From d45180cb98cd987e2d5cce57a7965a87ee2aed7b Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 15 Aug 2015 09:09:38 +0300 Subject: Fix #4056 --- system/core/Input.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index e1319be8d..d896495e9 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -803,7 +803,7 @@ class CI_Input { if ( ! isset($headers)) { - empty($this->headers) OR $this->request_headers(); + empty($this->headers) && $this->request_headers(); foreach ($this->headers as $key => $value) { $headers[strtolower($key)] = $value; -- cgit v1.2.3-24-g4f1b From dd28a888e8d9934260b14d0b7601da375fe75b8d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 7 Sep 2015 16:03:05 +0300 Subject: Move csrf_verify() call out of _sanitize_globals() It doesn't belong in there. --- system/core/Input.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index d896495e9..67a495e74 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -153,6 +153,12 @@ class CI_Input { // Sanitize global arrays $this->_sanitize_globals(); + // CSRF Protection check + if ($this->_enable_csrf === TRUE && ! is_cli()) + { + $this->security->csrf_verify(); + } + log_message('info', 'Input Class Initialized'); } @@ -647,12 +653,6 @@ class CI_Input { // Sanitize PHP_SELF $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); - // CSRF Protection check - if ($this->_enable_csrf === TRUE && ! is_cli()) - { - $this->security->csrf_verify(); - } - log_message('debug', 'Global POST, GET and COOKIE data sanitized'); } -- cgit v1.2.3-24-g4f1b From e70238e8acd4ebdf1a3e30d63e8ffb1a46ab6d15 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 7 Sep 2015 16:07:45 +0300 Subject: Remove unnecessary count() calls from _sanitize_globals() foreach() just won't execute for an empty array, it does that check internally. --- system/core/Input.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index 67a495e74..4e7a4e95e 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -606,7 +606,7 @@ class CI_Input { { $_GET = array(); } - elseif (is_array($_GET) && count($_GET) > 0) + elseif (is_array($_GET)) { foreach ($_GET as $key => $val) { @@ -615,7 +615,7 @@ class CI_Input { } // Clean $_POST Data - if (is_array($_POST) && count($_POST) > 0) + if (is_array($_POST)) { foreach ($_POST as $key => $val) { @@ -624,7 +624,7 @@ class CI_Input { } // Clean $_COOKIE Data - if (is_array($_COOKIE) && count($_COOKIE) > 0) + if (is_array($_COOKIE)) { // Also get rid of specially treated cookies that might be set by a server // or silly application, that are of no use to a CI application anyway -- cgit v1.2.3-24-g4f1b From 125ef4751080a2118cb203357d77687699e3eb25 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 11 Jan 2016 12:33:00 +0200 Subject: [ci skip] Bump year to 2016 --- system/core/Input.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index 4e7a4e95e..55474fd0c 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2015, British Columbia Institute of Technology + * Copyright (c) 2014 - 2016, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link http://codeigniter.com * @since Version 1.0.0 -- cgit v1.2.3-24-g4f1b From bd202c91b0e9cf0a8c93bcaa71df9574f5909346 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 11 Jan 2016 12:50:18 +0200 Subject: [ci skip] Update codeigniter.com links to https --- system/core/Input.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index 55474fd0c..bb7ad23ba 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -31,7 +31,7 @@ * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License - * @link http://codeigniter.com + * @link https://codeigniter.com * @since Version 1.0.0 * @filesource */ @@ -46,7 +46,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @subpackage Libraries * @category Input * @author EllisLab Dev Team - * @link http://codeigniter.com/user_guide/libraries/input.html + * @link https://codeigniter.com/user_guide/libraries/input.html */ class CI_Input { -- cgit v1.2.3-24-g4f1b From 1924e879b165fb119847a49a7a5eab2f28295fa2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 11 Jan 2016 12:55:34 +0200 Subject: [ci skip] Update ellislab.com links to https too --- system/core/Input.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index bb7ad23ba..a7c9ecd0d 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -28,7 +28,7 @@ * * @package CodeIgniter * @author EllisLab Dev Team - * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) + * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com -- cgit v1.2.3-24-g4f1b From fa34429e85b4bf452ba595072124a884ca3e8b89 Mon Sep 17 00:00:00 2001 From: sprakash4 Date: Fri, 26 Feb 2016 16:02:07 -0800 Subject: Downgraded log level for some pesky messages to INFO --- system/core/Input.