From 95311be467faa2e744bbd9e932900a7cf96b081f Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sat, 20 Aug 2011 17:35:22 +0100 Subject: Renamed some Session library functions to make them shorter. Includes backwards compatibility. --- system/libraries/Cart.php | 10 ++++---- system/libraries/Session.php | 59 +++++++++++++++++++++++++++++++++----------- 2 files changed, 50 insertions(+), 19 deletions(-) diff --git a/system/libraries/Cart.php b/system/libraries/Cart.php index b2eaa9ad7..1caef49cd 100644 --- a/system/libraries/Cart.php +++ b/system/libraries/Cart.php @@ -59,9 +59,9 @@ class CI_Cart { $this->CI->load->library('session', $config); // Grab the shopping cart array from the session table, if it exists - if ($this->CI->session->userdata('cart_contents') !== FALSE) + if ($this->CI->session->get('cart_contents') !== FALSE) { - $this->_cart_contents = $this->CI->session->userdata('cart_contents'); + $this->_cart_contents = $this->CI->session->get('cart_contents'); } else { @@ -397,7 +397,7 @@ class CI_Cart { // Is our cart empty? If so we delete it from the session if (count($this->_cart_contents) <= 2) { - $this->CI->session->unset_userdata('cart_contents'); + $this->CI->session->rm('cart_contents'); // Nothing more to do... coffee time! return FALSE; @@ -405,7 +405,7 @@ class CI_Cart { // If we made it this far it means that our cart has data. // Let's pass it to the Session class so it can be stored - $this->CI->session->set_userdata(array('cart_contents' => $this->_cart_contents)); + $this->CI->session->set(array('cart_contents' => $this->_cart_contents)); // Woot! return TRUE; @@ -541,7 +541,7 @@ class CI_Cart { $this->_cart_contents['cart_total'] = 0; $this->_cart_contents['total_items'] = 0; - $this->CI->session->unset_userdata('cart_contents'); + $this->CI->session->rm('cart_contents'); } diff --git a/system/libraries/Session.php b/system/libraries/Session.php index 2c8a80163..3203468b2 100644 --- a/system/libraries/Session.php +++ b/system/libraries/Session.php @@ -395,7 +395,7 @@ class CI_Session { * @access public * @return void */ - function sess_destroy() + function destroy() { // Kill the session DB row if ($this->sess_use_database === TRUE AND isset($this->userdata['session_id'])) @@ -424,7 +424,7 @@ class CI_Session { * @param string * @return string */ - function userdata($item) + function get($item) { return ( ! isset($this->userdata[$item])) ? FALSE : $this->userdata[$item]; } @@ -437,7 +437,7 @@ class CI_Session { * @access public * @return array */ - function all_userdata() + function get_all() { return $this->userdata; } @@ -452,7 +452,7 @@ class CI_Session { * @param string * @return void */ - function set_userdata($newdata = array(), $newval = '') + function set($newdata = array(), $newval = '') { if (is_string($newdata)) { @@ -478,7 +478,7 @@ class CI_Session { * @access array * @return void */ - function unset_userdata($newdata = array()) + function rm($newdata = array()) { if (is_string($newdata)) { @@ -519,7 +519,7 @@ class CI_Session { foreach ($newdata as $key => $val) { $flashdata_key = $this->flashdata_key.':new:'.$key; - $this->set_userdata($flashdata_key, $val); + $this->set($flashdata_key, $val); } } } @@ -540,10 +540,10 @@ class CI_Session { // Note the function will return FALSE if the $key // provided cannot be found $old_flashdata_key = $this->flashdata_key.':old:'.$key; - $value = $this->userdata($old_flashdata_key); + $value = $this->get($old_flashdata_key); $new_flashdata_key = $this->flashdata_key.':new:'.$key; - $this->set_userdata($new_flashdata_key, $value); + $this->set($new_flashdata_key, $value); } // ------------------------------------------------------------------------ @@ -558,7 +558,7 @@ class CI_Session { function flashdata($key) { $flashdata_key = $this->flashdata_key.':old:'.$key; - return $this->userdata($flashdata_key); + return $this->get($flashdata_key); } // ------------------------------------------------------------------------ @@ -572,15 +572,15 @@ class CI_Session { */ function _flashdata_mark() { - $userdata = $this->all_userdata(); + $userdata = $this->get_all(); foreach ($userdata as $name => $value) { $parts = explode(':new:', $name); if (is_array($parts) && count($parts) === 2) { $new_name = $this->flashdata_key.':old:'.