From 20573bd472bdeaa831074e563f239585554ffaf5 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Tue, 1 Sep 2015 12:46:06 +0300
Subject: [ci skip] Correct session database setup docs
---
 application/config/config.php | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index a4d883fab..479d591a4 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -344,6 +344,9 @@ $config['encryption_key'] = '';
 |
 | Whether to match the user's IP address when reading the session data.
 |
+| WARNING: If you're using the database driver, don't forget to update
+| your session table's PRIMARY KEY when changing this setting.
+|
 | 'sess_time_to_update'
 |
 | How many seconds between CI regenerating the session ID.
-- cgit v1.2.3-24-g4f1b
From 0a6b0661305f20ac1fbd219d43f59193bea90d1d Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Mon, 26 Oct 2015 15:31:38 +0200
Subject: Prevent Host header injections
---
 application/config/config.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index 479d591a4..4f8f81406 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -11,10 +11,16 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 |
 | http://example.com/
 |
-| If this is not set then CodeIgniter will try guess the protocol, domain
-| and path to your installation. However, you should always configure this
-| explicitly and never rely on auto-guessing, especially in production
-| environments.
+| WARNING: You MUST set this value!
+|
+| If it is not set, then CodeIgniter will try guess the protocol and path
+| your installation, but due to security concerns the hostname will be set
+| to $_SERVER['SERVER_ADDR'] if available, or localhost otherwise.
+| The auto-detection mechanism exists only for convenience during
+| development and MUST NOT be used in production!
+|
+| If you need to allow multiple domains, remember that this file is still
+| a PHP script and you can easily do that on your own.
 |
 */
 $config['base_url'] = '';
-- cgit v1.2.3-24-g4f1b
From bd202c91b0e9cf0a8c93bcaa71df9574f5909346 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Mon, 11 Jan 2016 12:50:18 +0200
Subject: [ci skip] Update codeigniter.com links to https
---
 application/config/config.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index 4f8f81406..23ef5a528 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -62,7 +62,7 @@ $config['uri_protocol'] = 'REQUEST_URI';
 | This option allows you to add a suffix to all URLs generated by CodeIgniter.
 | For more information please see the user guide:
 |
-| http://codeigniter.com/user_guide/general/urls.html
+| https://codeigniter.com/user_guide/general/urls.html
 */
 $config['url_suffix'] = '';
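Review bot: The last added paragraph of the base_url comment (hunk `@@ -11,10 +11,16 @@`, commit "Prevent Host header injections") tells readers who need multiple domains to "easily do that on your own" but does not say that the host must still come from a fixed list. Someone following that hint by copying `$_SERVER['HTTP_HOST']` into `$config['base_url']` would bring back the client-controlled hostname that this change keeps out of generated URLs. I would add a line such as `| Pick the host from a fixed allow-list of your own domains; never copy $_SERVER['HTTP_HOST'] into base_url unchecked.` Two wording slips in the same block are worth fixing while there: `try guess` should read `try to guess`, and `the protocol and path your installation` has lost its `to`.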
@@ -110,8 +110,8 @@ $config['enable_hooks'] = FALSE;
 | This item allows you to set the filename/classname prefix when extending
 | native libraries. For more information please see the user guide:
 |
-| http://codeigniter.com/user_guide/general/core_classes.html
-| http://codeigniter.com/user_guide/general/creating_libraries.html
+| https://codeigniter.com/user_guide/general/core_classes.html
+| https://codeigniter.com/user_guide/general/creating_libraries.html
 |
 */
 $config['subclass_prefix'] = 'MY_';
@@ -311,7 +311,7 @@ $config['cache_query_string'] = FALSE;
 | If you use the Encryption class, you must set an encryption key.
 | See the user guide for more info.
 |
-| http://codeigniter.com/user_guide/libraries/encryption.html
+| https://codeigniter.com/user_guide/libraries/encryption.html
 |
 */
 $config['encryption_key'] = '';
-- cgit v1.2.3-24-g4f1b
From 2426635afc58f7bbf8355e80d4228076321a669d Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Mon, 15 Feb 2016 14:21:13 +0200
Subject: [ci skip] Add notes in config about CLI for url_suffix, permitted_uri_chars
---
 application/config/config.php | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index 23ef5a528..0a7b8202b 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -63,6 +63,8 @@ $config['uri_protocol'] = 'REQUEST_URI';
 | For more information please see the user guide:
 |
 | https://codeigniter.com/user_guide/general/urls.html
+|
+| Note: This option is ignored for CLI requests.
 */
 $config['url_suffix'] = '';
@@ -157,6 +159,8 @@ $config['composer_autoload'] = FALSE;
 |
 | DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
 |
+| Note: This option is ignored for CLI requests.
+|
 */
 $config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
-- cgit v1.2.3-24-g4f1b
From 25aab832ff5b064166b5af4f5c4269407c56b338 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 14 Dec 2016 13:04:40 +0200
Subject: [ci skip] Deprecate 'allow_get_array', 'standardize_newlines'
---
 application/config/config.php | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index 23ef5a528..10315220e 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -168,9 +168,6 @@ $config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
 | By default CodeIgniter uses search-engine friendly segment based URLs:
 | example.com/who/what/where/
 |
-| By default CodeIgniter enables access to the $_GET array. If for some
-| reason you would like to disable it, set 'allow_get_array' to FALSE.
-|
 | You can optionally enable standard query string based URLs:
 | example.com?who=me&what=something&where=here
 |
@@ -185,12 +182,25 @@ $config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
 | use segment based URLs.
 |
 */
-$config['allow_get_array'] = TRUE;
 $config['enable_query_strings'] = FALSE;
 $config['controller_trigger'] = 'c';
 $config['function_trigger'] = 'm';
 $config['directory_trigger'] = 'd';
+/*
+|--------------------------------------------------------------------------
+| Allow $_GET array
+|--------------------------------------------------------------------------
+|
+| By default CodeIgniter enables access to the $_GET array. If for some
+| reason you would like to disable it, set 'allow_get_array' to FALSE.
+|
+| WARNING: This feature is DEPRECATED and currently available only
+| for backwards compatibility purposes!
+|
+*/
+$config['allow_get_array'] = TRUE;
+
 /*
 |--------------------------------------------------------------------------
 | Error Logging Threshold
@@ -404,8 +414,8 @@ $config['cookie_httponly'] = FALSE;
 | Determines whether to standardize newline characters in input data,
 | meaning to replace \r\n, \r, \n occurrences with the PHP_EOL value.
 |
-| This is particularly useful for portability between UNIX-based OSes,
-| (usually \n) and Windows (\r\n).
+| WARNING: This feature is DEPRECATED and currently available only
+| for backwards compatibility purposes!
 |
 */
 $config['standardize_newlines'] = FALSE;
-- cgit v1.2.3-24-g4f1b
From 8e37b8560c75d3994e59f401be977dcf386bb210 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 14 Dec 2016 13:13:05 +0200
Subject: Remove 'allow_get_array', 'standardize_newlines' config settings
---
 application/config/config.php | 28 ----------------------------
 1 file changed, 28 deletions(-)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index c088e80c0..535f0f817 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -191,20 +191,6 @@ $config['controller_trigger'] = 'c';
 $config['function_trigger'] = 'm';
 $config['directory_trigger'] = 'd';
-/*
-|--------------------------------------------------------------------------
-| Allow $_GET array
-|--------------------------------------------------------------------------
-|
-| By default CodeIgniter enables access to the $_GET array. If for some
-| reason you would like to disable it, set 'allow_get_array' to FALSE.
-|
-| WARNING: This feature is DEPRECATED and currently available only
-| for backwards compatibility purposes!
-|
-*/
-$config['allow_get_array'] = TRUE;
-
 /*
 |--------------------------------------------------------------------------
 | Error Logging Threshold
@@ -410,20 +396,6 @@ $config['cookie_path'] = '/';
 $config['cookie_secure'] = FALSE;
 $config['cookie_httponly'] = FALSE;
-/*
-|--------------------------------------------------------------------------
-| Standardize newlines
-|--------------------------------------------------------------------------
-|
-| Determines whether to standardize newline characters in input data,
-| meaning to replace \r\n, \r, \n occurrences with the PHP_EOL value.
-|
-| WARNING: This feature is DEPRECATED and currently available only
-| for backwards compatibility purposes!
-|
-*/
-$config['standardize_newlines'] = FALSE;
-
 /*
 |--------------------------------------------------------------------------
 | Global XSS Filtering
-- cgit v1.2.3-24-g4f1b
From 4e0c208f24b0755c47905e17b82854c538a0c530 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 14 Dec 2016 13:23:06 +0200
Subject: Remove 'global_xss_filtering' config setting
---
 application/config/config.php | 14 --------------
 1 file changed, 14 deletions(-)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index 535f0f817..d37af34b7 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -396,20 +396,6 @@ $config['cookie_path'] = '/';
 $config['cookie_secure'] = FALSE;
 $config['cookie_httponly'] = FALSE;
-/*
-|--------------------------------------------------------------------------
-| Global XSS Filtering
-|--------------------------------------------------------------------------
-|
-| Determines whether the XSS filter is always active when GET, POST or
-| COOKIE data is encountered
-|
-| WARNING: This feature is DEPRECATED and currently available only
-| for backwards compatibility purposes!
-|
-*/
-$config['global_xss_filtering'] = FALSE;
-
 /*
 |--------------------------------------------------------------------------
 | Cross Site Request Forgery
-- cgit v1.2.3-24-g4f1b
From 24c866628d0ce5463d7e8b4eba512fa9e7752dfd Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 14 Dec 2016 16:14:13 +0200
Subject: Drop all PHP 5.3-related code
---
 application/config/config.php | 14 --------------
 1 file changed, 14 deletions(-)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index d37af34b7..c6e1a7af5 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -452,20 +452,6 @@ $config['compress_output'] = FALSE;
 */
 $config['time_reference'] = 'local';
-/*
-|--------------------------------------------------------------------------
-| Rewrite PHP Short Tags
-|--------------------------------------------------------------------------
-|
-| If your PHP installation does not have short tag support enabled CI
-| can rewrite the tags on-the-fly, enabling you to utilize that syntax
-| in your view files. Options are TRUE or FALSE (boolean)
-|
-| Note: You need to have eval() enabled for this to work.
-|
-*/
-$config['rewrite_short_tags'] = FALSE;
-
 /*
 |--------------------------------------------------------------------------
 | Reverse Proxy IPs
-- cgit v1.2.3-24-g4f1b