From aeb2c3e532e78be9ac78ba6fd4a305b7be31d2ab Mon Sep 17 00:00:00 2001
From: Alex Bilbie <alex.bilbie@gmail.com>
Date: Sun, 21 Aug 2011 16:14:54 +0100
Subject: Added new config parameter "csrf_exclude_uris" which allows for URIs
 to be whitelisted from CSRF verification. Fixes #149

---
 system/core/Security.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 3617cadcc..efd30eb14 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -93,6 +93,16 @@ class CI_Security {
 		{
 			return $this->csrf_set_cookie();
 		}
+		
+		// Check if URI has been whitelisted from CSRF checks
+		if ($exclude_uris = config_item('csrf_exclude_uris'))
+		{
+			$uri = load_class('URI', 'core');
+			if (in_array($uri->uri_string(), $exclude_uris))
+			{
+				return $this;
+			}
+		}
 
 		// Do the tokens exist in both the _POST and _COOKIE arrays?
 		if ( ! isset($_POST[$this->_csrf_token_name]) OR 
@@ -116,7 +126,7 @@ class CI_Security {
 		$this->_csrf_set_hash();
 		$this->csrf_set_cookie();
 
-		log_message('debug', "CSRF token verified ");
+		log_message('debug', "CSRF token verified");
 		
 		return $this;
 	}
-- 
cgit v1.2.3-24-g4f1b


From 8cc0cfe1ab1e10aad71d14e0b43e05444c00693d Mon Sep 17 00:00:00 2001
From: freewil <sean@eternalrise.com>
Date: Sat, 27 Aug 2011 21:53:00 -0400
Subject: always use charset config item

---
 system/core/Security.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 342455f27..cc21ddc91 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -525,9 +525,10 @@ class CI_Security {
 	 * @param	string
 	 * @return	string
 	 */
-	public function entity_decode($str, $charset='UTF-8')
+	public function entity_decode($str, $charset = NULL)
 	{
 		if (stristr($str, '&') === FALSE) return $str;
+		if (empty($charset)) $charset = config_item('charset');
 
 		// The reason we are not using html_entity_decode() by itself is because
 		// while it is not technically correct to leave out the semicolon
-- 
cgit v1.2.3-24-g4f1b


From 5c9b0d1b5618ade5c6aa70475b08b3066f14ff3e Mon Sep 17 00:00:00 2001
From: freewil <sean@eternalrise.com>
Date: Sun, 28 Aug 2011 12:15:23 -0400
Subject: always use charset config item

---
 system/core/Security.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index cc21ddc91..e99418bdd 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -527,8 +527,15 @@ class CI_Security {
 	 */
 	public function entity_decode($str, $charset = NULL)
 	{
-		if (stristr($str, '&') === FALSE) return $str;
-		if (empty($charset)) $charset = config_item('charset');
+		if (stristr($str, '&') === FALSE)
+		{
+			return $str;
+		}
+		
+		if (empty($charset))
+		{
+			$charset = config_item('charset');
+		}
 
 		// The reason we are not using html_entity_decode() by itself is because
 		// while it is not technically correct to leave out the semicolon
-- 
cgit v1.2.3-24-g4f1b