From 4191be3d3be76909253158a6cd35fbf3a89cfb5f Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Sat, 21 Jun 2014 16:13:13 +0300
Subject: Fix a _potential_ flaw in password_hash()

---
 system/core/compat/password.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'system/core/compat')

diff --git a/system/core/compat/password.php b/system/core/compat/password.php
index a9355d5d0..d5a017d9a 100644
--- a/system/core/compat/password.php
+++ b/system/core/compat/password.php
@@ -145,7 +145,10 @@ if ( ! function_exists('password_hash'))
 		}
 
 		isset($options['cost']) OR $options['cost'] = 10;
-		return crypt($password, sprintf('$2y$%02d$%s', $options['cost'], $options['salt']));
+
+		return (strlen($password = crypt($password, sprintf('$2y$%02d$%s', $options['cost'], $options['salt']))) === 60)
+			? $password
+			: FALSE;
 	}
 }
 
-- 
cgit v1.2.3-24-g4f1b


From 5b3fe7c4af5e08e17480b911fbfa8cf0ef6475c0 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 7 Jul 2014 10:55:53 +0300
Subject: Fix a few typos and add a backport (compat) for hex2bin()

---
 system/core/compat/array.php    | 246 ---------------------------------
 system/core/compat/standard.php | 293 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 293 insertions(+), 246 deletions(-)
 delete mode 100644 system/core/compat/array.php
 create mode 100644 system/core/compat/standard.php

(limited to 'system/core/compat')