$parts[1]; - $this->set_userdata($new_name, $value); - $this->unset_userdata($name); + $this->set($new_name, $value); + $this->unset($name); } } } @@ -596,12 +596,12 @@ class CI_Session { function _flashdata_sweep() { - $userdata = $this->all_userdata(); + $userdata = $this->get_all(); foreach ($userdata as $key => $value) { if (strpos($key, ':old:')) { - $this->unset_userdata($key); + $this->unset($key); } } @@ -767,6 +767,37 @@ class CI_Session { log_message('debug', 'Session garbage collection performed.'); } } + + // -------------------------------------------------------------------- + + /** + * Backwards compatible functions + */ + + function userdata($item) + { + return $this->get($item); + } + + function all_userdata() + { + return $this->get_all(); + } + + function set_userdata($newdata) + { + $this->set($newdata); + } + + function unset_userdata($newdata) + { + $this->rm($newdata); + } + + function sess_destroy() + { + $this->destroy(); + } } -- cgit v1.2.3-24-g4f1b From a1a8ef711ec179a183a32f6cf4502ddc48782a84 Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sun, 21 Aug 2011 15:44:10 +0100 Subject: Revert 43194ea1af658914a89ca49aed4dca4617b9c4ff^..HEAD --- system/libraries/Cart.php | 10 ++++---- system/libraries/Session.php | 59 +++++++++++--------------------------------- 2 files changed, 19 insertions(+), 50 deletions(-) diff --git a/system/libraries/Cart.php b/system/libraries/Cart.php index 1caef49cd..b2eaa9ad7 100644 --- a/system/libraries/Cart.php +++ b/system/libraries/Cart.php @@ -59,9 +59,9 @@ class CI_Cart { $this->CI->load->library('session', $config); // Grab the shopping cart array from the session table, if it exists - if ($this->CI->session->get('cart_contents') !== FALSE) + if ($this->CI->session->userdata('cart_contents') !== FALSE) { - $this->_cart_contents = $this->CI->session->get('cart_contents'); + $this->_cart_contents = $this->CI->session->userdata('cart_contents'); } else { @@ -397,7 +397,7 @@ class CI_Cart { // Is our cart empty? If so we delete it from the session if (count($this->_cart_contents) <= 2) { - $this->CI->session->rm('cart_contents'); + $this->CI->session->unset_userdata('cart_contents'); // Nothing more to do... coffee time! return FALSE; @@ -405,7 +405,7 @@ class CI_Cart { // If we made it this far it means that our cart has data. // Let's pass it to the Session class so it can be stored - $this->CI->session->set(array('cart_contents' => $this->_cart_contents)); + $this->CI->session->set_userdata(array('cart_contents' => $this->_cart_contents)); // Woot! return TRUE; @@ -541,7 +541,7 @@ class CI_Cart { $this->_cart_contents['cart_total'] = 0; $this->_cart_contents['total_items'] = 0; - $this->CI->session->rm('cart_contents'); + $this->CI->session->unset_userdata('cart_contents'); } diff --git a/system/libraries/Session.php b/system/libraries/Session.php index 3203468b2..2c8a80163 100644 --- a/system/libraries/Session.php +++ b/system/libraries/Session.php @@ -395,7 +395,7 @@ class CI_Session { * @access public * @return void */ - function destroy() + function sess_destroy() { // Kill the session DB row if ($this->sess_use_database === TRUE AND isset($this->userdata['session_id'])) @@ -424,7 +424,7 @@ class CI_Session { * @param string * @return string */ - function get($item) + function userdata($item) { return ( ! isset($this->userdata[$item])) ? FALSE : $this->userdata[$item]; } @@ -437,7 +437,7 @@ class CI_Session { * @access public * @return array */ - function get_all() + function all_userdata() { return $this->userdata; } @@ -452,7 +452,7 @@ class CI_Session { * @param string * @return void */ - function set($newdata = array(), $newval = '') + function set_userdata($newdata = array(), $newval = '') { if (is_string($newdata)) { @@ -478,7 +478,7 @@ class CI_Session { * @access array * @return void */ - function rm($newdata = array()) + function unset_userdata($newdata = array()) { if (is_string($newdata)) { @@ -519,7 +519,7 @@ class CI_Session { foreach ($newdata as $key => $val) { $flashdata_key = $this->flashdata_key.':new:'.$key; - $this->set($flashdata_key, $val); + $this->set_userdata($flashdata_key, $val); } } } @@ -540,10 +540,10 @@ class CI_Session { // Note the function will return FALSE if the $key // provided cannot be found $old_flashdata_key = $this->flashdata_key.':old:'.$key; - $value = $this->get($old_flashdata_key); + $value = $this->userdata($old_flashdata_key); $new_flashdata_key = $this->flashdata_key.':new:'.$key; - $this->set($new_flashdata_key, $value); + $this->set_userdata($new_flashdata_key, $value); } // ------------------------------------------------------------------------ @@ -558,7 +558,7 @@ class CI_Session { function flashdata($key) { $flashdata_key = $this->flashdata_key.':old:'.$key; - return $this->get($flashdata_key); + return $this->userdata($flashdata_key); } // ------------------------------------------------------------------------ @@ -572,15 +572,15 @@ class CI_Session { */ function _flashdata_mark() { - $userdata = $this->get_all(); + $userdata = $this->all_userdata(); foreach ($userdata as $name => $value) { $parts = explode(':new:', $name); if (is_array($parts) && count($parts) === 2) { $new_name = $this->flashdata_key.':old:'.