From 3fd1b384273b7b6d56950bbad3e1fac18f5f82e4 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 13 Feb 2014 03:01:31 +0200 Subject: Introducing compatibility layers - Limited support for mbstring (mb_strlen(), mb_strpos(), mb_substr() only) via iconv. Falls back to regular strlen(), strpos(), substr() if iconv is not available. - Password hashing, dependant on CRYPT_BLOWFISH (2y version, available since PHP 5.3.7) availability. --- system/core/compat/mbstring.php | 141 ++++++++++++++++++++++++++ system/core/compat/password.php | 216 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 357 insertions(+) create mode 100644 system/core/compat/mbstring.php create mode 100644 system/core/compat/password.php (limited to 'system/core/compat') diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php new file mode 100644 index 000000000..91ea8017c --- /dev/null +++ b/system/core/compat/mbstring.php @@ -0,0 +1,141 @@ + 0, 'algoName' => 'unknown', 'options' => array()) + : array('algo' => 1, 'algoName' => 'bcrypt', 'options' => array('cost' => $hash)); + } +} + +// ------------------------------------------------------------------------ + +if ( ! function_exists('password_hash')) +{ + /** + * password_hash() + * + * @link http://php.net/password_hash + * @param string $password + * @param int $algo + * @param array $options + * @return mixed + */ + function password_hash($password, $algo, array $options = array()) + { + if ($algo !== 1) + { + trigger_error('password_hash(): Unknown hashing algorithm: '.(int) $algo, E_USER_WARNING); + return NULL; + } + + if (isset($options['cost']) && ($options['cost'] < 4 OR $options['cost'] > 31)) + { + trigger_error('password_hash(): Invalid bcrypt cost parameter specified: '.(int) $options['cost'], E_USER_WARNING); + return NULL; + } + + if (isset($options['salt']) && strlen($options['salt']) < 22) + { + trigger_error('password_hash(): Provided salt is too short: '.strlen($options['salt']).' expecting 22', E_USER_WARNING); + return NULL; + } + elseif ( ! isset($options['salt'])) + { + if (defined('MCRYPT_DEV_URANDOM')) + { + $options['salt'] = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM); + } + elseif (function_exists('openssl_random_pseudo_bytes')) + { + $options['salt'] = openssl_random_pseudo_bytes(16); + } + elseif (DIRECTORY_SEPARATOR === '/' && (is_readable($dev = '/dev/arandom') OR is_readable($dev = '/dev/urandom'))) + { + if (($fp = fopen($dev, 'rb')) === FALSE) + { + log_message('error', 'compat/password: Unable to open '.$dev.' for reading.'); + return FALSE; + } + + $options['salt'] = ''; + for ($read = 0; $read < 16; $read = strlen($options['salt'])) + { + if (($read = fread($fp, 16 - $read)) === FALSE) + { + log_message('error', 'compat/password: Error while reading from '.$dev.'.'); + return FALSE; + } + $options['salt'] .= $read; + } + + fclose($fp); + } + else + { + log_message('error', 'compat/password: No CSPRNG available.'); + return FALSE; + } + + $options['salt'] = str_replace('+', '.', rtrim(base64_encode($options['salt']), '=')); + } + elseif ( ! preg_match('#^[a-zA-Z0-9./]+$#D', $options['salt'])) + { + $options['salt'] = str_replace('+', '.', rtrim(base64_encode($options['salt']), '=')); + } + + isset($options['cost']) OR $options['cost'] = 10; + return crypt($password, sprintf('$2y$%02d$%s', $options['cost'], $options['salt'])); + } +} + +// ------------------------------------------------------------------------ + +if ( ! function_exists('password_needs_rehash')) +{ + /** + * password_needs_rehash() + * + * @link http://php.net/password_needs_rehash + * @param string $hash + * @param int $algo + * @param array $options + * @return bool + */ + function password_needs_rehash($hash, $algo, array $options = array()) + { + $info = password_get_info($hash); + + if ($algo !== $info['algo']) + { + return TRUE; + } + elseif ($algo === 1) + { + $options['cost'] = isset($options['cost']) ? (int) $options['cost'] : 10; + return ($info['options']['cost'] !== $options['cost']); + } + + // Odd at first glance, but according to a comment in PHP's own unit tests, + // because it is an unknown algorithm - it's valid and therefore doesn't + // need rehashing. + return FALSE; + } +} + +// ------------------------------------------------------------------------ + +if ( ! function_exists('password_verify')) +{ + /** + * password_verify() + * + * @link http://php.net/password_verify + * @param string $password + * @param string $hash + * @return bool + */ + function password_verify($password, $hash) + { + if (strlen($hash) !== 60 OR strlen($password = crypt($password, $hash)) !== 60) + { + return FALSE; + } + + $compare = 0; + for ($i = 0; $i < 60; $i++) + { + $compare |= (ord($password[$i]) ^ ord($hash[$i])); + } + + return ($compare === 0); + } +} + +/* End of file password.php */ +/* Location: ./system/core/compat/password.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 678606dc0d3b1554a7635354df82346a252b302b Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 13 Feb 2014 14:16:06 +0200 Subject: [ci skip] Add index.html to system/core/compat/ --- system/core/compat/index.html | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 system/core/compat/index.html (limited to 'system/core/compat') diff --git a/system/core/compat/index.html b/system/core/compat/index.html new file mode 100644 index 000000000..c942a79ce --- /dev/null +++ b/system/core/compat/index.html @@ -0,0 +1,10 @@ + + + 403 Forbidden + + + +

Directory access is forbidden.

