From 37f4b9caa02783e06dd7c5318200113409a0deb1 Mon Sep 17 00:00:00 2001 From: Derek Jones Date: Fri, 1 Jul 2011 17:56:50 -0500 Subject: backed out 648b42a75739, which was a NON-trivial whitespace commit. It broke the Typography class's string replacements, for instance --- system/core/Benchmark.php | 4 +- system/core/CodeIgniter.php | 68 ++++++++++++++--------------- system/core/Common.php | 28 ++++++------ system/core/Config.php | 18 ++++---- system/core/Controller.php | 6 +-- system/core/Exceptions.php | 6 +-- system/core/Hooks.php | 4 +- system/core/Input.php | 24 +++++----- system/core/Lang.php | 2 +- system/core/Loader.php | 60 ++++++++++++------------- system/core/Model.php | 2 +- system/core/Output.php | 20 ++++----- system/core/Router.php | 26 +++++------ system/core/Security.php | 104 ++++++++++++++++++++++---------------------- system/core/URI.php | 14 +++--- system/core/Utf8.php | 2 +- 16 files changed, 194 insertions(+), 194 deletions(-) (limited to 'system/core') diff --git a/system/core/Benchmark.php b/system/core/Benchmark.php index 3686c2d73..515550e9f 100644 --- a/system/core/Benchmark.php +++ b/system/core/Benchmark.php @@ -1,4 +1,4 @@ -_call_hook('pre_system'); /* * ------------------------------------------------------ - * Instantiate the config class + * Instantiate the config class * ------------------------------------------------------ */ $CFG =& load_class('Config', 'core'); @@ -143,7 +143,7 @@ /* * ------------------------------------------------------ - * Instantiate the UTF-8 class + * Instantiate the UTF-8 class * ------------------------------------------------------ * * Note: Order here is rather important as the UTF-8 @@ -157,14 +157,14 @@ /* * ------------------------------------------------------ - * Instantiate the URI class + * Instantiate the URI class * ------------------------------------------------------ */ $URI =& load_class('URI', 'core'); /* * ------------------------------------------------------ - * Instantiate the routing class and set the routing + * Instantiate the routing class and set the routing * ------------------------------------------------------ */ $RTR =& load_class('Router', 'core'); @@ -178,14 +178,14 @@ /* * ------------------------------------------------------ - * Instantiate the output class + * Instantiate the output class * ------------------------------------------------------ */ $OUT =& load_class('Output', 'core'); /* * ------------------------------------------------------ - * Is there a valid cache file? If so, we're done... + * Is there a valid cache file? If so, we're done... * ------------------------------------------------------ */ if ($EXT->_call_hook('cache_override') === FALSE) @@ -205,21 +205,21 @@ /* * ------------------------------------------------------ - * Load the Input class and sanitize globals + * Load the Input class and sanitize globals * ------------------------------------------------------ */ $IN =& load_class('Input', 'core'); /* * ------------------------------------------------------ - * Load the Language class + * Load the Language class * ------------------------------------------------------ */ $LANG =& load_class('Lang', 'core'); /* * ------------------------------------------------------ - * Load the app controller and local controller + * Load the app controller and local controller * ------------------------------------------------------ * */ @@ -252,14 +252,14 @@ /* * ------------------------------------------------------ - * Security check + * Security check * ------------------------------------------------------ * - * None of the functions in the app controller or the - * loader class can be called via the URI, nor can - * controller functions that begin with an underscore + * None of the functions in the app controller or the + * loader class can be called via the URI, nor can + * controller functions that begin with an underscore */ - $class = $RTR->fetch_class(); + $class = $RTR->fetch_class(); $method = $RTR->fetch_method(); if ( ! class_exists($class) @@ -272,14 +272,14 @@ /* * ------------------------------------------------------ - * Is there a "pre_controller" hook? + * Is there a "pre_controller" hook? * ------------------------------------------------------ */ $EXT->_call_hook('pre_controller'); /* * ------------------------------------------------------ - * Instantiate the requested controller + * Instantiate the requested controller * ------------------------------------------------------ */ // Mark a start point so we can benchmark the controller @@ -289,14 +289,14 @@ /* * ------------------------------------------------------ - * Is there a "post_controller_constructor" hook? + * Is there a "post_controller_constructor" hook? * ------------------------------------------------------ */ $EXT->_call_hook('post_controller_constructor'); /* * ------------------------------------------------------ - * Call the requested method + * Call the requested method * ------------------------------------------------------ */ // Is there a "remap" function? If so, we call it instead @@ -345,14 +345,14 @@ /* * ------------------------------------------------------ - * Is there a "post_controller" hook? + * Is there a "post_controller" hook? * ------------------------------------------------------ */ $EXT->_call_hook('post_controller'); /* * ------------------------------------------------------ - * Send the final rendered output to the browser + * Send the final rendered output to the browser * ------------------------------------------------------ */ if ($EXT->_call_hook('display_override') === FALSE) @@ -362,14 +362,14 @@ /* * ------------------------------------------------------ - * Is there a "post_system" hook? + * Is there a "post_system" hook? * ------------------------------------------------------ */ $EXT->_call_hook('post_system'); /* * ------------------------------------------------------ - * Close the DB connection if one exists + * Close the DB connection if one exists * ------------------------------------------------------ */ if (class_exists('CI_DB') AND isset($CI->db)) diff --git a/system/core/Common.php b/system/core/Common.php index eb9e14425..d1e8e77e9 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -1,4 +1,4 @@ -show_php_error($severity, $message, $filepath, $line); } - // Should we log the error? No? We're done... + // Should we log the error? No? We're done... if (config_item('log_threshold') == 0) { return; @@ -479,16 +479,16 @@ function remove_invisible_characters($str, $url_encoded = TRUE) { $non_displayables = array(); - + // every control character except newline (dec 10) // carriage return (dec 13), and horizontal tab (dec 09) - + if ($url_encoded) { $non_displayables[] = '/%0[0-8bcef]/'; // url encoded 00-08, 11, 12, 14, 15 $non_displayables[] = '/%1[0-9a-f]/'; // url encoded 16-31 } - + $non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S'; // 00-08, 11, 12, 14-31, 127 do diff --git a/system/core/Config.php b/system/core/Config.php index fa71f4d3d..1096a9ea6 100644 --- a/system/core/Config.php +++ b/system/core/Config.php @@ -1,4 +1,4 @@ -load =& load_class('Loader', 'core'); $this->load->set_base_classes()->ci_autoloader(); - + log_message('debug', "Controller Class Initialized"); } diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php index 2503c907f..bff86a92f 100644 --- a/system/core/Exceptions.php +++ b/system/core/Exceptions.php @@ -1,4 +1,4 @@ -ob_level = ob_get_level(); - // Note: Do not log messages from this constructor. + // Note: Do not log messages from this constructor. } // -------------------------------------------------------------------- @@ -75,7 +75,7 @@ class CI_Exceptions { { $severity = ( ! isset($this->levels[$severity])) ? $severity : $this->levels[$severity]; - log_message('error', 'Severity: '.$severity.' --> '.$message. ' '.$filepath.' '.$line, TRUE); + log_message('error', 'Severity: '.$severity.' --> '.$message. ' '.$filepath.' '.$line, TRUE); } // -------------------------------------------------------------------- diff --git a/system/core/Hooks.php b/system/core/Hooks.php index ffb3258d8..fd6380f0a 100644 --- a/system/core/Hooks.php +++ b/system/core/Hooks.php @@ -1,4 +1,4 @@ -_fetch_from_array($_POST, $index, $xss_clean); } @@ -201,7 +201,7 @@ class CI_Input { * @param mixed * @param string the value of the cookie * @param string the number of seconds until expiration - * @param string the cookie domain. Usually: .yourdomain.com + * @param string the cookie domain. Usually: .yourdomain.com * @param string the cookie path * @param string the cookie prefix * @param bool true makes the cookie secure @@ -402,9 +402,9 @@ class CI_Input { function _sanitize_globals() { // It would be "wrong" to unset any of these GLOBALS. - $protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', + $protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA', - 'system_folder', 'application_folder', 'BM', 'EXT', + 'system_folder', 'application_folder', 'BM', 'EXT', 'CFG', 'URI', 'RTR', 'OUT', 'IN'); // Unset globals for securiy. @@ -523,7 +523,7 @@ class CI_Input { { $str = $this->uni->clean_string($str); } - + // Remove control characters $str = remove_invisible_characters($str); @@ -579,7 +579,7 @@ class CI_Input { /** * Request Headers * - * In Apache, you can simply call apache_request_headers(), however for + * In Apache, you can simply call apache_request_headers(), however for * people running other webservers the function is undefined. * * @return array @@ -609,10 +609,10 @@ class CI_Input { { $key = str_replace('_', ' ', strtolower($key)); $key = str_replace(' ', '-', ucwords($key)); - + $this->headers[$key] = $val; } - + return $this->headers; } @@ -633,7 +633,7 @@ class CI_Input { { $this->request_headers(); } - + if ( ! isset($this->headers[$index])) { return FALSE; @@ -644,7 +644,7 @@ class CI_Input { return $this->security->xss_clean($this->headers[$index]); } - return $this->headers[$index]; + return $this->headers[$index]; } // -------------------------------------------------------------------- diff --git a/system/core/Lang.php b/system/core/Lang.php index 79eb443a0..170e6c725 100644 --- a/system/core/Lang.php +++ b/system/core/Lang.php @@ -1,4 +1,4 @@ - 'unit', + protected $_ci_varmap = array('unit_test' => 'unit', 'user_agent' => 'agent'); /** @@ -50,29 +50,29 @@ class CI_Loader { */ public function __construct() { - $this->_ci_ob_level = ob_get_level(); + $this->_ci_ob_level = ob_get_level(); $this->_ci_library_paths = array(APPPATH, BASEPATH); $this->_ci_helper_paths = array(APPPATH, BASEPATH); $this->_ci_model_paths = array(APPPATH); $this->_ci_view_paths = array(APPPATH.'views/' => TRUE); - + log_message('debug', "Loader Class Initialized"); } // -------------------------------------------------------------------- - + /** * Set _base_classes variable * * This method is called once in CI_Controller. * - * @param array + * @param array * @return object */ public function set_base_classes() { $this->_base_classes =& is_loaded(); - + return $this; } @@ -96,7 +96,7 @@ class CI_Loader { { return $this->_ci_classes[$class]; } - + return FALSE; } @@ -260,7 +260,7 @@ class CI_Loader { return DB($params, $active_record); } - // Initialize the db variable. Needed to prevent + // Initialize the db variable. Needed to prevent // reference errors with some configurations $CI->db = ''; @@ -323,11 +323,11 @@ class CI_Loader { /** * Load View * - * This function is used to load a "view" file. It has three parameters: + * This function is used to load a "view" file. It has three parameters: * * 1. The name of the "view" file to be included. * 2. An associative array of data to be extracted for use in the view. - * 3. TRUE/FALSE - whether to return the data or load it. In + * 3. TRUE/FALSE - whether to return the data or load it. In * some cases it's advantageous to be able to return data so that * a developer can process it in some way. * @@ -538,13 +538,13 @@ class CI_Loader { * Prepends a parent path to the library, model, helper, and config path arrays * * @param string - * @param boolean + * @param boolean * @return void */ public function add_package_path($path, $view_cascade=TRUE) { $path = rtrim($path, '/').'/'; - + array_unshift($this->_ci_library_paths, $path); array_unshift($this->_ci_model_paths, $path); array_unshift($this->_ci_helper_paths, $path); @@ -604,7 +604,7 @@ class CI_Loader { unset($this->{$var}[$key]); } } - + if (isset($this->_ci_view_paths[$path.'views/'])) { unset($this->_ci_view_paths[$path.'views/']); @@ -643,7 +643,7 @@ class CI_Loader { { $$_ci_val = ( ! isset($_ci_data[$_ci_val])) ? FALSE : $_ci_data[$_ci_val]; } - + $file_exists = FALSE; // Set the path to the requested file @@ -665,11 +665,11 @@ class CI_Loader { $file_exists = TRUE; break; } - + if ( ! $cascade) { break; - } + } } } @@ -710,9 +710,9 @@ class CI_Loader { * We buffer the output for two reasons: * 1. Speed. You get a significant speed boost. * 2. So that the final rendered template can be - * post-processed by the output class. Why do we - * need post processing? For one thing, in order to - * show the elapsed page load time. Unless we + * post-processed by the output class. Why do we + * need post processing? For one thing, in order to + * show the elapsed page load time. Unless we * can intercept the content right before it's sent to * the browser and then stop the timer it won't be accurate. */ @@ -809,11 +809,11 @@ class CI_Loader { show_error("Unable to load the requested class: ".$class); } - // Safety: Was the class already loaded by a previous call? + // Safety: Was the class already loaded by a previous call? if (in_array($subclass, $this->_ci_loaded_files)) { // Before we deem this to be a duplicate request, let's see - // if a custom object name is being supplied. If so, we'll + // if a custom object name is being supplied. If so, we'll // return a new instance of the object if ( ! is_null($object_name)) { @@ -842,17 +842,17 @@ class CI_Loader { { $filepath = $path.'libraries/'.$subdir.$class.'.php'; - // Does the file exist? No? Bummer... + // Does the file exist? No? Bummer... if ( ! file_exists($filepath)) { continue; } - // Safety: Was the class already loaded by a previous call? + // Safety: Was the class already loaded by a previous call? if (in_array($filepath, $this->_ci_loaded_files)) { // Before we deem this to be a duplicate request, let's see - // if a custom object name is being supplied. If so, we'll + // if a custom object name is being supplied. If so, we'll // return a new instance of the object if ( ! is_null($object_name)) { @@ -875,7 +875,7 @@ class CI_Loader { } // END FOREACH - // One last attempt. Maybe the library is in a subdirectory, but it wasn't specified? + // One last attempt. Maybe the library is in a subdirectory, but it wasn't specified? if ($subdir == '') { $path = strtolower($class).'/'.$class; @@ -903,7 +903,7 @@ class CI_Loader { */ protected function _ci_init_class($class, $prefix = '', $config = FALSE, $object_name = NULL) { - // Is there an associated config file for this class? Note: these should always be lowercase + // Is there an associated config file for this class? Note: these should always be lowercase if ($config === NULL) { // Fetch the config paths containing any package paths @@ -970,7 +970,7 @@ class CI_Loader { } // Set the variable name we will assign the class to - // Was a custom class name supplied? If so we'll use it + // Was a custom class name supplied? If so we'll use it $class = strtolower($class); if (is_null($object_name)) @@ -1005,7 +1005,7 @@ class CI_Loader { * The config/autoload.php file contains an array that permits sub-systems, * libraries, and helpers to be loaded automatically. * - * This function is public, as it's used in the CI_Controller class. + * This function is public, as it's used in the CI_Controller class. * However, there is no reason you should ever needs to use it. * * @param array @@ -1021,7 +1021,7 @@ class CI_Loader { { include_once(APPPATH.'config/autoload.php'); } - + if ( ! isset($autoload)) { diff --git a/system/core/Model.php b/system/core/Model.php index 61c71b672..8566a0b66 100644 --- a/system/core/Model.php +++ b/system/core/Model.php @@ -1,4 +1,4 @@ -final_output * * This function sends the finalized output data to the browser along - * with any server headers and profile data. It also stops the + * with any server headers and profile data. It also stops the * benchmark timer so the page rendering speed and memory usage can be shown. * * @access public @@ -269,7 +269,7 @@ class CI_Output { */ function _display($output = '') { - // Note: We use globals because we can't use $CI =& get_instance() + // Note: We use globals because we can't use $CI =& get_instance() // since this function is sometimes called by the caching mechanism, // which happens before the CI super object is available. global $BM, $CFG; @@ -290,7 +290,7 @@ class CI_Output { // -------------------------------------------------------------------- - // Do we need to write a cache file? Only if the controller does not have its + // Do we need to write a cache file? Only if the controller does not have its // own _output() method and we are not dealing with a cache file, which we // can determine by the existence of the $CI object above if ($this->cache_expiration > 0 && isset($CI) && ! method_exists($CI, '_output')) @@ -368,7 +368,7 @@ class CI_Output { // we will remove them and add them back after we insert the profile data if (preg_match("|.*?|is", $output)) { - $output = preg_replace("|.*?|is", '', $output); + $output = preg_replace("|.*?|is", '', $output); $output .= $CI->profiler->run(); $output .= ''; } @@ -381,14 +381,14 @@ class CI_Output { // -------------------------------------------------------------------- // Does the controller contain a function named _output()? - // If so send the output there. Otherwise, echo it. + // If so send the output there. Otherwise, echo it. if (method_exists($CI, '_output')) { $CI->_output($output); } else { - echo $output; // Send it to the browser! + echo $output; // Send it to the browser! } log_message('debug', "Final output sent to browser"); @@ -458,7 +458,7 @@ class CI_Output { { $cache_path = ($CFG->item('cache_path') == '') ? APPPATH.'cache/' : $CFG->item('cache_path'); - // Build the file path. The file name is an MD5 hash of the full URI + // Build the file path. The file name is an MD5 hash of the full URI $uri = $CFG->item('base_url'). $CFG->item('index_page'). $URI->uri_string; diff --git a/system/core/Router.php b/system/core/Router.php index a76a7bd0a..5e92a04b1 100644 --- a/system/core/Router.php +++ b/system/core/Router.php @@ -1,4 +1,4 @@ -routes = ( ! isset($route) OR ! is_array($route)) ? array() : $route; unset($route); @@ -103,7 +103,7 @@ class CI_Router { // the URI doesn't correlated to a valid controller. $this->default_controller = ( ! isset($this->routes['default_controller']) OR $this->routes['default_controller'] == '') ? FALSE : strtolower($this->routes['default_controller']); - // Were there any query string segments? If so, we'll validate them and bail out since we're done. + // Were there any query string segments? If so, we'll validate them and bail out since we're done. if (count($segments) > 0) { return $this->_validate_request($segments); @@ -212,7 +212,7 @@ class CI_Router { // -------------------------------------------------------------------- /** - * Validates the supplied segments. Attempts to determine the path to + * Validates the supplied segments. Attempts to determine the path to * the controller. * * @access private @@ -277,7 +277,7 @@ class CI_Router { // If we've gotten this far it means that the URI does not correlate to a valid - // controller class. We will now see if there is an override + // controller class. We will now see if there is an override if ( ! empty($this->routes['404_override'])) { $x = explode('/', $this->routes['404_override']); @@ -296,7 +296,7 @@ class CI_Router { // -------------------------------------------------------------------- /** - * Parse Routes + * Parse Routes * * This function matches any routes that may exist in * the config/routes.php file against the URI to @@ -310,7 +310,7 @@ class CI_Router { // Turn the segment array into a URI string $uri = implode('/', $this->uri->segments); - // Is there a literal match? If so we're done + // Is there a literal match? If so we're done if (isset($this->routes[$uri])) { return $this->_set_request(explode('/', $this->routes[$uri])); @@ -370,7 +370,7 @@ class CI_Router { // -------------------------------------------------------------------- /** - * Set the method name + * Set the method name * * @access public * @param string @@ -384,7 +384,7 @@ class CI_Router { // -------------------------------------------------------------------- /** - * Fetch the current method + * Fetch the current method * * @access public * @return string @@ -402,7 +402,7 @@ class CI_Router { // -------------------------------------------------------------------- /** - * Set the directory name + * Set the directory name * * @access public * @param string @@ -416,7 +416,7 @@ class CI_Router { // -------------------------------------------------------------------- /** - * Fetch the sub-directory (if any) that contains the requested controller class + * Fetch the sub-directory (if any) that contains the requested controller class * * @access public * @return string @@ -429,7 +429,7 @@ class CI_Router { // -------------------------------------------------------------------- /** - * Set the controller overrides + * Set the controller overrides * * @access public * @param array diff --git a/system/core/Security.php b/system/core/Security.php index f5bfafd9b..3617cadcc 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -1,4 +1,4 @@ - '[removed]', // IE, surprise! "Redirect\s+302" => '[removed]' ); - + /** * Constructor */ @@ -95,7 +95,7 @@ class CI_Security { } // Do the tokens exist in both the _POST and _COOKIE arrays? - if ( ! isset($_POST[$this->_csrf_token_name]) OR + if ( ! isset($_POST[$this->_csrf_token_name]) OR ! isset($_COOKIE[$this->_csrf_cookie_name])) { $this->csrf_show_error(); @@ -107,7 +107,7 @@ class CI_Security { $this->csrf_show_error(); } - // We kill this since we're done and we don't want to + // We kill this since we're done and we don't want to // polute the _POST array unset($_POST[$this->_csrf_token_name]); @@ -117,7 +117,7 @@ class CI_Security { $this->csrf_set_cookie(); log_message('debug', "CSRF token verified "); - + return $this; } @@ -146,7 +146,7 @@ class CI_Security { setcookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), $secure_cookie); log_message('debug', "CRSF cookie Set"); - + return $this; } @@ -165,9 +165,9 @@ class CI_Security { // -------------------------------------------------------------------- /** - * Get CSRF Hash + * Get CSRF Hash * - * Getter Method + * Getter Method * * @return string self::_csrf_hash */ @@ -196,14 +196,14 @@ class CI_Security { * XSS Clean * * Sanitizes data so that Cross Site Scripting Hacks can be - * prevented. This function does a fair amount of work but + * prevented. This function does a fair amount of work but * it is extremely thorough, designed to prevent even the - * most obscure XSS attempts. Nothing is ever 100% foolproof, + * most obscure XSS attempts. Nothing is ever 100% foolproof, * of course, but I haven't been able to get anything passed * the filter. * * Note: This function should only be used to deal with data - * upon submission. It's not something that should + * upon submission. It's not something that should * be used for general runtime processing. * * This function was based in part on some code and ideas I @@ -263,7 +263,7 @@ class CI_Security { */ $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - + $str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_decode_entity'), $str); /* @@ -276,7 +276,7 @@ class CI_Security { * * This prevents strings like this: ja vascript * NOTE: we deal with spaces between characters later. - * NOTE: preg_replace was found to be amazingly slow here on + * NOTE: preg_replace was found to be amazingly slow here on * large blocks of data, so we use str_replace. */ @@ -304,27 +304,27 @@ class CI_Security { */ if ($is_image === TRUE) { - // Images have a tendency to have the PHP short opening and - // closing tags every so often so we skip those and only + // Images have a tendency to have the PHP short opening and + // closing tags every so often so we skip those and only // do the long opening tags. $str = preg_replace('/<\?(php)/i', "<?\\1", $str); } else { - $str = str_replace(array(''), array('<?', '?>'), $str); + $str = str_replace(array(''), array('<?', '?>'), $str); } /* * Compact any exploded words * - * This corrects words like: j a v a s c r i p t + * This corrects words like: j a v a s c r i p t * These words are compacted back to their correct state. */ $words = array( - 'javascript', 'expression', 'vbscript', 'script', + 'javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window' ); - + foreach ($words as $word) { $temp = ''; @@ -341,8 +341,8 @@ class CI_Security { /* * Remove disallowed Javascript in links or img tags - * We used to do some version comparisons and use of stripos for PHP5, - * but it is dog slow compared to these simplified non-capturing + * We used to do some version comparisons and use of stripos for PHP5, + * but it is dog slow compared to these simplified non-capturing * preg_match(), especially if the pattern exists in the string */ do @@ -388,7 +388,7 @@ class CI_Security { * * Similar to above, only instead of looking for * tags it looks for PHP and JavaScript commands - * that are disallowed. Rather than removing the + * that are disallowed. Rather than removing the * code, it simply converts the parenthesis to entities * rendering the code un-executable. * @@ -405,11 +405,11 @@ class CI_Security { /* * Images are Handled in a Special Way - * - Essentially, we want to know that after all of the character - * conversion is done whether any unwanted, likely XSS, code was found. + * - Essentially, we want to know that after all of the character + * conversion is done whether any unwanted, likely XSS, code was found. * If not, we return TRUE, as the image is clean. - * However, if the string post-conversion does not matched the - * string post-removal of XSS, then it fails, as there was unwanted XSS + * However, if the string post-conversion does not matched the + * string post-removal of XSS, then it fails, as there was unwanted XSS * code found and removed/changed during processing. */ @@ -457,7 +457,7 @@ class CI_Security { * * In some versions of PHP the native function does not work * when UTF-8 is the specified character set, so this gives us - * a work-around. More info here: + * a work-around. More info here: * http://bugs.php.net/bug.php?id=25670 * * NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the @@ -475,10 +475,10 @@ class CI_Security { // The reason we are not using html_entity_decode() by itself is because // while it is not technically correct to leave out the semicolon // at the end of an entity most browsers will still interpret the entity - // correctly. html_entity_decode() does not convert entities without + // correctly. html_entity_decode() does not convert entities without // semicolons, so we are left with our own little solution here. Bummer. - if (function_exists('html_entity_decode') && + if (function_exists('html_entity_decode') && (strtolower($charset) != 'utf-8')) { $str = html_entity_decode($str, ENT_COMPAT, $charset); @@ -542,7 +542,7 @@ class CI_Security { "%3b", // ; "%3d" // = ); - + if ( ! $relative_path) { $bad[] = './'; @@ -570,7 +570,7 @@ class CI_Security { } // -------------------------------------------------------------------- - + /* * Remove Evil HTML Attributes (like evenhandlers and style) * @@ -578,7 +578,7 @@ class CI_Security { * - Everything up until a space * For example, everything between the pipes: * - * - Everything inside the quotes + * - Everything inside the quotes * For example, everything between the pipes: * * @@ -594,12 +594,12 @@ class CI_Security { if ($is_image === TRUE) { /* - * Adobe Photoshop puts XML metadata into JFIF images, + * Adobe Photoshop puts XML metadata into JFIF images, * including namespacing, so we have to allow this for images. */ unset($evil_attributes[array_search('xmlns', $evil_attributes)]); } - + do { $str = preg_replace( "#<(/?[^><]+?)([^A-Za-z\-])(".implode('|', $evil_attributes).")(\s*=\s*)([\"][^>]*?[\"]|[\'][^>]*?[\']|[^>]*?)([\s><])([><]*)#i", @@ -607,10 +607,10 @@ class CI_Security { $str, -1, $count ); } while ($count); - + return $str; } - + // -------------------------------------------------------------------- /** @@ -627,7 +627,7 @@ class CI_Security { $str = '<'.$matches[1].$matches[2].$matches[3]; // encode captured opening or closing brace to prevent recursive vectors - $str .= str_replace(array('>', '<'), array('>', '<'), + $str .= str_replace(array('>', '<'), array('>', '<'), $matches[4]); return $str; @@ -649,7 +649,7 @@ class CI_Security { protected function _js_link_removal($match) { $attributes = $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])); - + return str_replace($match[1], preg_replace("#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])); - + return str_replace($match[1], preg_replace("#src=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|xss_hash()."\\1=\\2", $str); /* * Validate standard character entities * - * Add a semicolon if missing. We do this to enable + * Add a semicolon if missing. We do this to enable * the conversion of entities to ASCII later. * */ @@ -769,7 +769,7 @@ class CI_Security { * Un-Protect GET variables in URLs */ $str = str_replace($this->xss_hash(), '&', $str); - + return $str; } @@ -794,7 +794,7 @@ class CI_Security { { $str = preg_replace("#".$key."#i", $val, $str); } - + return $str; } @@ -809,16 +809,16 @@ class CI_Security { { if ($this->_csrf_hash == '') { - // If the cookie exists we will use it's value. + // If the cookie exists we will use it's value. // We don't necessarily want to regenerate it with - // each page load since a page could contain embedded + // each page load since a page could contain embedded // sub-pages causing this feature to fail - if (isset($_COOKIE[$this->_csrf_cookie_name]) && + if (isset($_COOKIE[$this->_csrf_cookie_name]) && $_COOKIE[$this->_csrf_cookie_name] != '') { return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name]; } - + return $this->_csrf_hash = md5(uniqid(rand(), TRUE)); } diff --git a/system/core/URI.php b/system/core/URI.php index 94fac59ac..d56548654 100644 --- a/system/core/URI.php +++ b/system/core/URI.php @@ -1,4 +1,4 @@ -_set_uri_string($path); @@ -251,7 +251,7 @@ class CI_URI { */ function _remove_url_suffix() { - if ($this->config->item('url_suffix') != "") + if ($this->config->item('url_suffix') != "") { $this->uri_string = preg_replace("|".preg_quote($this->config->item('url_suffix'))."