From 67ccdc02e1b66750b0e13eadcfacc47f01c1de67 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 27 Feb 2012 23:57:58 +0200 Subject: Do not create a CSRF cookie if CSRF protection is not enabled --- system/core/Security.php | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 1007f61f4..688aeba33 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -25,8 +25,6 @@ * @filesource */ -// ------------------------------------------------------------------------ - /** * Security Class * @@ -106,23 +104,27 @@ class CI_Security { public function __construct() { - // CSRF config - foreach(array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key) + // Is CSRF protection enabled? + if (config_item('csrf_protection') === TRUE) { - if (FALSE !== ($val = config_item($key))) + // CSRF config + foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key) { - $this->{'_'.$key} = $val; + if (FALSE !== ($val = config_item($key))) + { + $this->{'_'.$key} = $val; + } } - } - // Append application specific cookie prefix - if (config_item('cookie_prefix')) - { - $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name; - } + // Append application specific cookie prefix + if (config_item('cookie_prefix')) + { + $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name; + } - // Set the CSRF hash - $this->_csrf_set_hash(); + // Set the CSRF hash + $this->_csrf_set_hash(); + } log_message('debug', 'Security Class Initialized'); } @@ -189,7 +191,7 @@ class CI_Security { $expire = time() + $this->_csrf_expire; $secure_cookie = (bool) config_item('cookie_secure'); - if ($secure_cookie && ( ! isset($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] == 'off' OR ! $_SERVER['HTTPS'])) + if ($secure_cookie && (empty($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] === 'off')) { return FALSE; } @@ -358,7 +360,7 @@ class CI_Security { foreach ($words as $word) { - $word = implode("\s*", str_split($word)) . "\s*"; + $word = implode('\s*', str_split($word)).'\s*'; // We only want to do this when it is followed by a non-word character // That way valid stuff like "dealer to" does not become "dealerto" @@ -425,7 +427,6 @@ class CI_Security { '\\1\\2(\\3)', $str); - // Final clean up // This adds a bit of extra precaution in case // something got through the above filters @@ -601,7 +602,7 @@ class CI_Security { } // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { @@ -633,7 +634,7 @@ class CI_Security { { return '<'.$matches[1].$matches[2].$matches[3] // encode opening brace // encode captured opening or closing brace to prevent recursive vectors: - . str_replace(array('>', '<'), array('>', '<'), $matches[4]); + .str_replace(array('>', '<'), array('>', '<'), $matches[4]); } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From a10c8e17bbd1eb75aed1bb74523449f81ee393a2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 29 Feb 2012 18:56:12 +0200 Subject: Add strtolower to the HTTPS check --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 688aeba33..6f25fb5bb 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -191,7 +191,7 @@ class CI_Security { $expire = time() + $this->_csrf_expire; $secure_cookie = (bool) config_item('cookie_secure'); - if ($secure_cookie && (empty($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] === 'off')) + if ($secure_cookie && (empty($_SERVER['HTTPS']) OR strtolower($_SERVER['HTTPS']) === 'off')) { return FALSE; } -- cgit v1.2.3-24-g4f1b From 5d27c43d29fc049497010ea62ac7877a64bfed92 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 8 Mar 2012 12:01:52 +0200 Subject: Fix issue #940 --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 6f25fb5bb..2bffa41b7 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -138,8 +138,8 @@ class CI_Security { */ public function csrf_verify() { - // If no POST data exists we will set the CSRF cookie - if (count($_POST) === 0) + // If it's not a POST request we will set the CSRF cookie + if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') { return $this->csrf_set_cookie(); } -- cgit v1.2.3-24-g4f1b From 07c1ac830b4e98aa40f48baef3dd05fb68c0a836 Mon Sep 17 00:00:00 2001 From: Phil Sturgeon Date: Fri, 9 Mar 2012 17:03:37 +0000 Subject: Bumped CodeIgniter's PHP requirement to 5.2.4. Yes I know PHP 5.4 just came out, and yes I know PHP 5.3 has lovely features, but there are plenty of corporate systems running on CodeIgniter and PHP 5.3 still is not widely supported enough. CodeIgniter is great for distributed applications, and this is the highest we can reasonably go without breaking support. PHP 5.3 will most likely happen in another year or so. Fingers crossed on that one anyway... --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 6f25fb5bb..bf73bd15d 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -2,7 +2,7 @@ /** * CodeIgniter * - * An open source application development framework for PHP 5.1.6 or newer + * An open source application development framework for PHP 5.2.4 or newer * * NOTICE OF LICENSE * -- cgit v1.2.3-24-g4f1b