+ + + \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 9a152a91c982d5f2ba07d0197ef2fe5eb8c8510c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 18 Feb 2014 16:29:53 +0200 Subject: Add an ext/hash compatibility layer (just hash_pbkdf2(), for now) --- system/core/compat/hash.php | 144 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 144 insertions(+) create mode 100644 system/core/compat/hash.php (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php new file mode 100644 index 000000000..a9f59f110 --- /dev/null +++ b/system/core/compat/hash.php @@ -0,0 +1,144 @@ + Date: Wed, 19 Feb 2014 00:45:11 +0200 Subject: Don't load password hashing compat for HHVM --- system/core/compat/password.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/compat') diff --git a/system/core/compat/password.php b/system/core/compat/password.php index 92fdedb99..a9355d5d0 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -39,7 +39,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); // ------------------------------------------------------------------------ -if (is_php('5.5') OR ! is_php('5.3.7') OR ! defined('CRYPT_BLOWFISH') OR CRYPT_BLOWFISH !== 1) +if (is_php('5.5') OR ! is_php('5.3.7') OR ! defined('CRYPT_BLOWFISH') OR CRYPT_BLOWFISH !== 1 OR defined('HHVM_VERSION')) { return; } -- cgit v1.2.3-24-g4f1b From 02545895c1c6551be3b167bcada171fe9423d443 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 19 Feb 2014 23:49:31 +0200 Subject: Add compatibility layer for array_column(), array_replace(), array_replace_recursive() --- system/core/compat/array.php | 246 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 246 insertions(+) create mode 100644 system/core/compat/array.php (limited to 'system/core/compat') diff --git a/system/core/compat/array.php b/system/core/compat/array.php new file mode 100644 index 000000000..b291703ed --- /dev/null +++ b/system/core/compat/array.php @@ -0,0 +1,246 @@ + Date: Tue, 29 Apr 2014 01:00:42 +0300 Subject: Small fixes (PR #3022) - Fix incorrect variable in mb_strlen() compat - Micro-optimization of array_replace(), array_replace_recursive() compat --- system/core/compat/array.php | 4 ++-- system/core/compat/mbstring.php | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/array.php b/system/core/compat/array.php index b291703ed..07dae21c2 100644 --- a/system/core/compat/array.php +++ b/system/core/compat/array.php @@ -163,7 +163,7 @@ if ( ! function_exists('array_replace')) $array = array_shift($arrays); $c--; - for ($i = 0, $c = count($arrays); $i < $c; $i++) + for ($i = 0; $i < $c; $i++) { if ( ! is_array($arrays[$i])) { @@ -218,7 +218,7 @@ if ( ! function_exists('array_replace_recursive')) $array = array_shift($arrays); $c--; - for ($i = 0, $c = count($arrays); $i < $c; $i++) + for ($i = 0; $i < $c; $i++) { if ( ! is_array($arrays[$i])) { diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php index 91ea8017c..314dbe9ba 100644 --- a/system/core/compat/mbstring.php +++ b/system/core/compat/mbstring.php @@ -63,7 +63,7 @@ if ( ! function_exists('mb_strlen')) { if (ICONV_ENABLED === TRUE) { - return iconv_strlen($str, isset($charset) ? $charset : config_item('charset')); + return iconv_strlen($str, isset($encoding) ? $encoding : config_item('charset')); } log_message('debug', 'Compatibility (mbstring): iconv_strlen() is not available, falling back to strlen().'); -- cgit v1.2.3-24-g4f1b From a5621b8965ebcec213d3a5b07500cfcc3a730ada Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 9 May 2014 11:23:08 +0300 Subject: Add hash_equals() to ext/hash compat layer Introduced in PHP 5.6 Beta 1 (unfortunately, still undocumented). RFC: https://wiki.php.net/rfc/timing_attack (Yes, I am aware that the RFC talks about hash_compare(), the function was later renamed in the implementation.) --- system/core/compat/hash.php | 46 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index a9f59f110..b2170103e 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -39,6 +39,52 @@ defined('BASEPATH') OR exit('No direct script access allowed'); // ------------------------------------------------------------------------ +if (is_php('5.6')) +{ + return; +} + +// ------------------------------------------------------------------------ + +if ( ! function_exists('hash_equals')) +{ + /** + * hash_equals() + * + * @link http://php.net/hash_equals + * @param string $known_string + * @param string $user_string + * @return bool + */ + function hash_equals($known_string, $user_string) + { + if ( ! is_string($known_string)) + { + trigger_error('hash_equals(): Expected known_string to be a string, '.strtolower(gettype($known_string)).' given', E_USER_WARNING); + return FALSE; + } + elseif ( ! is_string($user_string)) + { + trigger_error('hash_equals(): Expected user_string to be a string, '.strtolower(gettype($user_string)).' given', E_USER_WARNING); + return FALSE; + } + elseif (($length = strlen($known_string)) !== strlen($user_string)) + { + return FALSE; + } + + $diff = 0; + for ($i = 0; $i < $length; $i++) + { + $diff |= ord($known_string[$i]) ^ ord($user_string[$i]); + } + + return ($diff === 0); + } +} + +// ------------------------------------------------------------------------ + if (is_php('5.5')) { return; -- cgit v1.2.3-24-g4f1b From 4191be3d3be76909253158a6cd35fbf3a89cfb5f Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 21 Jun 2014 16:13:13 +0300 Subject: Fix a _potential_ flaw in password_hash() --- system/core/compat/password.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'system/core/compat') diff --git a/system/core/compat/password.php b/system/core/compat/password.php index a9355d5d0..d5a017d9a 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -145,7 +145,10 @@ if ( ! function_exists('password_hash')) } isset($options['cost']) OR $options['cost'] = 10; - return crypt($password, sprintf('$2y$%02d$%s', $options['cost'], $options['salt'])); + + return (strlen($password = crypt($password, sprintf('$2y$%02d$%s', $options['cost'], $options['salt']))) === 60) + ? $password + : FALSE; } } -- cgit v1.2.3-24-g4f1b From 5b3fe7c4af5e08e17480b911fbfa8cf0ef6475c0 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 7 Jul 2014 10:55:53 +0300 Subject: Fix a few typos and add a backport (compat) for hex2bin() --- system/core/compat/array.php | 246 --------------------------------- system/core/compat/standard.php | 293 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 293 insertions(+), 246 deletions(-) delete mode 100644 system/core/compat/array.php create mode 100644 system/core/compat/standard.php (limited to 'system/core/compat') diff --git a/system/core/compat/array.php b/system/core/compat/array.php deleted file mode 100644 index 07dae21c2..000000000 --- a/system/core/compat/array.php +++ /dev/null @@ -1,246 +0,0 @@ - Date: Mon, 7 Jul 2014 14:11:26 +0300 Subject: Add a backport (compat) for quoted_printable_encode() --- system/core/compat/standard.php | 92 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 90 insertions(+), 2 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index 6380fa1e8..afe9e9852 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -289,5 +289,93 @@ if ( ! function_exists('array_replace_recursive')) } } -/* End of file array.php */ -/* Location: ./system/core/compat/array.php */ \ No newline at end of file +// ------------------------------------------------------------------------ + +if ( ! function_exists('quoted_printable_encode')) +{ + /** + * quoted_printable_encode() + * + * @link http://php.net/quoted_printable_encode + * @param string $str + * @return string + */ + function quoted_printable_encode($str) + { + if (strlen($str) === 0) + { + return ''; + } + elseif (in_array($type = gettype($str), array('array', 'object'), TRUE)) + { + if ($type === 'object' && method_exists($str, '__toString')) + { + $str = (string) $str; + } + else + { + trigger_error('quoted_printable_encode() expects parameter 1 to be string, '.