$|", "", $this->uri_string); } @@ -285,7 +285,7 @@ class CI_URI { * Re-index Segments * * This function re-indexes the $this->segment array so that it - * starts at 1 rather than 0. Doing so makes it simpler to + * starts at 1 rather than 0. Doing so makes it simpler to * use functions like $this->uri->segment(n) since there is * a 1:1 relationship between the segment array and the actual segments. * @@ -323,7 +323,7 @@ class CI_URI { * Fetch a URI "routed" Segment * * This function returns the re-routed URI segment (assuming routing rules are used) - * based on the number provided. If there is no routing this function returns the + * based on the number provided. If there is no routing this function returns the * same result as $this->segment() * * @access public @@ -425,7 +425,7 @@ class CI_URI { $i = 0; $lastval = ''; - $retval = array(); + $retval = array(); foreach ($segments as $seg) { if ($i % 2) diff --git a/system/core/Utf8.php b/system/core/Utf8.php index 738d7e9d8..2a27d1f35 100644 --- a/system/core/Utf8.php +++ b/system/core/Utf8.php @@ -1,4 +1,4 @@ - Date: Fri, 22 Jul 2011 16:11:34 -0600 Subject: Added ->load->get_var() to check against ->load->_ci_cached_vars[]. --- system/core/Loader.php | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'system/core') diff --git a/system/core/Loader.php b/system/core/Loader.php index 721c196cc..7c8b298ac 100644 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -388,6 +388,21 @@ class CI_Loader { // -------------------------------------------------------------------- + /** + * Get Variable + * + * Check if a variable is set and retrieve it. + * + * @param array + * @return void + */ + public function get_var($key) + { + return isset($this->_ci_cached_vars[$key]) ? $this->_ci_cached_vars[$key] : NULL; + } + + // -------------------------------------------------------------------- + /** * Load Helper * -- cgit v1.2.3-24-g4f1b From 664a9357cd36be2f8e673cae3643318a695de5fb Mon Sep 17 00:00:00 2001 From: Shane Pearson Date: Wed, 10 Aug 2011 16:02:32 -0500 Subject: 404_override route now works for missing controllers in subdirectories and functions that fail the security check in CodeIgniter.php --- system/core/CodeIgniter.php | 20 +++++++++++++++++++- system/core/Router.php | 15 ++++++++++++++- 2 files changed, 33 insertions(+), 2 deletions(-) (limited to 'system/core') diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 03b25ab9e..b49449005 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -267,7 +267,25 @@ OR in_array(strtolower($method), array_map('strtolower', get_class_methods('CI_Controller'))) ) { - show_404("{$class}/{$method}"); + if ( ! empty($RTR->routes['404_override'])) + { + $x = explode('/', $RTR->routes['404_override']); + $class = $x[0]; + $method = (isset($x[1]) ? $x[1] : 'index'); + if ( ! class_exists($class)) + { + if ( ! file_exists(APPPATH.'controllers/'.$class.'.php')) + { + show_404("{$class}/{$method}"); + } + + include_once(APPPATH.'controllers/'.$class.'.php'); + } + } + else + { + show_404("{$class}/{$method}"); + } } /* diff --git a/system/core/Router.php b/system/core/Router.php index 5e92a04b1..668ac0954 100644 --- a/system/core/Router.php +++ b/system/core/Router.php @@ -244,7 +244,20 @@ class CI_Router { // Does the requested controller exist in the sub-folder? if ( ! file_exists(APPPATH.'controllers/'.$this->fetch_directory().$segments[0].'.php')) { - show_404($this->fetch_directory().$segments[0]); + if ( ! empty($this->routes['404_override'])) + { + $x = explode('/', $this->routes['404_override']); + + $this->set_directory(''); + $this->set_class($x[0]); + $this->set_method(isset($x[1]) ? $x[1] : 'index'); + + return $x; + } + else + { + show_404($this->fetch_directory().$segments[0]); + } } } else -- cgit v1.2.3-24-g4f1b From 6adfe636980da3a7b25e5b87ed8bcd1d008a1243 Mon Sep 17 00:00:00 2001 From: Shane Pearson Date: Wed, 10 Aug 2011 16:42:53 -0500 Subject: Reset loaded files arrays in the Loader so the 404_override controller can access autoloaded libraries. If a controller exists but a method is not found the current $CI instance is unset and a new one is created for the 404 override controller. Any autoloaded libraries will not be available to the 404 override controller because the Loader sees them as already have been loaded. To fix this we need to reset the loader. I implemented it via an initialize function that resets the loaded files arrays and then calls the autoloader. This also simplifies things in CI_Controller because it only has to call one loader function instead. --- system/core/Controller.php | 2 +- system/core/Loader.php | 21 +++++++++++---------- 2 files changed, 12 insertions(+), 11 deletions(-) (limited to 'system/core') diff --git a/system/core/Controller.php b/system/core/Controller.php index ec86b7920..fddb81e19 100644 --- a/system/core/Controller.php +++ b/system/core/Controller.php @@ -48,7 +48,7 @@ class CI_Controller { $this->load =& load_class('Loader', 'core'); - $this->load->set_base_classes()->ci_autoloader(); + $this->load->initialize(); log_message('debug', "Controller Class Initialized"); } diff --git a/system/core/Loader.php b/system/core/Loader.php index 7c8b298ac..2b36c1cad 100644 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -62,17 +62,22 @@ class CI_Loader { // -------------------------------------------------------------------- /** - * Set _base_classes variable + * Initialize the Loader * * This method is called once in CI_Controller. * * @param array * @return object */ - public function set_base_classes() + public function initialize() { + $this->_ci_classes = array(); + $this->_ci_loaded_files = array(); + $this->_ci_models = array(); $this->_base_classes =& is_loaded(); - + + $this->_ci_autoloader(); + return $this; } @@ -1020,23 +1025,19 @@ class CI_Loader { * The config/autoload.php file contains an array that permits sub-systems, * libraries, and helpers to be loaded automatically. * - * This function is public, as it's used in the CI_Controller class. - * However, there is no reason you should ever needs to use it. - * * @param array * @return void */ - public function ci_autoloader() + private function _ci_autoloader() { if (defined('ENVIRONMENT') AND file_exists(APPPATH.'config/'.ENVIRONMENT.'/autoload.php')) { - include_once(APPPATH.'config/'.ENVIRONMENT.'/autoload.php'); + include(APPPATH.'config/'.ENVIRONMENT.'/autoload.php'); } else { - include_once(APPPATH.'config/autoload.php'); + include(APPPATH.'config/autoload.php'); } - if ( ! isset($autoload)) { -- cgit v1.2.3-24-g4f1b From 6f1b3841b6f660dfbaa5e00df456d793e67fe60f Mon Sep 17 00:00:00 2001 From: Phil Sturgeon Date: Sat, 13 Aug 2011 10:28:28 -0600 Subject: If a config class was loaded first then a library with the same name is loaded, the config would be ignored. --- system/core/Loader.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'system/core') diff --git a/system/core/Loader.php b/system/core/Loader.php index 7c8b298ac..18024242e 100644 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -935,22 +935,22 @@ class CI_Loader { // first, global next if (defined('ENVIRONMENT') AND file_exists($path .'config/'.ENVIRONMENT.'/'.strtolower($class).'.php')) { - include_once($path .'config/'.ENVIRONMENT.'/'.strtolower($class).'.php'); + include($path .'config/'.ENVIRONMENT.'/'.strtolower($class).'.php'); break; } elseif (defined('ENVIRONMENT') AND file_exists($path .'config/'.ENVIRONMENT.'/'.ucfirst(strtolower($class)).'.php')) { - include_once($path .'config/'.ENVIRONMENT.'/'.ucfirst(strtolower($class)).'.php'); + include($path .'config/'.ENVIRONMENT.'/'.ucfirst(strtolower($class)).'.php'); break; } elseif (file_exists($path .'config/'.strtolower($class).'.php')) { - include_once($path .'config/'.strtolower($class).'.php'); + include($path .'config/'.strtolower($class).'.php'); break; } elseif (file_exists($path .'config/'.ucfirst(strtolower($class)).'.php')) { - include_once($path .'config/'.ucfirst(strtolower($class)).'.php'); + include($path .'config/'.ucfirst(strtolower($class)).'.php'); break; } } -- cgit v1.2.3-24-g4f1b From c5dccf70ef6d8420b0b858f36318fc4375b0e25d Mon Sep 17 00:00:00 2001 From: Phil Sturgeon Date: Sat, 13 Aug 2011 11:06:57 -0600 Subject: Get php_sapi_name() == 'cli' involved in the 'is this the command line?' decision. --- system/core/Input.php | 2 +- system/core/URI.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core') diff --git a/system/core/Input.php b/system/core/Input.php index dc7612e64..cfbef942d 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -672,7 +672,7 @@ class CI_Input { */ public function is_cli_request() { - return (bool) defined('STDIN'); + return (php_sapi_name() == 'cli') or defined('STDIN'); } } diff --git a/system/core/URI.php b/system/core/URI.php index d56548654..20f0f006b 100644 --- a/system/core/URI.php +++ b/system/core/URI.php @@ -62,7 +62,7 @@ class CI_URI { if (strtoupper($this->config->item('uri_protocol')) == 'AUTO') { // Is the request coming from the command line? - if (defined('STDIN')) + if (php_sapi_name() == 'cli' or defined('STDIN')) { $this->_set_uri_string($this->_parse_cli_args()); return; -- cgit v1.2.3-24-g4f1b From 83e7a8ed2536aca790a83e8c533dcdc150e6a79b Mon Sep 17 00:00:00 2001 From: root Date: Sun, 14 Aug 2011 19:55:57 +0200 Subject: Added some docs to CI core files --- system/core/Benchmark.php | 5 +++++ system/core/CodeIgniter.php | 13 +++++++++++++ 2 files changed, 18 insertions(+) mode change 100644 => 100755 system/core/Benchmark.php mode change 100644 => 100755 system/core/CodeIgniter.php (limited to 'system/core') diff --git a/system/core/Benchmark.php b/system/core/Benchmark.php old mode 100644 new mode 100755 index 515550e9f..a200727ab --- a/system/core/Benchmark.php +++ b/system/core/Benchmark.php @@ -29,6 +29,11 @@ */ class CI_Benchmark { + /** + * List of all benchmark markers and when they were added + * + * @var array + */ var $marker = array(); // -------------------------------------------------------------------- diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php old mode 100644 new mode 100755 index 03b25ab9e..4eb918b15 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -32,6 +32,12 @@ * Define the CodeIgniter Version * ------------------------------------------------------ */ + /** + * CodeIgniter Version + * + * @var string + * + */ define('CI_VERSION', '2.0.2'); /* @@ -39,6 +45,13 @@ * Define the CodeIgniter Branch (Core = TRUE, Reactor = FALSE) * ------------------------------------------------------ */ + + /** + * CodeIgniter Branch (Core = TRUE, Reactor = FALSE) + * + * @var string + * + */ define('CI_CORE', FALSE); /* -- cgit v1.2.3-24-g4f1b From 2d2c9c6be50c246463ec08ad7d152b3da9708c61 Mon Sep 17 00:00:00 2001 From: David Behler Date: Sun, 14 Aug 2011 20:03:08 +0200 Subject: Added some docs to CI core files --- system/core/Config.php | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) mode change 100644 => 100755 system/core/Config.php (limited to 'system/core') diff --git a/system/core/Config.php b/system/core/Config.php old mode 100644 new mode 100755 index 0e6f10e07..714c4667b --- a/system/core/Config.php +++ b/system/core/Config.php @@ -28,8 +28,23 @@ */ class CI_Config { + /** + * List of all loaded config values + * + * @var array + */ var $config = array(); + /** + * List of all loaded config files + * + * @var array + */ var $is_loaded = array(); + /** + * List of paths to search when trying to load a config file + * + * @var array + */ var $_config_paths = array(APPPATH); /** @@ -251,13 +266,13 @@ class CI_Config { return $this->slash_item('base_url').$this->item('index_page').'?'.$this->_uri_string($uri); } } - + // ------------------------------------------------------------- - + /** * Base URL * Returns base_url [. uri_string] - * + * * @access public * @param string $uri * @return string @@ -266,12 +281,12 @@ class CI_Config { { return $this->slash_item('base_url').ltrim($this->_uri_string($uri),'/'); } - + // ------------------------------------------------------------- - + /** * Build URI string for use in Config::site_url() and Config::base_url() - * + * * @access protected * @param $uri * @return string @@ -305,7 +320,7 @@ class CI_Config { } // -------------------------------------------------------------------- - + /** * System URL * -- cgit v1.2.3-24-g4f1b From 050abb8aa6347cb076153f44b2ea0b5f0da006c0 Mon Sep 17 00:00:00 2001 From: David Behler Date: Sun, 14 Aug 2011 20:30:50 +0200 Subject: Added some docs to CI core files --- system/core/Benchmark.php | 5 +++++ system/core/CodeIgniter.php | 12 ++++++++++++ system/core/Config.php | 15 +++++++++++++++ 3 files changed, 32 insertions(+) mode change 100644 => 100755 system/core/Benchmark.php mode change 100644 => 100755 system/core/CodeIgniter.php mode change 100644 => 100755 system/core/Config.php (limited to 'system/core') diff --git a/system/core/Benchmark.php b/system/core/Benchmark.php old mode 100644 new mode 100755 index 515550e9f..a200727ab --- a/system/core/Benchmark.php +++ b/system/core/Benchmark.php @@ -29,6 +29,11 @@ */ class CI_Benchmark { + /** + * List of all benchmark markers and when they were added + * + * @var array + */ var $marker = array(); // -------------------------------------------------------------------- diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php old mode 100644 new mode 100755 index b49449005..7b92ddf11 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -32,6 +32,12 @@ * Define the CodeIgniter Version * ------------------------------------------------------ */ + /** + * CodeIgniter Version + * + * @var string + * + */ define('CI_VERSION', '2.0.2'); /* @@ -39,6 +45,12 @@ * Define the CodeIgniter Branch (Core = TRUE, Reactor = FALSE) * ------------------------------------------------------ */ + /** + * CodeIgniter Branch (Core = TRUE, Reactor = FALSE) + * + * @var string + * + */ define('CI_CORE', FALSE); /* diff --git a/system/core/Config.php b/system/core/Config.php old mode 100644 new mode 100755 index 1096a9ea6..5cacf867c --- a/system/core/Config.php +++ b/system/core/Config.php @@ -28,8 +28,23 @@ */ class CI_Config { + /** + * List of all loaded config values + * + * @var array + */ var $config = array(); + /** + * List of all loaded config files + * + * @var array + */ var $is_loaded = array(); + /** + * List of paths to search when trying to load a config file + * + * @var array + */ var $_config_paths = array(APPPATH); /** -- cgit v1.2.3-24-g4f1b From 9b5df59a6be4da0016b738de8c4fcd3a14d43867 Mon Sep 17 00:00:00 2001 From: David Behler Date: Sun, 14 Aug 2011 21:04:17 +0200 Subject: Added some docs to CI core files --- system/core/Hooks.php | 15 +++++++++++++ system/core/Input.php | 62 ++++++++++++++++++++++++++++++++++++++++----------- 2 files changed, 64 insertions(+), 13 deletions(-) mode change 100644 => 100755 system/core/Hooks.php mode change 100644 => 100755 system/core/Input.php (limited to 'system/core') diff --git a/system/core/Hooks.php b/system/core/Hooks.php old mode 100644 new mode 100755 index fd6380f0a..33f1c034c --- a/system/core/Hooks.php +++ b/system/core/Hooks.php @@ -28,8 +28,23 @@ */ class CI_Hooks { + /** + * Determines wether hooks are enabled + * + * @var bool + */ var $enabled = FALSE; + /** + * List of all hooks set in config/hooks.php + * + * @var array + */ var $hooks = array(); + /** + * Determines wether hook is in progress, used to prevent infinte loops + * + * @var bool + */ var $in_progress = FALSE; /** diff --git a/system/core/Input.php b/system/core/Input.php old mode 100644 new mode 100755 index dc7612e64..64d6c3600 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -28,15 +28,51 @@ */ class CI_Input { + /** + * IP address of the current user + * + * @var string + */ var $ip_address = FALSE; + /** + * user agent (web browser) being used by the current user + * + * @var string + */ var $user_agent = FALSE; + /** + * If FALSE, then $_GET will be set to an empty array + * + * @var bool + */ var $_allow_get_array = TRUE; + /** + * If TRUE, then newlines are standardized + * + * @var bool + */ var $_standardize_newlines = TRUE; - var $_enable_xss = FALSE; // Set automatically based on config setting - var $_enable_csrf = FALSE; // Set automatically based on config setting - + /** + * Determines whether the XSS filter is always active when GET, POST or COOKIE data is encountered + * Set automatically based on config setting + * + * @var bool + */ + var $_enable_xss = FALSE; + /** + * Enables a CSRF cookie token to be set. + * Set automatically based on config setting + * + * @var bool + */ + var $_enable_csrf = FALSE; + /** + * List of all HTTP request headers + * + * @var array + */ protected $headers = array(); - + /** * Constructor @@ -147,7 +183,7 @@ class CI_Input { } return $post; } - + return $this->_fetch_from_array($_POST, $index, $xss_clean); } @@ -402,9 +438,9 @@ class CI_Input { function _sanitize_globals() { // It would be "wrong" to unset any of these GLOBALS. - $protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', + $protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA', - 'system_folder', 'application_folder', 'BM', 'EXT', + 'system_folder', 'application_folder', 'BM', 'EXT', 'CFG', 'URI', 'RTR', 'OUT', 'IN'); // Unset globals for securiy. @@ -523,7 +559,7 @@ class CI_Input { { $str = $this->uni->clean_string($str); } - + // Remove control characters $str = remove_invisible_characters($str); @@ -579,7 +615,7 @@ class CI_Input { /** * Request Headers * - * In Apache, you can simply call apache_request_headers(), however for + * In Apache, you can simply call apache_request_headers(), however for * people running other webservers the function is undefined. * * @return array @@ -609,10 +645,10 @@ class CI_Input { { $key = str_replace('_', ' ', strtolower($key)); $key = str_replace(' ', '-', ucwords($key)); - + $this->headers[$key] = $val; } - + return $this->headers; } @@ -633,7 +669,7 @@ class CI_Input { { $this->request_headers(); } - + if ( ! isset($this->headers[$index])) { return FALSE; @@ -644,7 +680,7 @@ class CI_Input { return $this->security->xss_clean($this->headers[$index]); } - return $this->headers[$index]; + return $this->headers[$index]; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 209b2cf0feac54b4e4fd4c3896524cfc65bf8a46 Mon Sep 17 00:00:00 2001 From: David Behler Date: Sun, 14 Aug 2011 23:00:43 +0200 Subject: Added some docs to CI core files --- system/core/Exceptions.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) mode change 100644 => 100755 system/core/Exceptions.php (limited to 'system/core') diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php old mode 100644 new mode 100755 index bff86a92f..6a63ca733 --- a/system/core/Exceptions.php +++ b/system/core/Exceptions.php @@ -30,8 +30,22 @@ class CI_Exceptions { var $message; var $filename; var $line; + + /** + * Nesting level of the output buffering mechanism + * Used to + * + * @var int + * @access public + */ var $ob_level; + /** + * List if available error levels + * + * @var array + * @access public + */ var $levels = array( E_ERROR => 'Error', E_WARNING => 'Warning', -- cgit v1.2.3-24-g4f1b From cda768a957172d5da7aa7637337405c39e0f774d Mon Sep 17 00:00:00 2001 From: David Behler Date: Sun, 14 Aug 2011 23:52:48 +0200 Subject: Added some docs to CI core files --- system/core/Exceptions.php | 5 ++- system/core/Input.php | 2 + system/core/Lang.php | 13 ++++++ system/core/Loader.php | 102 ++++++++++++++++++++++++++++++++++++++++----- system/core/Model.php | 1 + 5 files changed, 110 insertions(+), 13 deletions(-) mode change 100644 => 100755 system/core/Lang.php mode change 100644 => 100755 system/core/Loader.php mode change 100644 => 100755 system/core/Model.php (limited to 'system/core') diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php index 6a63ca733..869739a5a 100755 --- a/system/core/Exceptions.php +++ b/system/core/Exceptions.php @@ -33,7 +33,6 @@ class CI_Exceptions { /** * Nesting level of the output buffering mechanism - * Used to * * @var int * @access public @@ -98,7 +97,8 @@ class CI_Exceptions { * 404 Page Not Found Handler * * @access private - * @param string + * @param string the