$parts[1]; - $this->set($new_name, $value); - $this->unset($name); + $this->set_userdata($new_name, $value); + $this->unset_userdata($name); } } } @@ -596,12 +596,12 @@ class CI_Session { function _flashdata_sweep() { - $userdata = $this->get_all(); + $userdata = $this->all_userdata(); foreach ($userdata as $key => $value) { if (strpos($key, ':old:')) { - $this->unset($key); + $this->unset_userdata($key); } } @@ -767,37 +767,6 @@ class CI_Session { log_message('debug', 'Session garbage collection performed.'); } } - - // -------------------------------------------------------------------- - - /** - * Backwards compatible functions - */ - - function userdata($item) - { - return $this->get($item); - } - - function all_userdata() - { - return $this->get_all(); - } - - function set_userdata($newdata) - { - $this->set($newdata); - } - - function unset_userdata($newdata) - { - $this->rm($newdata); - } - - function sess_destroy() - { - $this->destroy(); - } } -- cgit v1.2.3-24-g4f1b From aeb2c3e532e78be9ac78ba6fd4a305b7be31d2ab Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sun, 21 Aug 2011 16:14:54 +0100 Subject: Added new config parameter "csrf_exclude_uris" which allows for URIs to be whitelisted from CSRF verification. Fixes #149 --- application/config/config.php | 2 ++ system/core/Security.php | 12 +++++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/application/config/config.php b/application/config/config.php index 1ec65435e..b64b11669 100644 --- a/application/config/config.php +++ b/application/config/config.php @@ -292,11 +292,13 @@ $config['global_xss_filtering'] = FALSE; | 'csrf_token_name' = The token name | 'csrf_cookie_name' = The cookie name | 'csrf_expire' = The number in seconds the token should expire. +| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks */ $config['csrf_protection'] = FALSE; $config['csrf_token_name'] = 'csrf_test_name'; $config['csrf_cookie_name'] = 'csrf_cookie_name'; $config['csrf_expire'] = 7200; +$config['csrf_exclude_uris'] = array(); /* |-------------------------------------------------------------------------- diff --git a/system/core/Security.php b/system/core/Security.php index 3617cadcc..efd30eb14 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -93,6 +93,16 @@ class CI_Security { { return $this->csrf_set_cookie(); } + + // Check if URI has been whitelisted from CSRF checks + if ($exclude_uris = config_item('csrf_exclude_uris')) + { + $uri = load_class('URI', 'core'); + if (in_array($uri->uri_string(), $exclude_uris)) + { + return $this; + } + } // Do the tokens exist in both the _POST and _COOKIE arrays? if ( ! isset($_POST[$this->_csrf_token_name]) OR @@ -116,7 +126,7 @@ class CI_Security { $this->_csrf_set_hash(); $this->csrf_set_cookie(); - log_message('debug', "CSRF token verified "); + log_message('debug', "CSRF token verified"); return $this; } -- cgit v1.2.3-24-g4f1b From 87c74c885991075cf42e9e78d7843290e2b0c3a7 Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sun, 21 Aug 2011 16:28:43 +0100 Subject: Updated Security library documentation with details on how to whitelist URIs from CSRF protection --- user_guide/libraries/security.html | 3 +++ 1 file changed, 3 insertions(+) diff --git a/user_guide/libraries/security.html b/user_guide/libraries/security.html index dd62a4386..cbe12d852 100644 --- a/user_guide/libraries/security.html +++ b/user_guide/libraries/security.html @@ -116,6 +116,9 @@ Note: This function should only be used to deal with data upon submission. It's

If you use the form helper the form_open() function will automatically insert a hidden csrf field in your forms.

+

Select URIs can be whitelisted from csrf protection (for example API endpoints expecting externally POSTed content). You can add these URIs by editing the 'csrf_exclude_uris' config parameter:

+$config['csrf_exclude_uris'] = array('api/person/add'); + -- cgit v1.2.3-24-g4f1b From 6a93995f2a24c0ac8d636ecac5f3eb0d0243e23d Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Wed, 24 Aug 2011 09:20:36 +0100 Subject: Added note in changelog --- user_guide/changelog.html | 1 + 1 file changed, 1 insertion(+) diff --git a/user_guide/changelog.html b/user_guide/changelog.html index c52a33e5a..5e412ca44 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -75,6 +75,7 @@ Change Log
  • Visual updates to the welcome_message view file and default error templates. Thanks to danijelb for the pull request.
  • Added insert_batch() function to the PostgreSQL database driver. Thanks to epallerols for the patch.
  • Added "application/x-csv" to mimes.php.
    • +
  • Added CSRF protection URI whitelisting.
  • Fixed a bug where Email library attachments with a "." in the name would using invalid MIME-types.
    • -- cgit v1.2.3-24-g4f1b