$type.' given', E_USER_WARNING); + return NULL; + } + } + + if (function_exists('imap_8bit')) + { + return imap_8bit($str); + } + + $i = $lp = 0; + $output = ''; + $hex = '0123456789ABCDEF'; + $length = (extension_loaded('mbstring') && ini_get('mbstring.func_overload')) + ? mb_strlen($str, '8bit') + : strlen($str); + + while ($length--) + { + if ((($c = $str[$i++]) === "\015") && isset($str[$i]) && ($str[$i] === "\012") && $length > 0) + { + $output .= "\015".$str[$i++]; + $length--; + $lp = 0; + continue; + } + + if ( + ctype_cntrl($c) + OR (ord($c) === 0x7f) + OR (ord($c) & 0x80) + OR ($c === '=') + OR ($c === ' ' && isset($str[$i]) && $str[$i] === "\015") + ) + { + if ( + (($lp += 3) > 75 && ord($c) <= 0x7f) + OR (ord($c) > 0x7f && ord($c) <= 0xdf && ($lp + 3) > 75) + OR (ord($c) > 0xdf && ord($c) <= 0xef && ($lp + 6) > 75) + OR (ord($c) > 0xef && ord($c) <= 0xf4 && ($lp + 9) > 75) + ) + { + $output .= "=\015\012"; + $lp = 3; + } + + $output .= '='.$hex[ord($c) >> 4].$hex[ord($c) & 0xf]; + continue; + } + + if ((++$lp) > 75) + { + $output .= "=\015\012"; + $lp = 1; + } + + $output .= $c; + } + + return $output; + } +} + +/* End of file standard.php */ +/* Location: ./system/core/compat/standard.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 2da3550055ea20eba309ef68347a806a3986375d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 7 Jul 2014 14:41:57 +0300 Subject: Fix potential bugs in password_hash(), CI_Encryption strlen(), substr() are not byte-safe when mbstring.func_overload is enabled --- system/core/compat/password.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/password.php b/system/core/compat/password.php index d5a017d9a..a8bc756f0 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -83,6 +83,9 @@ if ( ! function_exists('password_hash')) */ function password_hash($password, $algo, array $options = array()) { + static $func_override; + isset($func_override) OR $func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); + if ($algo !== 1) { trigger_error('password_hash(): Unknown hashing algorithm: '.(int) $algo, E_USER_WARNING); @@ -95,9 +98,9 @@ if ( ! function_exists('password_hash')) return NULL; } - if (isset($options['salt']) && strlen($options['salt']) < 22) + if (isset($options['salt']) && ($saltlen = ($func_override ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))) < 22) { - trigger_error('password_hash(): Provided salt is too short: '.strlen($options['salt']).' expecting 22', E_USER_WARNING); + trigger_error('password_hash(): Provided salt is too short: '.$saltlen.' expecting 22', E_USER_WARNING); return NULL; } elseif ( ! isset($options['salt'])) @@ -119,7 +122,7 @@ if ( ! function_exists('password_hash')) } $options['salt'] = ''; - for ($read = 0; $read < 16; $read = strlen($options['salt'])) + for ($read = 0; $read < 16; $read = ($func_override) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt'])) { if (($read = fread($fp, 16 - $read)) === FALSE) { -- cgit v1.2.3-24-g4f1b From b627430ae60d7c5f13ecc2f289bce8185c218be0 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 30 Sep 2014 20:30:06 +0300 Subject: Make sure we don't waste entropy --- system/core/compat/password.php | 1 + 1 file changed, 1 insertion(+) (limited to 'system/core/compat') diff --git a/system/core/compat/password.php b/system/core/compat/password.php index a8bc756f0..60aa578db 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -121,6 +121,7 @@ if ( ! function_exists('password_hash')) return FALSE; } + stream_set_chunk_size($fp, 16); $options['salt'] = ''; for ($read = 0; $read < 16; $read = ($func_override) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt'])) { -- cgit v1.2.3-24-g4f1b From e4b9cd64e2e7185ddf874ddf9861fe21961edb79 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 2 Oct 2014 02:19:06 +0300 Subject: stream_set_chunk_size() requires PHP 5.4 --- system/core/compat/password.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'system/core/compat') diff --git a/system/core/compat/password.php b/system/core/compat/password.php index 60aa578db..1f67a5269 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -121,7 +121,9 @@ if ( ! function_exists('password_hash')) return FALSE; } - stream_set_chunk_size($fp, 16); + // Try not to waste entropy ... + is_php('5.4') && stream_set_chunk_size($fp, 16); + $options['salt'] = ''; for ($read = 0; $read < 16; $read = ($func_override) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt'])) { -- cgit v1.2.3-24-g4f1b From bdb96ca1b1dbfc1791172fd169d7751cbc4d7d55 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 28 Oct 2014 00:13:31 +0200 Subject: [ci skip] Switch to MIT license; close #3293 --- system/core/compat/hash.php | 39 +++++++++++++++++++++++++-------------- system/core/compat/mbstring.php | 39 +++++++++++++++++++++++++-------------- system/core/compat/password.php | 39 +++++++++++++++++++++++++-------------- system/core/compat/standard.php | 39 +++++++++++++++++++++++++-------------- 4 files changed, 100 insertions(+), 56 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index b2170103e..d59815c9d 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -4,24 +4,35 @@ * * An open source application development framework for PHP 5.2.4 or newer * - * NOTICE OF LICENSE + * This content is released under the MIT License (MIT) * - * Licensed under the Open Software License version 3.0 + * Copyright (c) 2014, British Columbia Institute of Technology * - * This source file is subject to the Open Software License (OSL 3.0) that is - * bundled with this package in the files license.txt / license.rst. It is - * also available through the world wide web at this URL: - * http://opensource.org/licenses/OSL-3.0 - * If you did not receive a copy of the license and are unable to obtain it - * through the world wide web, please send an email to - * licensing@ellislab.com so we can send you a copy immediately. + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: * - * @package CodeIgniter - * @author EllisLab Dev Team + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + * + * @package CodeIgniter + * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0) - * @link http://codeigniter.com - * @since Version 3.0 + * @copyright Copyright (c) 2014, British Columbia Institute of Technology (http://bcit.ca/) + * @license http://opensource.org/licenses/MIT MIT License + * @link http://codeigniter.com + * @since Version 3.0.0 * @filesource */ defined('BASEPATH') OR exit('No direct script access allowed'); diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php index 314dbe9ba..bc1238e8e 100644 --- a/system/core/compat/mbstring.php +++ b/system/core/compat/mbstring.php @@ -4,24 +4,35 @@ * * An open source application development framework for PHP 5.2.4 or newer * - * NOTICE OF LICENSE + * This content is released under the MIT License (MIT) * - * Licensed under the Open Software License version 3.0 + * Copyright (c) 2014, British Columbia Institute of Technology * - * This source file is subject to the Open Software License (OSL 3.0) that is - * bundled with this package in the files license.txt / license.rst. It is - * also available through the world wide web at this URL: - * http://opensource.org/licenses/OSL-3.0 - * If you did not receive a copy of the license and are unable to obtain it - * through the world wide web, please send an email to - * licensing@ellislab.com so we can send you a copy immediately. + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: * - * @package CodeIgniter - * @author EllisLab Dev Team + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + * + * @package CodeIgniter + * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0) - * @link http://codeigniter.com - * @since Version 3.0 + * @copyright Copyright (c) 2014, British Columbia Institute of Technology (http://bcit.ca/) + * @license http://opensource.org/licenses/MIT MIT License + * @link http://codeigniter.com + * @since Version 3.0.0 * @filesource */ defined('BASEPATH') OR exit('No direct script access allowed'); diff --git a/system/core/compat/password.php b/system/core/compat/password.php index 1f67a5269..f1c9178a8 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -4,24 +4,35 @@ * * An open source application development framework for PHP 5.2.4 or newer * - * NOTICE OF LICENSE + * This content is released under the MIT