page + * @param bool log error yes/no * @return string */ function show_404($page = '', $log_error = TRUE) @@ -129,6 +129,7 @@ class CI_Exceptions { * @param string the heading * @param string the message * @param string the template name + * @param int the status code * @return string */ function show_error($heading, $message, $template = 'error_general', $status_code = 500) diff --git a/system/core/Input.php b/system/core/Input.php index 64d6c3600..bc202b3fc 100755 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -618,6 +618,8 @@ class CI_Input { * In Apache, you can simply call apache_request_headers(), however for * people running other webservers the function is undefined. * + * @param bool XSS cleaning + * * @return array */ public function request_headers($xss_clean = FALSE) diff --git a/system/core/Lang.php b/system/core/Lang.php old mode 100644 new mode 100755 index 170e6c725..5ac671838 --- a/system/core/Lang.php +++ b/system/core/Lang.php @@ -26,7 +26,17 @@ */ class CI_Lang { + /** + * List of translations + * + * @var array + */ var $language = array(); + /** + * List of loaded language files + * + * @var array + */ var $is_loaded = array(); /** @@ -47,6 +57,9 @@ class CI_Lang { * @access public * @param mixed the name of the language file to be loaded. Can be an array * @param string the language (english, etc.) + * @param bool return loaded array of translations + * @param bool add suffix to $langfile + * @param string alternative path to look for language file * @return mixed */ function load($langfile = '', $idiom = '', $return = FALSE, $add_suffix = TRUE, $alt_path = '') diff --git a/system/core/Loader.php b/system/core/Loader.php old mode 100644 new mode 100755 index 2b36c1cad..019de82c1 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -29,18 +29,91 @@ class CI_Loader { // All these are set automatically. Don't mess with them. + /** + * Nesting level of the output buffering mechanism + * + * @var int + * @access protected + */ protected $_ci_ob_level; + /** + * List of paths to load views from + * + * @var array + * @access protected + */ protected $_ci_view_paths = array(); + /** + * List of paths to load libraries from + * + * @var array + * @access protected + */ protected $_ci_library_paths = array(); + /** + * List of paths to load models from + * + * @var array + * @access protected + */ protected $_ci_model_paths = array(); + /** + * List of paths to load helpers from + * + * @var array + * @access protected + */ protected $_ci_helper_paths = array(); + /** + * List of loaded base classes + * Set by the controller class + * + * @var array + * @access protected + */ protected $_base_classes = array(); // Set by the controller class + /** + * List of cached variables + * + * @var array + * @access protected + */ protected $_ci_cached_vars = array(); + /** + * List of loaded classes + * + * @var array + * @access protected + */ protected $_ci_classes = array(); + /** + * List of loaded files + * + * @var array + * @access protected + */ protected $_ci_loaded_files = array(); + /** + * List of loaded models + * + * @var array + * @access protected + */ protected $_ci_models = array(); + /** + * List of loaded helpers + * + * @var array + * @access protected + */ protected $_ci_helpers = array(); - protected $_ci_varmap = array('unit_test' => 'unit', + /** + * List of class name mappings + * + * @var array + * @access protected + */ + protected $_ci_varmap = array('unit_test' => 'unit', 'user_agent' => 'agent'); /** @@ -55,18 +128,18 @@ class CI_Loader { $this->_ci_helper_paths = array(APPPATH, BASEPATH); $this->_ci_model_paths = array(APPPATH); $this->_ci_view_paths = array(APPPATH.'views/' => TRUE); - + log_message('debug', "Loader Class Initialized"); } // -------------------------------------------------------------------- - + /** * Initialize the Loader * * This method is called once in CI_Controller. * - * @param array + * @param array * @return object */ public function initialize() @@ -101,7 +174,7 @@ class CI_Loader { { return $this->_ci_classes[$class]; } - + return FALSE; } @@ -371,6 +444,7 @@ class CI_Loader { * the controller class and its "view" files. * * @param array + * @param string * @return void */ public function vars($vars = array(), $val = '') @@ -512,6 +586,8 @@ class CI_Loader { * Loads a config file * * @param string + * @param bool + * @param bool * @return void */ public function config($file = '', $use_sections = FALSE, $fail_gracefully = FALSE) @@ -558,13 +634,13 @@ class CI_Loader { * Prepends a parent path to the library, model, helper, and config path arrays * * @param string - * @param boolean + * @param boolean * @return void */ public function add_package_path($path, $view_cascade=TRUE) { $path = rtrim($path, '/').'/'; - + array_unshift($this->_ci_library_paths, $path); array_unshift($this->_ci_model_paths, $path); array_unshift($this->_ci_helper_paths, $path); @@ -600,6 +676,7 @@ class CI_Loader { * If no path is provided, the most recently added path is removed. * * @param type + * @param bool * @return type */ public function remove_package_path($path = '', $remove_config_path = TRUE) @@ -624,7 +701,7 @@ class CI_Loader { unset($this->{$var}[$key]); } } - + if (isset($this->_ci_view_paths[$path.'views/'])) { unset($this->_ci_view_paths[$path.'views/']); @@ -663,7 +740,7 @@ class CI_Loader { { $$_ci_val = ( ! isset($_ci_data[$_ci_val])) ? FALSE : $_ci_data[$_ci_val]; } - + $file_exists = FALSE; // Set the path to the requested file @@ -685,11 +762,11 @@ class CI_Loader { $file_exists = TRUE; break; } - + if ( ! $cascade) { break; - } + } } } @@ -918,6 +995,7 @@ class CI_Loader { * * @param string * @param string + * @param bool * @param string an optional object name * @return null */ @@ -1123,6 +1201,7 @@ class CI_Loader { /** * Get a reference to a specific library or model * + * @param string * @return bool */ protected function &_ci_get_component($component) @@ -1139,6 +1218,7 @@ class CI_Loader { * This function preps the name of various items to make loading them more reliable. * * @param mixed + * @param string * @return array */ protected function _ci_prep_filename($filename, $extension) diff --git a/system/core/Model.php b/system/core/Model.php old mode 100644 new mode 100755 index 8566a0b66..e15ffbebc --- a/system/core/Model.php +++ b/system/core/Model.php @@ -42,6 +42,7 @@ class CI_Model { * Allows models to access CI's loaded classes using the same * syntax as controllers. * + * @param string * @access private */ function __get($key) -- cgit v1.2.3-24-g4f1b From 07b53422f8d61e6b0b7e6479b0de92ad1a1ce05e Mon Sep 17 00:00:00 2001 From: David Behler Date: Mon, 15 Aug 2011 00:25:06 +0200 Subject: Added some docs to CI core files --- system/core/Output.php | 61 +++++++++++++++++++++- system/core/Router.php | 46 ++++++++++++++++- system/core/Security.php | 131 +++++++++++++++++++++++++++++++---------------- system/core/URI.php | 31 +++++++++++ 4 files changed, 221 insertions(+), 48 deletions(-) mode change 100644 => 100755 system/core/Output.php mode change 100644 => 100755 system/core/Router.php mode change 100644 => 100755 system/core/Security.php mode change 100644 => 100755 system/core/URI.php (limited to 'system/core') diff --git a/system/core/Output.php b/system/core/Output.php old mode 100644 new mode 100755 index 05ace919c..ccecafd2b --- a/system/core/Output.php +++ b/system/core/Output.php @@ -28,15 +28,67 @@ */ class CI_Output { + /** + * Current output string + * + * @var string + * @access protected + */ protected $final_output; + /** + * Cache expiration time + * + * @var int + * @access protected + */ protected $cache_expiration = 0; + /** + * List of server headers + * + * @var array + * @access protected + */ protected $headers = array(); - protected $mime_types = array(); + /** + * List of mime types + * + * @var array + * @access protected + */ + protected $mime_types = array(); + /** + * Determines wether profiler is enabled + * + * @var book + * @access protected + */ protected $enable_profiler = FALSE; + /** + * Determines if output compression is enabled + * + * @var bool + * @access protected + */ protected $_zlib_oc = FALSE; + /** + * List of profiler sections + * + * @var array + * @access protected + */ protected $_profiler_sections = array(); - protected $parse_exec_vars = TRUE; // whether or not to parse variables like {elapsed_time} and {memory_usage} + /** + * Whether or not to parse variables like {elapsed_time} and {memory_usage} + * + * @var bool + * @access protected + */ + protected $parse_exec_vars = TRUE; + /** + * Constructor + * + */ function __construct() { $this->_zlib_oc = @ini_get('zlib.output_compression'); @@ -127,6 +179,7 @@ class CI_Output { * * @access public * @param string + * @param bool * @return void */ function set_header($header, $replace = TRUE) @@ -265,6 +318,7 @@ class CI_Output { * benchmark timer so the page rendering speed and memory usage can be shown. * * @access public + * @param string * @return mixed */ function _display($output = '') @@ -401,6 +455,7 @@ class CI_Output { * Write a Cache File * * @access public + * @param string * @return void */ function _write_cache($output) @@ -452,6 +507,8 @@ class CI_Output { * Update/serve a cached file * * @access public + * @param object config class + * @param object uri class * @return void */ function _display_cache(&$CFG, &$URI) diff --git a/system/core/Router.php b/system/core/Router.php old mode 100644 new mode 100755 index 668ac0954..6da667472 --- a/system/core/Router.php +++ b/system/core/Router.php @@ -28,12 +28,54 @@ */ class CI_Router { + /** + * Config class + * + * @var object + * @access public + */ var $config; + /** + * List of routes + * + * @var array + * @access public + */ var $routes = array(); + /** + * List of error routes + * + * @var array + * @access public + */ var $error_routes = array(); + /** + * Current class name + * + * @var string + * @access public + */ var $class = ''; + /** + * Current method name + * + * @var string + * @access public + */ var $method = 'index'; + /** + * Sub-directory that contains the requested controller class + * + * @var string + * @access public + */ var $directory = ''; + /** + * Default controller (and method if