diff --git a/system/core/compat/array.php b/system/core/compat/array.php
deleted file mode 100644
index 07dae21c2..000000000
--- a/system/core/compat/array.php
+++ /dev/null
@@ -1,246 +0,0 @@
-<?php
-/**
- * CodeIgniter
- *
- * An open source application development framework for PHP 5.2.4 or newer
- *
- * NOTICE OF LICENSE
- *
- * Licensed under the Open Software License version 3.0
- *
- * This source file is subject to the Open Software License (OSL 3.0) that is
- * bundled with this package in the files license.txt / license.rst.  It is
- * also available through the world wide web at this URL:
- * http://opensource.org/licenses/OSL-3.0
- * If you did not receive a copy of the license and are unable to obtain it
- * through the world wide web, please send an email to
- * licensing@ellislab.com so we can send you a copy immediately.
- *
- * @package		CodeIgniter
- * @author		EllisLab Dev Team
- * @copyright	Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/)
- * @license		http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
- * @link		http://codeigniter.com
- * @since		Version 3.0
- * @filesource
- */
-defined('BASEPATH') OR exit('No direct script access allowed');
-
-/**
- * PHP ext/standard/array compatibility package
- *
- * @package		CodeIgniter
- * @subpackage	CodeIgniter
- * @category	Compatibility
- * @author		Andrey Andreev
- * @link		http://codeigniter.com/user_guide/
- * @link		http://php.net/book.array
- */
-
-// ------------------------------------------------------------------------
-
-if (is_php('5.5'))
-{
-	return;
-}
-
-// ------------------------------------------------------------------------
-
-if ( ! function_exists('array_column'))
-{
-	/**
-	 * array_column()
-	 *
-	 * @link	http://php.net/array_column
-	 * @param	string	$array
-	 * @param	mixed	$column_key
-	 * @param	mixed	$index_key
-	 * @return	array
-	 */
-	function array_column(array $array, $column_key, $index_key = NULL)
-	{
-		if ( ! in_array($type = gettype($column_key), array('integer', 'string', 'NULL'), TRUE))
-		{
-			if ($type === 'double')
-			{
-				$column_key = (int) $column_key;
-			}
-			elseif ($type === 'object' && method_exists($column_key, '__toString'))
-			{
-				$column_key = (string) $column_key;
-			}
-			else
-			{
-				trigger_error('array_column(): The column key should be either a string or an integer', E_USER_WARNING);
-				return FALSE;
-			}
-		}
-
-		if ( ! in_array($type = gettype($index_key), array('integer', 'string', 'NULL'), TRUE))
-		{
-			if ($type === 'double')
-			{
-				$index_key = (int) $index_key;
-			}
-			elseif ($type === 'object' && method_exists($index_key, '__toString'))
-			{
-				$index_key = (string) $index_key;
-			}
-			else
-			{
-				trigger_error('array_column(): The index key should be either a string or an integer', E_USER_WARNING);
-				return FALSE;
-			}
-		}
-
-		$result = array();
-		foreach ($array as &$a)
-		{
-			if ($column_key === NULL)
-			{
-				$value = $a;
-			}
-			elseif (is_array($a) && array_key_exists($column_key, $a))
-			{
-				$value = $a[$column_key];
-			}
-			else
-			{
-				continue;
-			}
-
-			if ($index_key === NULL OR ! array_key_exists($index_key, $a))
-			{
-				$result[] = $value;
-			}
-			else
-			{
-				$result[$a[$index_key]] = $value;
-			}
-		}
-
-		return $result;
-	}
-}
-
-// ------------------------------------------------------------------------
-
-if (is_php('5.3'))
-{
-	return;
-}
-
-// ------------------------------------------------------------------------
-
-if ( ! function_exists('array_replace'))
-{
-	/**
-	 * array_replace()
-	 *
-	 * @link	http://php.net/array_replace
-	 * @return	array
-	 */
-	function array_replace()
-	{
-		$arrays = func_get_args();
-
-		if (($c = count($arrays)) === 0)
-		{
-			trigger_error('array_replace() expects at least 1 parameter, 0 given', E_USER_WARNING);
-			return NULL;
-		}
-		elseif ($c === 1)
-		{
-			if ( ! is_array($arrays[0]))
-			{
-				trigger_error('array_replace(): Argument #1 is not an array', E_USER_WARNING);
-				return NULL;
-			}
-
-			return $arrays[0];
-		}
-
-		$array = array_shift($arrays);
-		$c--;
-
-		for ($i = 0; $i < $c; $i++)
-		{
-			if ( ! is_array($arrays[$i]))
-			{
-				trigger_error('array_replace(): Argument #'.($i + 2).' is not an array', E_USER_WARNING);