License (MIT) * - * Licensed under the Open Software License version 3.0 + * Copyright (c) 2014, British Columbia Institute of Technology * - * This source file is subject to the Open Software License (OSL 3.0) that is - * bundled with this package in the files license.txt / license.rst. It is - * also available through the world wide web at this URL: - * http://opensource.org/licenses/OSL-3.0 - * If you did not receive a copy of the license and are unable to obtain it - * through the world wide web, please send an email to - * licensing@ellislab.com so we can send you a copy immediately. + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: * - * @package CodeIgniter - * @author EllisLab Dev Team + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + * + * @package CodeIgniter + * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0) - * @link http://codeigniter.com - * @since Version 3.0 + * @copyright Copyright (c) 2014, British Columbia Institute of Technology (http://bcit.ca/) + * @license http://opensource.org/licenses/MIT MIT License + * @link http://codeigniter.com + * @since Version 3.0.0 * @filesource */ defined('BASEPATH') OR exit('No direct script access allowed'); diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index afe9e9852..e4f1f679e 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -4,24 +4,35 @@ * * An open source application development framework for PHP 5.2.4 or newer * - * NOTICE OF LICENSE + * This content is released under the MIT License (MIT) * - * Licensed under the Open Software License version 3.0 + * Copyright (c) 2014, British Columbia Institute of Technology * - * This source file is subject to the Open Software License (OSL 3.0) that is - * bundled with this package in the files license.txt / license.rst. It is - * also available through the world wide web at this URL: - * http://opensource.org/licenses/OSL-3.0 - * If you did not receive a copy of the license and are unable to obtain it - * through the world wide web, please send an email to - * licensing@ellislab.com so we can send you a copy immediately. + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: * - * @package CodeIgniter - * @author EllisLab Dev Team + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + * + * @package CodeIgniter + * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0) - * @link http://codeigniter.com - * @since Version 3.0 + * @copyright Copyright (c) 2014, British Columbia Institute of Technology (http://bcit.ca/) + * @license http://opensource.org/licenses/MIT MIT License + * @link http://codeigniter.com + * @since Version 3.0.0 * @filesource */ defined('BASEPATH') OR exit('No direct script access allowed'); -- cgit v1.2.3-24-g4f1b From fe9309d22c1b088f5363954d6dac013c8c955894 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 9 Jan 2015 17:48:58 +0200 Subject: Bulk (mostly documentation) update - Remove PHP version from license notices - Bump year number in copyright notices - Recommend PHP 5.4 or newer to be used - Tell Travis-CI to test on PHP 5.3.0 instead of the latest 5.3 version Related: #3450 --- system/core/compat/hash.php | 6 +++--- system/core/compat/mbstring.php | 6 +++--- system/core/compat/password.php | 6 +++--- system/core/compat/standard.php | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index d59815c9d..aeacabdb9 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -2,11 +2,11 @@ /** * CodeIgniter * - * An open source application development framework for PHP 5.2.4 or newer + * An open source application development framework for PHP * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014, British Columbia Institute of Technology + * Copyright (c) 2014 - 2015, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @copyright Copyright (c) 2014, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link http://codeigniter.com * @since Version 3.0.0 diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php index bc1238e8e..52ca6d02f 100644 --- a/system/core/compat/mbstring.php +++ b/system/core/compat/mbstring.php @@ -2,11 +2,11 @@ /** * CodeIgniter * - * An open source application development framework for PHP 5.2.4 or newer + * An open source application development framework for PHP * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014, British Columbia Institute of Technology + * Copyright (c) 2014 - 2015, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @copyright Copyright (c) 2014, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link http://codeigniter.com * @since Version 3.0.0 diff --git a/system/core/compat/password.php b/system/core/compat/password.php index f1c9178a8..00befb022 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -2,11 +2,11 @@ /** * CodeIgniter * - * An open source application development framework for PHP 5.2.4 or newer + * An open source application development framework for PHP * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014, British Columbia Institute of Technology + * Copyright (c) 2014 - 2015, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @copyright Copyright (c) 2014, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link http://codeigniter.com * @since Version 3.0.0 diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index e4f1f679e..f24f7f8ae 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -2,11 +2,11 @@ /** * CodeIgniter * - * An open source application development framework for PHP 5.2.4 or newer + * An open source application development framework for PHP * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014, British Columbia Institute of Technology + * Copyright (c) 2014 - 2015, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @copyright Copyright (c) 2014, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link http://codeigniter.com * @since Version 3.0.0 -- cgit v1.2.3-24-g4f1b From 4cbe463b4c442e0e2dae2f43565e77f7ac5ecb86 Mon Sep 17 00:00:00 2001 From: vlakoff Date: Wed, 21 Jan 2015 22:56:22 +0100 Subject: Remove closing blocks at end of PHP files --- system/core/compat/hash.php | 3 --- system/core/compat/mbstring.php | 3 --- system/core/compat/password.php | 3 --- system/core/compat/standard.php | 3 --- 4 files changed, 12 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index aeacabdb9..477535dca 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -196,6 +196,3 @@ if ( ! function_exists('hash_pbkdf2')) return substr($raw_output ? $hash : bin2hex($hash), 0, $length); } } - -/* End of file hash.php */ -/* Location: ./system/core/compat/hash.php */ \ No newline at end of file diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php index 52ca6d02f..ddb2bae47 100644 --- a/system/core/compat/mbstring.php +++ b/system/core/compat/mbstring.php @@ -147,6 +147,3 @@ if ( ! function_exists('mb_substr')) : substr($str, $start); } } - -/* End of file mbstring.php */ -/* Location: ./system/core/compat/mbstring.php */ \ No newline at end of file diff --git a/system/core/compat/password.php b/system/core/compat/password.php index 00befb022..7b933aa04 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -231,6 +231,3 @@ if ( ! function_exists('password_verify')) return ($compare === 0); } } - -/* End of file password.php */ -/* Location: ./system/core/compat/password.php */ \ No newline at end of file diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index f24f7f8ae..5a428c114 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -387,6 +387,3 @@ if ( ! function_exists('quoted_printable_encode')) return $output; } } - -/* End of file standard.php */ -/* Location: ./system/core/compat/standard.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From b68a811f1a09b8d6012b6782b36a988daf68a82e Mon Sep 17 00:00:00 2001 From: Tjoosten Date: Sun, 15 Feb 2015 22:44:24 +0100 Subject: add --- system/core/compat/index.html | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'system/core/compat') diff --git a/system/core/compat/index.html b/system/core/compat/index.html index c942a79ce..b702fbc39 100644 --- a/system/core/compat/index.html +++ b/system/core/compat/index.html @@ -1,3 +1,4 @@ + 403 Forbidden @@ -7,4 +8,4 @@

Directory access is forbidden.