specific) + * + * @var string + * @access public + */ var $default_controller; /** @@ -95,7 +137,7 @@ class CI_Router { { include(APPPATH.'config/routes.php'); } - + $this->routes = ( ! isset($route) OR ! is_array($route)) ? array() : $route; unset($route); @@ -251,7 +293,7 @@ class CI_Router { $this->set_directory(''); $this->set_class($x[0]); $this->set_method(isset($x[1]) ? $x[1] : 'index'); - + return $x; } else diff --git a/system/core/Security.php b/system/core/Security.php old mode 100644 new mode 100755 index 3617cadcc..dcc680a11 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -25,14 +25,49 @@ * @link http://codeigniter.com/user_guide/libraries/security.html */ class CI_Security { - + + /** + * Random Hash for protecting URLs + * + * @var string + * @access protected + */ protected $_xss_hash = ''; + /** + * Random Hash for Cross Site Request Forgery Protection Cookie + * + * @var string + * @access protected + */ protected $_csrf_hash = ''; - protected $_csrf_expire = 7200; // Two hours (in seconds) + /** + * Expiration time for Cross Site Request Forgery Protection Cookie + * Defaults to two hours (in seconds) + * + * @var int + * @access protected + */ + protected $_csrf_expire = 7200; + /** + * Token name for Cross Site Request Forgery Protection Cookie + * + * @var string + * @access protected + */ protected $_csrf_token_name = 'ci_csrf_token'; + /** + * Cookie name for Cross Site Request Forgery Protection Cookie + * + * @var string + * @access protected + */ protected $_csrf_cookie_name = 'ci_csrf_token'; - - /* never allowed, string replacement */ + /** + * List of never allowed strings + * + * @var array + * @access protected + */ protected $_never_allowed_str = array( 'document.cookie' => '[removed]', 'document.write' => '[removed]', @@ -46,13 +81,19 @@ class CI_Security { ); /* never allowed, regex replacement */ + /** + * List of never allowed regex replacement + * + * @var array + * @access protected + */ protected $_never_allowed_regex = array( "javascript\s*:" => '[removed]', "expression\s*(\(|&\#40;)" => '[removed]', // CSS and IE "vbscript\s*:" => '[removed]', // IE, surprise! "Redirect\s+302" => '[removed]' ); - + /** * Constructor */ @@ -95,7 +136,7 @@ class CI_Security { } // Do the tokens exist in both the _POST and _COOKIE arrays? - if ( ! isset($_POST[$this->_csrf_token_name]) OR + if ( ! isset($_POST[$this->_csrf_token_name]) OR ! isset($_COOKIE[$this->_csrf_cookie_name])) { $this->csrf_show_error(); @@ -107,7 +148,7 @@ class CI_Security { $this->csrf_show_error(); } - // We kill this since we're done and we don't want to + // We kill this since we're done and we don't want to // polute the _POST array unset($_POST[$this->_csrf_token_name]); @@ -117,7 +158,7 @@ class CI_Security { $this->csrf_set_cookie(); log_message('debug', "CSRF token verified "); - + return $this; } @@ -146,7 +187,7 @@ class CI_Security { setcookie($this->_csrf_cookie_name, $this->_csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), $secure_cookie); log_message('debug', "CRSF cookie Set"); - + return $this; } @@ -165,9 +206,9 @@ class CI_Security { // -------------------------------------------------------------------- /** - * Get CSRF Hash + * Get CSRF Hash * - * Getter Method + * Getter Method * * @return string self::_csrf_hash */ @@ -215,6 +256,7 @@ class CI_Security { * http://ha.ckers.org/xss.html * * @param mixed string or array + * @param bool * @return string */ public function xss_clean($str, $is_image = FALSE) @@ -263,7 +305,7 @@ class CI_Security { */ $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - + $str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_decode_entity'), $str); /* @@ -276,7 +318,7 @@ class CI_Security { * * This prevents strings like this: ja vascript * NOTE: we deal with spaces between characters later. - * NOTE: preg_replace was found to be amazingly slow here on + * NOTE: preg_replace was found to be amazingly slow here on * large blocks of data, so we use str_replace. */ @@ -304,8 +346,8 @@ class CI_Security { */ if ($is_image === TRUE) { - // Images have a tendency to have the PHP short opening and - // closing tags every so often so we skip those and only + // Images have a tendency to have the PHP short opening and + // closing tags every so often so we skip those and only // do the long opening tags. $str = preg_replace('/<\?(php)/i', "<?\\1", $str); } @@ -321,10 +363,10 @@ class CI_Security { * These words are compacted back to their correct state. */ $words = array( - 'javascript', 'expression', 'vbscript', 'script', + 'javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window' ); - + foreach ($words as $word) { $temp = ''; @@ -341,8 +383,8 @@ class CI_Security { /* * Remove disallowed Javascript in links or img tags - * We used to do some version comparisons and use of stripos for PHP5, - * but it is dog slow compared to these simplified non-capturing + * We used to do some version comparisons and use of stripos for PHP5, + * but it is dog slow compared to these simplified non-capturing * preg_match(), especially if the pattern exists in the string */ do @@ -405,11 +447,11 @@ class CI_Security { /* * Images are Handled in a Special Way - * - Essentially, we want to know that after all of the character - * conversion is done whether any unwanted, likely XSS, code was found. + * - Essentially, we want to know that after all of the character + * conversion is done whether any unwanted, likely XSS, code was found. * If not, we return TRUE, as the image is clean. - * However, if the string post-conversion does not matched the - * string post-removal of XSS, then it fails, as there was unwanted XSS + * However, if the string post-conversion does not matched the + * string post-removal of XSS, then it fails, as there was unwanted XSS * code found and removed/changed during processing. */ @@ -478,7 +520,7 @@ class CI_Security { // correctly. html_entity_decode() does not convert entities without // semicolons, so we are left with our own little solution here. Bummer. - if (function_exists('html_entity_decode') && + if (function_exists('html_entity_decode') && (strtolower($charset) != 'utf-8')) { $str = html_entity_decode($str, ENT_COMPAT, $charset); @@ -505,6 +547,7 @@ class CI_Security { * Filename Security * * @param string + * @param bool * @return string */ public function sanitize_filename($str, $relative_path = FALSE) @@ -542,7 +585,7 @@ class CI_Security { "%3b", // ; "%3d" // = ); - + if ( ! $relative_path) { $bad[] = './'; @@ -570,7 +613,7 @@ class CI_Security { } // -------------------------------------------------------------------- - + /* * Remove Evil HTML Attributes (like evenhandlers and style) * @@ -578,7 +621,7 @@ class CI_Security { * - Everything up until a space * For example, everything between the pipes: * - * - Everything inside the quotes + * - Everything inside the quotes * For example, everything between the pipes: * * @@ -594,12 +637,12 @@ class CI_Security { if ($is_image === TRUE) { /* - * Adobe Photoshop puts XML metadata into JFIF images, + * Adobe Photoshop puts XML metadata into JFIF images, * including namespacing, so we have to allow this for images. */ unset($evil_attributes[array_search('xmlns', $evil_attributes)]); } - + do { $str = preg_replace( "#<(/?[^><]+?)([^A-Za-z\-])(".implode('|', $evil_attributes).")(\s*=\s*)([\"][^>]*?[\"]|[\'][^>]*?[\']|[^>]*?)([\s><])([><]*)#i", @@ -607,10 +650,10 @@ class CI_Security { $str, -1, $count ); } while ($count); - + return $str; } - + // -------------------------------------------------------------------- /** @@ -627,7 +670,7 @@ class CI_Security { $str = '<'.$matches[1].$matches[2].$matches[3]; // encode captured opening or closing brace to prevent recursive vectors - $str .= str_replace(array('>', '<'), array('>', '<'), + $str .= str_replace(array('>', '<'), array('>', '<'), $matches[4]); return $str; @@ -649,7 +692,7 @@ class CI_Security { protected function _js_link_removal($match) { $attributes = $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])); - + return str_replace($match[1], preg_replace("#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])); - + return str_replace($match[1], preg_replace("#src=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|xss_hash()."\\1=\\2", $str); /* @@ -769,7 +812,7 @@ class CI_Security { * Un-Protect GET variables in URLs */ $str = str_replace($this->xss_hash(), '&', $str); - + return $str; } @@ -794,7 +837,7 @@ class CI_Security { { $str = preg_replace("#".$key."#i", $val, $str); } - + return $str; } @@ -809,16 +852,16 @@ class CI_Security { { if ($this->_csrf_hash == '') { - // If the cookie exists we will use it's value. + // If the cookie exists we will use it's value. // We don't necessarily want to regenerate it with - // each page load since a page could contain embedded + // each page load since a page could contain embedded // sub-pages causing this feature to fail - if (isset($_COOKIE[$this->_csrf_cookie_name]) && + if (isset($_COOKIE[$this->_csrf_cookie_name]) && $_COOKIE[$this->_csrf_cookie_name] != '') { return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name]; } - + return $this->_csrf_hash = md5(uniqid(rand(), TRUE)); } diff --git a/system/core/URI.php b/system/core/URI.php old mode 100644 new mode 100755 index d56548654..10b0b7fa3 --- a/system/core/URI.php +++ b/system/core/URI.php @@ -28,9 +28,34 @@ */ class CI_URI { + /** + * List of cached uri segments + * + * @var array + * @access public + */ var $keyval = array(); + /** + * Current uri string + * + * @var string + * @access public + */ var $uri_string; + /** + * List of uri segments + * + * @var array + * @access public + */ var $segments = array(); + /** + * Re-indexed list of uri segments + * Starts at 1 instead of 0 + * + * @var array + * @access public + */ var $rsegments = array(); /** @@ -127,6 +152,7 @@ class CI_URI { * Set the URI String * * @access public + * @param string * @return string */ function _set_uri_string($str) @@ -366,6 +392,11 @@ class CI_URI { /** * Identical to above only it uses the re-routed segment array * + * @access public + * @param integer the starting segment number + * @param array an array of default values + * @return array + * */ function ruri_to_assoc($n = 