From c11b5cea3c34cbb4f9f849b6940fa09c0e517f3d Mon Sep 17 00:00:00 2001 From: Michiel Vugteveen Date: Wed, 23 Nov 2011 10:09:52 +0100 Subject: docx and xlsx have a zip/application mimetype --- application/config/mimes.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/application/config/mimes.php b/application/config/mimes.php index f00e5b6ed..100f7d442 100644 --- a/application/config/mimes.php +++ b/application/config/mimes.php @@ -93,8 +93,8 @@ $mimes = array( 'hqx' => 'application/mac-binhex40', 'avi' => 'video/x-msvideo', 'movie' => 'video/x-sgi-movie', 'doc' => 'application/msword', - 'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', - 'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', + 'docx' => array('application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/zip'), + 'xlsx' => array('application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/zip'), 'word' => array('application/msword', 'application/octet-stream'), 'xl' => 'application/excel', 'eml' => 'message/rfc822', -- cgit v1.2.3-24-g4f1b From 8ff2da1c7457cfd04a28776705cea64cbb96716a Mon Sep 17 00:00:00 2001 From: Michiel Vugteveen Date: Wed, 23 Nov 2011 10:09:57 +0100 Subject: tmp_path does not exists, should be tmp_name --- system/libraries/Upload.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 05511b5d3..fe5907ab2 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php 
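Review bot: Adding `application/zip` to the `docx` and `xlsx` entries means any ZIP archive uploaded under one of those extensions will match the table, since a detector that reports `application/zip` cannot tell an Office Open XML container from an ordinary archive. The two entries deserve a comment saying so, for example `// OOXML files are ZIP containers and are often detected as application/zip; a match here does not prove the upload is a document`. How the Upload library consumes this table is not visible in the hunk, so any further content check would belong there.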
@@ -1055,7 +1055,7 @@ class CI_Upload { if (DIRECTORY_SEPARATOR !== '\\' && function_exists('exec')) { $output = array(); - @exec('file --brief --mime-type ' . escapeshellarg($file['tmp_path']), $output, $return_code); + @exec('file --brief --mime-type ' . escapeshellarg($file['tmp_name']), $output, $return_code); if ($return_code === 0 && strlen($output[0]) > 0) // A return status code != 0 would mean failed execution { $this->file_type = rtrim($output[0]); -- cgit v1.2.3-24-g4f1b From 0ce875c2b75b17ad0697fb9bc9d77513b3d2a48e Mon Sep 17 00:00:00 2001 From: Michiel Vugteveen Date: Wed, 23 Nov 2011 11:49:49 +0100 Subject: changelog updated --- user_guide/changelog.html | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 167616e57..3fac8bb45 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -57,6 +57,23 @@ Change Log

Change Log

+

Version 2.1.1

+

Release Date: not yet released

+ +
    +
  • General Changes +
      +
    • Fixed support for docx, xlsx files in mimes.php.
    • +
    +
  • +
+ +

Bug fixes for 2.1.1

+
    +
  • Fixed a bug (#697) - A wrong array key was used in de Upload library to check for mime-types.
  • +
+ +

Version 2.1.0

Release Date: November 14, 2011

-- cgit v1.2.3-24-g4f1b From 8ed78098369cd445bae796d0cd31b34cbc02585a Mon Sep 17 00:00:00 2001 From: Michiel Vugteveen Date: Wed, 23 Nov 2011 12:21:37 +0100 Subject: dutch typo --- user_guide/changelog.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 3fac8bb45..a20f27956 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -70,7 +70,7 @@ Change Log

Bug fixes for 2.1.1

    -
  • Fixed a bug (#697) - A wrong array key was used in de Upload library to check for mime-types.
  • +
  • Fixed a bug (#697) - A wrong array key was used in the Upload library to check for mime-types.
-- cgit v1.2.3-24-g4f1b From 511f225d855919b78df42ff802a513d84afa0693 Mon Sep 17 00:00:00 2001 From: Túbal Martín Date: Thu, 24 Nov 2011 14:43:45 +0100 Subject: Added dummy _reset_select() method to CI_DB_Driver class to allow Active Record class to be disabled. Otherwise a fatal error is triggered. --- system/database/DB_driver.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index 3680b85c2..8f530b482 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -1381,7 +1381,21 @@ class CI_DB_driver { return $item.$alias; } + + // -------------------------------------------------------------------- + /** + * Dummy method that allows Active Record class to be disabled + * + * This function is used extensively by every db driver. + * + * @access private + * @return void + */ + protected function _reset_select() + { + + } } -- cgit v1.2.3-24-g4f1b From 9a05d2b0d838bb000a89ab9ea78a307b557768e7 Mon Sep 17 00:00:00 2001 From: John Nicely Date: Thu, 24 Nov 2011 10:50:39 -0800 Subject: Changed form_open() to compare $action against base_url() Checking for strpos($action, $CI->config->site_url()) === FALSE causes CSRF token to not be added in form_open() output. When site_url()'s first parameter ($uri) is empty, site_url's return value is the base URL plus the $CI->config->item('index_page') value. form_open() and CodeIgniter's URI routing do not require index.php to be in the URL, so any call to form_open() in which the $action parameter does not have index.php will always return false for the strpos() call. --- system/helpers/form_helper.php | 2 +- user_guide/changelog.html | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index d9305c00b..8733ae053 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php 
@@ -65,7 +65,7 @@ if ( ! function_exists('form_open')) $form .= '>'; // Add CSRF field if enabled, but leave it out for GET requests and requests to external websites - if ($CI->config->item('csrf_protection') === TRUE AND ! (strpos($action, $CI->config->site_url()) === FALSE OR strpos($form, 'method="get"'))) + if ($CI->config->item('csrf_protection') === TRUE AND ! (strpos($action, $CI->config->base_url()) === FALSE OR strpos($form, 'method="get"'))) { $hidden[$CI->security->get_csrf_token_name()] = $CI->security->get_csrf_hash(); } diff --git a/user_guide/changelog.html b/user_guide/changelog.html index a20f27956..ae66add33 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -71,6 +71,7 @@ Change Log
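Review bot: The new condition still only tests whether `base_url()` occurs somewhere in `$action` (`strpos(...) === FALSE`), so an action on another host that merely carries the base URL in its path or query string would still receive the CSRF hidden field, which the comment above says must be left out for external websites. Anchoring the match to the start of the string closes that gap: use `strpos($action, $CI->config->base_url()) !== 0` in place of the `=== FALSE` test. The `strpos($form, 'method="get"')` half is case-sensitive, so a form declared with `method="GET"` would also be given the token; `stripos($form, 'method="get"') !== FALSE` is the safer form. How `$action` and the attributes are normalised before this line is outside the hunk, so both points should be confirmed against the rest of form_open().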

Bug fixes for 2.1.1

  • Fixed a bug (#697) - A wrong array key was used in the Upload library to check for mime-types.
  • +
  • Fixed a bug - form_open() compared $action against site_url() instead of base_url()
-- cgit v1.2.3-24-g4f1b From d92bd57f007e9561a37be8a8ccaf93a4f8948343 Mon Sep 17 00:00:00 2001 From: Repox Date: Thu, 1 Dec 2011 10:08:52 +0100 Subject: This fixes issue #725 --- system/database/DB_driver.php | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index 3680b85c2..3952d7276 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -1015,8 +1015,14 @@ class CI_DB_driver { else { $args = (func_num_args() > 1) ? array_splice(func_get_args(), 1) : null; - - return call_user_func_array($function, $args); + if (is_null($args)) + { + return call_user_func($function); + } + else + { + return call_user_func_array($function, $args); + } } } -- cgit v1.2.3-24-g4f1b From 59654319d20a7ec406e7d6f15cf6804e94897d14 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 2 Dec 2011 14:28:54 +0200 Subject: Hotfix for a file type detection bug in the Upload library --- system/libraries/Upload.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index fe5907ab2..ff3461586 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php 
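Review bot: `array_splice(func_get_args(), 1)` on the context line passes a function result to a by-reference parameter, which raises a strict-standards notice, and the `: null` arm of the same ternary is the only reason the new `is_null()` branch is needed. Building the list with `array_slice()` removes both problems: `$args = array_slice(func_get_args(), 1);` followed by `return call_user_func_array($function, $args);` also covers the case with no extra arguments. The enclosing method starts above the hunk, so how `$function` is built and checked is not visible here.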
@@ -1042,14 +1042,17 @@ class CI_Upload { if (function_exists('mime_content_type')) { $this->file_type = @mime_content_type($file['tmp_name']); - return; + if (strlen($this->file_type) > 0) // Turned out it's possible ... + { + return; + } } /* This is an ugly hack, but UNIX-type systems provide a native way to detect the file type, * which is still more secure than depending on the value of $_FILES[$field]['type']. * * Notes: - * - a 'W' in the substr() expression bellow, would mean that we're using Windows + * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system * - many system admins would disable the exec() function due to security concerns, hence the function_exists() check */ if (DIRECTORY_SEPARATOR !== '\\' && function_exists('exec')) -- cgit v1.2.3-24-g4f1b From f796655d37163e7fd046395ddfe765baf752ec77 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 2 Dec 2011 15:00:36 +0200 Subject: Update a comment, just to be clearer --- system/libraries/Upload.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index ff3461586..506d15897 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -1042,7 +1042,7 @@ class CI_Upload { if (function_exists('mime_content_type')) { $this->file_type = @mime_content_type($file['tmp_name']); - if (strlen($this->file_type) > 0) // Turned out it's possible ... + if (strlen($this->file_type) > 0) // Turns out it's possible that mime_content_type() returns FALSE or an empty string { return; } -- cgit v1.2.3-24-g4f1b From 451aa026e3e82122cdd41cd8574894cc93610010 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 2 Dec 2011 15:15:25 +0200 Subject: Update the change log --- user_guide/changelog.html | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user_guide/changelog.html b/user_guide/changelog.html index ae66add33..272db5f37 100644 --- a/user_guide/changelog.html 
+++ b/user_guide/changelog.html @@ -28,7 +28,7 @@
- +

CodeIgniter User Guide Version 2.1.0

CodeIgniter User Guide Version 2.1.1

@@ -72,6 +72,7 @@ Change Log
  • Fixed a bug (#697) - A wrong array key was used in the Upload library to check for mime-types.
  • Fixed a bug - form_open() compared $action against site_url() instead of base_url()
  • +
  • Fixed a bug - CI_Upload::_file_mime_type() could've failed if mime_content_type() is used for the detection and returns FALSE.
-- cgit v1.2.3-24-g4f1b From a49e381fde010a7a83845910c0f772fb139f0b1e Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 9 Dec 2011 13:05:22 +0200 Subject: Improve CI_Upload::_file_mime_type() --- system/libraries/Upload.php | 102 +++++++++++++++++++++++++++++++++----------- 1 file changed, 78 insertions(+), 24 deletions(-) diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 506d15897..564d6000e 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php 
@@ -1018,50 +1018,104 @@ class CI_Upload { */ protected function _file_mime_type($file) { - // Use if the Fileinfo extension, if available (only versions above 5.3 support the FILEINFO_MIME_TYPE flag) - if ( (float) substr(phpversion(), 0, 3) >= 5.3 && function_exists('finfo_file')) + // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) + $regexp = '/^([a-z\-]+\/[a-z0-9\-]+);\s.+$/'; + + /* Fileinfo extension - most reliable method + * + * Unfortunately, prior to PHP 5.3 - it's only available as a PECL extension and the + * more convenient FILEINFO_MIME_TYPE flag doesn't exist. + */ + if (function_exists('finfo_file')) { - $finfo = new finfo(FILEINFO_MIME_TYPE); - if ($finfo !== FALSE) // This is possible, if there is no magic MIME database file found on the system + $finfo = finfo_open(FILEINFO_MIME); + if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system { - $file_type = $finfo->file($file['tmp_name']); + $mime = @finfo_file($finfo, $file['tmp_name']); + finfo_close($finfo); /* According to the comments section of the PHP manual page, * it is possible that this function returns an empty string * for some files (e.g. 
if they don't exist in the magic MIME database) */ - if (strlen($file_type) > 1) + if (is_string($mime) && preg_match($regexp, $mime, $matches)) { - $this->file_type = $file_type; + $this->file_type = $matches[1]; return; } } } - // Fall back to the deprecated mime_content_type(), if available - if (function_exists('mime_content_type')) + /* This is an ugly hack, but UNIX-type systems provide a "native" way to detect the file type, + * which is still more secure than depending on the value of $_FILES[$field]['type'], and as it + * was reported in issue #750 (https://github.com/EllisLab/CodeIgniter/issues/750) - it's better + * than mime_content_type() as well, hence the attempts to try calling the command line with + * three different functions. + * + * Notes: + * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system + * - many system admins would disable the exec(), shell_exec(), popen() and similar functions + * due to security concerns, hence the function_exists() checks + */ + if (DIRECTORY_SEPARATOR !== '\\') { - $this->file_type = @mime_content_type($file['tmp_name']); - if (strlen($this->file_type) > 0) // Turns out it's possible that mime_content_type() returns FALSE or an empty string + $cmd = 'file --brief --mime ' . escapeshellarg($file['tmp_name']) . ' 2>&1'; + + if (function_exists('exec')) { - return; + /* This might look confusing, as $mime is being populated with all of the output when set in the second parameter. + * However, we only neeed the last line, which is the actual return value of exec(), and as such - it overwrites + * anything that could already be set for $mime previously. This effectively makes the second parameter a dummy + * value, which is only put to allow us to get the return status code. 
+ */ + $mime = @exec($cmd, $mime, $return_status); + if ($return_status === 0 && is_string($mime) && preg_match($regexp, $mime, $matches)) + { + $this->file_type = $matches[1]; + return; + } + } + + if ( (bool) @ini_get('safe_mode') === FALSE && function_exists('shell_exec')) + { + $mime = @shell_exec($cmd); + if (strlen($mime) > 0) + { + $mime = explode("\n", trim($mime)); + if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) + { + $this->file_type = $matches[1]; + return; + } + } + } + + if (function_exists('popen')) + { + $proc = @popen($cmd, 'r'); + if (is_resource($proc)) + { + $mime = @fread($test, 512); + @pclose($proc); + if ($mime !== FALSE) + { + $mime = explode("\n", trim($mime)); + if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) + { + $this->file_type = $matches[1]; + return; + } + } + } } } - /* This is an ugly hack, but UNIX-type systems provide a native way to detect the file type, - * which is still more secure than depending on the value of $_FILES[$field]['type']. - * - * Notes: - * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system - * - many system admins would disable the exec() function due to security concerns, hence the function_exists() check - */ - if (DIRECTORY_SEPARATOR !== '\\' && function_exists('exec')) + // Fall back to the deprecated mime_content_type(), if available (still better than $_FILES[$field]['type']) + if (function_exists('mime_content_type')) { - $output = array(); - @exec('file --brief --mime-type ' . escapeshellarg($file['tmp_name']), $output, $return_code); - if ($return_code === 0 && strlen($output[0]) > 0) // A return status code != 0 would mean failed execution + $this->file_type = @mime_content_type($file['tmp_name']); + if (strlen($this->file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string { - $this->file_type = rtrim($output[0]); return; } } -- cgit v1.2.3-24-g4f1b 
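Review bot: In the `popen()` branch the read uses an undefined variable, `$mime = @fread($test, 512);`, while the handle returned by `popen()` is `$proc`; because the `@` operator hides the resulting warning, this branch can never yield a MIME type and silently falls through to `mime_content_type()`. The line should be `$mime = @fread($proc, 512);`. Separately, `$cmd` ends in `2>&1`, so any error text from `file` goes through the same parsing as real output and the `$regexp` match is the only thing keeping it out of `$this->file_type`; a short comment next to `$cmd` would make that dependency explicit for whoever edits the pattern next.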
From 2f93794ba928d7f70a38dd7d3813a2d17962a4e5 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 9 Dec 2011 13:11:04 +0200 Subject: Update the ChangeLog --- user_guide/changelog.html | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 272db5f37..7a5fcf222 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -66,6 +66,11 @@ Change Log
  • Fixed support for docx, xlsx files in mimes.php.
  • +
  • Libraries + +
  • Bug fixes for 2.1.1

    -- cgit v1.2.3-24-g4f1b From 750ffb9f6d545772c7139b5ee0c1402241c6ceb2 Mon Sep 17 00:00:00 2001 From: Andrew Mackrodt Date: Sat, 10 Dec 2011 23:42:07 +0000 Subject: Fix for Issue #538. --- system/libraries/Image_lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/libraries/Image_lib.php b/system/libraries/Image_lib.php index 8902f524d..7f905128b 100644 --- a/system/libraries/Image_lib.php +++ b/system/libraries/Image_lib.php @@ -208,7 +208,7 @@ class CI_Image_lib { } else { - if (strpos($this->new_image, '/') === FALSE) + if (strpos($this->new_image, '/') === FALSE AND strpos($this->new_image, '\\') === FALSE) { $this->dest_folder = $this->source_folder; $this->dest_image = $this->new_image; -- cgit v1.2.3-24-g4f1b From 3b6ff4ddc5ca433ba7b68a51a617c00b93511889 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sun, 11 Dec 2011 14:57:36 +0200 Subject: Fix regular expression for validating MIME type string --- system/libraries/Upload.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 564d6000e..c72fa3c6d 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -1019,7 +1019,7 @@ class CI_Upload { protected function _file_mime_type($file) { // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) - $regexp = '/^([a-z\-]+\/[a-z0-9\-]+);\s.+$/'; + $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+);\s.+$/'; /* Fileinfo extension - most reliable method * -- cgit v1.2.3-24-g4f1b From c7f67e99ff9ea55945537bc89033adc39997c678 Mon Sep 17 00:00:00 2001 From: Andrew Mackrodt Date: Sun, 11 Dec 2011 20:00:55 +0000 Subject: Updated changelog with fix for bug #538. --- user_guide/changelog.html | 1 + 1 file changed, 1 insertion(+) diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 272db5f37..b8fdcfc34 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -73,6 +73,7 @@ Change Log
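Review bot: The added backslash test in Image_lib.php applies on every platform, but on non-Windows systems `\` is an ordinary filename character, so a `new_image` value such as `a\b.jpg` is now routed to the path-handling branch instead of being treated as a file name in the source folder. Either gate the second test on `DIRECTORY_SEPARATOR === '\\'` or normalise separators once before this check, and state the choice in a comment. The branch that splits the path is outside the hunk; if `new_image` can be derived from request data, that code is where directory components need to be constrained.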
  • Fixed a bug (#697) - A wrong array key was used in the Upload library to check for mime-types.
  • Fixed a bug - form_open() compared $action against site_url() instead of base_url()
  • Fixed a bug - CI_Upload::_file_mime_type() could've failed if mime_content_type() is used for the detection and returns FALSE.
  • +
  • Fixed a bug (#538) - Windows paths were ignored when using the Image Manipulation Class to create a new file.
  • -- cgit v1.2.3-24-g4f1b From f7aed129051475b4baeeb549a764464560c9dd34 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 13 Dec 2011 11:01:06 +0200 Subject: Tweak MIME regular expression check again --- system/libraries/Upload.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index c72fa3c6d..91fbf66ca 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -1019,7 +1019,7 @@ class CI_Upload { protected function _file_mime_type($file) { // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) - $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+);\s.+$/'; + $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/'; /* Fileinfo extension - most reliable method * -- cgit v1.2.3-24-g4f1b