-				return NULL;
-			}
-			elseif (empty($arrays[$i]))
-			{
-				continue;
-			}
-
-			foreach (array_keys($arrays[$i]) as $key)
-			{
-				$array[$key] = $arrays[$i][$key];
-			}
-		}
-
-		return $array;
-	}
-}
-
-// ------------------------------------------------------------------------
-
-if ( ! function_exists('array_replace_recursive'))
-{
-	/**
-	 * array_replace_recursive()
-	 *
-	 * @link	http://php.net/array_replace_recursive
-	 * @return	array
-	 */
-	function array_replace_recursive()
-	{
-		$arrays = func_get_args();
-
-		if (($c = count($arrays)) === 0)
-		{
-			trigger_error('array_replace_recursive() expects at least 1 parameter, 0 given', E_USER_WARNING);
-			return NULL;
-		}
-		elseif ($c === 1)
-		{
-			if ( ! is_array($arrays[0]))
-			{
-				trigger_error('array_replace_recursive(): Argument #1 is not an array', E_USER_WARNING);
-				return NULL;
-			}
-
-			return $arrays[0];
-		}
-
-		$array = array_shift($arrays);
-		$c--;
-
-		for ($i = 0; $i < $c; $i++)
-		{
-			if ( ! is_array($arrays[$i]))
-			{
-				trigger_error('array_replace_recursive(): Argument #'.($i + 2).' is not an array', E_USER_WARNING);
-				return NULL;
-			}
-			elseif (empty($arrays[$i]))
-			{
-				continue;
-			}
-
-			foreach (array_keys($arrays[$i]) as $key)
-			{
-				$array[$key] = (is_array($arrays[$i][$key]) && isset($array[$key]) && is_array($array[$key]))
-					? array_replace_recursive($array[$key], $arrays[$i][$key])
-					: $arrays[$i][$key];
-			}
-		}
-
-		return $array;
-	}
-}
-
-/* End of file array.php */
-/* Location: ./system/core/compat/array.php */
\ No newline at end of file
diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php
new file mode 100644
index 000000000..6380fa1e8
--- /dev/null
+++ b/system/core/compat/standard.php
@@ -0,0 +1,293 @@
+<?php
+/**
+ * CodeIgniter
+ *
+ * An open source application development framework for PHP 5.2.4 or newer
+ *
+ * NOTICE OF LICENSE
+ *
+ * Licensed under the Open Software License version 3.0
+ *
+ * This source file is subject to the Open Software License (OSL 3.0) that is
+ * bundled with this package in the files license.txt / license.rst.  It is
+ * also available through the world wide web at this URL:
+ * http://opensource.org/licenses/OSL-3.0
+ * If you did not receive a copy of the license and are unable to obtain it
+ * through the world wide web, please send an email to
+ * licensing@ellislab.com so we can send you a copy immediately.
+ *
+ * @package		CodeIgniter
+ * @author		EllisLab Dev Team
+ * @copyright	Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/)
+ * @license		http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
+ * @link		http://codeigniter.com
+ * @since		Version 3.0
+ * @filesource
+ */
+defined('BASEPATH') OR exit('No direct script access allowed');
+
+/**
+ * PHP ext/standard compatibility package
+ *
+ * @package		CodeIgniter
+ * @subpackage	CodeIgniter
+ * @category	Compatibility
+ * @author		Andrey Andreev
+ * @link		http://codeigniter.com/user_guide/
+ */
+
+// ------------------------------------------------------------------------
+
+if (is_php('5.5'))
+{
+	return;
+}
+
+// ------------------------------------------------------------------------
+
+if ( ! function_exists('array_column'))
+{
+	/**
+	 * array_column()
+	 *
+	 * @link	http://php.net/array_column
+	 * @param	string	$array
+	 * @param	mixed	$column_key
+	 * @param	mixed	$index_key
+	 * @return	array
+	 */
+	function array_column(array $array, $column_key, $index_key = NULL)
+	{
+		if ( ! in_array($type = gettype($column_key), array('integer', 'string', 'NULL'), TRUE))
+		{
+			if ($type === 'double')
+			{
+				$column_key = (int) $column_key;
+			}
+			elseif ($type === 'object' && method_exists($column_key, '__toString'))
+			{
+				$column_key = (string) $column_key;
+			}
+			else
+			{
+				trigger_error('array_column(): The column key should be either a string or an integer', E_USER_WARNING);
+				return FALSE;
+			}
+		}
+
+		if ( ! in_array($type = gettype($index_key), array('integer', 'string', 'NULL'), TRUE))
+		{
+			if ($type === 'double')
+			{
+				$index_key = (int) $index_key;
+			}
+			elseif ($type === 'object' && method_exists($index_key, '__toString'))
+			{
+				$index_key = (string) $index_key;
+			}
+			else