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index a7c9ecd0d..59b39620c 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -653,7 +653,7 @@ class CI_Input { // Sanitize PHP_SELF $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); - log_message('debug', 'Global POST, GET and COOKIE data sanitized'); + log_message('info', 'Global POST, GET and COOKIE data sanitized'); } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From cd3d5956f7880091740489c5f24af0e72f677c0c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 4 Apr 2016 10:28:31 +0300 Subject: Fix #4563 --- system/core/Input.php | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index a7c9ecd0d..50ca047e8 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -760,30 +760,32 @@ class CI_Input { // If header is already defined, return it immediately if ( ! empty($this->headers)) { - return $this->headers; + return $this->_fetch_from_array($this->headers, NULL, $xss_clean); } // In Apache, you can simply call apache_request_headers() if (function_exists('apache_request_headers')) { - return $this->headers = apache_request_headers(); + $this->headers = apache_request_headers(); } - - $this->headers['Content-Type'] = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : @getenv('CONTENT_TYPE'); - - foreach ($_SERVER as $key => $val) + else { - if (sscanf($key, 'HTTP_%s', $header) === 1) + isset($_SERVER['CONTENT_TYPE']) && $this->headers['Content-Type'] = $_SERVER['CONTENT_TYPE']; + + foreach ($_SERVER as $key => $val) { - // take SOME_HEADER and turn it into Some-Header - $header = str_replace('_', ' ', strtolower($header)); - $header = str_replace(' ', '-', ucwords($header)); + if (sscanf($key, 'HTTP_%s', $header) === 1) + { + // take SOME_HEADER and turn it into Some-Header + $header = str_replace('_', ' ', strtolower($header)); + $header = str_replace(' ', '-', ucwords($header)); - $this->headers[$header] = $this->_fetch_from_array($_SERVER, $key, $xss_clean); + $this->headers[$header] = $_SERVER[$key]; + } } } - return $this->headers; + return $this->_fetch_from_array($this->headers, NULL, $xss_clean); } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 9fd9248a2d712d5ae95bf2e6c6cd036e6b522cbb Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 19 Jul 2016 14:04:17 +0300 Subject: Fix #4679 --- system/core/Input.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index 50ca047e8..b81d51ebf 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -519,9 +519,9 @@ class CI_Input { if ($separator === ':') { $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr)); - for ($i = 0; $i < 8; $i++) + for ($j = 0; $j < 8; $j++) { - $netaddr[$i] = intval($netaddr[$i], 16); + $netaddr[$i] = intval($netaddr[$j], 16); } } else -- cgit v1.2.3-24-g4f1b From 3a89d3c05303d25486576de3d056f39585decfe4 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 3 Nov 2016 16:26:31 +0200 Subject: Fix #4679, for real --- system/core/Input.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index b81d51ebf..24fe8a9cc 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -521,7 +521,7 @@ class CI_Input { $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr)); for ($j = 0; $j < 8; $j++) { - $netaddr[$i] = intval($netaddr[$j], 16); + $netaddr[$j] = intval($netaddr[$j], 16); } } else -- cgit v1.2.3-24-g4f1b From 9687441bc9b77514e847a5e3c56cf7e051f14be4 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 1 Dec 2016 14:36:44 +0200 Subject: Remove previously deprecated CI_Input::is_cli_request() --- system/core/Input.php | 15 --------------- 1 file changed, 15 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index cbb185a8d..2e38e4501 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -840,21 +840,6 @@ class CI_Input { // -------------------------------------------------------------------- - /** - * Is CLI request? - * - * Test to see if a request was made from the command line. - * - * @deprecated 3.0.0 Use is_cli() instead - * @return bool - */ - public function is_cli_request() - { - return is_cli(); - } - - // -------------------------------------------------------------------- - /** * Get Request Method * -- cgit v1.2.3-24-g4f1b From 56d1efc5b14d7bd5a92800ba9394bf9201d48b61 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 14 Dec 2016 12:32:32 +0200 Subject: Move 'standardize_newlines' proc out of CI_Input::_clean_input_data() Preparation for CI_Input::_sanitize_globals() removal. Also, WTF?! I'm deprecating this functionality in 3.1.next. --- system/core/Input.php | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index 2e38e4501..ec57cd448 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -66,15 +66,6 @@ class CI_Input { */ protected $_allow_get_array = TRUE; - /** - * Standardize new lines flag - * - * If set to TRUE, then newlines are standardized. - * - * @var bool - */ - protected $_standardize_newlines; - /** * Enable XSS flag * @@ -140,7 +131,6 @@ class CI_Input { $this->_allow_get_array = (config_item('allow_get_array') === TRUE); $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); $this->_enable_csrf = (config_item('csrf_protection') === TRUE); - $this->_standardize_newlines = (bool) config_item('standardize_newlines'); $this->security =& load_class('Security', 'core'); @@ -159,6 +149,13 @@ class CI_Input { $this->security->csrf_verify(); } + if ( ! empty($_POST) && config_item('standardize_newlines') === TRUE) + { + array_walk_recursive($_POST, function(&$value) { + $value = preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $value); + }); + } + log_message('info', 'Input Class Initialized'); } @@ -595,7 +592,6 @@ class CI_Input { * * - Unsets $_GET data, if query strings are not enabled * - Cleans POST, COOKIE and SERVER data - * - Standardizes newline characters to PHP_EOL * * @return void */ @@ -698,12 +694,6 @@ class CI_Input { // Remove control characters $str = remove_invisible_characters($str, FALSE); - // Standardize newlines if needed - if ($this->_standardize_newlines === TRUE) - { - return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str); - } - return $str; } -- cgit v1.2.3-24-g4f1b From 8e37b8560c75d3994e59f401be977dcf386bb210 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 14 Dec 2016 13:13:05 +0200 Subject: Remove 'allow_get_array', 'standardize_newlines' config settings --- system/core/Input.php | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index ec57cd448..a6be7b517 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -57,15 +57,6 @@ class CI_Input { */ protected $ip_address = FALSE; - /** - * Allow GET array flag - * - * If set to FALSE, then $_GET will be set to an empty array. - * - * @var bool - */ - protected $_allow_get_array = TRUE; - /** * Enable XSS flag * @@ -128,7 +119,6 @@ class CI_Input { */ public function __construct() { - $this->_allow_get_array = (config_item('allow_get_array') === TRUE); $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); $this->_enable_csrf = (config_item('csrf_protection') === TRUE); @@ -149,13 +139,6 @@ class CI_Input { $this->security->csrf_verify(); } - if ( ! empty($_POST) && config_item('standardize_newlines') === TRUE) - { - array_walk_recursive($_POST, function(&$value) { - $value = preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $value); - }); - } - log_message('info', 'Input Class Initialized'); } @@ -598,11 +581,7 @@ class CI_Input { protected function _sanitize_globals() { // Is $_GET data allowed? If not we'll set the $_GET to an empty array - if ($this->_allow_get_array === FALSE) - { - $_GET = array(); - } - elseif (is_array($_GET)) + if (is_array($_GET)) { foreach ($_GET as $key => $val) { -- cgit v1.2.3-24-g4f1b From 4e0c208f24b0755c47905e17b82854c538a0c530 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 14 Dec 2016 13:23:06 +0200 Subject: Remove 'global_xss_filtering' config setting --- system/core/Input.php | 32 +++++++++----------------------- 1 file changed, 9 insertions(+), 23 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index a6be7b517..d4f79ee68 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -57,17 +57,6 @@ class CI_Input { */ protected $ip_address = FALSE; - /** - * Enable XSS flag - * - * Determines whether the XSS filter is always active when - * GET, POST or COOKIE data is encountered. - * Set automatically based on config setting. - * - * @var bool - */ - protected $_enable_xss = FALSE; - /** * Enable CSRF flag * @@ -119,7 +108,6 @@ class CI_Input { */ public function __construct() { - $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); $this->_enable_csrf = (config_item('csrf_protection') === TRUE); $this->security =& load_class('Security', 'core'); @@ -154,10 +142,8 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL) + protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = FALSE) { - is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; - // If $index is NULL, it means that the whole $array is requested isset($index) OR $index = array_keys($array); @@ -217,7 +203,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function get($index = NULL, $xss_clean = NULL) + public function get($index = NULL, $xss_clean = FALSE) { return $this->_fetch_from_array($_GET, $index, $xss_clean); } @@ -231,7 +217,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function post($index = NULL, $xss_clean = NULL) + public function post($index = NULL, $xss_clean = FALSE) { return $this->_fetch_from_array($_POST, $index, $xss_clean); } @@ -245,7 +231,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function post_get($index, $xss_clean = NULL) + public function post_get($index, $xss_clean = FALSE) { return isset($_POST[$index]) ? $this->post($index, $xss_clean) @@ -261,7 +247,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function get_post($index, $xss_clean = NULL) + public function get_post($index, $xss_clean = FALSE) { return