From f6779f5e2510811a1d4fe39864923226a475f298 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 5 Feb 2014 23:15:26 +0200
Subject: Fix #2856

---
 system/database/drivers/odbc/odbc_driver.php | 2 +-
 user_guide_src/source/changelog.rst | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php
index 45e91cbc5..6f635bdfb 100644
--- a/system/database/drivers/odbc/odbc_driver.php
+++ b/system/database/drivers/odbc/odbc_driver.php
@@ -222,7 +222,7 @@ class CI_DB_odbc_driver extends CI_DB {
 */
 public function affected_rows()
 {
- return @odbc_num_rows($this->conn_id);
+ return @odbc_num_rows($this->result_id);
 }

 // --------------------------------------------------------------------
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index c6d42d923..a5839a2e6 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
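Review bot: The corrected call on the `+` line still runs under `@`, so when `$this->result_id` is not a live ODBC result (no query executed yet, or the last one failed) `odbc_num_rows()` fails silently and, as far as I can tell, `affected_rows()` hands back FALSE/NULL rather than the integer callers presumably expect; PHP also documents a -1 return for drivers that cannot report a count, the same limitation this page's changelog hunk records for `num_rows()`. A small guard keeps the return type honest: `return is_resource($this->result_id) ? odbc_num_rows($this->result_id) : 0;` — and dropping the `@` lets a genuinely broken result surface instead of being swallowed. The method body is fully inside the hunk, but its docblock is cut off above it, so I can't see whether the -1 case is already documented there.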
@@ -519,7 +519,7 @@ Bug fixes for 3.0
 - Fixed a bug (#177) - ``CI_Form_validation::set_value()`` didn't set the default value if POST data is NULL.
 - Fixed a bug (#68, #414) - Oracle's escape_str() didn't properly escape LIKE wild characters.
 - Fixed a bug (#81) - ODBC's list_fields() and field_data() methods skipped the first column due to odbc_field_*() functions' index starting at 1 instead of 0.
-- Fixed a bug (#129) - ODBC's num_rows() returned -1 in some cases, due to not all subdrivers supporting the odbc_num_rows() function.
+- Fixed a bug (#129) - ODBC's ``num_rows()`` method returned -1 in some cases, due to not all subdrivers supporting the ``odbc_num_rows()`` function.
 - Fixed a bug (#153) - E_NOTICE being generated by getimagesize() in the :doc:`File Uploading Library `.
 - Fixed a bug (#611) - SQLSRV's error handling methods used to issue warnings when there's no actual error.
 - Fixed a bug (#1036) - ``is_write_type()`` method in the :doc:`Database Library ` didn't return TRUE for RENAME queries.
@@ -684,6 +684,7 @@ Bug fixes for 3.0
 - Fixed a bug (#2729) - ``CI_Security::_validate_entities()`` used overly-intrusive ``preg_replace()`` patterns that produced false-positives.
 - Fixed a bug (#2771) - ``CI_Security::xss_clean()`` didn't take into account HTML5 entities.
 - Fixed a bug in the :doc:`Session Library ` 'cookie' driver where authentication was not performed for encrypted cookies.
+- Fixed a bug (#2856) - ODBC method ``affected_rows()`` passed an incorrect value to ``odbc_num_rows()``.

 Version 2.1.4
 =============
-- cgit v1.2.3-24-g4f1b

From 3aa781a65267d72000009df0fa2feee5cb3bdd8d Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Thu, 6 Feb 2014 05:34:19 +0200
Subject: Make CI_Session's HMAC comparison time-attack-safe

---
 system/libraries/Session/drivers/Session_cookie.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php
index 971dfeabe..c8dfad6c9 100644
--- a/system/libraries/Session/drivers/Session_cookie.php
+++ b/system/libraries/Session/drivers/Session_cookie.php
@@ -395,7 +395,15 @@ class CI_Session_cookie extends CI_Session_driver {

 $hmac = substr($session, $len);
 $session = substr($session, 0, $len);
- if ($hmac !== hash_hmac('sha1', $session, $this->encryption_key))
+ // Time-attack-safe comparison
+ $hmac_check = hash_hmac('sha1', $session, $this->encryption_key);
+ $diff = 0;
+ for ($i = 0; $i < 40; $i++)
+ {
+ $diff |= ord($hmac[$i]) ^ ord($hmac_check[$i]);
+ }
+
+ if ($diff !== 0)
 {
 log_message('error', 'The session cookie data did not match what was expected.');
 $this->sess_destroy();
-- cgit v1.2.3-24-g4f1b
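Review bot: The new loop reads `$hmac[$i]` for all 40 positions without first checking that the cookie-supplied `$hmac` is actually 40 bytes long; `$hmac` is cut from the cookie with `substr($session, $len)` and `$len` is computed outside this hunk, so if a malformed cookie yields a shorter tag, every request carrying it raises string-offset notices inside the loop. The comparison still fails closed only by coincidence — an out-of-range offset reads as an empty string, `ord('')` is 0, and every byte of `$hmac_check` is a non-zero hex digit — so make the check explicit, e.g. `if (strlen($hmac) !== 40) { $diff = 1; }` ahead of (and guarding) the loop, or on PHP 5.6+ replace the loop with `hash_equals($hmac_check, $hmac)`, which does the same constant-time comparison and already handles a length mismatch; hard-coding 40 also ties the loop to SHA-1, whereas `strlen($hmac_check)` would follow the algorithm. The comment `// Time-attack-safe comparison` would be more useful as `// Constant-time comparison: must not leak at which byte the supplied HMAC first differs`. The enclosing method starts and ends outside this hunk, so I can't confirm how `$len` or the minimum cookie length are validated before this point.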