From aeb2c3e532e78be9ac78ba6fd4a305b7be31d2ab Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sun, 21 Aug 2011 16:14:54 +0100 Subject: Added new config parameter "csrf_exclude_uris" which allows for URIs to be whitelisted from CSRF verification. Fixes #149 --- system/core/Security.php | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'system/core') diff --git a/system/core/Security.php b/system/core/Security.php index 3617cadcc..efd30eb14 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -93,6 +93,16 @@ class CI_Security { { return $this->csrf_set_cookie(); } + + // Check if URI has been whitelisted from CSRF checks + if ($exclude_uris = config_item('csrf_exclude_uris')) + { + $uri = load_class('URI', 'core'); + if (in_array($uri->uri_string(), $exclude_uris)) + { + return $this; + } + } // Do the tokens exist in both the _POST and _COOKIE arrays? if ( ! isset($_POST[$this->_csrf_token_name]) OR @@ -116,7 +126,7 @@ class CI_Security { $this->_csrf_set_hash(); $this->csrf_set_cookie(); - log_message('debug', "CSRF token verified "); + log_message('debug', "CSRF token verified"); return $this; } -- cgit v1.2.3-24-g4f1b From 52c10b68c275248eb7e12ec1d039876cd5f81f11 Mon Sep 17 00:00:00 2001 From: John Bellone Date: Sun, 21 Aug 2011 11:41:32 -0400 Subject: Making changes to stop remote spoofing --- system/core/Input.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'system/core') diff --git a/system/core/Input.php b/system/core/Input.php index cfbef942d..365f779de 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -287,13 +287,13 @@ class CI_Input { $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']; } - elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP')) + elseif ($this->server('REMOTE_ADDR') AND ! $this->server('HTTP_CLIENT_IP')) { - $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; + $this->ip_address = $_SERVER['REMOTE_ADDR']; } - elseif ($this->server('REMOTE_ADDR')) + elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP')) { - $this->ip_address = $_SERVER['REMOTE_ADDR']; + $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; } elseif ($this->server('HTTP_CLIENT_IP')) { -- cgit v1.2.3-24-g4f1b From 16f27b402049dc2ff0cc09faf4885aee944ba639 Mon Sep 17 00:00:00 2001 From: John Bellone Date: Sun, 21 Aug 2011 11:45:11 -0400 Subject: Changed order --- system/core/Input.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core') diff --git a/system/core/Input.php b/system/core/Input.php index 365f779de..df9d2a5b7 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -287,7 +287,7 @@ class CI_Input { $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']; } - elseif ($this->server('REMOTE_ADDR') AND ! $this->server('HTTP_CLIENT_IP')) + elseif (! $this->server('HTTP_CLIENT_IP') AND $this->server('REMOTE_ADDR')) { $this->ip_address = $_SERVER['REMOTE_ADDR']; } -- cgit v1.2.3-24-g4f1b From ab57a3520eafacaf2f130b3f4778a57a632fac1c Mon Sep 17 00:00:00 2001 From: Shane Pearson Date: Mon, 22 Aug 2011 16:11:20 -0500 Subject: Fix #8 - Load core classes from the application folder first. --- system/core/Common.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'system/core') diff --git a/system/core/Common.php b/system/core/Common.php index db9fbeb9f..3c62403ac 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -132,9 +132,9 @@ if ( ! function_exists('load_class')) $name = FALSE; - // Look for the class first in the native system/libraries folder - // thenin the local application/libraries folder - foreach (array(BASEPATH, APPPATH) as $path) + // Look for the class first in the local application/libraries folder + // then in the native system/libraries folder + foreach (array(APPPATH, BASEPATH) as $path) { if (file_exists($path.$directory.'/'.$class.'.php')) { -- cgit v1.2.3-24-g4f1b From 665baec264c04fb3284e313d59e102b2bf041e37 Mon Sep 17 00:00:00 2001 From: Shane Pearson Date: Mon, 22 Aug 2011 18:52:19 -0500 Subject: make _ci_autoloader() protected so it can be properly extended. --- system/core/Loader.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core') diff --git a/system/core/Loader.php b/system/core/Loader.php index 452dc0b4c..de0fc06d2 100755 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -1106,7 +1106,7 @@ class CI_Loader { * @param array * @return void */ - private function _ci_autoloader() + protected function _ci_autoloader() { if (defined('ENVIRONMENT') AND file_exists(APPPATH.'config/'.ENVIRONMENT.'/autoload.php')) { -- cgit v1.2.3-24-g4f1b From fbac8b4553942db4be52e872d9fd68717e5006e4 Mon Sep 17 00:00:00 2001 From: kenjis Date: Thu, 25 Aug 2011 10:51:44 +0900 Subject: add html_escape() function to escape HTML. --- system/core/Common.php | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'system/core') diff --git a/system/core/Common.php b/system/core/Common.php index 3c62403ac..d79375475 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -536,5 +536,29 @@ if ( ! function_exists('remove_invisible_characters')) } } +// ------------------------------------------------------------------------ + +/** +* Returns HTML escaped variable +* +* @access public +* @param mixed +* @return mixed +*/ +if ( ! function_exists('html_escape')) +{ + function html_escape($var) + { + if (is_array($var)) + { + return array_map('html_escape', $var); + } + else + { + return htmlspecialchars($var, ENT_QUOTES, config_item('charset')); + } + } +} + /* End of file Common.php */ /* Location: ./system/core/Common.