- \ No newline at end of file + -- cgit v1.2.3-24-g4f1b From b6d174649a6e3a975e077d6ffa9b91a48f291ca0 Mon Sep 17 00:00:00 2001 From: bjjay Date: Thu, 12 Mar 2015 10:31:14 +0800 Subject: Correct a comment link typo --- system/core/compat/mbstring.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/compat') diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php index ddb2bae47..e335c85f7 100644 --- a/system/core/compat/mbstring.php +++ b/system/core/compat/mbstring.php @@ -92,7 +92,7 @@ if ( ! function_exists('mb_strpos')) * WARNING: This function WILL fall-back to strpos() * if iconv is not available! * - * @link http://php.net/mb_strpos() + * @link http://php.net/mb_strpos * @param string $haystack * @param string $needle * @param int $offset -- cgit v1.2.3-24-g4f1b From 68bad62fc4d88b6423bd15ab94a53c54a919f041 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 1 Apr 2015 14:51:25 +0300 Subject: Mitigate potential DoS attacks against hash_pbkdf2() Related: #3720 --- system/core/compat/hash.php | 51 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 49 insertions(+), 2 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 477535dca..15954559c 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -174,9 +174,56 @@ if ( ! function_exists('hash_pbkdf2')) } $hash_length = strlen(hash($algo, NULL, TRUE)); - if (empty($length)) + empty($length) && $length = $hash_length; + + // Pre-hash password inputs longer than the algorithm's block size + // (i.e. prepare HMAC key) to mitigate potential DoS attacks. + static $block_sizes; + empty($block_sizes) && $block_sizes = array( + 'gost' => 32, + 'haval128,3' => 128, + 'haval160,3' => 128, + 'haval192,3' => 128, + 'haval224,3' => 128, + 'haval256,3' => 128, + 'haval128,4' => 128, + 'haval160,4' => 128, + 'haval192,4' => 128, + 'haval224,4' => 128, + 'haval256,4' => 128, + 'haval128,5' => 128, + 'haval160,5' => 128, + 'haval192,5' => 128, + 'haval224,5' => 128, + 'haval256,5' => 128, + 'md2' => 16, + 'md4' => 64, + 'md5' => 64, + 'ripemd128' => 64, + 'ripemd160' => 64, + 'ripemd256' => 64, + 'ripemd320' => 64, + 'salsa10' => 64, + 'salsa20' => 64, + 'sha1' => 64, + 'sha224' => 64, + 'sha256' => 64, + 'sha384' => 128, + 'sha512' => 128, + 'snefru' => 32, + 'snefru256' => 32, + 'tiger128,3' => 64, + 'tiger160,3' => 64, + 'tiger192,3' => 64, + 'tiger128,4' => 64, + 'tiger160,4' => 64, + 'tiger192,4' => 64, + 'whirlpool' => 64 + ); + + if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo]) { - $length = $hash_length; + $password = hash($algo, $password, TRUE); } $hash = ''; -- cgit v1.2.3-24-g4f1b From 125ef4751080a2118cb203357d77687699e3eb25 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 11 Jan 2016 12:33:00 +0200 Subject: [ci skip] Bump year to 2016 --- system/core/compat/hash.php | 4 ++-- system/core/compat/mbstring.php | 4 ++-- system/core/compat/password.php | 4 ++-- system/core/compat/standard.php | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 15954559c..7e5f1335d 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2015, British Columbia Institute of Technology + * Copyright (c) 2014 - 2016, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link http://codeigniter.com * @since Version 3.0.0 diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php index e335c85f7..ff8e79257 100644 --- a/system/core/compat/mbstring.php +++ b/system/core/compat/mbstring.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2015, British Columbia Institute of Technology + * Copyright (c) 2014 - 2016, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link http://codeigniter.com * @since Version 3.0.0 diff --git a/system/core/compat/password.php b/system/core/compat/password.php index 7b933aa04..3062b89c0 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2015, British Columbia Institute of Technology + * Copyright (c) 2014 - 2016, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link http://codeigniter.com * @since Version 3.0.0 diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index 5a428c114..c9f7ce225 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2015, British Columbia Institute of Technology + * Copyright (c) 2014 - 2016, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) - * @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link http://codeigniter.com * @since Version 3.0.0 -- cgit v1.2.3-24-g4f1b From bd202c91b0e9cf0a8c93bcaa71df9574f5909346 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 11 Jan 2016 12:50:18 +0200 Subject: [ci skip] Update codeigniter.com links to https --- system/core/compat/hash.php | 4 ++-- system/core/compat/mbstring.php | 4 ++-- system/core/compat/password.php | 4 ++-- system/core/compat/standard.php | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 7e5f1335d..405c014ab 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -31,7 +31,7 @@ * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License - * @link http://codeigniter.com + * @link https://codeigniter.com * @since Version 3.0.0 * @filesource */ @@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @subpackage CodeIgniter * @category Compatibility * @author Andrey Andreev - * @link http://codeigniter.com/user_guide/ + * @link https://codeigniter.com/user_guide/ * @link http://php.net/hash */ diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php index ff8e79257..0c64ed346 100644 --- a/system/core/compat/mbstring.php +++ b/system/core/compat/mbstring.php @@ -31,7 +31,7 @@ * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License - * @link http://codeigniter.com + * @link https://codeigniter.com * @since Version 3.0.0 * @filesource */ @@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @subpackage CodeIgniter * @category Compatibility * @author Andrey Andreev - * @link http://codeigniter.com/user_guide/ + * @link https://codeigniter.com/user_guide/ * @link http://php.net/mbstring */ diff --git a/system/core/compat/password.php b/system/core/compat/password.php index 3062b89c0..6b6a0fc60 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -31,7 +31,7 @@ * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License - * @link http://codeigniter.com + * @link https://codeigniter.com * @since Version 3.0.0 * @filesource */ @@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @subpackage CodeIgniter * @category Compatibility * @author Andrey Andreev - * @link http://codeigniter.com/user_guide/ + * @link https://codeigniter.com/user_guide/ * @link http://php.net/password */ diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index c9f7ce225..3d439e469 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -31,7 +31,7 @@ * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License - * @link http://codeigniter.com + * @link https://codeigniter.com * @since Version 3.0.0 * @filesource */ @@ -44,7 +44,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @subpackage CodeIgniter * @category Compatibility * @author Andrey Andreev - * @link http://codeigniter.com/user_guide/ + * @link https://codeigniter.com/user_guide/ */ // ------------------------------------------------------------------------ -- cgit v1.2.3-24-g4f1b From 1924e879b165fb119847a49a7a5eab2f28295fa2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 11 Jan 2016 12:55:34 +0200 Subject: [ci skip] Update ellislab.com links to https too --- system/core/compat/hash.php | 2 +- system/core/compat/mbstring.php | 2 +- system/core/compat/password.php | 2 +- system/core/compat/standard.php | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 405c014ab..6854e4c26 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -28,7 +28,7 @@ * * @package CodeIgniter * @author EllisLab Dev Team - * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) + * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php index 0c64ed346..554d10040 100644 --- a/system/core/compat/mbstring.php +++ b/system/core/compat/mbstring.php @@ -28,7 +28,7 @@ * * @package CodeIgniter * @author EllisLab Dev Team - * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) + * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com diff --git a/system/core/compat/password.php b/system/core/compat/password.php index 6b6a0fc60..f0c22c780 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -28,7 +28,7 @@ * * @package CodeIgniter * @author EllisLab Dev Team - * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) + * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index 3d439e469..47d47aeff 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -28,7 +28,7 @@ * * @package CodeIgniter * @author EllisLab Dev Team - * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/) + * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com -- cgit v1.2.3-24-g4f1b From 4d2628e8aab6d0673ac0a010acbfaa9d76b7d568 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 22 Mar 2016 13:42:03 +0200 Subject: random_bytes()-related improvements See #4260 --- system/core/compat/password.php | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/password.php b/system/core/compat/password.php index f0c22c780..76dd2cf0a 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -116,13 +116,21 @@ if ( ! function_exists('password_hash')) } elseif ( ! isset($options['salt'])) { - if (defined('MCRYPT_DEV_URANDOM')) + if (function_exists('random_bytes')) { - $options['salt'] = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM); + try + { + $options['salt'] = random_bytes(16); + } + catch (Exception $e) + { + log_message('error', 'compat/password: Error while trying to use random_bytes(): '.$e->getMessage()); + return FALSE; + } } - elseif (function_exists('openssl_random_pseudo_bytes')) + elseif (defined('MCRYPT_DEV_URANDOM')) { - $options['salt'] = openssl_random_pseudo_bytes(16); + $options['salt'] = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM); } elseif (DIRECTORY_SEPARATOR === '/' && (is_readable($dev = '/dev/arandom') OR is_readable($dev = '/dev/urandom'))) { @@ -148,6 +156,16 @@ if ( ! function_exists('password_hash')) fclose($fp); } + elseif (function_exists('openssl_random_pseudo_bytes')) + { + $is_secure = NULL; + $options['salt'] = openssl_random_pseudo_bytes(16, $is_secure); + if ($is_secure !== TRUE) + { + log_message('error', 'compat/password: openssl_random_pseudo_bytes() set the $cryto_strong flag to FALSE'); + return FALSE; + } + } else { log_message('error', 'compat/password: No CSPRNG available.'); -- cgit v1.2.3-24-g4f1b From e13fa9fdb3f2e311bd7331e49b26889f24bc81cb Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 20 May 2016 17:30:07 +0300 Subject: Merge pull request #4638 from kasimtan/phpdoc_fixes [ci skip] Fixed PHPDoc parameter name and type discrepancies --- system/core/compat/standard.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/compat') diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index 47d47aeff..c54cab951 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -62,7 +62,7 @@ if ( ! function_exists('array_column')) * array_column() * * @link http://php.net/array_column - * @param string $array + * @param array $array * @param mixed $column_key * @param mixed $index_key * @return array -- cgit v1.2.3-24-g4f1b From a838279625becfba98ccb7635d35c67297129c42 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 28 Jul 2016 16:40:12 +0300 Subject: Remove dead code written for PHP 5.2 --- system/core/compat/password.php | 2 +- system/core/compat/standard.php | 207 ---------------------------------------- 2 files changed, 1 insertion(+), 208 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/password.php b/system/core/compat/password.php index 76dd2cf0a..1b5219e7b 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -50,7 +50,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); // ------------------------------------------------------------------------ -if (is_php('5.5') OR ! is_php('5.3.7') OR ! defined('CRYPT_BLOWFISH') OR CRYPT_BLOWFISH !== 1 OR defined('HHVM_VERSION')) +if (is_php('5.5') OR ! defined('CRYPT_BLOWFISH') OR CRYPT_BLOWFISH !== 1 OR defined('HHVM_VERSION')) { return; } diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index c54cab951..c839c9bc9 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -180,210 +180,3 @@ if ( ! function_exists('hex2bin')) return pack('H*', $data); } } - -// ------------------------------------------------------------------------ - -if (is_php('5.3')) -{ - return; -} - -// ------------------------------------------------------------------------ - -if ( ! function_exists('array_replace')) -{ - /** - * array_replace() - * - * @link http://php.net/array_replace - * @return array - */ - function array_replace() - { - $arrays = func_get_args(); - - if (($c = count($arrays)) === 0) - { - trigger_error('array_replace() expects at least 1 parameter, 0 given', E_USER_WARNING); - return NULL; - } - elseif ($c === 1) - { - if ( ! is_array($arrays[0])) - { - trigger_error('array_replace(): Argument #1 is not an array', E_USER_WARNING); - return NULL; - } - - return $arrays[0]; - } - - $array = array_shift($arrays); - $c--; - - for ($i = 0; $i < $c; $i++) - { - if ( ! is_array($arrays[$i])) - { - trigger_error('array_replace(): Argument #'.