+			{
+				trigger_error('array_column(): The index key should be either a string or an integer', E_USER_WARNING);
+				return FALSE;
+			}
+		}
+
+		$result = array();
+		foreach ($array as &$a)
+		{
+			if ($column_key === NULL)
+			{
+				$value = $a;
+			}
+			elseif (is_array($a) && array_key_exists($column_key, $a))
+			{
+				$value = $a[$column_key];
+			}
+			else
+			{
+				continue;
+			}
+
+			if ($index_key === NULL OR ! array_key_exists($index_key, $a))
+			{
+				$result[] = $value;
+			}
+			else
+			{
+				$result[$a[$index_key]] = $value;
+			}
+		}
+
+		return $result;
+	}
+}
+
+// ------------------------------------------------------------------------
+
+if (is_php('5.4'))
+{
+	return;
+}
+
+// ------------------------------------------------------------------------
+
+if ( ! function_exists('hex2bin'))
+{
+	/**
+	 * hex2bin()
+	 *
+	 * @link	http://php.net/hex2bin
+	 * @param	string	$data
+	 * @return	string
+	 */
+	function hex2bin($data)
+	{
+		if (in_array($type = gettype($data), array('array', 'double', 'object'), TRUE))
+		{
+			if ($type === 'object' && method_exists($data, '__toString'))
+			{
+				$data = (string) $data;
+			}
+			else
+			{
+				trigger_error('hex2bin() expects parameter 1 to be string, '.$type.' given', E_USER_WARNING);
+				return NULL;
+			}
+		}
+
+		if (strlen($data) % 2 !== 0)
+		{
+			trigger_error('Hexadecimal input string must have an even length', E_USER_WARNING);
+			return FALSE;
+		}
+		elseif ( ! preg_match('/^[0-9a-f]*$/i', $data))
+		{
+			trigger_error('Input string must be hexadecimal string', E_USER_WARNING);
+			return FALSE;
+		}
+
+		return pack('H*', $data);
+	}
+}
+
+// ------------------------------------------------------------------------
+
+if (is_php('5.3'))
+{
+	return;
+}
+
+// ------------------------------------------------------------------------
+
+if ( ! function_exists('array_replace'))
+{
+	/**
+	 * array_replace()
+	 *
+	 * @link	http://php.net/array_replace
+	 * @return	array
+	 */
+	function array_replace()
+	{
+		$arrays = func_get_args();
+
+		if (($c = count($arrays)) === 0)
+		{
+			trigger_error('array_replace() expects at least 1 parameter, 0 given', E_USER_WARNING);
+			return NULL;
+		}
+		elseif ($c === 1)
+		{
+			if ( ! is_array($arrays[0]))
+			{
+				trigger_error('array_replace(): Argument #1 is not an array', E_USER_WARNING);
+				return NULL;
+			}
+
+			return $arrays[0];
+		}
+
+		$array = array_shift($arrays);
+		$c--;
+
+		for ($i = 0; $i < $c; $i++)
+		{
+			if ( ! is_array($arrays[$i]))
+			{
+				trigger_error('array_replace(): Argument #'.($i + 2).' is not an array', E_USER_WARNING);
+				return NULL;
+			}
+			elseif (empty($arrays[$i]))
+			{
+				continue;
+			}
+
+			foreach (array_keys($arrays[$i]) as $key)
+			{
+				$array[$key] = $arrays[$i][$key];
+			}
+		}
+
+		return $array;
+	}
+}
+
+// ------------------------------------------------------------------------
+
+if ( ! function_exists('array_replace_recursive'))
+{
+	/**
+	 * array_replace_recursive()
+	 *
+	 * @link	http://php.net/array_replace_recursive
+	 * @return	array
+	 */
+	function array_replace_recursive()
+	{
+		$arrays = func_get_args();
+
+		if (($c = count($arrays)) === 0)
+		{
+			trigger_error('array_replace_recursive() expects at least 1 parameter, 0 given', E_USER_WARNING);
+			return NULL;
+		}
+		elseif ($c === 1)
+		{
+			if ( ! is_array($arrays[0]))
+			{
+				trigger_error('array_replace_recursive(): Argument #1 is not an array', E_USER_WARNING);
+				return NULL;
+			}
+
+			return $arrays[0];
+		}
+
+		$array = array_shift($arrays);
+		$c--;
+
+		for ($i = 0; $i < $c; $i++)
+		{
+			if ( ! is_array($arrays[$i]))
+			{
+				trigger_error('array_replace_recursive(): Argument #'.($i + 2).' is not an array', E_USER_WARNING);
+				return NULL;
+			}
+			elseif (empty($arrays[$i]))
+			{
+				continue;
+			}
+
+			foreach (array_keys($arrays[$i]) as $key)
+			{
+				$array[$key] = (is_array($arrays[$i][$key]) && isset($array[$key]) && is_array($array[$key]))
+					? array_replace_recursive($array[$key], $arrays[$i][$key])
+					: $arrays[$i][$key];
+			}
+		}
+
+		return $array;
+	}
+}
+
+/* End of file array.php */
+/* Location: ./system/core/compat/array.php */
\ No newline at end of file
-- 
cgit v1.2.3-24-g4f1b


