From 02a16129a23409af956392a5a36755489290a2e8 Mon Sep 17 00:00:00 2001
From: brenjt
Date: Sat, 14 Sep 2013 11:10:25 -0600
Subject: Updated config to include list of valid characters to `sess_cookie_name` Added list of valid characters to sess_cookie_name
---
 application/config/config.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index 0608348c6..3114f417b 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -282,7 +282,7 @@ $config['encryption_key'] = '';
 | 'sess_driver' = the driver to load: cookie (Classic), native (PHP sessions),
 | or your custom driver name
 | 'sess_valid_drivers' = additional valid drivers which may be loaded
-| 'sess_cookie_name' = the name you want for the cookie
+| 'sess_cookie_name' = the name you want for the cookie, must contain only [0-9a-z_-] characters
 | 'sess_expiration' = the number of SECONDS you want the session to last.
 | by default sessions last 7200 seconds (two hours). Set to zero for no expiration.
 | 'sess_expire_on_close' = Whether to cause the session to expire automatically
@@ -435,4 +435,4 @@ $config['proxy_ips'] = '';
 /* End of file config.php */
-/* Location: ./application/config/config.php */
\ No newline at end of file
+/* Location: ./application/config/config.php */
-- cgit v1.2.3-24-g4f1b
From 9c98991705432d9c179715bc7f3b4fb0c6d51b4b Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Sat, 14 Sep 2013 20:55:12 +0300
Subject: [ci skip] Remove empty line at application/config/config.php EOF
---
 application/config/config.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index 3114f417b..8d08a7401 100644
--- a/application/config/config.php
+++ b/application/config/config.php
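Review bot: The new `sess_cookie_name` line in the `@@ -282,7 +282,7 @@` hunk of commit 02a1612 states a character restriction but not what happens when it is violated, and the diffstat lists only config.php, so nothing in this commit enforces it. Unless the session library already validates the name elsewhere, a value outside `[0-9a-z_-]` would presumably surface only at runtime as a session that does not persist; rejecting it when the session library loads would make the documented rule real. The line is also much longer than its neighbours, while the `'sess_driver'` entry above it wraps onto a continuation line, so I would split it as `| 'sess_cookie_name' = the name you want for the cookie,` followed by `| must contain only [0-9a-z_-] characters`. The comment block starts and ends outside the hunk.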
@@ -435,4 +435,4 @@ $config['proxy_ips'] = '';
 /* End of file config.php */
-/* Location: ./application/config/config.php */
+/* Location: ./application/config/config.php */
\ No newline at end of file
-- cgit v1.2.3-24-g4f1b
From bfb635b276d880336db795f1a603de66ccfc80f6 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 8 Jan 2014 18:32:05 +0200
Subject: Make newline standardization configurable Added ['standardize_newlines'] Also altered the Session cookie driver, which experienced issues with this feature due to it's HMAC verification failing after the Input class alters newlines in non-encrypted session cookies. Supersedes PR #2470
---
 application/config/config.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index 8d08a7401..cd2ca479b 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -325,6 +325,20 @@ $config['cookie_path'] = '/';
 $config['cookie_secure'] = FALSE;
 $config['cookie_httponly'] = FALSE;
+/*
+|--------------------------------------------------------------------------
+| Standardize newlines
+|--------------------------------------------------------------------------
+|
+| Determines whether to standardize newline characters in input data,
+| meaning to replace \r\n, \r, \n occurences with the PHP_EOL value.
+|
+| This is particularly useful for portability between UNIX-based OSes,
+| (usually \n) and Windows (\r\n).
+|
+*/
+$config['standardize_newlines'] = TRUE;
+
 /*
 |--------------------------------------------------------------------------
 | Global XSS Filtering
-- cgit v1.2.3-24-g4f1b
From 155ee7231c0ef72dc362c7d6423b2e4600024d3c Mon Sep 17 00:00:00 2001
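Review bot: The `standardize_newlines` comment added in the `@@ -325,6 +325,20 @@` hunk of commit bfb635b presents the option only as a portability aid and leaves out the side effect the commit message itself describes: rewriting newlines changes the bytes of input data, so an HMAC or signature computed over the original value stops verifying. Because the option ships as `TRUE`, I would add a caveat to the block, for example `| NOTE: this changes the bytes of submitted data, so integrity checks` followed by `| (HMACs, signatures) computed over the original input will fail.` Two wording nits in the same block: "occurences" should be "occurrences", and the comma after "UNIX-based OSes" is stray.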
From: Andrey Andreev
Date: Fri, 10 Jan 2014 15:50:54 +0200
Subject: Compress output before storing it to cache, if output compression is enabled Based on PR #964
---
 application/config/config.php | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index cd2ca479b..c46839330 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -381,6 +381,9 @@ $config['csrf_exclude_uris'] = array();
 | Even if it does, however, not all browsers support compression
 | so enable only if you are reasonably sure your visitors can handle it.
 |
+| Only used if zlib.output_compression is turned off in your php.ini.
+| Please do not use it together with httpd-level output compression.
+|
 | VERY IMPORTANT: If you are getting a blank page when compression is enabled it
 | means you are prematurely outputting something to your browser. It could
 | even be a line of whitespace at the end of one of your scripts. For
-- cgit v1.2.3-24-g4f1b
From de14aa5a29b1b122bfd536f979dfda7f2fd9f53d Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 15 Jan 2014 15:51:08 +0200
Subject: CI_URI changes related to the 'permitted_uri_chars' setting - Initialize and cache the value in the class constructor instead of searching for it every time - Removed the preg_quote() call from _filter_uri() to allow more fine-tuning from configuration - Renamed _filter_uri() to filter_uri() - it was public anyway and using it cannot break anything Related: issue #2799
---
 application/config/config.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'application/config/config.php')
diff --git a/application/config/config.php b/application/config/config.php
index cd2ca479b..5240f6c26 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -141,15 +141,18 @@ $config['subclass_prefix'] = 'MY_';
 | Allowed URL Characters
 |--------------------------------------------------------------------------
 |
-| This lets you specify with a regular expression which characters are permitted
-| within your URLs. When someone tries to submit a URL with disallowed
-| characters they will get a warning message.
+| This lets you specify which characters are permitted within your URLs.
+| When someone tries to submit a URL with disallowed characters they will
+| get a warning message.
 |
 | As a security measure you are STRONGLY encouraged to restrict URLs to
 | as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
 |
 | Leave blank to allow all characters -- but only if you are insane.
 |
+| The configured value is actually a regular expression character group
+| and it will be executed as: ! preg_match('/^[]+$/i
+|
 | DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
 |
 */
-- cgit v1.2.3-24-g4f1b
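Review bot: The added sentence "The configured value is actually a regular expression character group" in the `@@ -141,15 +141,18 @@` hunk does not say that, with the preg_quote() call removed (per the commit message), escaping the value is now the administrator's job. Inside a character class an unescaped `-` between two characters forms a range, and `]`, `\` or the `/` delimiter end or break the pattern, so a small edit can silently widen the set of accepted URL characters or make every match fail. The default quoted a few lines up ends in `_-`; the actual `$config['permitted_uri_chars']` line is outside the hunk, so it is worth checking that its hyphen is escaped or placed last in the class. I would add `| Escape regex metacharacters yourself, e.g. \- for a literal hyphen.` to the block. As shown on this page the example `preg_match('/^[]+$/i` has an empty class and no closing quote or parenthesis; if a placeholder was lost in rendering, disregard that part.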