($i + 2).' is not an array', E_USER_WARNING); - return NULL; - } - elseif (empty($arrays[$i])) - { - continue; - } - - foreach (array_keys($arrays[$i]) as $key) - { - $array[$key] = $arrays[$i][$key]; - } - } - - return $array; - } -} - -// ------------------------------------------------------------------------ - -if ( ! function_exists('array_replace_recursive')) -{ - /** - * array_replace_recursive() - * - * @link http://php.net/array_replace_recursive - * @return array - */ - function array_replace_recursive() - { - $arrays = func_get_args(); - - if (($c = count($arrays)) === 0) - { - trigger_error('array_replace_recursive() expects at least 1 parameter, 0 given', E_USER_WARNING); - return NULL; - } - elseif ($c === 1) - { - if ( ! is_array($arrays[0])) - { - trigger_error('array_replace_recursive(): Argument #1 is not an array', E_USER_WARNING); - return NULL; - } - - return $arrays[0]; - } - - $array = array_shift($arrays); - $c--; - - for ($i = 0; $i < $c; $i++) - { - if ( ! is_array($arrays[$i])) - { - trigger_error('array_replace_recursive(): Argument #'.($i + 2).' is not an array', E_USER_WARNING); - return NULL; - } - elseif (empty($arrays[$i])) - { - continue; - } - - foreach (array_keys($arrays[$i]) as $key) - { - $array[$key] = (is_array($arrays[$i][$key]) && isset($array[$key]) && is_array($array[$key])) - ? array_replace_recursive($array[$key], $arrays[$i][$key]) - : $arrays[$i][$key]; - } - } - - return $array; - } -} - -// ------------------------------------------------------------------------ - -if ( ! function_exists('quoted_printable_encode')) -{ - /** - * quoted_printable_encode() - * - * @link http://php.net/quoted_printable_encode - * @param string $str - * @return string - */ - function quoted_printable_encode($str) - { - if (strlen($str) === 0) - { - return ''; - } - elseif (in_array($type = gettype($str), array('array', 'object'), TRUE)) - { - if ($type === 'object' && method_exists($str, '__toString')) - { - $str = (string) $str; - } - else - { - trigger_error('quoted_printable_encode() expects parameter 1 to be string, '.$type.' given', E_USER_WARNING); - return NULL; - } - } - - if (function_exists('imap_8bit')) - { - return imap_8bit($str); - } - - $i = $lp = 0; - $output = ''; - $hex = '0123456789ABCDEF'; - $length = (extension_loaded('mbstring') && ini_get('mbstring.func_overload')) - ? mb_strlen($str, '8bit') - : strlen($str); - - while ($length--) - { - if ((($c = $str[$i++]) === "\015") && isset($str[$i]) && ($str[$i] === "\012") && $length > 0) - { - $output .= "\015".$str[$i++]; - $length--; - $lp = 0; - continue; - } - - if ( - ctype_cntrl($c) - OR (ord($c) === 0x7f) - OR (ord($c) & 0x80) - OR ($c === '=') - OR ($c === ' ' && isset($str[$i]) && $str[$i] === "\015") - ) - { - if ( - (($lp += 3) > 75 && ord($c) <= 0x7f) - OR (ord($c) > 0x7f && ord($c) <= 0xdf && ($lp + 3) > 75) - OR (ord($c) > 0xdf && ord($c) <= 0xef && ($lp + 6) > 75) - OR (ord($c) > 0xef && ord($c) <= 0xf4 && ($lp + 9) > 75) - ) - { - $output .= "=\015\012"; - $lp = 3; - } - - $output .= '='.$hex[ord($c) >> 4].$hex[ord($c) & 0xf]; - continue; - } - - if ((++$lp) > 75) - { - $output .= "=\015\012"; - $lp = 1; - } - - $output .= $c; - } - - return $output; - } -} -- cgit v1.2.3-24-g4f1b From fa1ca8bdee7021a67f58a5278900266c16ef7cd7 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 22 Aug 2016 14:13:54 +0300 Subject: Merge pull request #4780 from tianhe1986/develop_standard_hex2bin [ci skip] Trigger error for "resource" type in hex2bin() inputs --- system/core/compat/standard.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/compat') diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index c839c9bc9..6b7caa485 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -153,7 +153,7 @@ if ( ! function_exists('hex2bin')) */ function hex2bin($data) { - if (in_array($type = gettype($data), array('array', 'double', 'object'), TRUE)) + if (in_array($type = gettype($data), array('array', 'double', 'object', 'resource'), TRUE)) { if ($type === 'object' && method_exists($data, '__toString')) { -- cgit v1.2.3-24-g4f1b From a9d83fb0ddef91f0fb386cbe8bdb9cef69ca2af3 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 23 Aug 2016 14:07:11 +0300 Subject: Merge pull request #4781 from tianhe1986/develop_hash_pbkdf2 Hash: processing algorithm name case-insensitively in hash_pbkdf2() --- system/core/compat/hash.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 6854e4c26..d567d0f80 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -119,7 +119,7 @@ if ( ! function_exists('hash_pbkdf2')) */ function hash_pbkdf2($algo, $password, $salt, $iterations, $length = 0, $raw_output = FALSE) { - if ( ! in_array($algo, hash_algos(), TRUE)) + if ( ! in_array(strtolower($algo), hash_algos(), TRUE)) { trigger_error('hash_pbkdf2(): Unknown hashing algorithm: '.$algo, E_USER_WARNING); return FALSE; -- cgit v1.2.3-24-g4f1b From da60e9bc66ec90970fbd2dfd08b0a6e66b9f5f5f Mon Sep 17 00:00:00 2001 From: Master Yoda Date: Sat, 31 Dec 2016 08:46:18 -0800 Subject: Update copyright data to 2017 --- system/core/compat/hash.php | 4 ++-- system/core/compat/mbstring.php | 4 ++-- system/core/compat/password.php | 4 ++-- system/core/compat/standard.php | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index d567d0f80..ba0198e10 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2016, British Columbia Institute of Technology + * Copyright (c) 2014 - 2017, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) - * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com * @since Version 3.0.0 diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php index 554d10040..f466e1c34 100644 --- a/system/core/compat/mbstring.php +++ b/system/core/compat/mbstring.