From 6500bc77232657141dbc34aa3c840dd9e205b84f Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 7 Jul 2014 14:11:26 +0300
Subject: Add a backport (compat) for quoted_printable_encode()

---
 system/core/compat/standard.php | 92 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 90 insertions(+), 2 deletions(-)

(limited to 'system/core/compat')

diff --git a/system/core/compat/standard.php b/system/core/compat/standard.php
index 6380fa1e8..afe9e9852 100644
--- a/system/core/compat/standard.php
+++ b/system/core/compat/standard.php
@@ -289,5 +289,93 @@ if ( ! function_exists('array_replace_recursive'))
 	}
 }
 
-/* End of file array.php */
-/* Location: ./system/core/compat/array.php */
\ No newline at end of file
+// ------------------------------------------------------------------------
+
+if ( ! function_exists('quoted_printable_encode'))
+{
+	/**
+	 * quoted_printable_encode()
+	 *
+	 * @link	http://php.net/quoted_printable_encode
+	 * @param	string	$str
+	 * @return	string
+	 */
+	function quoted_printable_encode($str)
+	{
+		if (strlen($str) === 0)
+		{
+			return '';
+		}
+		elseif (in_array($type = gettype($str), array('array', 'object'), TRUE))
+		{
+			if ($type === 'object' && method_exists($str, '__toString'))
+			{
+				$str = (string) $str;
+			}
+			else
+			{
+				trigger_error('quoted_printable_encode() expects parameter 1 to be string, '.$type.' given', E_USER_WARNING);
+				return NULL;
+			}
+		}
+
+		if (function_exists('imap_8bit'))
+		{
+			return imap_8bit($str);
+		}
+
+		$i = $lp = 0;
+		$output = '';
+		$hex = '0123456789ABCDEF';
+		$length = (extension_loaded('mbstring') && ini_get('mbstring.func_overload'))
+			? mb_strlen($str, '8bit')
+			: strlen($str);
+
+		while ($length--)
+		{
+			if ((($c = $str[$i++]) === "\015") && isset($str[$i]) && ($str[$i] === "\012") && $length > 0)
+			{
+				$output .= "\015".$str[$i++];
+				$length--;
+				$lp = 0;
+				continue;
+			}
+
+			if (
+				ctype_cntrl($c)
+				OR (ord($c) === 0x7f)
+				OR (ord($c) & 0x80)
+				OR ($c === '=')
+				OR ($c === ' ' && isset($str[$i]) && $str[$i] === "\015")
+			)
+			{
+				if (
+					(($lp += 3) > 75 && ord($c) <= 0x7f)
+					OR (ord($c) > 0x7f && ord($c) <= 0xdf && ($lp + 3) > 75)
+					OR (ord($c) > 0xdf && ord($c) <= 0xef && ($lp + 6) > 75)
+					OR (ord($c) > 0xef && ord($c) <= 0xf4 && ($lp + 9) > 75)
+				)
+				{
+					$output .= "=\015\012";
+					$lp = 3;
+				}
+
+				$output .= '='.$hex[ord($c) >> 4].$hex[ord($c) & 0xf];
+				continue;
+			}
+
+			if ((++$lp) > 75)
+			{
+				$output .= "=\015\012";
+				$lp = 1;
+			}
+
+			$output .= $c;
+		}
+
+		return $output;
+	}
+}
+
+/* End of file standard.php */
+/* Location: ./system/core/compat/standard.php */
\ No newline at end of file
-- 
cgit v1.2.3-24-g4f1b