isset($_GET[$index]) ? $this->get($index, $xss_clean) @@ -277,7 +263,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function cookie($index = NULL, $xss_clean = NULL) + public function cookie($index = NULL, $xss_clean = FALSE) { return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); } @@ -291,7 +277,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function server($index, $xss_clean = NULL) + public function server($index, $xss_clean = FALSE) { return $this->_fetch_from_array($_SERVER, $index, $xss_clean); } @@ -307,7 +293,7 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function input_stream($index = NULL, $xss_clean = NULL) + public function input_stream($index = NULL, $xss_clean = FALSE) { // Prior to PHP 5.6, the input stream can only be read once, // so we'll need to check if we have already done that first. @@ -561,7 +547,7 @@ class CI_Input { * * @return string|null User Agent string or NULL if it doesn't exist */ - public function user_agent($xss_clean = NULL) + public function user_agent($xss_clean = FALSE) { return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean); } -- cgit v1.2.3-24-g4f1b From ff773c059cb984920767dd6187c30a77e5bf78c9 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 14 Dec 2016 13:45:45 +0200 Subject: Finally drop CI_Input::_sanitize_globals() Close #4101 --- system/core/Input.php | 168 +++----------------------------------------------- 1 file changed, 8 insertions(+), 160 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index d4f79ee68..aefc3b7d8 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -93,8 +93,15 @@ class CI_Input { */ protected $_input_stream; + /** + * CI_Security instance + * + * Used for the optional $xss_filter parameter that most + * getter methods have here. + * + * @var CI_Security + */ protected $security; - protected $uni; // -------------------------------------------------------------------- @@ -112,15 +119,6 @@ class CI_Input { $this->security =& load_class('Security', 'core'); - // Do we need the UTF-8 class? - if (UTF8_ENABLED === TRUE) - { - $this->uni =& load_class('Utf8', 'core'); - } - - // Sanitize global arrays - $this->_sanitize_globals(); - // CSRF Protection check if ($this->_enable_csrf === TRUE && ! is_cli()) { @@ -554,156 +552,6 @@ class CI_Input { // -------------------------------------------------------------------- - /** - * Sanitize Globals - * - * Internal method serving for the following purposes: - * - * - Unsets $_GET data, if query strings are not enabled - * - Cleans POST, COOKIE and SERVER data - * - * @return void - */ - protected function _sanitize_globals() - { - // Is $_GET data allowed? If not we'll set the $_GET to an empty array - if (is_array($_GET)) - { - foreach ($_GET as $key => $val) - { - $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); - } - } - - // Clean $_POST Data - if (is_array($_POST)) - { - foreach ($_POST as $key => $val) - { - $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); - } - } - - // Clean $_COOKIE Data - if (is_array($_COOKIE)) - { - // Also get rid of specially treated cookies that might be set by a server - // or silly application, that are of no use to a CI application anyway - // but that when present will trip our 'Disallowed Key Characters' alarm - // http://www.ietf.org/rfc/rfc2109.txt - // note that the key names below are single quoted strings, and are not PHP variables - unset( - $_COOKIE['$Version'], - $_COOKIE['$Path'], - $_COOKIE['$Domain'] - ); - - foreach ($_COOKIE as $key => $val) - { - if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE) - { - $_COOKIE[$cookie_key] = $this->_clean_input_data($val); - } - else - { - unset($_COOKIE[$key]); - } - } - } - - // Sanitize PHP_SELF - $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); - - log_message('info', 'Global POST, GET and COOKIE data sanitized'); - } - - // -------------------------------------------------------------------- - - /** - * Clean Input Data - * - * Internal method that aids in escaping data and - * standardizing newline characters to PHP_EOL. - * - * @param string|string[] $str Input string(s) - * @return string - */ - protected function _clean_input_data($str) - { - if (is_array($str)) - { - $new_array = array(); - foreach (array_keys($str) as $key) - { - $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]); - } - return $new_array; - } - - /* We strip slashes if magic quotes is on to keep things consistent - - NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and - it will probably not exist in future versions at all. - */ - if ( ! is_php('5.4') && get_magic_quotes_gpc()) - { - $str = stripslashes($str); - } - - // Clean UTF-8 if supported - if (UTF8_ENABLED === TRUE) - { - $str = $this->uni->clean_string($str); - } - - // Remove control characters - $str = remove_invisible_characters($str, FALSE); - - return $str; - } - - // -------------------------------------------------------------------- - - /** - * Clean Keys - * - * Internal method that helps to prevent malicious users - * from trying to exploit keys we make sure that keys are - * only named with alpha-numeric text and a few other items. - * - * @param string $str Input string - * @param bool $fatal Whether to terminate script exection - * or to return FALSE if an invalid - * key is encountered - * @return string|bool - */ - protected function _clean_input_keys($str, $fatal = TRUE) - { - if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str)) - { - if ($fatal === TRUE) - { - return FALSE; - } - else - { - set_status_header(503); - echo 'Disallowed Key Characters.'; - exit(7); // EXIT_USER_INPUT - } - } - - // Clean UTF-8 if supported - if (UTF8_ENABLED === TRUE) - { - return $this->uni->clean_string($str); - } - - return $str; - } - - // -------------------------------------------------------------------- - /** * Request Headers * -- cgit v1.2.3-24-g4f1b From dcd6f5153b7e7e6d798d5a77af65b7460f152e5c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 14 Dec 2016 18:14:35 +0200 Subject: Isolate CI_Security instantiation from CI_Input; improve tests --- system/core/Input.php | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index aefc3b7d8..d881e253d 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -113,11 +113,10 @@ class CI_Input { * * @return void */ - public function __construct() + public function __construct(CI_Security &$security) { - $this->_enable_csrf = (config_item('csrf_protection') === TRUE); - - $this->security =& load_class('Security', 'core'); + $this->_enable_csrf = (config_item('csrf_protection') === TRUE); + $this->security = $security; // CSRF Protection check if ($this->_enable_csrf === TRUE && ! is_cli()) -- cgit v1.2.3-24-g4f1b From 9f20c8011a80d74edb740081cd96388bb6a967e6 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 14 Dec 2016 18:41:52 +0200 Subject: Move csrf_verify() call out of CI_Input --- system/core/Input.php | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index d881e253d..ab60e45c3 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -57,16 +57,6 @@ class CI_Input { */ protected $ip_address = FALSE; - /** - * Enable CSRF flag - * - * Enables a CSRF cookie token to be set. - * Set automatically based on config setting. - * - * @var bool - */ - protected $_enable_csrf = FALSE; - /** * List of all HTTP request headers * @@ -115,15 +105,7 @@ class CI_Input { */ public function __construct(CI_Security &$security) { - $this->_enable_csrf = (config_item('csrf_protection') === TRUE); - $this->security = $security; - - // CSRF Protection check - if ($this->_enable_csrf === TRUE && ! is_cli()) - { - $this->security->csrf_verify(); - } - + $this->security = $security; log_message('info', 'Input Class Initialized'); } -- cgit v1.2.3-24-g4f1b From fced25f5728ce81fe810216fcaa4ccec7523f6c9 Mon Sep 17 00:00:00 2001 From: Master Yoda Date: Sat, 31 Dec 2016 08:46:18 -0800 Subject: Update copyright data to 2017 --- system/core/Input.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index ab60e45c3..a7918aefb 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2016, British Columbia Institute of Technology + * Copyright (c) 2014 - 2017, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) - * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com * @since Version 1.0.0 -- cgit v1.2.3-24-g4f1b From 806e014ec46f739398d7510b07be62593e0c3377 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 4 Jan 2017 17:19:30 +0200 Subject: Close #4904 --- system/core/Input.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index a7918aefb..0585b42fe 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -304,7 +304,7 @@ class CI_Input { * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) * @return void */ - public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE) + public function set_cookie($name, $value = '', $expire = 0, $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE) { if (is_array($name)) { @@ -343,9 +343,9 @@ class CI_Input { $httponly = config_item('cookie_httponly'); } - if ( ! is_numeric($expire)) + if ( ! is_numeric($expire) || $expire < 0) { - $expire = time() - 86500; + $expire = 1; } else { -- cgit v1.2.3-24-g4f1b From 7061e8f75f9b0e64864b2565573252dce00d3ea9 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 5 Jan 2017 11:39:49 +0200 Subject: [ci skip] || -> OR --- system/core/Input.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index 0585b42fe..70a3c61ee 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -343,7 +343,7 @@ class CI_Input { $httponly = config_item('cookie_httponly'); } - if ( ! is_numeric($expire) || $expire < 0) + if ( ! is_numeric($expire) OR $expire < 0) { $expire = 1; } -- cgit v1.2.3-24-g4f1b