From 67ccdc02e1b66750b0e13eadcfacc47f01c1de67 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 27 Feb 2012 23:57:58 +0200 Subject: Do not create a CSRF cookie if CSRF protection is not enabled --- system/core/Security.php | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 1007f61f4..688aeba33 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -25,8 +25,6 @@ * @filesource */ -// ------------------------------------------------------------------------ - /** * Security Class * @@ -106,23 +104,27 @@ class CI_Security { public function __construct() { - // CSRF config - foreach(array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key) + // Is CSRF protection enabled? + if (config_item('csrf_protection') === TRUE) { - if (FALSE !== ($val = config_item($key))) + // CSRF config + foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key) { - $this->{'_'.$key} = $val; + if (FALSE !== ($val = config_item($key))) + { + $this->{'_'.$key} = $val; + } } - } - // Append application specific cookie prefix - if (config_item('cookie_prefix')) - { - $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name; - } + // Append application specific cookie prefix + if (config_item('cookie_prefix')) + { + $this->_csrf_cookie_name = config_item('cookie_prefix').$this->_csrf_cookie_name; + } - // Set the CSRF hash - $this->_csrf_set_hash(); + // Set the CSRF hash + $this->_csrf_set_hash(); + } log_message('debug', 'Security Class Initialized'); } @@ -189,7 +191,7 @@ class CI_Security { $expire = time() + $this->_csrf_expire; $secure_cookie = (bool) config_item('cookie_secure'); - if ($secure_cookie && ( ! isset($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] == 'off' OR ! $_SERVER['HTTPS'])) + if ($secure_cookie && (empty($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] === 'off')) { return FALSE; } @@ -358,7 +360,7 @@ class CI_Security { foreach ($words as $word) { - $word = implode("\s*", str_split($word)) . "\s*"; + $word = implode('\s*', str_split($word)).'\s*'; // We only want to do this when it is followed by a non-word character // That way valid stuff like "dealer to" does not become "dealerto" @@ -425,7 +427,6 @@ class CI_Security { '\\1\\2(\\3)', $str); - // Final clean up // This adds a bit of extra precaution in case // something got through the above filters @@ -601,7 +602,7 @@ class CI_Security { } // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { @@ -633,7 +634,7 @@ class CI_Security { { return '<'.$matches[1].$matches[2].$matches[3] // encode opening brace // encode captured opening or closing brace to prevent recursive vectors: - . str_replace(array('>', '<'), array('>', '<'), $matches[4]); + .str_replace(array('>', '<'), array('>', '<'), $matches[4]); } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From a10c8e17bbd1eb75aed1bb74523449f81ee393a2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 29 Feb 2012 18:56:12 +0200 Subject: Add strtolower to the HTTPS check --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 688aeba33..6f25fb5bb 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -191,7 +191,7 @@ class CI_Security { $expire = time() + $this->_csrf_expire; $secure_cookie = (bool) config_item('cookie_secure'); - if ($secure_cookie && (empty($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] === 'off')) + if ($secure_cookie && (empty($_SERVER['HTTPS']) OR strtolower($_SERVER['HTTPS']) === 'off')) { return FALSE; } -- cgit v1.2.3-24-g4f1b