From 2da3550055ea20eba309ef68347a806a3986375d Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 7 Jul 2014 14:41:57 +0300
Subject: Fix potential bugs in password_hash(), CI_Encryption

strlen(), substr() are not byte-safe when mbstring.func_overload is enabled
---
 system/core/compat/password.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'system/core/compat')

diff --git a/system/core/compat/password.php b/system/core/compat/password.php
index d5a017d9a..a8bc756f0 100644
--- a/system/core/compat/password.php
+++ b/system/core/compat/password.php
@@ -83,6 +83,9 @@ if ( ! function_exists('password_hash'))
 	 */
 	function password_hash($password, $algo, array $options = array())
 	{
+		static $func_override;
+		isset($func_override) OR $func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override'));
+
 		if ($algo !== 1)
 		{
 			trigger_error('password_hash(): Unknown hashing algorithm: '.(int) $algo, E_USER_WARNING);
@@ -95,9 +98,9 @@ if ( ! function_exists('password_hash'))
 			return NULL;
 		}
 
-		if (isset($options['salt']) && strlen($options['salt']) < 22)
+		if (isset($options['salt']) && ($saltlen = ($func_override ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))) < 22)
 		{
-			trigger_error('password_hash(): Provided salt is too short: '.strlen($options['salt']).' expecting 22', E_USER_WARNING);
+			trigger_error('password_hash(): Provided salt is too short: '.$saltlen.' expecting 22', E_USER_WARNING);
 			return NULL;
 		}
 		elseif ( ! isset($options['salt']))
@@ -119,7 +122,7 @@ if ( ! function_exists('password_hash'))
 				}
 
 				$options['salt'] = '';
-				for ($read = 0; $read < 16; $read = strlen($options['salt']))
+				for ($read = 0; $read < 16; $read = ($func_override) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))
 				{
 					if (($read = fread($fp, 16 - $read)) === FALSE)
 					{
-- 
cgit v1.2.3-24-g4f1b


From b627430ae60d7c5f13ecc2f289bce8185c218be0 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Tue, 30 Sep 2014 20:30:06 +0300
Subject: Make sure we don't waste entropy

---
 system/core/compat/password.php | 1 +
 1 file changed, 1 insertion(+)

(limited to 'system/core/compat')

diff --git a/system/core/compat/password.php b/system/core/compat/password.php
index a8bc756f0..60aa578db 100644
--- a/system/core/compat/password.php
+++ b/system/core/compat/password.php
@@ -121,6 +121,7 @@ if ( ! function_exists('password_hash'))
 					return FALSE;
 				}
 
+				stream_set_chunk_size($fp, 16);
 				$options['salt'] = '';
 				for ($read = 0; $read < 16; $read = ($func_override) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))
 				{
-- 
cgit v1.2.3-24-g4f1b


From e4b9cd64e2e7185ddf874ddf9861fe21961edb79 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Thu, 2 Oct 2014 02:19:06 +0300
Subject: stream_set_chunk_size() requires PHP 5.4

---
 system/core/compat/password.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'system/core/compat')

diff --git a/system/core/compat/password.php b/system/core/compat/password.php
index 60aa578db..1f67a5269 100644
--- a/system/core/compat/password.php
+++ b/system/core/compat/password.php
@@ -121,7 +121,9 @@ if ( ! function_exists('password_hash'))
 					return FALSE;
 				}
 
-				stream_set_chunk_size($fp, 16);
+				// Try not to waste entropy ...
+				is_php('5.4') && stream_set_chunk_size($fp, 16);
+
 				$options['salt'] = '';
 				for ($read = 0; $read < 16; $read = ($func_override) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))
 				{
-- 
cgit v1.2.3-24-g4f1b