["\t"] = '&tab;'; - } - } - $replace = array(); $matches = array_unique(array_map('strtolower', $matches[0])); foreach ($matches as &$match) @@ -702,7 +702,7 @@ class CI_Security { } } - $str = str_ireplace(array_keys($replace), array_values($replace), $str); + $str = str_replace(array_keys($replace), array_values($replace), $str); } // Decode numeric & UTF16 two byte entities @@ -711,6 +711,11 @@ class CI_Security { $flag, $charset ); + + if ($flag === ENT_COMPAT) + { + $str = str_replace(array_values($_entities), array_keys($_entities), $str); + } } while ($str_compare !== $str); return $str; diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php index 8328c37cb..cbf0285ec 100644 --- a/tests/codeigniter/core/Security_test.php +++ b/tests/codeigniter/core/Security_test.php @@ -270,6 +270,12 @@ class Security_test extends CI_TestCase { $this->assertEquals('
Hello Booya
', $decoded); + $this->assertEquals('colon:', $this->security->entity_decode('colon:')); + $this->assertEquals("NewLine\n", $this->security->entity_decode('NewLine ')); + $this->assertEquals("Tab\t", $this->security->entity_decode('Tab ')); + $this->assertEquals("lpar(", $this->security->entity_decode('lpar(')); + $this->assertEquals("rpar)", $this->security->entity_decode('rpar)')); + // Issue #3057 (https://github.com/bcit-ci/CodeIgniter/issues/3057) $this->assertEquals( '&foo should not include a semicolon', diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index d41e79945..a0ed34a2f 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -7,6 +7,10 @@ Version 3.1.1 Release Date: Not Released +- **Security** + + - Fixed a flaw in :doc:`Security Library ` method ``entity_decode()`` (used by ``xss_clean()``) that affects HTML 5 entities when using PHP 5.3. + - General Changes - Added ``E_PARSE`` to the list of error levels detected by the shutdown handler. -- cgit v1.2.3-24-g4f1b From 7e669e67636a1d5cb10fa4288cdb9b0c39ad2124 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 30 Sep 2016 12:23:03 +0300 Subject: Merge pull request #4822 from gxgpet/develop Fix PNG file deletion on captcha helper --- system/helpers/captcha_helper.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/system/helpers/captcha_helper.php b/system/helpers/captcha_helper.php index 3c1e006f8..f2ff4dccf 100644 --- a/system/helpers/captcha_helper.php +++ b/system/helpers/captcha_helper.php 
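Review bot: None of the assertions added to Security_test.php passes entity_decode() an upper- or mixed-case entity name, and that is the case the Security.php part of this commit changes. The matches are still lower-cased with `array_map('strtolower', $matches[0])` after a case-insensitive `preg_match_all()`, but the replacement is now the case-sensitive `str_replace()` instead of `str_ireplace()`. If `$replace` is keyed by those lower-cased matches (the loop that fills it lies between the hunks), an entity written in upper case without a trailing semicolon is found but no longer decoded, so xss_clean() would go on to inspect it in encoded form. An assertion with such an input would pin the intended behaviour either way.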
@@ -110,7 +110,8 @@ if ( ! function_exists('create_captcha')) $current_dir = @opendir($img_path); while ($filename = @readdir($current_dir)) { - if (substr($filename, -4) === '.jpg' && (str_replace('.jpg', '', $filename) + $expiration) < $now) + if (in_array(substr($filename, -4), array('.jpg', '.png')) + && (str_replace(array('.jpg', '.png'), '', $filename) + $expiration) < $now) { @unlink($img_path.$filename); } -- cgit v1.2.3-24-g4f1b From 386e8e0356a50b0f5ef18632533b9410613b9f65 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 30 Sep 2016 12:26:27 +0300 Subject: [ci skip] Add a changelog entry for #4822 --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index d41e79945..2f08de072 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -28,6 +28,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4808) - :doc:`Database ` method ``is_write_type()`` only looked at the first line of a queries using ``RETURNING`` with the 'postgre', 'pdo/pgsql', 'odbc' and 'pdo/odbc' drivers. - Fixed a bug where :doc:`Query Builder ` method ``insert_batch()`` tried to execute an unsupported SQL query with the 'ibase' and 'pdo/firebird' drivers. - Fixed a bug (#4809) - :doc:`Database ` driver 'pdo/mysql' didn't turn off ``AUTOCOMMIT`` when starting a transaction. +- Fixed a bug (#4822) - :doc:`CAPTCHA Helper ` didn't clear expired PNG images. Version 3.1.0 ============= -- cgit v1.2.3-24-g4f1b From 103a4263fe8c2715f622355ee7d76114d015f242 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 3 Oct 2016 11:19:11 +0300 Subject: Fix #4823 --- .../Session/drivers/Session_files_driver.php | 27 ++++++++++++++++++++-- user_guide_src/source/changelog.rst | 1 + 2 files changed, 26 insertions(+), 2 deletions(-) 
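Review bot: The cleanup condition in create_captcha() treats whatever precedes the extension as a number, so a file in `$img_path` that ends in `.jpg` or `.png` but has a non-numeric name is coerced to 0 in the arithmetic, falls below `$now` and is unlinked; adding `.png` widens that to image assets that may share the directory. `str_replace()` also strips the extension text wherever it occurs in the name, not only at the end. Checking the name shape first confines deletion to files the helper is likely to have created, assuming its names are numeric timestamps as the arithmetic implies: `if (preg_match('#\A(\d+(?:\.\d+)?)\.(?:jpg|png)\z#', $filename, $match) && ($match[1] + $expiration) < $now)`. The new `in_array()` call also omits the strict third argument that other checks on this page pass.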
diff --git a/system/libraries/Session/drivers/Session_files_driver.php b/system/libraries/Session/drivers/Session_files_driver.php index bf4df8b20..5f05396c0 100644 --- a/system/libraries/Session/drivers/Session_files_driver.php +++ b/system/libraries/Session/drivers/Session_files_driver.php @@ -76,6 +76,13 @@ class CI_Session_files_driver extends CI_Session_driver implements SessionHandle */ protected $_file_new; + /** + * mbstring.func_override flag + * + * @var bool + */ + protected static $func_override; + // ------------------------------------------------------------------------ /** @@ -98,6 +105,8 @@ class CI_Session_files_driver extends CI_Session_driver implements SessionHandle log_message('debug', 'Session: "sess_save_path" is empty; using "session.save_path" value from php.ini.'); $this->_config['save_path'] = rtrim(ini_get('session.save_path'), '/\\'); } + + isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); } // ------------------------------------------------------------------------ @@ -187,7 +196,7 @@ class CI_Session_files_driver extends CI_Session_driver implements SessionHandle } $session_data = ''; - for ($read = 0, $length = filesize($this->_file_path.$session_id); $read < $length; $read += strlen($buffer)) + for ($read = 0, $length = filesize($this->_file_path.$session_id); $read < $length; $read += self::strlen($buffer)) { if (($buffer = fread($this->_file_handle, $length - $read)) === FALSE) { @@ -368,4 +377,18 @@ class CI_Session_files_driver extends CI_Session_driver implements SessionHandle return $this->_success; } -} \ No newline at end of file + // -------------------------------------------------------------------- + + /** + * Byte-safe strlen() + * + * @param string $str + * @return int + */ + protected static function strlen($str) + { + return (self::$func_override) + ? mb_strlen($str, '8bit') + : strlen($str); + } +} 
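Review bot: The read loop in the `@@ -187,7 +196,7` hunk of Session_files_driver.php can still spin forever when `fread()` returns an empty string rather than FALSE, because `$read` then advances by 0 while `$read < $length` stays true; that happens if the file turns out shorter than the `filesize()` value taken when the loop starts. The loop body continues past the hunk, so a guard may exist below, but none is visible. Breaking on both results closes the gap: `if (($buffer = fread($this->_file_handle, $length - $read)) === FALSE OR $buffer === '')`. Separately, `mbstring.func_override` is a bitmask and `self::$func_override` becomes true for any non-zero value, which is harmless for a byte-wise `mb_strlen()` but worth a comment.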
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 2f08de072..080b51c68 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -29,6 +29,7 @@ Bug fixes for 3.1.1 - Fixed a bug where :doc:`Query Builder ` method ``insert_batch()`` tried to execute an unsupported SQL query with the 'ibase' and 'pdo/firebird' drivers. - Fixed a bug (#4809) - :doc:`Database ` driver 'pdo/mysql' didn't turn off ``AUTOCOMMIT`` when starting a transaction. - Fixed a bug (#4822) - :doc:`CAPTCHA Helper ` didn't clear expired PNG images. +- Fixed a bug (#4823) - :doc:`Session Library ` 'files' driver could enter an infinite loop if ``mbstring.func_override`` is enabled. Version 3.1.0 ============= -- cgit v1.2.3-24-g4f1b From 8dc32005f0364a07a0d472106e350826c651ea8d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 3 Oct 2016 11:19:49 +0300 Subject: [ci skip] Alter a docblock --- system/libraries/Encryption.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/libraries/Encryption.php b/system/libraries/Encryption.php index 06284c2ed..545081b3b 100644 --- a/system/libraries/Encryption.php +++ b/system/libraries/Encryption.php @@ -907,7 +907,7 @@ class CI_Encryption { * Byte-safe strlen() * * @param string $str - * @return integer + * @return int */ protected static function strlen($str) { -- cgit v1.2.3-24-g4f1b From 727051267a83f6781745316ea4b749af09c8737f Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 11 Oct 2016 15:18:40 +0300 Subject: Merge pull request #4834 from renedekat/patch-1 Updated list of words that aren't countable in is_countable() inflector helper --- system/helpers/inflector_helper.php | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/system/helpers/inflector_helper.php b/system/helpers/inflector_helper.php index c064d8de4..6dc3b5030 100644 --- a/system/helpers/inflector_helper.php 
+++ b/system/helpers/inflector_helper.php @@ -238,8 +238,37 @@ if ( ! function_exists('is_countable')) return ! in_array( strtolower($word), array( - 'equipment', 'information', 'rice', 'money', - 'species', 'series', 'fish', 'meta' + 'audio', + 'bison', + 'chassis', + 'compensation', + 'coreopsis', + 'data', + 'deer', + 'education', + 'emoji', + 'equipment', + 'fish', + 'furniture', + 'gold', + 'information', + 'knowledge', + 'love', + 'rain', + 'money', + 'moose', + 'nutrition', + 'offspring', + 'plankton', + 'pokemon', + 'police', + 'rice', + 'series', + 'sheep', + 'species', + 'swine', + 'traffic', + 'wheat', ) ); } -- cgit v1.2.3-24-g4f1b From 5e22caa8d00165a63999cd828739f71758fba4e2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 11 Oct 2016 15:20:27 +0300 Subject: [ci skip] Add changelog entry for PR #4834 --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 080b51c68..07815e851 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -10,6 +10,7 @@ Release Date: Not Released - General Changes - Added ``E_PARSE`` to the list of error levels detected by the shutdown handler. + - Updated :doc:`Inflector Helper ` function ``is_countable()`` with more words. Bug fixes for 3.1.1 ------------------- -- cgit v1.2.3-24-g4f1b From f2f6d8a70ca35930da798c1e2da134c810a17158 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 11 Oct 2016 16:00:57 +0300 Subject: [ci skip] Add new HTTP status codes https://tools.ietf.org/html/rfc2817 https://tools.ietf.org/html/rfc6585 Requested in #4835 --- system/core/Common.php | 7 ++++++- user_guide_src/source/changelog.rst | 7 +++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/system/core/Common.php b/system/core/Common.php index 2c7651943..257763dd3 100644 --- a/system/core/Common.php +++ b/system/core/Common.php 
@@ -544,13 +544,18 @@ if ( ! function_exists('set_status_header')) 416 => 'Requested Range Not Satisfiable', 417 => 'Expectation Failed', 422 => 'Unprocessable Entity', + 426 => 'Upgrade Required', + 428 => 'Precondition Required', + 429 => 'Too Many Requests', + 431 => 'Request Header Fields Too Large', 500 => 'Internal Server Error', 501 => 'Not Implemented', 502 => 'Bad Gateway', 503 => 'Service Unavailable', 504 => 'Gateway Timeout', - 505 => 'HTTP Version Not Supported' + 505 => 'HTTP Version Not Supported', + 511 => 'Network Authentication Required', ); if (isset($stati[$code])) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 07815e851..019adad91 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -10,7 +10,10 @@ Release Date: Not Released - General Changes - Added ``E_PARSE`` to the list of error levels detected by the shutdown handler. - - Updated :doc:`Inflector Helper ` function ``is_countable()`` with more words. + - Updated :doc:`Inflector Helper ` :php:func:`is_countable()` with more words. + - Updated :doc:`common function ` :php:func:`set_status_header()` with new status codes from IETF RFCs + `2817 https://tools.ietf.org/html/rfc2817>`_ (426) + and `6585 `_ (428, 429, 431, 511). Bug fixes for 3.1.1 ------------------- @@ -40,7 +43,7 @@ Release Date: July 26, 2016 - **Security** - Fixed an SQL injection in the 'odbc' database driver. - - Updated :php:func:`set_realpath()` :doc:`Path Helpr ` function to filter-out ``php://`` wrapper inputs. + - Updated :php:func:`set_realpath()` :doc:`Path Helper ` function to filter-out ``php://`` wrapper inputs. - Officially dropped any kind of support for PHP 5.2.x and anything under 5.3.7. - General Changes -- cgit v1.2.3-24-g4f1b From c34a3d6d052d2b7ba7955ea2bc70039ce0405b68 Mon Sep 17 00:00:00 2001 
From: Andrey Andreev Date: Fri, 14 Oct 2016 14:23:10 +0300 Subject: Merge pull request #4840 from ihatehandles/patch-2 [ci skip] Fixed some typos --- user_guide_src/source/general/cli.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user_guide_src/source/general/cli.rst b/user_guide_src/source/general/cli.rst index b45be1aa8..764a6b835 100644 --- a/user_guide_src/source/general/cli.rst +++ b/user_guide_src/source/general/cli.rst @@ -47,11 +47,11 @@ in it:: Then save the file to your *application/controllers/* folder. -Now normally you would visit the your site using a URL similar to this:: +Now normally you would visit the site using a URL similar to this:: example.com/index.php/tools/message/to -Instead, we are going to open Terminal in Mac/Linux or go to Run > "cmd" +Instead, we are going to open the terminal in Mac/Linux or go to Run > "cmd" in Windows and navigate to our CodeIgniter project. .. code-block:: bash @@ -75,4 +75,4 @@ That's it! That, in a nutshell, is all there is to know about controllers on the command line. Remember that this is just a normal controller, so routing -and ``_remap()`` works fine. \ No newline at end of file +and ``_remap()`` works fine. -- cgit v1.2.3-24-g4f1b From da270b26d7cb9c55385150659ecfb7d2d97b4c63 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 17 Oct 2016 18:22:43 +0300 Subject: Fix #4851 --- system/database/DB_forge.php | 4 ++-- system/database/drivers/ibase/ibase_forge.php | 2 +- system/database/drivers/pdo/subdrivers/pdo_firebird_forge.php | 2 +- system/database/drivers/pdo/subdrivers/pdo_sqlite_forge.php | 4 ++-- system/database/drivers/sqlite/sqlite_forge.php | 4 ++-- system/database/drivers/sqlite3/sqlite3_forge.php | 4 ++-- user_guide_src/source/changelog.rst | 1 + 7 files changed, 11 insertions(+), 10 deletions(-) diff --git a/system/database/DB_forge.php b/system/database/DB_forge.php index 826aa1ebf..ed6f4b672 100644 --- a/system/database/DB_forge.php 
+++ b/system/database/DB_forge.php @@ -184,7 +184,7 @@ abstract class CI_DB_forge { { return ($this->db->db_debug) ? $this->db->display_error('db_unsupported_feature') : FALSE; } - elseif ( ! $this->db->query(sprintf($this->_create_database, $db_name, $this->db->char_set, $this->db->dbcollat))) + elseif ( ! $this->db->query(sprintf($this->_create_database, $this->db->escape_identifiers($db_name), $this->db->char_set, $this->db->dbcollat))) { return ($this->db->db_debug) ? $this->db->display_error('db_unable_to_drop') : FALSE; } @@ -211,7 +211,7 @@ abstract class CI_DB_forge { { return ($this->db->db_debug) ? $this->db->display_error('db_unsupported_feature') : FALSE; } - elseif ( ! $this->db->query(sprintf($this->_drop_database, $db_name))) + elseif ( ! $this->db->query(sprintf($this->_drop_database, $this->db->escape_identifiers($db_name)))) { return ($this->db->db_debug) ? $this->db->display_error('db_unable_to_drop') : FALSE; } diff --git a/system/database/drivers/ibase/ibase_forge.php b/system/database/drivers/ibase/ibase_forge.php index 9c358c365..b35cc3749 100644 --- a/system/database/drivers/ibase/ibase_forge.php +++ b/system/database/drivers/ibase/ibase_forge.php @@ -111,7 +111,7 @@ class CI_DB_ibase_forge extends CI_DB_forge { * @param string $db_name (ignored) * @return bool */ - public function drop_database($db_name = '') + public function drop_database($db_name) { if ( ! ibase_drop_db($this->conn_id)) { diff --git a/system/database/drivers/pdo/subdrivers/pdo_firebird_forge.php b/system/database/drivers/pdo/subdrivers/pdo_firebird_forge.php index 256fa1413..50df76905 100644 --- a/system/database/drivers/pdo/subdrivers/pdo_firebird_forge.php +++ b/system/database/drivers/pdo/subdrivers/pdo_firebird_forge.php 
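Review bot: In DB_forge.php the failure branch after the `_create_database` query in the first hunk still reports `db_unable_to_drop`, the same key the `_drop_database` branch in the second hunk uses, so a failed create is reported as a failed drop; it needs a create-specific message key. On the quoting itself, `escape_identifiers()` is defined outside this diff, so confirm that it neutralises a quote character embedded in `$db_name` rather than only wrapping the name, and that drivers with no identifier quote character do not pass the name through unchanged. `$this->db->char_set` and `$this->db->dbcollat` are still handed to `sprintf()` unquoted, which is acceptable only while they come from trusted configuration. Both methods start and end outside their hunks.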
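Review bot: Dropping the `= ''` default from `drop_database($db_name)` in ibase_forge.php makes the argument mandatory although the docblock still marks it `(ignored)`, so an existing call with no argument now raises a missing-argument warning, or an ArgumentCountError on PHP 7.1 and later. The same applies to the `create_database()` and `drop_database()` hunks in pdo_firebird_forge.php, pdo_sqlite_forge.php, sqlite_forge.php and sqlite3_forge.php. A child method that keeps the default is still compatible with a parent that declares none, so the default could stay; if the removal is intended, it deserves an upgrade note and the `(ignored)` wording should say the argument is required but unused. The method bodies continue outside the hunks.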
@@ -97,7 +97,7 @@ class CI_DB_pdo_firebird_forge extends CI_DB_pdo_forge { * @param string $db_name (ignored) * @return bool */ - public function drop_database($db_name = '') + public function drop_database($db_name) { if ( ! ibase_drop_db($this->conn_id)) { diff --git a/system/database/drivers/pdo/subdrivers/pdo_sqlite_forge.php b/system/database/drivers/pdo/subdrivers/pdo_sqlite_forge.php index f6f9bb481..b124bcad1 100644 --- a/system/database/drivers/pdo/subdrivers/pdo_sqlite_forge.php +++ b/system/database/drivers/pdo/subdrivers/pdo_sqlite_forge.php @@ -101,7 +101,7 @@ class CI_DB_pdo_sqlite_forge extends CI_DB_pdo_forge { * @param string $db_name (ignored) * @return bool */ - public function create_database($db_name = '') + public function create_database($db_name) { // In SQLite, a database is created when you connect to the database. // We'll return TRUE so that an error isn't generated @@ -116,7 +116,7 @@ class CI_DB_pdo_sqlite_forge extends CI_DB_pdo_forge { * @param string $db_name (ignored) * @return bool */ - public function drop_database($db_name = '') + public function drop_database($db_name) { // In SQLite, a database is dropped when we delete a file if (file_exists($this->db->database)) diff --git a/system/database/drivers/sqlite/sqlite_forge.php b/system/database/drivers/sqlite/sqlite_forge.php index 8a1659430..3ad3477e4 100644 --- a/system/database/drivers/sqlite/sqlite_forge.php +++ b/system/database/drivers/sqlite/sqlite_forge.php @@ -75,7 +75,7 @@ class CI_DB_sqlite_forge extends CI_DB_forge { * @param string $db_name (ignored) * @return bool */ - public function create_database($db_name = '') + public function create_database($db_name) { // In SQLite, a database is created when you connect to the database. // We'll return TRUE so that an error isn't generated 
@@ -90,7 +90,7 @@ class CI_DB_sqlite_forge extends CI_DB_forge { * @param string $db_name (ignored) * @return bool */ - public function drop_database($db_name = '') + public function drop_database($db_name) { if ( ! file_exists($this->db->database) OR ! @unlink($this->db->database)) { diff --git a/system/database/drivers/sqlite3/sqlite3_forge.php b/system/database/drivers/sqlite3/sqlite3_forge.php index 43cbe33e5..c45472f54 100644 --- a/system/database/drivers/sqlite3/sqlite3_forge.php +++ b/system/database/drivers/sqlite3/sqlite3_forge.php @@ -87,7 +87,7 @@ class CI_DB_sqlite3_forge extends CI_DB_forge { * @param string $db_name * @return bool */ - public function create_database($db_name = '') + public function create_database($db_name) { // In SQLite, a database is created when you connect to the database. // We'll return TRUE so that an error isn't generated @@ -102,7 +102,7 @@ class CI_DB_sqlite3_forge extends CI_DB_forge { * @param string $db_name (ignored) * @return bool */ - public function drop_database($db_name = '') + public function drop_database($db_name) { // In SQLite, a database is dropped when we delete a file if (file_exists($this->db->database)) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 019adad91..9aa716c89 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -34,6 +34,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4809) - :doc:`Database ` driver 'pdo/mysql' didn't turn off ``AUTOCOMMIT`` when starting a transaction. - Fixed a bug (#4822) - :doc:`CAPTCHA Helper ` didn't clear expired PNG images. - Fixed a bug (#4823) - :doc:`Session Library ` 'files' driver could enter an infinite loop if ``mbstring.func_override`` is enabled. +- Fixed a bug (#4851) - :doc:`Database Forge ` didn't quote schema names passed to its ``create_database()`` method. Version 3.1.0 ============= -- cgit v1.2.3-24-g4f1b 
From fb4cec2f9184af60791eaaae612e1ffcb9a4ee4f Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 20 Oct 2016 11:47:58 +0300 Subject: Merge pull request #4863 from gxgpet/develop4 Add missing method chaining support to CI_Table::set_caption() --- system/libraries/Table.php | 1 + 1 file changed, 1 insertion(+) diff --git a/system/libraries/Table.php b/system/libraries/Table.php index 3bce294d8..f2fa434d9 100644 --- a/system/libraries/Table.php +++ b/system/libraries/Table.php @@ -277,6 +277,7 @@ class CI_Table { public function set_caption($caption) { $this->caption = $caption; + return $this; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From a9e57732f000e4c90e4cdfbe9e747f6dc416d28c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 20 Oct 2016 11:51:50 +0300 Subject: [ci skip] Add changelog entry for #4863 --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 9aa716c89..61a982a4c 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -35,6 +35,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4822) - :doc:`CAPTCHA Helper ` didn't clear expired PNG images. - Fixed a bug (#4823) - :doc:`Session Library ` 'files' driver could enter an infinite loop if ``mbstring.func_override`` is enabled. - Fixed a bug (#4851) - :doc:`Database Forge ` didn't quote schema names passed to its ``create_database()`` method. +- Fixed a bug (#4863) - :doc:`HTML Table Library ` method ``set_caption()`` was missing method chaining support. Version 3.1.0 ============= -- cgit v1.2.3-24-g4f1b From a09ffbc3bc91acd60735c6f1289b97125dae5ed6 Mon Sep 17 00:00:00 2001 
From: "Instructor, Computer Systems Technology" Date: Tue, 18 Oct 2016 15:28:05 -0700 Subject: Merge pull request #4855 from jim-parry/fix/xmlrpc-timeout Fix xmlrpc timeout, #4843 --- system/libraries/Xmlrpc.php | 5 ++--- user_guide_src/source/libraries/xmlrpc.rst | 4 ++++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/system/libraries/Xmlrpc.php b/system/libraries/Xmlrpc.php index 181a104d0..4be926f0e 100644 --- a/system/libraries/Xmlrpc.php +++ b/system/libraries/Xmlrpc.php @@ -734,6 +734,8 @@ class XML_RPC_Client extends CI_Xmlrpc .'User-Agent: '.$this->xmlrpcName.$r .'Content-Length: '.strlen($msg->payload).$r.$r .$msg->payload; + + stream_set_timeout($fp,$this->timeout); // set timeout for subsequent operations for ($written = $timestamp = 0, $length = strlen($op); $written < $length; $written += $result) { @@ -753,9 +755,6 @@ class XML_RPC_Client extends CI_Xmlrpc $result = FALSE; break; } - - usleep(250000); - continue; } else { diff --git a/user_guide_src/source/libraries/xmlrpc.rst b/user_guide_src/source/libraries/xmlrpc.rst index 4d7ed66d5..04be8d52d 100644 --- a/user_guide_src/source/libraries/xmlrpc.rst +++ b/user_guide_src/source/libraries/xmlrpc.rst @@ -490,6 +490,10 @@ Class Reference $this->xmlrpc->timeout(6); + This timeout period will be used both for an initial connection to + the remote server, as well as for getting a response from it. + Make sure you set the timeout before calling `send_request`. + .. php:method:: method($function) :param string $function: Method name -- cgit v1.2.3-24-g4f1b From dc44b922dfda28d72879f6e5d2ef509e8bb51275 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 20 Oct 2016 11:56:20 +0300 Subject: [ci skip] Polish changes and add a changelog entry for PR #4855 --- system/libraries/Xmlrpc.php | 4 ++-- user_guide_src/source/changelog.rst | 1 + user_guide_src/source/libraries/xmlrpc.rst | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) 
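Review bot: Removing `usleep(250000); continue;` in the second Xmlrpc.php hunk leaves that retry branch with no pause, so if it is the branch taken when a write makes no progress (its condition is outside the hunk), the `for` loop spins at full CPU until the `$timestamp` deadline passes. Keeping a short sleep there, or breaking out once the `timed_out` flag from `stream_get_meta_data($fp)` is set, bounds the cost of a stalled peer. The return value of `stream_set_timeout($fp,$this->timeout)` is also ignored; it returns FALSE on failure and expects whole seconds, so `(int) $this->timeout` with a checked result is the safer form.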
diff --git a/system/libraries/Xmlrpc.php b/system/libraries/Xmlrpc.php index 4be926f0e..7186646da 100644 --- a/system/libraries/Xmlrpc.php +++ b/system/libraries/Xmlrpc.php @@ -734,8 +734,8 @@ class XML_RPC_Client extends CI_Xmlrpc .'User-Agent: '.$this->xmlrpcName.$r .'Content-Length: '.strlen($msg->payload).$r.$r .$msg->payload; - - stream_set_timeout($fp,$this->timeout); // set timeout for subsequent operations + + stream_set_timeout($fp, $this->timeout); // set timeout for subsequent operations for ($written = $timestamp = 0, $length = strlen($op); $written < $length; $written += $result) { diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 61a982a4c..4d2cad662 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -36,6 +36,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4823) - :doc:`Session Library ` 'files' driver could enter an infinite loop if ``mbstring.func_override`` is enabled. - Fixed a bug (#4851) - :doc:`Database Forge ` didn't quote schema names passed to its ``create_database()`` method. - Fixed a bug (#4863) - :doc:`HTML Table Library ` method ``set_caption()`` was missing method chaining support. +- Fixed a bug (#4843) - :doc:`XML-RPC Library ` client class didn't set a read/write socket timeout. Version 3.1.0 ============= diff --git a/user_guide_src/source/libraries/xmlrpc.rst b/user_guide_src/source/libraries/xmlrpc.rst index 04be8d52d..2fe07c49d 100644 --- a/user_guide_src/source/libraries/xmlrpc.rst +++ b/user_guide_src/source/libraries/xmlrpc.rst @@ -492,7 +492,7 @@ Class Reference This timeout period will be used both for an initial connection to the remote server, as well as for getting a response from it. - Make sure you set the timeout before calling `send_request`. + Make sure you set the timeout before calling ``send_request()``. .. php:method:: method($function) 
@@ -579,4 +579,4 @@ Class Reference 'struct' ); - return $this->xmlrpc->send_response($response); \ No newline at end of file + return $this->xmlrpc->send_response($response); -- cgit v1.2.3-24-g4f1b From 6513701f21e72fadbbadc4bfea501dd871fa5149 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 20 Oct 2016 12:36:06 +0300 Subject: [ci skip] Document FV set_rules() fourth parameter --- user_guide_src/source/libraries/form_validation.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user_guide_src/source/libraries/form_validation.rst b/user_guide_src/source/libraries/form_validation.rst index 5b9a74273..7792369b2 100644 --- a/user_guide_src/source/libraries/form_validation.rst +++ b/user_guide_src/source/libraries/form_validation.rst @@ -1027,11 +1027,12 @@ Class Reference .. php:class:: CI_Form_validation - .. php:method:: set_rules($field[, $label = ''[, $rules = '']]) + .. php:method:: set_rules($field[, $label = ''[, $rules = ''[, $errors = array()]]]) :param string $field: Field name :param string $label: Field label :param mixed $rules: Validation rules, as a string list separated by a pipe "|", or as an array or rules + :param array $errors: A list of custom error messages :returns: CI_Form_validation instance (method chaining) :rtype: CI_Form_validation -- cgit v1.2.3-24-g4f1b From 4ffe6345690f81872d0937e562faaf75f3185b6a Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 21 Oct 2016 16:30:31 +0300 Subject: Fix #4865 --- system/core/Common.php | 1 + system/core/Exceptions.php | 1 - user_guide_src/source/changelog.rst | 1 + 3 files changed, 2 insertions(+), 1 deletion(-) diff --git a/system/core/Common.php b/system/core/Common.php index 257763dd3..91c585f7d 100644 --- a/system/core/Common.php +++ b/system/core/Common.php 
@@ -661,6 +661,7 @@ if ( ! function_exists('_exception_handler')) $_error =& load_class('Exceptions', 'core'); $_error->log_exception('error', 'Exception: '.$exception->getMessage(), $exception->getFile(), $exception->getLine()); + is_cli() OR set_status_header(500); // Should we display the error? if (str_ireplace(array('off', 'none', 'no', 'false', 'null'), '', ini_get('display_errors'))) { diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php index a1c6a1970..4e10f2831 100644 --- a/system/core/Exceptions.php +++ b/system/core/Exceptions.php @@ -207,7 +207,6 @@ class CI_Exceptions { } else { - set_status_header(500); $templates_path .= 'html'.DIRECTORY_SEPARATOR; } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 4d2cad662..1b3820cb0 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -37,6 +37,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4851) - :doc:`Database Forge ` didn't quote schema names passed to its ``create_database()`` method. - Fixed a bug (#4863) - :doc:`HTML Table Library ` method ``set_caption()`` was missing method chaining support. - Fixed a bug (#4843) - :doc:`XML-RPC Library ` client class didn't set a read/write socket timeout. +- Fixed a bug (#4865) - uncaught exceptions didn't set the HTTP Response status code to 500 unless ``display_errors`` was turned On. Version 3.1.0 ============= -- cgit v1.2.3-24-g4f1b From dae08b59fd808c3baf838161223fdba2a80f1610 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 22 Oct 2016 15:37:15 +0300 Subject: Allow binding 0, null out of array in query() --- system/database/DB_driver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index 848516adc..7ae52a307 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php 
@@ -980,7 +980,7 @@ abstract class CI_DB_driver { */ public function compile_binds($sql, $binds) { - if (empty($binds) OR empty($this->bind_marker) OR strpos($sql, $this->bind_marker) === FALSE) + if (empty($this->bind_marker) OR strpos($sql, $this->bind_marker) === FALSE) { return $sql; } -- cgit v1.2.3-24-g4f1b From 6c6ee1a1e73b3f8a93ca031107bec35e56272a0a Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 22 Oct 2016 16:33:06 +0300 Subject: Close #4830, #3649 --- system/libraries/Session/Session.php | 36 ++++++++++++++++++++-- .../Session/drivers/Session_files_driver.php | 18 +++++++++-- user_guide_src/source/changelog.rst | 1 + user_guide_src/source/libraries/sessions.rst | 4 +-- 4 files changed, 51 insertions(+), 8 deletions(-) diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php index 3b391a8ef..5aac12f36 100644 --- a/system/libraries/Session/Session.php +++ b/system/libraries/Session/Session.php @@ -57,6 +57,7 @@ class CI_Session { protected $_driver = 'files'; protected $_config; + protected $_sid_regexp; // ------------------------------------------------------------------------ @@ -99,6 +100,7 @@ class CI_Session { // Configuration ... $this->_configure($params); + $this->_config['_sid_regexp'] = $this->_sid_regexp; $class = new $class($this->_config); if ($class instanceof SessionHandlerInterface) @@ -131,7 +133,7 @@ class CI_Session { if (isset($_COOKIE[$this->_config['cookie_name']]) && ( ! is_string($_COOKIE[$this->_config['cookie_name']]) - OR ! preg_match('/^[0-9a-f]{40}$/', $_COOKIE[$this->_config['cookie_name']]) + OR ! preg_match('#\A'.$this->_sid_regexp.'\z#', $_COOKIE[$this->_config['cookie_name']]) ) ) { 
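Review bot: With `empty($binds)` gone from the guard in `compile_binds()`, an empty array, an empty string and FALSE now reach the substitution code along with the intended `0` and NULL, and nothing in the hunk records that this is deliberate. The rest of the method is outside the hunk, so confirm that it still returns `$sql` untouched when the number of bind values does not match the number of markers. A one-line comment above the guard would keep the check from being reintroduced: `// $binds is not tested with empty(): 0, '0' and NULL are valid bind values`.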
@@ -315,8 +317,36 @@ class CI_Session { ini_set('session.use_strict_mode', 1); ini_set('session.use_cookies', 1); ini_set('session.use_only_cookies', 1); - ini_set('session.hash_function', 1); - ini_set('session.hash_bits_per_character', 4); + + if (PHP_VERSION_ID < 70100) + { + if ((int) ini_get('session.hash_function') === 0) + { + ini_set('session.hash_function', 1); + ini_set('session.hash_bits_per_character', $bits_per_character = 4); + } + else + { + $bits_per_character = (int) ini_get('session.hash_bits_per_character'); + } + } + elseif ((int) ini_get('session.sid_length') < 40 && ($bits_per_character = (int) ini_get('session.sid_bits_per_character')) === 4) + { + ini_set('session.sid_length', 40); + } + + switch ($bits_per_character) + { + case 4: + $this->_sid_regexp = '[0-9a-f]{40,}'; + break; + case 5: + $this->_sid_regexp = '[0-9a-v]{40,}'; + break; + case 6: + $this->_sid_regexp = '[0-9a-zA-Z,-]{40,}'; + break; + } } // ------------------------------------------------------------------------ diff --git a/system/libraries/Session/drivers/Session_files_driver.php b/system/libraries/Session/drivers/Session_files_driver.php index 5f05396c0..37315d3cd 100644 --- a/system/libraries/Session/drivers/Session_files_driver.php +++ b/system/libraries/Session/drivers/Session_files_driver.php @@ -76,6 +76,13 @@ class CI_Session_files_driver extends CI_Session_driver implements SessionHandle */ protected $_file_new; + /** + * Validate SID regular expression + * + * @var string + */ + protected $_sid_regexp; + /** * mbstring.func_override flag * @@ -106,6 +113,8 @@ class CI_Session_files_driver extends CI_Session_driver implements SessionHandle $this->_config['save_path'] = rtrim(ini_get('session.save_path'), '/\\'); } + $this->_sid_regexp = $this->_config['_sid_regexp']; + isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); } 
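Review bot: On PHP 7.1 and later `$bits_per_character` is assigned only inside the second operand of the `elseif`, so when `session.sid_length` is already 40 or more the `&&` short-circuits, the variable is undefined at the `switch`, and `$this->_sid_regexp` is never set; the `switch` has no `default` either, so any value other than 4, 5 or 6 has the same effect. The cookie check in Session.php then builds `'#\A'.$this->_sid_regexp.'\z#'` from an empty value, which matches only an empty string, so session ID validation no longer reflects the configured format. Reading the setting before the length test, `$bits_per_character = (int) ini_get('session.sid_bits_per_character');`, and adding a `default:` case that fails loudly would close both gaps. In the pre-7.1 `else` branch the `{40,}` minimum is assumed rather than derived from the configured hash function, which is worth verifying for 5- and 6-bit settings. The method starts outside the hunk.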
@@ -352,10 +361,13 @@ class CI_Session_files_driver extends CI_Session_driver implements SessionHandle $ts = time() - $maxlifetime; + $pattern = ($this->_config['match_ip'] === TRUE) + ? '[0-9a-f]{32}' + : ''; + $pattern = sprintf( - '/^%s[0-9a-f]{%d}$/', - preg_quote($this->_config['cookie_name'], '/'), - ($this->_config['match_ip'] === TRUE ? 72 : 40) + '#\A%s'.$pattern.$this->_sid_regexp.'\z#', + preg_quote($this->_config['cookie_name']) ); while (($file = readdir($directory)) !== FALSE) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 1b3820cb0..d025d52f1 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -38,6 +38,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4863) - :doc:`HTML Table Library ` method ``set_caption()`` was missing method chaining support. - Fixed a bug (#4843) - :doc:`XML-RPC Library ` client class didn't set a read/write socket timeout. - Fixed a bug (#4865) - uncaught exceptions didn't set the HTTP Response status code to 500 unless ``display_errors`` was turned On. +- Fixed a bug (#4830) - :doc:`Session Library ` didn't take into account the new session INI settings in PHP 7.1. Version 3.1.0 ============= diff --git a/user_guide_src/source/libraries/sessions.rst b/user_guide_src/source/libraries/sessions.rst index 082828c4e..a95cd5a19 100644 --- a/user_guide_src/source/libraries/sessions.rst +++ b/user_guide_src/source/libraries/sessions.rst @@ -594,7 +594,7 @@ And then of course, create the database table ... For MySQL:: CREATE TABLE IF NOT EXISTS `ci_sessions` ( - `id` varchar(40) NOT NULL, + `id` varchar(128) NOT NULL, `ip_address` varchar(45) NOT NULL, `timestamp` int(10) unsigned DEFAULT 0 NOT NULL, `data` blob NOT NULL, 
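Review bot: The rewritten pattern in the first hunk here switches the delimiter from `/` to `#` but calls `preg_quote($this->_config['cookie_name'])` without a delimiter argument, so on PHP versions where `preg_quote()` does not quote `#` by default a `#` in the cookie name would end the pattern early. Pass the delimiter explicitly: `preg_quote($this->_config['cookie_name'], '#')`. The regexp fragments are also concatenated into the `sprintf()` format string, so a `%` in `$this->_sid_regexp` would be read as a conversion; plain concatenation of the three parts avoids that. The method continues outside the hunk.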
@@ -604,7 +604,7 @@ For MySQL:: For PostgreSQL:: CREATE TABLE "ci_sessions" ( - "id" varchar(40) NOT NULL, + "id" varchar(128) NOT NULL, "ip_address" varchar(45) NOT NULL, "timestamp" bigint DEFAULT 0 NOT NULL, "data" text DEFAULT '' NOT NULL -- cgit v1.2.3-24-g4f1b From 378627bb0e0cfb433299a6d832c18099e5c1dc9c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 22 Oct 2016 16:48:35 +0300 Subject: [ci skip] Prepare for 3.1.1 release --- system/core/CodeIgniter.php | 2 +- user_guide_src/source/changelog.rst | 2 +- user_guide_src/source/conf.py | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 804c6856d..c5d26e52b 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - const CI_VERSION = '3.1.1-dev'; + const CI_VERSION = '3.1.1'; /* * ------------------------------------------------------ diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 1e59d4ca2..c7bd50240 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -5,7 +5,7 @@ Change Log Version 3.1.1 ============= -Release Date: Not Released +Release Date: Oct 22, 2016 - **Security** diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py index 0c4901d8f..a685c4442 100644 --- a/user_guide_src/source/conf.py +++ b/user_guide_src/source/conf.py @@ -48,9 +48,9 @@ copyright = u'2014 - 2016, British Columbia Institute of Technology' # built documents. # # The short X.Y version. -version = '3.1.1-dev' +version = '3.1.1' # The full version, including alpha/beta/rc tags. -release = '3.1.1-dev' +release = '3.1.1' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. -- cgit v1.2.3-24-g4f1b From 6c33f22983a60a046c7de580bebb9b95c4ea106a Mon Sep 17 00:00:00 2001 
From: Andrey Andreev Date: Sat, 22 Oct 2016 17:08:13 +0300 Subject: [ci skip] Fix a changelog link --- user_guide_src/source/changelog.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index c7bd50240..559c12884 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -16,7 +16,7 @@ Release Date: Oct 22, 2016 - Added ``E_PARSE`` to the list of error levels detected by the shutdown handler. - Updated :doc:`Inflector Helper ` :php:func:`is_countable()` with more words. - Updated :doc:`common function ` :php:func:`set_status_header()` with new status codes from IETF RFCs - `2817 https://tools.ietf.org/html/rfc2817>`_ (426) + `2817 `_ (426) and `6585 `_ (428, 429, 431, 511). Bug fixes for 3.1.1 -- cgit v1.2.3-24-g4f1b From 255e4c073fcd82f4c35ef0789aa2f98a16ee8092 Mon Sep 17 00:00:00 2001 From: vkeranov Date: Sun, 23 Oct 2016 20:47:32 +0300 Subject: Small Changelog Fix --- user_guide_src/source/changelog.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 559c12884..2d9ef69b5 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst 
@@ -27,7 +27,7 @@ Bug fixes for 3.1.1 - Fixed a bug (#4737) - :doc:`Query Builder ` didn't add an ``OFFSET`` when ``LIMIT`` is zero or unused. - Fixed a regression (#4739) - :doc:`Email Library ` doesn't properly separate attachment bodies from headers. - Fixed a bug (#4754) - :doc:`Unit Testing Library ` method ``result()`` didn't translate ``res_datatype``. -- Fixed a bug (#4759) - :doc:`Form Validation `, :doc:`Trackback ` and `XML-RPC ` libraries treated URI schemes in a case-sensitive manner. +- Fixed a bug (#4759) - :doc:`Form Validation `, :doc:`Trackback ` and :doc:`XML-RPC ` libraries treated URI schemes in a case-sensitive manner. - Fixed a bug (#4762) - :doc:`Cache Library ` 'file' driver method ``get_metadata()`` checked TTL time against ``mtime`` instead of the cache item's creation time. - Fixed a bug where :doc:`File Uploading Library ` generated error messages on PHP 7.1. - Fixed a bug (#4780) - :doc:`compatibility function ` ``hex2bin()`` didn't reject inputs of type "resource". -- cgit v1.2.3-24-g4f1b From b6359a6edc03e4959ab7ae0918b89e49b4b39b8d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 24 Oct 2016 09:41:29 +0300 Subject: Merge pull request #4868 from hex-ci/patch-2 [ci skip] Fix a doc link --- user_guide_src/source/general/compatibility_functions.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user_guide_src/source/general/compatibility_functions.rst b/user_guide_src/source/general/compatibility_functions.rst index 936f2a24b..584968663 100644 --- a/user_guide_src/source/general/compatibility_functions.rst +++ b/user_guide_src/source/general/compatibility_functions.rst 
@@ -10,7 +10,7 @@ Being custom implementations, these functions will also have some set of dependencies on their own, but are still useful if your PHP setup doesn't offer them natively. -.. note:: Much like the `common functions `, the +.. note:: Much like the :doc:`common functions `, the compatibility functions are always available, as long as their dependencies are met. -- cgit v1.2.3-24-g4f1b From d81b59ef02dab9072e44eec2dec519e5178e7759 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 24 Oct 2016 09:45:54 +0300 Subject: [ci skip] Fix 3.1.1 download link --- user_guide_src/source/installation/downloads.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user_guide_src/source/installation/downloads.rst b/user_guide_src/source/installation/downloads.rst index 7380dcb28..d04bccb7c 100644 --- a/user_guide_src/source/installation/downloads.rst +++ b/user_guide_src/source/installation/downloads.rst @@ -2,7 +2,7 @@ Downloading CodeIgniter ####################### -- `CodeIgniter v3.1.1 (Current version) `_ +- `CodeIgniter v3.1.1 (Current version) `_ - `CodeIgniter v3.1.0 `_ - `CodeIgniter v3.0.6 `_ - `CodeIgniter v3.0.5 `_ @@ -32,4 +32,4 @@ Please note that while every effort is made to keep this code base functional, we cannot guarantee the functionality of code taken from the develop branch. -Beginning with version 2.0.3, stable versions are also available via `GitHub Releases `_. \ No newline at end of file +Beginning with version 2.0.3, stable versions are also available via `GitHub Releases `_. -- cgit v1.2.3-24-g4f1b From 777bb986d9e252dcc4dde3c76c03b0e0c7c1f8ef Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 24 Oct 2016 10:11:22 +0300 Subject: [ci skip] Update docs on trans_off() --- user_guide_src/source/database/transactions.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/user_guide_src/source/database/transactions.rst b/user_guide_src/source/database/transactions.rst index 2e6d4b477..e25b8ed14 100644 --- a/user_guide_src/source/database/transactions.rst +++ b/user_guide_src/source/database/transactions.rst @@ -75,12 +75,11 @@ debugging is turned off, you can manage your own errors like this:: // generate an error... or use the log_message() function to log your error } -Enabling Transactions -===================== +Disabling Transactions +====================== -Transactions are enabled automatically the moment you use -$this->db->trans_start(). If you would like to disable transactions you -can do so using $this->db->trans_off():: +If you would like to disable transactions you can do so using +``$this->db->trans_off()``:: $this->db->trans_off(); @@ -88,8 +87,9 @@ can do so using $this->db->trans_off():: $this->db->query('AN SQL QUERY...'); $this->db->trans_complete(); -When transactions are disabled, your queries will be auto-commited, just -as they are when running queries without transactions. +When transactions are disabled, your queries will be auto-commited, just as +they are when running queries without transactions, practically ignoring +any calls to ``trans_start()``, ``trans_complete()``, etc. Test Mode ========= -- cgit v1.2.3-24-g4f1b From 40282340cd7de02cbe8297f557b7d3e23cbc652a Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 26 Oct 2016 17:41:18 +0300 Subject: Fix #4877 --- system/core/Security.php | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index 4a69daa18..b9160a252 100644 --- a/system/core/Security.php +++ b/system/core/Security.php 
@@ -371,11 +371,17 @@ class CI_Security { * * Note: Use rawurldecode() so it does not remove plus signs */ - do + if (stripos($str, '%') !== false) { - $str = rawurldecode($str); + do + { + $oldstr = $str; + $str = rawurldecode($str); + $str = preg_replace_callback('#%(?:\s*[0-9a-f]){2,}#i', array($this, '_urldecodespaces'), $str); + } + while ($oldstr !== $str); + unset($oldstr); } - while (preg_match('/%[0-9a-f]{2,}/i', $str)); /* * Convert character entities to ASCII @@ -466,7 +472,7 @@ class CI_Security { if (preg_match('/]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str); + $str = preg_replace_callback('#]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str); } if (preg_match('/ Date: Thu, 27 Oct 2016 15:06:46 +0300 Subject: [ci skip] This is 3.1.2-dev --- system/core/CodeIgniter.php | 2 +- user_guide_src/source/conf.py | 4 ++-- user_guide_src/source/installation/downloads.rst | 3 ++- user_guide_src/source/installation/upgrade_312.rst | 14 ++++++++++++++ user_guide_src/source/installation/upgrading.rst | 3 ++- 5 files changed, 21 insertions(+), 5 deletions(-) create mode 100644 user_guide_src/source/installation/upgrade_312.rst diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index c5d26e52b..6562e99a2 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - const CI_VERSION = '3.1.1'; + const CI_VERSION = '3.1.2-dev'; /* * ------------------------------------------------------ diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py index a685c4442..17771fa9e 100644 --- a/user_guide_src/source/conf.py +++ b/user_guide_src/source/conf.py 
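Review bot: The new loop in the `-371` hunk assigns the result of `preg_replace_callback()` straight back to `$str`, but that function returns NULL on a PCRE error and nothing here checks for it. From these lines the loop then appears to settle on an empty string, so the input is dropped without any log entry; if that fail-closed outcome is intended, say so in a comment such as `// a PCRE failure yields NULL, which ends the loop with an empty string`, otherwise test the return value before reassigning. Two style points on the guard: `%` has no case, so `strpos()` does the job of `stripos()`, and the constant is written `false` where the rest of the code on this page uses `FALSE`. The `_urldecodespaces` callback and the rest of `xss_clean()` are outside the hunk, so the loop's termination could not be checked here.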
@@ -48,9 +48,9 @@ copyright = u'2014 - 2016, British Columbia Institute of Technology' # built documents. # # The short X.Y version. -version = '3.1.1' +version = '3.1.2-dev' # The full version, including alpha/beta/rc tags. -release = '3.1.1' +release = '3.1.2-dev' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/user_guide_src/source/installation/downloads.rst b/user_guide_src/source/installation/downloads.rst index d04bccb7c..1eacd4d33 100644 --- a/user_guide_src/source/installation/downloads.rst +++ b/user_guide_src/source/installation/downloads.rst @@ -2,7 +2,8 @@ Downloading CodeIgniter ####################### -- `CodeIgniter v3.1.1 (Current version) `_ +- `CodeIgniter v3.1.2-dev (Current version) `_ +- `CodeIgniter v3.1.1 `_ - `CodeIgniter v3.1.0 `_ - `CodeIgniter v3.0.6 `_ - `CodeIgniter v3.0.5 `_ diff --git a/user_guide_src/source/installation/upgrade_312.rst b/user_guide_src/source/installation/upgrade_312.rst new file mode 100644 index 000000000..91467233e --- /dev/null +++ b/user_guide_src/source/installation/upgrade_312.rst @@ -0,0 +1,14 @@ +############################# +Upgrading from 3.1.1 to 3.1.2 +############################# + +Before performing an update you should take your site offline by +replacing the index.php file with a static one. + +Step 1: Update your CodeIgniter files +===================================== + +Replace all files and directories in your *system/* directory. + +.. note:: If you have any custom developed files in these directories, + please make copies of them first. diff --git a/user_guide_src/source/installation/upgrading.rst b/user_guide_src/source/installation/upgrading.rst index 727d054d1..61b16e038 100644 --- a/user_guide_src/source/installation/upgrading.rst +++ b/user_guide_src/source/installation/upgrading.rst 
@@ -8,8 +8,9 @@ upgrading from. .. toctree:: :titlesonly: + Upgrading from 3.1.2 to 3.1.2 Upgrading from 3.1.0 to 3.1.1 - Upgrading from 3.0.6 to 3.1.0 + Upgrading from 3.0.6 to 3.1.x Upgrading from 3.0.5 to 3.0.6 Upgrading from 3.0.4 to 3.0.5 Upgrading from 3.0.3 to 3.0.4 -- cgit v1.2.3-24-g4f1b From 098412502a966597631470a2f0cf935d9ecfe16d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 27 Oct 2016 15:10:30 +0300 Subject: [ci skip] Add changelog entry for #4877 --- user_guide_src/source/changelog.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 2d9ef69b5..ee66cc0a4 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -2,6 +2,15 @@ Change Log ########## +Version 3.1.2 +============= + +Release Date: Not Released + +- **Security** + + - Fixed a new URL-encoding attack vector in :doc:`Security Library ` method ``xss_clean()`` affecting Firefox. + Version 3.1.1 ============= -- cgit v1.2.3-24-g4f1b From 7bc882384ef4c442fb4edd699c8dd15bbd22e429 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 27 Oct 2016 15:41:23 +0300 Subject: Close #4875 --- system/core/CodeIgniter.php | 21 ++++++++++++++++++++- user_guide_src/source/changelog.rst | 4 ++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 6562e99a2..32ad61899 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php 
@@ -416,10 +416,29 @@ if ( ! is_php('5.4')) $params = array($method, array_slice($URI->rsegments, 2)); $method = '_remap'; } - elseif ( ! is_callable(array($class, $method))) + elseif ( ! method_exists($class, $method)) { $e404 = TRUE; } + /** + * DO NOT CHANGE THIS, NOTHING ELSE WORKS! + * + * - method_exists() returns true for non-public methods, which passes the previous elseif + * - is_callable() returns false for PHP 4-style constructors, even if there's a __construct() + * - method_exists($class, '__construct') won't work because CI_Controller::__construct() is inherited + * - People will only complain if this doesn't work, even though it is documented that it shouldn't. + * + * ReflectionMethod::isConstructor() is the ONLY reliable check, + * knowing which method will be executed as a constructor. + */ + elseif ( ! is_callable(array($class, $method)) && strcasecmp($class, $method) === 0) + { + $reflection = new ReflectionMethod($class, $method); + if ( ! $reflection->isPublic() OR $reflection->isConstructor()) + { + $e404 = TRUE; + } + } } if ($e404) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index ee66cc0a4..b7be0866f 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -11,6 +11,10 @@ Release Date: Not Released - Fixed a new URL-encoding attack vector in :doc:`Security Library ` method ``xss_clean()`` affecting Firefox. +- General Changes + + - Allowed PHP 4-style constructors (``Mathching_name::Matching_name()`` methods) to be used as routes, if there's a ``__construct()`` to override them. + Version 3.1.1 ============= -- cgit v1.2.3-24-g4f1b From 2f760877c313871e5066b93b0b1aa76428c09fb6 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 27 Oct 2016 16:39:12 +0300 Subject: Fix #4874 --- system/libraries/Session/Session.php | 63 ++++++++++++++++++++++++++++++------ user_guide_src/source/changelog.rst | 5 +++ 2 files changed, 59 insertions(+), 9 deletions(-) 
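Review bot: The second `elseif` only runs when `strcasecmp($class, $method) === 0`, so a protected or private method whose name differs from the class name is caught by neither branch: `method_exists()` returns true for it (as the new comment itself notes) and the reflection check is skipped. `$e404` is then not set to TRUE for a method that cannot be called from the front controller, and the request presumably ends in a PHP error after the controller has been constructed instead of a 404. Dropping the name comparison covers both cases, `elseif ( ! is_callable(array($class, $method)))`, since the `isPublic()`/`isConstructor()` test inside already tells them apart. The enclosing `if`/`else` chain starts above the hunk, so any earlier filters on `$method` are not visible here.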
diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php
index 5aac12f36..ea7853108 100644
--- a/system/libraries/Session/Session.php
+++ b/system/libraries/Session/Session.php
@@ -318,35 +318,80 @@ class CI_Session { ini_set('session.use_cookies', 1); ini_set('session.use_only_cookies', 1); + $this->_configure_sid_length(); + } + + // ------------------------------------------------------------------------ + + /** + * Configure session ID length + * + * To make life easier, we used to force SHA-1 and 4 bits per + * character on everyone. And of course, someone was unhappy. + * + * Then PHP 7.1 broke backwards-compatibility because ext/session + * is such a mess that nobody wants to touch it with a pole stick, + * and the one guy who does, nobody has the energy to argue with. + * + * So we were forced to make changes, and OF COURSE something was + * going to break and now we have this pile of shit. -- Narf + * + * @return void + */ + protected function _configure_sid_length() + { if (PHP_VERSION_ID < 70100) { - if ((int) ini_get('session.hash_function') === 0) + $hash_function = ini_get('session.hash_function'); + if (ctype_digit($hash_function)) + { + if ($hash_function !== '1') + { + ini_set('session.hash_function', 1); + $bits = 160; + } + } + elseif ( ! 
in_array($hash_function, hash_algos(), TRUE)) { ini_set('session.hash_function', 1); - ini_set('session.hash_bits_per_character', $bits_per_character = 4); + $bits = 160; } - else + elseif (($bits = strlen(hash($hash_function, 'dummy', false)) * 4) < 160) { - $bits_per_character = (int) ini_get('session.hash_bits_per_character'); + ini_set('session.hash_function', 1); + $bits = 160; } + + $bits_per_character = (int) ini_get('session.hash_bits_per_character'); + $sid_length = $bits * $bits_per_character; } - elseif ((int) ini_get('session.sid_length') < 40 && ($bits_per_character = (int) ini_get('session.sid_bits_per_character')) === 4) + else { - ini_set('session.sid_length', 40); + $bits_per_character = (int) ini_get('session.sid_bits_per_character'); + $sid_length = (int) ini_get('session.sid_length'); + if (($bits = $sid_length * $bits_per_character) < 160) + { + // Add as many more characters as necessary to reach at least 160 bits + $sid_length += (int) ceil((160 % $bits) / $bits_per_character); + ini_set('session.sid_length', $sid_length); + } } + // Yes, 4,5,6 are the only known possible values as of 2016-10-27 switch ($bits_per_character) { case 4: - $this->_sid_regexp = '[0-9a-f]{40,}'; + $this->_sid_regexp = '[0-9a-f]'; break; case 5: - $this->_sid_regexp = '[0-9a-v]{40,}'; + $this->_sid_regexp = '[0-9a-v]'; break; case 6: - $this->_sid_regexp = '[0-9a-zA-Z,-]{40,}'; + $this->_sid_regexp = '[0-9a-zA-Z,-]'; break; } + + $this->_sid_regexp .= '{'.$sid_length.'}'; } // ------------------------------------------------------------------------ diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index b7be0866f..4c6143c59 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst 
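Review bot: In the pre-7.1 branch of `_configure_sid_length()`, `$sid_length = $bits * $bits_per_character;` multiplies where the number of characters is the bit count divided by the bits per character, so 160 bits at 4 bits per character gives 640 instead of 40 and the resulting `{640}` quantifier would reject the IDs PHP actually issues. `$bits` is also never assigned when `session.hash_function` is already `'1'`, because the assignment sits inside `if ($hash_function !== '1')`. The computation should read `$sid_length = (int) ceil($bits / $bits_per_character);` with `$bits = 160;` moved out of the inner `if`. Separately, the `switch` has no `default:`, so an unexpected `$bits_per_character` leaves only the `{N}` quantifier appended to whatever `_sid_regexp` held before, and session ID validation then fails without any logged reason.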
@@ -15,6 +15,11 @@ Release Date: Not Released - Allowed PHP 4-style constructors (``Mathching_name::Matching_name()`` methods) to be used as routes, if there's a ``__construct()`` to override them. +Bug fixes for 3.1.2 +------------------- + +- Fixed a regression (#4874) - :doc:`Session Library ` didn't take into account `session.hash_bits_per_character` when validating session IDs. + Version 3.1.1 ============= -- cgit v1.2.3-24-g4f1b From 2b9d88c3fe78218bb9d8bcbb6ea114d190bc0d0e Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 27 Oct 2016 16:47:57 +0300 Subject: [ci skip] Fix changelog entry formatting from last commit --- user_guide_src/source/changelog.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 4c6143c59..51242efa3 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -18,7 +18,7 @@ Release Date: Not Released Bug fixes for 3.1.2 ------------------- -- Fixed a regression (#4874) - :doc:`Session Library ` didn't take into account `session.hash_bits_per_character` when validating session IDs. +- Fixed a regression (#4874) - :doc:`Session Library ` didn't take into account ``session.hash_bits_per_character`` when validating session IDs. Version 3.1.1 ============= -- cgit v1.2.3-24-g4f1b From 0c23e9122666a30797079bea9415da135d4f7e12 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 27 Oct 2016 16:55:19 +0300 Subject: Fix #4871 --- system/database/DB_query_builder.php | 8 +++++--- user_guide_src/source/changelog.rst | 1 + 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/system/database/DB_query_builder.php b/system/database/DB_query_builder.php index 7a008eeb8..5491b2000 100644 --- a/system/database/DB_query_builder.php +++ b/system/database/DB_query_builder.php 
@@ -1915,7 +1915,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { $affected_rows = 0; for ($i = 0, $total = count($this->qb_set); $i < $total; $i += $batch_size) { - if ($this->query($this->_update_batch($this->protect_identifiers($table, TRUE, NULL, FALSE), array_slice($this->qb_set, $i, $batch_size), $this->protect_identifiers($index)))) + if ($this->query($this->_update_batch($this->protect_identifiers($table, TRUE, NULL, FALSE), array_slice($this->qb_set, $i, $batch_size), $index))) { $affected_rows += $this->affected_rows(); } @@ -1941,6 +1941,8 @@ abstract class CI_DB_query_builder extends CI_DB_driver { */ protected function _update_batch($table, $values, $index) { + $index_escaped = $this->protect_identifiers($index); + $ids = array(); foreach ($values as $key => $val) { @@ -1950,7 +1952,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { { if ($field !== $index) { - $final[$field][] = 'WHEN '.$index.' = '.$val[$index].' THEN '.$val[$field]; + $final[$field][] = 'WHEN '.$index_escaped.' = '.$val[$index].' THEN '.$val[$field]; } } } @@ -1963,7 +1965,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { .'ELSE '.$k.' END, '; } - $this->where($index.' IN('.implode(',', $ids).')', NULL, FALSE); + $this->where($index_escaped.' IN('.implode(',', $ids).')', NULL, FALSE); return 'UPDATE '.$table.' SET '.substr($cases, 0, -2).$this->_compile_wh('qb_where'); } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 51242efa3..58ca20ee9 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -19,6 +19,7 @@ Bug fixes for 3.1.2 ------------------- - Fixed a regression (#4874) - :doc:`Session Library ` didn't take into account ``session.hash_bits_per_character`` when validating session IDs. +- Fixed a bug (#4871) - :doc:`Query Builder ` method ``update_batch()`` didn't properly handle identifier escaping. Version 3.1.1 ============= -- cgit v1.2.3-24-g4f1b 
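Review bot: After this change `_update_batch()` uses the raw `$index` both as an array key (`$val[$index]`) and in `$field !== $index`, so it is only correct if the keys of each row in `$values` are unescaped column names. Those keys come from `qb_set`, which is filled outside these hunks; if they are stored already escaped, the lookup misses and the index column is no longer excluded from the `SET` list, so this is worth confirming with a test that uses an escaped identifier. The row values `$val[$index]` and `$val[$field]` are concatenated into the statement as they are, which likewise relies on escaping done where `qb_set` is built. The docblock should record the new contract, e.g. `@param string $index Index column name, not yet escaped`. The hunks at `-1941`, `-1950` and `-1963` are parts of the same function, whose body continues between them.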
From dbc025b6c2c9b0b085bb79dc126bc58fb2a8c2a8 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 27 Oct 2016 17:37:25 +0300 Subject: [ci skip] Another attempt at #4874 --- system/libraries/Session/Session.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php index ea7853108..01989d2d7 100644 --- a/system/libraries/Session/Session.php +++ b/system/libraries/Session/Session.php @@ -348,8 +348,9 @@ class CI_Session { if ($hash_function !== '1') { ini_set('session.hash_function', 1); - $bits = 160; } + + $bits = 160; } elseif ( ! in_array($hash_function, hash_algos(), TRUE)) { @@ -363,7 +364,7 @@ class CI_Session { } $bits_per_character = (int) ini_get('session.hash_bits_per_character'); - $sid_length = $bits * $bits_per_character; + $sid_length = (int) ceil($bits / $bits_per_character); } else { -- cgit v1.2.3-24-g4f1b From be4bab99fc8165858568e0278492aaebecee68f0 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 28 Oct 2016 12:50:03 +0300 Subject: Fix #4884 --- system/database/DB_query_builder.php | 2 +- user_guide_src/source/changelog.rst | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/system/database/DB_query_builder.php b/system/database/DB_query_builder.php index 5491b2000..5a86ce50f 100644 --- a/system/database/DB_query_builder.php +++ b/system/database/DB_query_builder.php @@ -679,7 +679,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { // value appears not to have been set, assign the test to IS NULL $k .= ' IS NULL'; } - elseif (preg_match('/\s*(!?=|<>|IS(?:\s+NOT)?)\s*$/i', $k, $match, PREG_OFFSET_CAPTURE)) + elseif (preg_match('/\s*(!?=|<>|\sIS(?:\s+NOT)?\s)\s*$/i', $k, $match, PREG_OFFSET_CAPTURE)) { $k = substr($k, 0, $match[0][1]).($match[1][0] === '=' ? ' IS NULL' : ' IS NOT NULL'); } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 58ca20ee9..0a8160acb 100644 
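Review bot: `$sid_length = (int) ceil($bits / $bits_per_character);` in the `-363` hunk divides by a value that comes from `(int) ini_get('session.hash_bits_per_character')` and is never checked, so a missing or non-numeric setting makes the divisor 0. A guard before the division keeps the computed length sane and restores the explicit default the earlier code set: `if ( ! in_array($bits_per_character, array(4, 5, 6), TRUE)) { ini_set('session.hash_bits_per_character', $bits_per_character = 4); }`. The function starts and ends outside both Session.php hunks, so how the length is used afterwards is not visible here.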
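Review bot: The new alternative `\sIS(?:\s+NOT)?\s` in the `-679` hunk requires a whitespace character after the keyword as well as before it, so a key that ends exactly at `IS` or `IS NOT` (for example `'field IS NOT'` with a NULL value) no longer matches this branch unless `$k` carries trailing whitespace. The leading `\s` is what stops column names ending in 'is' from matching, and the existing `\s*$` already anchors the end, so the trailing `\s` can go: `'/\s*(!?=|<>|\sIS(?:\s+NOT)?)\s*$/i'`. Whether `$k` is trimmed before this point is not visible in the hunk, so a test for `where('field IS NOT', NULL)` should settle it.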
--- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -20,6 +20,7 @@ Bug fixes for 3.1.2 - Fixed a regression (#4874) - :doc:`Session Library ` didn't take into account ``session.hash_bits_per_character`` when validating session IDs. - Fixed a bug (#4871) - :doc:`Query Builder ` method ``update_batch()`` didn't properly handle identifier escaping. +- Fixed a bug (#4884) - :doc:`Query Builder ` didn't properly parse field names ending in 'is' when used inside WHERE and HAVING statements. Version 3.1.1 ============= -- cgit v1.2.3-24-g4f1b From 8bb7f7f50e99407c5f4def6e2f8e429245bd8613 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 28 Oct 2016 13:16:38 +0300 Subject: [ci skip] Add upgrade instructions for CI_Sessions --- user_guide_src/source/installation/upgrade_312.rst | 26 ++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/user_guide_src/source/installation/upgrade_312.rst b/user_guide_src/source/installation/upgrade_312.rst index 91467233e..e0b2191dd 100644 --- a/user_guide_src/source/installation/upgrade_312.rst +++ b/user_guide_src/source/installation/upgrade_312.rst 
@@ -12,3 +12,29 @@ Replace all files and directories in your *system/* directory. .. note:: If you have any custom developed files in these directories, please make copies of them first. + +Step 2: Update your "ci_sessions" database table +================================================ + +If you're using the :doc:`Session Library ` with the +'database' driver, you may have to ``ALTER`` your sessions table for your +sessions to continue to work. + +.. note:: The table in question is not necessarily named "ci_sessions". + It is what you've set as your ``$config['sess_save_path']``. + +This will only affect you if you've changed your ``session.hash_function`` +*php.ini* setting to something like 'sha512'. Or if you've been running +an older CodeIgniter version on PHP 7.1+. + +It is recommended that you do this anyway, just to avoid potential issues +in the future if you do change your configuration. + +Just execute the one of the following SQL queries, depending on your +database:: + + // MySQL: + ALTER TABLE ci_sessions CHANGE id id varchar(128) NOT NULL; + + // PostgreSQL + ALTER TABLE ci_sessions ALTER COLUMN id SET DATA TYPE varchar(128); -- cgit v1.2.3-24-g4f1b From 4c7323e2e0ff8f39e4b14233903c3bba878240b7 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 28 Oct 2016 13:18:17 +0300 Subject: [ci skip] Clear trailing whitespace from PR #4834 --- system/helpers/inflector_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/helpers/inflector_helper.php b/system/helpers/inflector_helper.php index 6dc3b5030..f54dac019 100644 --- a/system/helpers/inflector_helper.php +++ b/system/helpers/inflector_helper.php @@ -268,7 +268,7 @@ if ( ! function_exists('is_countable')) 'species', 'swine', 'traffic', - 'wheat', + 'wheat' ) ); } -- cgit v1.2.3-24-g4f1b From 4e2cdec6ff4b4af5f994be4c348ad3b9a9a2942f Mon Sep 17 00:00:00 2001 
From: Andrey Andreev Date: Fri, 28 Oct 2016 14:19:08 +0300 Subject: Improve byte-safety --- system/core/Log.php | 53 +++++++++++++++++++++- system/core/Output.php | 62 +++++++++++++++++++++++--- system/libraries/Email.php | 87 +++++++++++++++++++++++++++++-------- system/libraries/Zip.php | 74 +++++++++++++++++++++++++------ user_guide_src/source/changelog.rst | 1 + 5 files changed, 236 insertions(+), 41 deletions(-) diff --git a/system/core/Log.php b/system/core/Log.php index 986121526..cf6c75a95 100644 --- a/system/core/Log.php +++ b/system/core/Log.php @@ -104,6 +104,13 @@ class CI_Log { */ protected $_levels = array('ERROR' => 1, 'DEBUG' => 2, 'INFO' => 3, 'ALL' => 4); + /** + * mbstring.func_override flag + * + * @var bool + */ + protected static $func_override; + // -------------------------------------------------------------------- /** @@ -115,6 +122,8 @@ class CI_Log { { $config =& get_config(); + isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); + $this->_log_path = ($config['log_path'] !== '') ? $config['log_path'] : APPPATH.'logs/'; $this->_file_ext = (isset($config['log_file_extension']) && $config['log_file_extension'] !== '') ? ltrim($config['log_file_extension'], '.') : 'php'; @@ -208,9 +217,9 @@ class CI_Log { $message .= $this->_format_line($level, $date, $msg); - for ($written = 0, $length = strlen($message); $written < $length; $written += $result) + for ($written = 0, $length = self::strlen($message); $written < $length; $written += $result) { - if (($result = fwrite($fp, substr($message, $written))) === FALSE) + if (($result = fwrite($fp, self::substr($message, $written))) === FALSE) { break; } 
@@ -244,4 +253,44 @@ class CI_Log { { return $level.' - '.$date.' --> '.$message."\n"; } + + // -------------------------------------------------------------------- + + /** + * Byte-safe strlen() + * + * @param string $str + * @return int + */ + protected static function strlen($str) + { + return (self::$func_override) + ? mb_strlen($str, '8bit') + : strlen($str); + } + + // -------------------------------------------------------------------- + + /** + * Byte-safe substr() + * + * @param string $str + * @param int $start + * @param int $length + * @return string + */ + protected static function substr($str, $start, $length = NULL) + { + if (self::$func_override) + { + // mb_substr($str, $start, null, '8bit') returns an empty + // string on PHP 5.3 + isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start); + return mb_substr($str, $start, $length, '8bit'); + } + + return isset($length) + ? substr($str, $start, $length) + : substr($str, $start); + } } diff --git a/system/core/Output.php b/system/core/Output.php index 06ff1011c..cf6510ff1 100644 --- a/system/core/Output.php +++ b/system/core/Output.php @@ -122,6 +122,13 @@ class CI_Output { */ public $parse_exec_vars = TRUE; + /** + * mbstring.func_override flag + * + * @var bool + */ + protected static $func_override; + /** * Class constructor * @@ -138,6 +145,8 @@ class CI_Output { && extension_loaded('zlib') ); + isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); + // Get mime types for later $this->mimes =& get_mimes(); @@ -304,9 +313,9 @@ class CI_Output { for ($i = 0, $c = count($headers); $i < $c; $i++) { - if (strncasecmp($header, $headers[$i], $l = strlen($header)) === 0) + if (strncasecmp($header, $headers[$i], $l = self::strlen($header)) === 0) { - return trim(substr($headers[$i], $l+1)); + return trim(self::substr($headers[$i], $l+1)); } } 
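Review bot: The `strlen()`/`substr()` helpers added in the `-244` hunk, together with the `$func_override` flag, are repeated verbatim in `CI_Output`, `CI_Email` and `CI_Zip` further down the page, so four copies of the PHP 5.3 workaround have to be kept in step. The docblocks say only "Byte-safe strlen()" and "Byte-safe substr()"; they should state the contract callers rely on, e.g. `Returns the length of $str in bytes, regardless of mbstring.func_override`, and that `$start` and `$length` are byte offsets. The flag set in the constructor is true for any non-zero `mbstring.func_override`, whereas only the value-2 bit replaces the string functions; `(bool) ((int) ini_get('mbstring.func_override') & 2)` would state the condition exactly, though the `'8bit'` calls give the same result either way.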
@@ -480,13 +489,13 @@ class CI_Output { if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== FALSE) { header('Content-Encoding: gzip'); - header('Content-Length: '.strlen($output)); + header('Content-Length: '.self::strlen($output)); } else { // User agent doesn't support gzip compression, // so we'll have to decompress our cache - $output = gzinflate(substr($output, 10, -8)); + $output = gzinflate(self::substr($output, 10, -8)); } } @@ -601,9 +610,9 @@ class CI_Output { $output = $cache_info.'ENDCI--->'.$output; - for ($written = 0, $length = strlen($output); $written < $length; $written += $result) + for ($written = 0, $length = self::strlen($output); $written < $length; $written += $result) { - if (($result = fwrite($fp, substr($output, $written))) === FALSE) + if (($result = fwrite($fp, self::substr($output, $written))) === FALSE) { break; } @@ -711,7 +720,7 @@ class CI_Output { } // Display the cache - $this->_display(substr($cache, strlen($match[0]))); + $this->_display(self::substr($cache, self::strlen($match[0]))); log_message('debug', 'Cache file is current. Sending it to browser.'); return TRUE; } 
@@ -797,4 +806,43 @@ class CI_Output { } } + // -------------------------------------------------------------------- + + /** + * Byte-safe strlen() + * + * @param string $str + * @return int + */ + protected static function strlen($str) + { + return (self::$func_override) + ? mb_strlen($str, '8bit') + : strlen($str); + } + + // -------------------------------------------------------------------- + + /** + * Byte-safe substr() + * + * @param string $str + * @param int $start + * @param int $length + * @return string + */ + protected static function substr($str, $start, $length = NULL) + { + if (self::$func_override) + { + // mb_substr($str, $start, null, '8bit') returns an empty + // string on PHP 5.3 + isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start); + return mb_substr($str, $start, $length, '8bit'); + } + + return isset($length) + ? substr($str, $start, $length) + : substr($str, $start); + } } diff --git a/system/libraries/Email.php b/system/libraries/Email.php index 7f49c1b3d..676bbcafb 100644 --- a/system/libraries/Email.php +++ b/system/libraries/Email.php @@ -374,6 +374,13 @@ class CI_Email { 5 => '5 (Lowest)' ); + /** + * mbstring.func_override flag + * + * @var bool + */ + protected static $func_override; + // -------------------------------------------------------------------- /** @@ -390,6 +397,8 @@ class CI_Email { $this->initialize($config); $this->_safe_mode = ( ! is_php('5.4') && ini_get('safe_mode')); + isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); + log_message('info', 'Email Class Initialized'); } @@ -1037,7 +1046,7 @@ class CI_Email { { if (function_exists('idn_to_ascii') && $atpos = strpos($email, '@')) { - $email = substr($email, 0, ++$atpos).idn_to_ascii(substr($email, $atpos)); + $email = self::substr($email, 0, ++$atpos).idn_to_ascii(self::substr($email, $atpos)); } return (bool) filter_var($email, FILTER_VALIDATE_EMAIL); 
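Review bot: In the `-1037` hunk of Email.php, `$atpos` still comes from plain `strpos()` while the slicing now goes through the byte-based `self::substr()`. When `mbstring.func_override` overloads the string functions, `strpos()` is replaced by its multibyte counterpart and returns a character offset, which no longer agrees with a byte offset once the part before `@` contains multibyte characters, so the domain handed to `idn_to_ascii()` would be cut at the wrong place. The two calls need to use the same unit, either by keeping `substr()` on this line or by adding a byte-safe position helper next to the other two. The function's signature is outside the hunk.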
@@ -1154,7 +1163,7 @@ class CI_Email { { // Is the line within the allowed character count? // If so we'll join it to the output and continue - if (mb_strlen($line) <= $charlim) + if (self::strlen($line) <= $charlim) { $output .= $line.$this->newline; continue; @@ -1170,10 +1179,10 @@ class CI_Email { } // Trim the word down - $temp .= mb_substr($line, 0, $charlim - 1); - $line = mb_substr($line, $charlim - 1); + $temp .= self::substr($line, 0, $charlim - 1); + $line = self::substr($line, $charlim - 1); } - while (mb_strlen($line) > $charlim); + while (self::strlen($line) > $charlim); // If $temp contains data it means we had to split up an over-length // word into smaller chunks so we'll add it back to our current line @@ -1385,7 +1394,7 @@ class CI_Email { $this->_header_str .= $hdr; } - strlen($body) && $body .= $this->newline.$this->newline; + self::strlen($body) && $body .= $this->newline.$this->newline; $body .= $this->_get_mime_message().$this->newline.$this->newline .'--'.$last_boundary.$this->newline @@ -1532,7 +1541,7 @@ class CI_Email { foreach (explode("\n", $str) as $line) { - $length = strlen($line); + $length = self::strlen($line); $temp = ''; // Loop through each character in the line to add soft-wrap @@ -1567,7 +1576,7 @@ class CI_Email { // If we're at the character limit, add the line to the output, // reset our temp variable, and keep on chuggin' - if ((strlen($temp) + strlen($char)) >= 76) + if ((self::strlen($temp) + self::strlen($char)) >= 76) { $output .= $temp.$escape.$this->crlf; $temp = ''; @@ -1582,7 +1591,7 @@ class CI_Email { } // get rid of extra CRLF tacked onto the end - return substr($output, 0, strlen($this->crlf) * -1); + return self::substr($output, 0, self::strlen($this->crlf) * -1); } // -------------------------------------------------------------------- 
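Review bot: The `-1154` and `-1170` hunks replace `mb_strlen()`/`mb_substr()` with the byte-based helpers, so over-long words are now measured and cut in bytes rather than characters. `self::substr($line, 0, $charlim - 1)` can therefore split a multibyte character across two chunks, leaving invalid sequences in the body of UTF-8 mail. If a byte limit is the intent, the cut should at least fall on a character boundary; if a character limit is the intent, these lines should stay on the `mb_*` functions with the message charset passed explicitly, e.g. `mb_substr($line, 0, $charlim - 1, $this->charset)`. The surrounding loop begins and ends outside the hunks.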
@@ -1624,7 +1633,7 @@ class CI_Email { // iconv_mime_encode() will always put a header field name. // We've passed it an empty one, but it still prepends our // encoded string with ': ', so we need to strip it. - return substr($output, 2); + return self::substr($output, 2); } $chars = iconv_strlen($str, 'UTF-8'); @@ -1636,10 +1645,10 @@ class CI_Email { } // We might already have this set for UTF-8 - isset($chars) OR $chars = strlen($str); + isset($chars) OR $chars = self::strlen($str); $output = '=?'.$this->charset.'?Q?'; - for ($i = 0, $length = strlen($output); $i < $chars; $i++) + for ($i = 0, $length = self::strlen($output); $i < $chars; $i++) { $chr = ($this->charset === 'UTF-8' && ICONV_ENABLED === TRUE) ? '='.implode('=', str_split(strtoupper(bin2hex(iconv_substr($str, $i, 1, $this->charset))), 2)) @@ -1647,11 +1656,11 @@ class CI_Email { // RFC 2045 sets a limit of 76 characters per line. // We'll append ?= to the end of each line though. - if ($length + ($l = strlen($chr)) > 74) + if ($length + ($l = self::strlen($chr)) > 74) { $output .= '?='.$this->crlf // EOL .' =?'.$this->charset.'?Q?'.$chr; // New line - $length = 6 + strlen($this->charset) + $l; // Reset the length for the new line + $length = 6 + self::strlen($this->charset) + $l; // Reset the length for the new line } else { @@ -1744,14 +1753,14 @@ class CI_Email { if ($i === $float) { - $chunk[] = substr($set, 1); + $chunk[] = self::substr($set, 1); $float += $this->bcc_batch_size; $set = ''; } if ($i === $c-1) { - $chunk[] = substr($set, 1); + $chunk[] = self::substr($set, 1); } } @@ -2109,7 +2118,7 @@ class CI_Email { $this->_debug_msg[] = '
'.$cmd.': '.$reply.'
'; - if ((int) substr($reply, 0, 3) !== $resp) + if ((int) self::substr($reply, 0, 3) !== $resp) { $this->_set_error_message('lang:email_smtp_error', $reply); return FALSE; @@ -2196,9 +2205,9 @@ class CI_Email { protected function _send_data($data) { $data .= $this->newline; - for ($written = $timestamp = 0, $length = strlen($data); $written < $length; $written += $result) + for ($written = $timestamp = 0, $length = self::strlen($data); $written < $length; $written += $result) { - if (($result = fwrite($this->_smtp_connect, substr($data, $written))) === FALSE) + if (($result = fwrite($this->_smtp_connect, self::substr($data, $written))) === FALSE) { break; } @@ -2382,4 +2391,44 @@ class CI_Email { { is_resource($this->_smtp_connect) && $this->_send_command('quit'); } + + // -------------------------------------------------------------------- + + /** + * Byte-safe strlen() + * + * @param string $str + * @return int + */ + protected static function strlen($str) + { + return (self::$func_override) + ? mb_strlen($str, '8bit') + : strlen($str); + } + + // -------------------------------------------------------------------- + + /** + * Byte-safe substr() + * + * @param string $str + * @param int $start + * @param int $length + * @return string + */ + protected static function substr($str, $start, $length = NULL) + { + if (self::$func_override) + { + // mb_substr($str, $start, null, '8bit') returns an empty + // string on PHP 5.3 + isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start); + return mb_substr($str, $start, $length, '8bit'); + } + + return isset($length) + ? substr($str, $start, $length) + : substr($str, $start); + } } diff --git a/system/libraries/Zip.php b/system/libraries/Zip.php index 140ad7212..25315c92e 100644 --- a/system/libraries/Zip.php +++ b/system/libraries/Zip.php 
@@ -105,6 +105,13 @@ class CI_Zip { */ public $compression_level = 2; + /** + * mbstring.func_override flag + * + * @var bool + */ + protected static $func_override; + /** * Initialize zip compression class * @@ -112,6 +119,8 @@ class CI_Zip { */ public function __construct() { + isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); + $this->now = time(); log_message('info', 'Zip Compression Class Initialized'); } @@ -182,7 +191,7 @@ class CI_Zip { .pack('V', 0) // crc32 .pack('V', 0) // compressed filesize .pack('V', 0) // uncompressed filesize - .pack('v', strlen($dir)) // length of pathname + .pack('v', self::strlen($dir)) // length of pathname .pack('v', 0) // extra field length .$dir // below is "data descriptor" segment @@ -197,7 +206,7 @@ class CI_Zip { .pack('V',0) // crc32 .pack('V',0) // compressed filesize .pack('V',0) // uncompressed filesize - .pack('v', strlen($dir)) // length of pathname + .pack('v', self::strlen($dir)) // length of pathname .pack('v', 0) // extra field length .pack('v', 0) // file comment length .pack('v', 0) // disk number start @@ -206,7 +215,7 @@ class CI_Zip { .pack('V', $this->offset) // relative offset of local header .$dir; - $this->offset = strlen($this->zipdata); + $this->offset = self::strlen($this->zipdata); $this->entries++; } @@ -255,10 +264,10 @@ class CI_Zip { { $filepath = str_replace('\\', '/', $filepath); - $uncompressed_size = strlen($data); + $uncompressed_size = self::strlen($data); $crc32 = crc32($data); - $gzdata = substr(gzcompress($data, $this->compression_level), 2, -4); - $compressed_size = strlen($gzdata); + $gzdata = self::substr(gzcompress($data, $this->compression_level), 2, -4); + $compressed_size = self::strlen($gzdata); $this->zipdata .= "\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00" 
@@ -267,7 +276,7 @@ class CI_Zip { .pack('V', $crc32) .pack('V', $compressed_size) .pack('V', $uncompressed_size) - .pack('v', strlen($filepath)) // length of filename + .pack('v', self::strlen($filepath)) // length of filename .pack('v', 0) // extra field length .$filepath .$gzdata; // "file data" segment @@ -279,7 +288,7 @@ class CI_Zip { .pack('V', $crc32) .pack('V', $compressed_size) .pack('V', $uncompressed_size) - .pack('v', strlen($filepath)) // length of filename + .pack('v', self::strlen($filepath)) // length of filename .pack('v', 0) // extra field length .pack('v', 0) // file comment length .pack('v', 0) // disk number start @@ -288,7 +297,7 @@ class CI_Zip { .pack('V', $this->offset) // relative offset of local header .$filepath; - $this->offset = strlen($this->zipdata); + $this->offset = self::strlen($this->zipdata); $this->entries++; $this->file_num++; } @@ -401,8 +410,8 @@ class CI_Zip { .$this->directory."\x50\x4b\x05\x06\x00\x00\x00\x00" .pack('v', $this->entries) // total # of entries "on this disk" .pack('v', $this->entries) // total # of entries overall - .pack('V', strlen($this->directory)) // size of central dir - .pack('V', strlen($this->zipdata)) // offset to start of central dir + .pack('V', self::strlen($this->directory)) // size of central dir + .pack('V', self::strlen($this->zipdata)) // offset to start of central dir ."\x00\x00"; // .zip file comment length } @@ -425,9 +434,9 @@ class CI_Zip { flock($fp, LOCK_EX); - for ($result = $written = 0, $data = $this->get_zip(), $length = strlen($data); $written < $length; $written += $result) + for ($result = $written = 0, $data = $this->get_zip(), $length = self::strlen($data); $written < $length; $written += $result) { - if (($result = fwrite($fp, substr($data, $written))) === FALSE) + if (($result = fwrite($fp, self::substr($data, $written))) === FALSE) { break; } 
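Review bot: The write loop in the `@@ -425,9 +434,9 @@` hunk exits only when `fwrite()` returns FALSE, so a call that returns 0 leaves `$written` unchanged and the `for` condition stays true. Before PHP 7.4 a failed `fwrite()` returned 0 rather than FALSE, so a full disk could keep this loop spinning. The loop's closing brace is outside the hunk, so check the full method for another exit. Treating a zero result as failure keeps it bounded: `if ( ! ($result = fwrite($fp, self::substr($data, $written))))`. CI_Email's `_send_data()` (`@@ -2196,9 +2205,9 @@`) has the same loop shape, though its `$timestamp` variable suggests a timeout guard further down.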
@@ -481,4 +490,43 @@ class CI_Zip { return $this; } + // -------------------------------------------------------------------- + + /** + * Byte-safe strlen() + * + * @param string $str + * @return int + */ + protected static function strlen($str) + { + return (self::$func_override) + ? mb_strlen($str, '8bit') + : strlen($str); + } + + // -------------------------------------------------------------------- + + /** + * Byte-safe substr() + * + * @param string $str + * @param int $start + * @param int $length + * @return string + */ + protected static function substr($str, $start, $length = NULL) + { + if (self::$func_override) + { + // mb_substr($str, $start, null, '8bit') returns an empty + // string on PHP 5.3 + isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start); + return mb_substr($str, $start, $length, '8bit'); + } + + return isset($length) + ? substr($str, $start, $length) + : substr($str, $start); + } } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 0a8160acb..4be0b31d3 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -21,6 +21,7 @@ Bug fixes for 3.1.2 - Fixed a regression (#4874) - :doc:`Session Library ` didn't take into account ``session.hash_bits_per_character`` when validating session IDs. - Fixed a bug (#4871) - :doc:`Query Builder ` method ``update_batch()`` didn't properly handle identifier escaping. - Fixed a bug (#4884) - :doc:`Query Builder ` didn't properly parse field names ending in 'is' when used inside WHERE and HAVING statements. +- Fixed a bug where ``CI_Log``, ``CI_Output``, ``CI_Email`` and ``CI_Zip`` didn't handle strings in a byte-safe manner when ``mbstring.func_override`` is enabled. Version 3.1.1 ============= -- cgit v1.2.3-24-g4f1b From e02ebabb19242e1cfc6b37217bc799ff7591e941 Mon Sep 17 00:00:00 2001 
From: Andrey Andreev Date: Fri, 28 Oct 2016 16:35:12 +0300 Subject: [ci skip] Add a bash script to help with releases --- build-release.sh | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100755 build-release.sh diff --git a/build-release.sh b/build-release.sh new file mode 100755 index 000000000..490680e79 --- /dev/null +++ b/build-release.sh 
@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+cd $(dirname $BASH_SOURCE)
+
+if [ $# -eq 0 ]; then
+ echo 'Usage: '$BASH_SOURCE' '
+ exit 1
+fi
+
+version_number=$1
+
+if [ ${#version_number} -lt 5 ]
+then
+ echo "Provided version number is too short"
+ exit 1
+elif [ ${version_number: -4} == "-dev" ]
+then
+ echo "'-dev' releases are not allowed"
+ exit 1
+fi
+
+version_id=${version_number:0:5}
+version_id=${version_id//./}
+upgrade_rst='user_guide_src/source/installation/upgrade_'$version_id'.rst'
+
+if [ ${#version_id} -ne 3 ]
+then
+ echo "Invalid version number format"
+ exit 1
+elif [ `grep -c -F --regexp="'$version_number'" system/core/CodeIgniter.php` -ne 1 ]
+then
+ echo "Provided version number doesn't match in system/core/CodeIgniter.php"
+ exit 1
+elif [ `grep -c -F --regexp="'$version_number'" user_guide_src/source/conf.py` -ne 2 ]
+then
+ echo "Provided version number doesn't match in user_guide_src/source/conf.py"
+ exit 1
+elif [ ! -f "$upgrade_rst" ]
+then
+ echo "${upgrade_rst} doesn't exist"
+ exit 1
+fi
+
+echo "Running tests ..."
+
+cd tests/
+phpunit
+
+if [ $? -ne 0 ]
+then
+ echo "Build FAILED!"
+ exit 1
+fi
+
+cd ..
+cd user_guide_src/
+
+echo ""
+echo "Building HTML docs; please check output for warnings ..."
+echo ""
+
+make html
+
+echo ""
+
+if [ $? -ne 0 ]
+then
+ echo "Build FAILED!"
+ exit 1
+fi
+
+echo "Building EPUB docs; please check output for warnings ..."
+echo ""
+
+make epub
+
+echo ""
+
+if [ $? -ne 0 ]
+then
+ echo "Build FAILED!"
+ exit 1
+fi
+
+cd ..
+
+if [ -d user_guide/ ]
+then
+ rm -r user_guide/
+fi
+
+cp -r user_guide_src/build/html/ user_guide/
+cp user_guide_src/build/epub/CodeIgniter.epub "CodeIgniter ${version_number}.epub"
+
+echo "Build complete."
-- cgit v1.2.3-24-g4f1b
From 57fa143448577b670d8dd0e02b6e4cf31c4a7cff Mon Sep 17 00:00:00 2001
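Review bot: Both documentation checks test the wrong exit status: after `make html` and `make epub` the script runs `echo ""` before `if [ $? -ne 0 ]`, so `$?` holds the result of `echo` and the "Build FAILED!" branch cannot fire. A failed docs build therefore still reaches the `rm -r user_guide/` and `cp` steps and ends with "Build complete.". Testing the command directly fixes it, `if ! make html; then echo "Build FAILED!"; exit 1; fi`, and likewise for `make epub`. The `cd` calls are also unchecked and `cd $(dirname $BASH_SOURCE)` is unquoted; `cd "$(dirname "$BASH_SOURCE")" || exit 1` keeps the later relative `rm -r` inside the repository.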
From: Andrey Andreev Date: Fri, 28 Oct 2016 17:46:31 +0300 Subject: [ci skip] xss_clean() hardening - percent-sign tag (IE) - data: URI scheme inclinding whitespace (Chrome) --- system/core/Security.php | 21 +++++++++++---------- user_guide_src/source/changelog.rst | 2 +- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index b9160a252..d0308c5f9 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -133,15 +133,16 @@ class CI_Security { * @var array */ protected $_never_allowed_str = array( - 'document.cookie' => '[removed]', - 'document.write' => '[removed]', - '.parentNode' => '[removed]', - '.innerHTML' => '[removed]', - '-moz-binding' => '[removed]', - '' => '-->', - ' '<![CDATA[', - '' => '<comment>' + 'document.cookie' => '[removed]', + 'document.write' => '[removed]', + '.parentNode' => '[removed]', + '.innerHTML' => '[removed]', + '-moz-binding' => '[removed]', + '' => '-->', + ' '<![CDATA[', + '' => '<comment>', + '<%' => '<%' ); /** @@ -924,7 +925,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes($match[1]) ), diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 4be0b31d3..2482c493c 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -9,7 +9,7 @@ Release Date: Not Released - **Security** - - Fixed a new URL-encoding attack vector in :doc:`Security Library ` method ``xss_clean()`` affecting Firefox. + - Fixed a number of new vulnerabilities in :doc:`Security Library ` method ``xss_clean()``. - General Changes -- cgit v1.2.3-24-g4f1b From f52ad7a1a6340ea9d0e63dbf5fbf054b082fa3e9 Mon Sep 17 00:00:00 2001 
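Review bot: The new `'<%'` entry in `$_never_allowed_str` (hunk `@@ -133,15 +133,16 @@`) carries no comment, and the reason for it is recorded only in the commit message ("percent-sign tag (IE)"). The array is a denylist in which each entry answers one browser behaviour, so a short comment per entry keeps it auditable, for example `// percent-sign tag, IE-specific` above the new line. As rendered on this page the key and its replacement look identical, most likely because the page decoded the entities, so the actual replacement value should be checked against the repository. A denylist cannot enumerate every parser quirk, so `xss_clean()` output still needs context-specific escaping where it is printed.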
From: Andrey Andreev Date: Fri, 28 Oct 2016 17:56:50 +0300 Subject: [ci skip] Add download link check to build-release.sh --- build-release.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/build-release.sh b/build-release.sh index 490680e79..6b3b31d12 100755 --- a/build-release.sh +++ b/build-release.sh @@ -35,6 +35,10 @@ elif [ `grep -c -F --regexp="'$version_number'" user_guide_src/source/conf.py` - then echo "Provided version number doesn't match in user_guide_src/source/conf.py" exit 1 +elif [ `grep -c -F --regexp="$version_number (Current version) " user_guide_src/source/installation/downloads.rst` -ne 1 ] +then + echo "user_guide_src/source/installation/downloads.rst doesn't appear to contain a link for this version" + exit 1 elif [ ! -f "$upgrade_rst" ] then echo "${upgrade_rst} doesn't exist" -- cgit v1.2.3-24-g4f1b From c877ac5d961831a087242ff780731c7372f84b6f Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 28 Oct 2016 17:56:50 +0300 Subject: [ci skip] Add download link check to build-release.sh --- build-release.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/build-release.sh b/build-release.sh index 490680e79..6b3b31d12 100755 --- a/build-release.sh +++ b/build-release.sh @@ -35,6 +35,10 @@ elif [ `grep -c -F --regexp="'$version_number'" user_guide_src/source/conf.py` - then echo "Provided version number doesn't match in user_guide_src/source/conf.py" exit 1 +elif [ `grep -c -F --regexp="$version_number (Current version) " user_guide_src/source/installation/downloads.rst` -ne 1 ] +then + echo "user_guide_src/source/installation/downloads.rst doesn't appear to contain a link for this version" + exit 1 elif [ ! -f "$upgrade_rst" ] then echo "${upgrade_rst} doesn't exist" -- cgit v1.2.3-24-g4f1b From a1f830dedc53e31a48c8722ed11e3e645526bdcc Mon Sep 17 00:00:00 2001 
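Review bot: The added `elif` leaves the backtick substitution unquoted inside `[ ]`. If `grep` prints nothing, for instance because `downloads.rst` is missing or unreadable, the test collapses to `[ -ne 1 ]`, errors out, and the branch is skipped instead of stopping the release. Quoting the substitution and comparing as a string makes the check fail closed: `elif [ "$(grep -c -F --regexp="$version_number (Current version) " user_guide_src/source/installation/downloads.rst)" != "1" ]`. The earlier `grep -c` tests in the same chain have the same shape; the chain starts outside this hunk. The identical hunk appears twice on this page, under two commits with the same subject, and the point applies to both.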
From: Andrey Andreev Date: Fri, 28 Oct 2016 17:59:47 +0300 Subject: [ci skip] Prepare for 3.1.2 release --- system/core/CodeIgniter.php | 2 +- user_guide_src/source/changelog.rst | 2 +- user_guide_src/source/conf.py | 4 ++-- user_guide_src/source/installation/downloads.rst | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 32ad61899..a2067fb10 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - const CI_VERSION = '3.1.2-dev'; + const CI_VERSION = '3.1.2'; /* * ------------------------------------------------------ diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 2482c493c..437fdbabe 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -5,7 +5,7 @@ Change Log Version 3.1.2 ============= -Release Date: Not Released +Release Date: Oct 28, 2016 - **Security** diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py index 17771fa9e..2f44e0cbe 100644 --- a/user_guide_src/source/conf.py +++ b/user_guide_src/source/conf.py @@ -48,9 +48,9 @@ copyright = u'2014 - 2016, British Columbia Institute of Technology' # built documents. # # The short X.Y version. -version = '3.1.2-dev' +version = '3.1.2' # The full version, including alpha/beta/rc tags. -release = '3.1.2-dev' +release = '3.1.2' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/user_guide_src/source/installation/downloads.rst b/user_guide_src/source/installation/downloads.rst index 1eacd4d33..6c1f007e3 100644 --- a/user_guide_src/source/installation/downloads.rst +++ b/user_guide_src/source/installation/downloads.rst 
@@ -2,7 +2,7 @@ Downloading CodeIgniter ####################### -- `CodeIgniter v3.1.2-dev (Current version) `_ +- `CodeIgniter v3.1.2 (Current version) `_ - `CodeIgniter v3.1.1 `_ - `CodeIgniter v3.1.0 `_ - `CodeIgniter v3.0.6 `_ -- cgit v1.2.3-24-g4f1b From b6995a6a1bdfb2275b3befb89d51da0a1769771e Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 28 Oct 2016 18:05:24 +0300 Subject: [ci skip] Fix upgrading instruction link titles --- user_guide_src/source/installation/upgrading.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user_guide_src/source/installation/upgrading.rst b/user_guide_src/source/installation/upgrading.rst index 61b16e038..4e0b0453d 100644 --- a/user_guide_src/source/installation/upgrading.rst +++ b/user_guide_src/source/installation/upgrading.rst @@ -8,9 +8,9 @@ upgrading from. .. toctree:: :titlesonly: - Upgrading from 3.1.2 to 3.1.2 + Upgrading from 3.1.1 to 3.1.2 Upgrading from 3.1.0 to 3.1.1 - Upgrading from 3.0.6 to 3.1.x + Upgrading from 3.0.6 to 3.1.0 Upgrading from 3.0.5 to 3.0.6 Upgrading from 3.0.4 to 3.0.5 Upgrading from 3.0.3 to 3.0.4 -- cgit v1.2.3-24-g4f1b From 014be1e8726ebce6dd19284ae3deaee866d6b0e5 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 28 Oct 2016 18:05:24 +0300 Subject: [ci skip] Fix upgrading instruction link titles --- user_guide_src/source/installation/upgrading.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user_guide_src/source/installation/upgrading.rst b/user_guide_src/source/installation/upgrading.rst index 61b16e038..4e0b0453d 100644 --- a/user_guide_src/source/installation/upgrading.rst +++ b/user_guide_src/source/installation/upgrading.rst 
@@ -8,9 +8,9 @@ upgrading from. .. toctree:: :titlesonly: - Upgrading from 3.1.2 to 3.1.2 + Upgrading from 3.1.1 to 3.1.2 Upgrading from 3.1.0 to 3.1.1 - Upgrading from 3.0.6 to 3.1.x + Upgrading from 3.0.6 to 3.1.0 Upgrading from 3.0.5 to 3.0.6 Upgrading from 3.0.4 to 3.0.5 Upgrading from 3.0.3 to 3.0.4 -- cgit v1.2.3-24-g4f1b From 499c6080cd41927df088206155e4055d4da3e58e Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 28 Oct 2016 18:28:34 +0300 Subject: [ci skip] Mark the start of 3.1.3-dev --- system/core/CodeIgniter.php | 2 +- user_guide_src/source/conf.py | 4 ++-- user_guide_src/source/installation/downloads.rst | 3 ++- user_guide_src/source/installation/upgrade_313.rst | 14 ++++++++++++++ user_guide_src/source/installation/upgrading.rst | 1 + 5 files changed, 20 insertions(+), 4 deletions(-) create mode 100644 user_guide_src/source/installation/upgrade_313.rst diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index a2067fb10..71656be29 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - const CI_VERSION = '3.1.2'; + const CI_VERSION = '3.1.3-dev'; /* * ------------------------------------------------------ diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py index 2f44e0cbe..4d2edbe60 100644 --- a/user_guide_src/source/conf.py +++ b/user_guide_src/source/conf.py @@ -48,9 +48,9 @@ copyright = u'2014 - 2016, British Columbia Institute of Technology' # built documents. # # The short X.Y version. -version = '3.1.2' +version = '3.1.3-dev' # The full version, including alpha/beta/rc tags. -release = '3.1.2' +release = '3.1.3-dev' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/user_guide_src/source/installation/downloads.rst b/user_guide_src/source/installation/downloads.rst index 6c1f007e3..5992ba291 100644 
--- a/user_guide_src/source/installation/downloads.rst +++ b/user_guide_src/source/installation/downloads.rst @@ -2,7 +2,8 @@ Downloading CodeIgniter ####################### -- `CodeIgniter v3.1.2 (Current version) `_ +- `CodeIgniter v3.1.3 (Current version) `_ +- `CodeIgniter v3.1.2 `_ - `CodeIgniter v3.1.1 `_ - `CodeIgniter v3.1.0 `_ - `CodeIgniter v3.0.6 `_ diff --git a/user_guide_src/source/installation/upgrade_313.rst b/user_guide_src/source/installation/upgrade_313.rst new file mode 100644 index 000000000..71afc6f6a --- /dev/null +++ b/user_guide_src/source/installation/upgrade_313.rst @@ -0,0 +1,14 @@ +############################# +Upgrading from 3.1.2 to 3.1.3 +############################# + +Before performing an update you should take your site offline by +replacing the index.php file with a static one. + +Step 1: Update your CodeIgniter files +===================================== + +Replace all files and directories in your *system/* directory. + +.. note:: If you have any custom developed files in these directories, + please make copies of them first. diff --git a/user_guide_src/source/installation/upgrading.rst b/user_guide_src/source/installation/upgrading.rst index 4e0b0453d..bc96e209f 100644 --- a/user_guide_src/source/installation/upgrading.rst +++ b/user_guide_src/source/installation/upgrading.rst @@ -8,6 +8,7 @@ upgrading from. .. toctree:: :titlesonly: + Upgrading from 3.1.2 to 3.1.3 Upgrading from 3.1.1 to 3.1.2 Upgrading from 3.1.0 to 3.1.1 Upgrading from 3.0.6 to 3.1.0 -- cgit v1.2.3-24-g4f1b