3, $default = array()) { -- cgit v1.2.3-24-g4f1b From e8349294d8638dac1e689d137188bb7c7c7c19c5 Mon Sep 17 00:00:00 2001 From: Tom Klingenberg Date: Fri, 7 Oct 2011 20:03:30 +0200 Subject: CI_Loader::driver() processes empty library. Fixed. This causes endless recursion calls _ci_load_class(), see #550 --- system/core/Loader.php | 5 +++++ 1 file changed, 5 insertions(+) mode change 100755 => 100644 system/core/Loader.php (limited to 'system/core') diff --git a/system/core/Loader.php b/system/core/Loader.php old mode 100755 new mode 100644 index e7fa3d3f6..6b7ee0c28 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -616,6 +616,11 @@ class CI_Loader { require BASEPATH.'libraries/Driver.php'; } + if ($library == '') + { + return FALSE; + } + // We can save the loader some time since Drivers will *always* be in a subfolder, // and typically identically named to the library if ( ! strpos($library, '/')) -- cgit v1.2.3-24-g4f1b From 75b1f3991013c17cacac18e47879c483fe1cf542 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 20 Oct 2011 10:11:59 +0300 Subject: get_magic_quotes_gpc() to be executed only if PHP version is 5.3 or lower --- system/core/Input.php | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'system/core') diff --git a/system/core/Input.php b/system/core/Input.php index 5a033e7b8..9bfb5f1fb 100755 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -548,8 +548,12 @@ class CI_Input { return $new_array; } - // We strip slashes if magic quotes is on to keep things consistent - if (function_exists('get_magic_quotes_gpc') AND get_magic_quotes_gpc()) + /* We strip slashes if magic quotes is on to keep things consistent + + NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and + it will probably not exist in future versions at all. + */ + if ( ! is_php('5.4') && get_magic_quotes_gpc()) { $str = stripslashes($str); } @@ -714,7 +718,6 @@ class CI_Input { } } -// END Input class /* End of file Input.php */ -/* Location: ./system/core/Input.php */ +/* Location: ./system/core/Input.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 9c63d0bb34be4007178d5a7e46348d5e23fee3ff Mon Sep 17 00:00:00 2001 From: Phil Sturgeon Date: Thu, 27 Oct 2011 01:55:44 +0100 Subject: Bumped CodeIgniter version to 2.1.0. --- system/core/CodeIgniter.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core') diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 0a1391d18..d9977e1ca 100755 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -39,7 +39,7 @@ * @var string * */ - define('CI_VERSION', '2.0.2'); + define('CI_VERSION', '2.1.0'); /** * CodeIgniter Branch (Core = TRUE, Reactor = FALSE) -- cgit v1.2.3-24-g4f1b From 55027807e4826dfe722598172ab7ffbd9dc0b48c Mon Sep 17 00:00:00 2001 From: kenjis Date: Thu, 25 Aug 2011 10:51:44 +0900 Subject: add html_escape() function to escape HTML. --- system/core/Common.php | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'system/core') diff --git a/system/core/Common.php b/system/core/Common.php index db9fbeb9f..3d6931bc0 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -536,5 +536,29 @@ if ( ! function_exists('remove_invisible_characters')) } } +// ------------------------------------------------------------------------ + +/** +* Returns HTML escaped variable +* +* @access public +* @param mixed +* @return mixed +*/ +if ( ! function_exists('html_escape')) +{ + function html_escape($var) + { + if (is_array($var)) + { + return array_map('html_escape', $var); + } + else + { + return htmlspecialchars($var, ENT_QUOTES, config_item('charset')); + } + } +} + /* End of file Common.php */ /* Location: ./system/core/Common.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 8d0a31314fbf8040cce5d7601a12fffe208ae884 Mon Sep 17 00:00:00 2001 From: Shane Pearson Date: Mon, 22 Aug 2011 16:11:20 -0500 Subject: Fix #8 - Load core classes from the application folder first. --- system/core/Common.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'system/core') diff --git a/system/core/Common.php b/system/core/Common.php index 3d6931bc0..d79375475 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -132,9 +132,9 @@ if ( ! function_exists('load_class')) $name = FALSE; - // Look for the class first in the native system/libraries folder - // thenin the local application/libraries folder - foreach (array(BASEPATH, APPPATH) as $path) + // Look for the class first in the local application/libraries folder + // then in the native system/libraries folder + foreach (array(APPPATH, BASEPATH) as $path) { if (file_exists($path.$directory.'/'.$class.'.php')) { -- cgit v1.2.3-24-g4f1b From fbcf88b9687ed25c71f0036112f9a120a7623302 Mon Sep 17 00:00:00 2001 From: Pascal Kriete Date: Mon, 14 Nov 2011 13:39:37 -0500 Subject: Removing stray docblocks --- system/core/CodeIgniter.php | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'system/core') diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index d9977e1ca..db1aee574 100755 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -33,12 +33,6 @@ * @var string * */ - /** - * CodeIgniter Version - * - * @var string - * - */ define('CI_VERSION', '2.1.0'); /** @@ -47,12 +41,6 @@ * @var boolean * */ - /** - * CodeIgniter Branch (Core = TRUE, Reactor = FALSE) - * - * @var string - * - */ define('CI_CORE', FALSE); /* -- cgit v1.2.3-24-g4f1b From c38e3b672335e3a00d68decf2b629a0afc7c769d Mon Sep 17 00:00:00 2001 From: Pascal Kriete Date: Mon, 14 Nov 2011 13:55:00 -0500 Subject: Tweaking the xss filter for IE tags, parameter injection, and weird html5 attributes. --- system/core/Security.php | 91 ++++++++++++++++++++++-------------------------- 1 file changed, 41 insertions(+), 50 deletions(-) (limited to 'system/core') diff --git a/system/core/Security.php b/system/core/Security.php index dcc680a11..a3e227437 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -77,7 +77,8 @@ class CI_Security { '-moz-binding' => '[removed]', '' => '-->', - ' '<![CDATA[' + ' '<![CDATA[', + '' => '<comment>' ); /* never allowed, regex replacement */ @@ -475,15 +476,7 @@ class CI_Security { { if ($this->_xss_hash == '') { - if (phpversion() >= 4.2) - { - mt_srand(); - } - else - { - mt_srand(hexdec(substr(md5(microtime()), -8)) & 0x7fffffff); - } - + mt_srand(); $this->_xss_hash = md5(time() + mt_rand(0, 1999999999)); } @@ -497,14 +490,11 @@ class CI_Security { * * This function is a replacement for html_entity_decode() * - * In some versions of PHP the native function does not work - * when UTF-8 is the specified character set, so this gives us - * a work-around. More info here: - * http://bugs.php.net/bug.php?id=25670 - * - * NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the - * character set, and the PHP developers said they were not back porting the - * fix to versions other than PHP 5.x. + * The reason we are not using html_entity_decode() by itself is because + * while it is not technically correct to leave out the semicolon + * at the end of an entity most browsers will still interpret the entity + * correctly. html_entity_decode() does not convert entities without + * semicolons, so we are left with our own little solution here. Bummer. * * @param string * @param string @@ -512,33 +502,14 @@ class CI_Security { */ public function entity_decode($str, $charset='UTF-8') { - if (stristr($str, '&') === FALSE) return $str; - - // The reason we are not using html_entity_decode() by itself is because - // while it is not technically correct to leave out the semicolon - // at the end of an entity most browsers will still interpret the entity - // correctly. html_entity_decode() does not convert entities without - // semicolons, so we are left with our own little solution here. Bummer. - - if (function_exists('html_entity_decode') && - (strtolower($charset) != 'utf-8')) - { - $str = html_entity_decode($str, ENT_COMPAT, $charset); - $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str); - return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str); - } - - // Numeric Entities - $str = preg_replace('~&#x(0*[0-9a-f]{2,5});{0,1}~ei', 'chr(hexdec("\\1"))', $str); - $str = preg_replace('~&#([0-9]{2,4});{0,1}~e', 'chr(\\1)', $str); - - // Literal Entities - Slightly slow so we do another check if (stristr($str, '&') === FALSE) { - $str = strtr($str, array_flip(get_html_translation_table(HTML_ENTITIES))); + return $str; } - return $str; + $str = html_entity_decode($str, ENT_COMPAT, $charset); + $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str); + return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str); } // -------------------------------------------------------------------- @@ -632,25 +603,45 @@ class CI_Security { protected function _remove_evil_attributes($str, $is_image) { // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns - $evil_attributes = array('on\w*', 'style', 'xmlns'); + $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction'); if ($is_image === TRUE) { /* - * Adobe Photoshop puts XML metadata into JFIF images, + * Adobe Photoshop puts XML metadata into JFIF images, * including namespacing, so we have to allow this for images. */ unset($evil_attributes[array_search('xmlns', $evil_attributes)]); } - + do { - $str = preg_replace( - "#<(/?[^><]+?)([^A-Za-z\-])(".implode('|', $evil_attributes).")(\s*=\s*)([\"][^>]*?[\"]|[\'][^>]*?[\']|[^>]*?)([\s><])([><]*)#i", - "<$1$6", - $str, -1, $count - ); - } while ($count); + $count = 0; + $attribs = array(); + + // find occurrences of illegal attribute strings without quotes + preg_match_all("/(".implode('|', $evil_attributes).")\s*=\s*([^\s]*)/is", $str, $matches, PREG_SET_ORDER); + + foreach ($matches as $attr) + { + $attribs[] = preg_quote($attr[0], '/'); + } + + // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) + preg_match_all("/(".implode('|', $evil_attributes).")\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is", $str, $matches, PREG_SET_ORDER); + foreach ($matches as $attr) + { + $attribs[] = preg_quote($attr[0], '/'); + } + + // replace illegal attribute strings that are inside an html tag + if (count($attribs) > 0) + { + $str = preg_replace("/<(\/?[^><]+?)([^A-Za-z\-])(".implode('|', $attribs).")([\s><])([><]*)/i", '<$1$2$4$5', $str, -1, $count); + } + + } while ($count); + return $str; } -- cgit v1.2.3-24-g4f1b