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 373043fef2723d7cbdd768d1930363ac6fecba68 Mon Sep 17 00:00:00 2001 From: Frank Michel Date: Thu, 25 Aug 2011 00:11:00 -0400 Subject: fix for issue #292 with multiple language files --- system/core/Lang.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core') diff --git a/system/core/Lang.php b/system/core/Lang.php index 5ac671838..e140a6a60 100755 --- a/system/core/Lang.php +++ b/system/core/Lang.php @@ -112,7 +112,7 @@ class CI_Lang { } - if ( ! isset($lang)) + if ( ! isset($lang) || ! is_array($lang)) { log_message('error', 'Language file contains no data: language/'.$idiom.'/'.$langfile); return; @@ -124,7 +124,7 @@ class CI_Lang { } $this->is_loaded[] = $langfile; - $this->language = array_merge($this->language, $lang); + $this->language = $this->language + $lang; unset($lang); log_message('debug', 'Language file loaded: language/'.$idiom.'/'.$langfile); -- cgit v1.2.3-24-g4f1b From cb272b60e55882246677db929bc2e0a58f31397d Mon Sep 17 00:00:00 2001 From: Frank Michel Date: Thu, 25 Aug 2011 10:59:55 -0400 Subject: fixed logical operator OR in core/lang --- system/core/Lang.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core') diff --git a/system/core/Lang.php b/system/core/Lang.php index e140a6a60..d61d1029a 100755 --- a/system/core/Lang.php +++ b/system/core/Lang.php @@ -112,7 +112,7 @@ class CI_Lang { } - if ( ! isset($lang) || ! is_array($lang)) + if ( ! isset($lang) OR ! is_array($lang)) { log_message('error', 'Language file contains no data: language/'.$idiom.'/'.$langfile); return; -- cgit v1.2.3-24-g4f1b From f7345e4f5f6e44886eac337d8da064f541df8b9a Mon Sep 17 00:00:00 2001 From: Paul Date: Sat, 27 Aug 2011 06:51:16 +1200 Subject: changed private functions to protected so MY_URI can override them. --- system/core/URI.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core') diff --git a/system/core/URI.php b/system/core/URI.php index a3ae20cc3..8946bc76b 100755 --- a/system/core/URI.php +++ b/system/core/URI.php @@ -175,7 +175,7 @@ class CI_URI { * @access private * @return string */ - private function _detect_uri() + protected function _detect_uri() { if ( ! isset($_SERVER['REQUEST_URI']) OR ! isset($_SERVER['SCRIPT_NAME'])) { @@ -232,7 +232,7 @@ class CI_URI { * @access private * @return string */ - private function _parse_cli_args() + protected function _parse_cli_args() { $args = array_slice($_SERVER['argv'], 1); -- cgit v1.2.3-24-g4f1b From b183ece10dcde599c04af412f0f5c1c776ed29d8 Mon Sep 17 00:00:00 2001 From: Eric Barnes Date: Fri, 26 Aug 2011 14:42:52 -0400 Subject: Changed CI_VERSION to represent develop branch --- system/core/CodeIgniter.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core') diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 0a1391d18..aca4fb23c 100755 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -39,7 +39,7 @@ * @var string * */ - define('CI_VERSION', '2.0.2'); + define('CI_VERSION', '2.1.0-dev'); /** * CodeIgniter Branch (Core = TRUE, Reactor = FALSE) -- cgit v1.2.3-24-g4f1b From 8cc0cfe1ab1e10aad71d14e0b43e05444c00693d Mon Sep 17 00:00:00 2001 From: freewil Date: Sat, 27 Aug 2011 21:53:00 -0400 Subject: always use charset config item --- system/core/Security.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'system/core') diff --git a/system/core/Security.php b/system/core/Security.php index 342455f27..cc21ddc91 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -525,9 +525,10 @@ class CI_Security { * @param string * @return string */ - public function entity_decode($str, $charset='UTF-8') + public function entity_decode($str, $charset = NULL) { if (stristr($str, '&') === FALSE) return $str; + if (empty($charset)) $charset = config_item('charset'); // The reason we are not using html_entity_decode() by itself is because // while it is not technically correct to leave out the semicolon -- cgit v1.2.3-24-g4f1b From 5c9b0d1b5618ade5c6aa70475b08b3066f14ff3e Mon Sep 17 00:00:00 2001 From: freewil Date: Sun, 28 Aug 2011 12:15:23 -0400 Subject: always use charset config item --- system/core/Security.php | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'system/core') diff --git a/system/core/Security.php b/system/core/Security.php index cc21ddc91..e99418bdd 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -527,8 +527,15 @@ class CI_Security { */ public function entity_decode($str, $charset = NULL) { - if (stristr($str, '&') === FALSE) return $str; - if (empty($charset)) $charset = config_item('charset'); + if (stristr($str, '&') === FALSE) + { + return $str; + } + + if (empty($charset)) + { + $charset = config_item('charset'); + } // The reason we are not using html_entity_decode() by itself is because // while it is not technically correct to leave out the semicolon -- cgit v1.2.3-24-g4f1b