From b68a811f1a09b8d6012b6782b36a988daf68a82e Mon Sep 17 00:00:00 2001
From: Tjoosten <Tjoosten3@gmail.com>
Date: Sun, 15 Feb 2015 22:44:24 +0100
Subject: add <!DOCTYPE html>

---
 system/core/compat/index.html | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'system/core/compat')

diff --git a/system/core/compat/index.html b/system/core/compat/index.html
index c942a79ce..b702fbc39 100644
--- a/system/core/compat/index.html
+++ b/system/core/compat/index.html
@@ -1,3 +1,4 @@
+<!DOCTYPE html>
 <html>
 <head>
 	<title>403 Forbidden</title>
@@ -7,4 +8,4 @@
 <p>Directory access is forbidden.</p>
 
 </body>
-</html>
\ No newline at end of file
+</html>
-- 
cgit v1.2.3-24-g4f1b


From b6d174649a6e3a975e077d6ffa9b91a48f291ca0 Mon Sep 17 00:00:00 2001
From: bjjay <fris@vip.qq.com>
Date: Thu, 12 Mar 2015 10:31:14 +0800
Subject: Correct  a comment link typo

---
 system/core/compat/mbstring.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'system/core/compat')

diff --git a/system/core/compat/mbstring.php b/system/core/compat/mbstring.php
index ddb2bae47..e335c85f7 100644
--- a/system/core/compat/mbstring.php
+++ b/system/core/compat/mbstring.php
@@ -92,7 +92,7 @@ if ( ! function_exists('mb_strpos'))
 	 * WARNING: This function WILL fall-back to strpos()
 	 * if iconv is not available!
 	 *
-	 * @link	http://php.net/mb_strpos()
+	 * @link	http://php.net/mb_strpos
 	 * @param	string	$haystack
 	 * @param	string	$needle
 	 * @param	int	$offset
-- 
cgit v1.2.3-24-g4f1b


From 68bad62fc4d88b6423bd15ab94a53c54a919f041 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Wed, 1 Apr 2015 14:51:25 +0300
Subject: Mitigate potential DoS attacks against hash_pbkdf2()

Related: #3720
---
 system/core/compat/hash.php | 51 +++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 49 insertions(+), 2 deletions(-)

(limited to 'system/core/compat')

diff --git a/system/core/compat/hash.php b/system/core/compat/hash.php
index 477535dca..15954559c 100644
--- a/system/core/compat/hash.php
+++ b/system/core/compat/hash.php
@@ -174,9 +174,56 @@ if ( ! function_exists('hash_pbkdf2'))
 		}
 
 		$hash_length = strlen(hash($algo, NULL, TRUE));
-		if (empty($length))
+		empty($length) && $length = $hash_length;
+
+		// Pre-hash password inputs longer than the algorithm's block size
+		// (i.e. prepare HMAC key) to mitigate potential DoS attacks.
+		static $block_sizes;
+		empty($block_sizes) && $block_sizes = array(
+			'gost' => 32,
+			'haval128,3' => 128,
+			'haval160,3' => 128,
+			'haval192,3' => 128,
+			'haval224,3' => 128,
+			'haval256,3' => 128,
+			'haval128,4' => 128,
+			'haval160,4' => 128,
+			'haval192,4' => 128,
+			'haval224,4' => 128,
+			'haval256,4' => 128,
+			'haval128,5' => 128,
+			'haval160,5' => 128,
+			'haval192,5' => 128,
+			'haval224,5' => 128,
+			'haval256,5' => 128,
+			'md2' => 16,
+			'md4' => 64,
+			'md5' => 64,
+			'ripemd128' => 64,
+			'ripemd160' => 64,
+			'ripemd256' => 64,
+			'ripemd320' => 64,
+			'salsa10' => 64,
+			'salsa20' => 64,
+			'sha1' => 64,
+			'sha224' => 64,
+			'sha256' => 64,
+			'sha384' => 128,
+			'sha512' => 128,
+			'snefru' => 32,
+			'snefru256' => 32,
+			'tiger128,3' => 64,
+			'tiger160,3' => 64,
+			'tiger192,3' => 64,
+			'tiger128,4' => 64,
+			'tiger160,4' => 64,
+			'tiger192,4' => 64,
+			'whirlpool' => 64
+		);
+
+		if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo])
 		{
-			$length = $hash_length;
+			$password = hash($algo, $password, TRUE);
 		}
 
 		$hash = '';
-- 
cgit v1.2.3-24-g4f1b