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2016, British Columbia Institute of Technology + * Copyright (c) 2014 - 2017, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) - * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com * @since Version 3.0.0 diff --git a/system/core/compat/password.php b/system/core/compat/password.php index 1b5219e7b..b209cbe70 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2016, British Columbia Institute of Technology + * Copyright (c) 2014 - 2017, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) - * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com * @since Version 3.0.0 diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php index 6b7caa485..7db2efb57 100644 --- a/system/core/compat/standard.php +++ b/system/core/compat/standard.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2016, British Columbia Institute of Technology + * Copyright (c) 2014 - 2017, British Columbia Institute of Technology * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -29,7 +29,7 @@ * @package CodeIgniter * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) - * @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/) + * @copyright Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/) * @license http://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com * @since Version 3.0.0 -- cgit v1.2.3-24-g4f1b From c0c74d5201c171cd6d0cdc2133e63077ebe1a407 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 19 Jan 2017 15:26:35 +0200 Subject: More byte-safety --- system/core/compat/password.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/password.php b/system/core/compat/password.php index b209cbe70..8176f0088 100644 --- a/system/core/compat/password.php +++ b/system/core/compat/password.php @@ -94,8 +94,8 @@ if ( ! function_exists('password_hash')) */ function password_hash($password, $algo, array $options = array()) { - static $func_override; - isset($func_override) OR $func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); + static $func_overload; + isset($func_overload) OR $func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload')); if ($algo !== 1) { @@ -109,7 +109,7 @@ if ( ! function_exists('password_hash')) return NULL; } - if (isset($options['salt']) && ($saltlen = ($func_override ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))) < 22) + if (isset($options['salt']) && ($saltlen = ($func_overload ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))) < 22) { trigger_error('password_hash(): Provided salt is too short: '.$saltlen.' expecting 22', E_USER_WARNING); return NULL; @@ -144,7 +144,7 @@ if ( ! function_exists('password_hash')) is_php('5.4') && stream_set_chunk_size($fp, 16); $options['salt'] = ''; - for ($read = 0; $read < 16; $read = ($func_override) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt'])) + for ($read = 0; $read < 16; $read = ($func_overload) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt'])) { if (($read = fread($fp, 16 - $read)) === FALSE) { -- cgit v1.2.3-24-g4f1b From 25461d8eac80c0f1242150f7316ec58ac14c5d39 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 19 Jan 2017 15:42:43 +0200 Subject: hash_pbkdf2() byte-safety --- system/core/compat/hash.php | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index ba0198e10..7eb292188 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -173,7 +173,9 @@ if ( ! function_exists('hash_pbkdf2')) return FALSE; } - $hash_length = strlen(hash($algo, NULL, TRUE)); + $hash_length = defined('MB_OVERLOAD_STRING') + ? mb_strlen(hash($algo, NULL, TRUE)) + : strlen(hash($algo, NULL, TRUE)); empty($length) && $length = $hash_length; // Pre-hash password inputs longer than the algorithm's block size @@ -221,14 +223,14 @@ if ( ! function_exists('hash_pbkdf2')) 'whirlpool' => 64 ); - if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo]) + if (isset($block_sizes[$algo], $password[$block_sizes[$algo]])) { $password = hash($algo, $password, TRUE); } $hash = ''; // Note: Blocks are NOT 0-indexed - for ($bc = ceil($length / $hash_length), $bi = 1; $bi <= $bc; $bi++) + for ($bc = (int) ceil($length / $hash_length), $bi = 1; $bi <= $bc; $bi++) { $key = $derived_key = hash_hmac($algo, $salt.pack('N', $bi), $password, TRUE); for ($i = 1; $i < $iterations; $i++) @@ -240,6 +242,13 @@ if ( ! function_exists('hash_pbkdf2')) } // This is not RFC-compatible, but we're aiming for natural PHP compatibility - return substr($raw_output ? $hash : bin2hex($hash), 0, $length); + if ( ! $raw_output) + { + $hash = bin2hex($hash); + } + + return defined('MB_OVERLOAD_STRING') + ? mb_substr($hash, 0, $length) + : substr($hash, 0, $length); } } -- cgit v1.2.3-24-g4f1b From 93141a13e77a88be044e4c7f51ba3c2a35bf0ccc Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 19 Jan 2017 15:46:32 +0200 Subject: hash_pbkdf2() byte-safety again ... actually tell mbstring to use 8bit --- system/core/compat/hash.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/compat') diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php index 7eb292188..c65203aaf 100644 --- a/system/core/compat/hash.php +++ b/system/core/compat/hash.php @@ -174,7 +174,7 @@ if ( ! function_exists('hash_pbkdf2')) } $hash_length = defined('MB_OVERLOAD_STRING') - ? mb_strlen(hash($algo, NULL, TRUE)) + ? mb_strlen(hash($algo, NULL, TRUE), '8bit') : strlen(hash($algo, NULL, TRUE)); empty($length) && $length = $hash_length; @@ -248,7 +248,7 @@ if ( ! function_exists('hash_pbkdf2')) } return defined('MB_OVERLOAD_STRING') - ? mb_substr($hash, 0, $length) + ? mb_substr($hash, 0, $length, '8bit') : substr($hash, 0, $length); } } -- cgit v1.2.3-24-g4f1b From ee9d428171dc201f51eaffdb62616312915681ff Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 5 Jun 2017 10:44:37 +0300 Subject: [ci skip] Merge pull request #5143 from TysonAndre/misc-phpdoc-nits Fix misc inconsistencies between code and doc comments --- system/core/compat/mbstring.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/compat') diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php index f466e1c34..1b2f2c63b 100644 --- a/system/core/compat/mbstring.php +++ b/system/core/compat/mbstring.php @@ -68,7 +68,7 @@ if ( ! function_exists('mb_strlen')) * @link http://php.net/mb_strlen * @param string $str * @param string $encoding - * @return string + * @return int */ function mb_strlen($str, $encoding = NULL) { -- cgit v1.2.3-24-g4f1b