From d45180cb98cd987e2d5cce57a7965a87ee2aed7b Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 15 Aug 2015 09:09:38 +0300 Subject: Fix #4056 --- system/core/Input.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Input.php b/system/core/Input.php index e1319be8d..d896495e9 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -803,7 +803,7 @@ class CI_Input { if ( ! isset($headers)) { - empty($this->headers) OR $this->request_headers(); + empty($this->headers) && $this->request_headers(); foreach ($this->headers as $key => $value) { $headers[strtolower($key)] = $value; -- cgit v1.2.3-24-g4f1b From 825fab7370a28b6c05da126842dd8df25e51e026 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 17 Aug 2015 09:52:42 +0300 Subject: Allow capitals in the middle of model names Requested in #4059 --- system/core/Loader.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Loader.php b/system/core/Loader.php index 5de7a9483..18e4c5287 100644 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -290,7 +290,7 @@ class CI_Loader { load_class('Model', 'core'); } - $model = ucfirst(strtolower($model)); + $model = ucfirst($model); if ( ! class_exists($model)) { foreach ($this->_ci_model_paths as $mod_path) -- cgit v1.2.3-24-g4f1b From eb492589cb6ba0faaadadebe2a5cd333de80b6c4 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 19 Aug 2015 11:16:52 +0300 Subject: [ci skip] Fix 'sqlsrv' connect failure endless loop Reported via the forums: http://forum.codeigniter.com/thread-61494.html --- system/database/drivers/sqlsrv/sqlsrv_driver.php | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'system') diff --git a/system/database/drivers/sqlsrv/sqlsrv_driver.php b/system/database/drivers/sqlsrv/sqlsrv_driver.php index 16f77fab2..8d383b274 100644 --- a/system/database/drivers/sqlsrv/sqlsrv_driver.php +++ b/system/database/drivers/sqlsrv/sqlsrv_driver.php @@ -141,13 +141,14 @@ class CI_DB_sqlsrv_driver extends CI_DB { unset($connection['UID'], $connection['PWD']); } - $this->conn_id = sqlsrv_connect($this->hostname, $connection); - - // Determine how identifiers are escaped - $query = $this->query('SELECT CASE WHEN (@@OPTIONS | 256) = @@OPTIONS THEN 1 ELSE 0 END AS qi'); - $query = $query->row_array(); - $this->_quoted_identifier = empty($query) ? FALSE : (bool) $query['qi']; - $this->_escape_char = ($this->_quoted_identifier) ? '"' : array('[', ']'); + if (FALSE !== ($this->conn_id = sqlsrv_connect($this->hostname, $connection))) + { + // Determine how identifiers are escaped + $query = $this->query('SELECT CASE WHEN (@@OPTIONS | 256) = @@OPTIONS THEN 1 ELSE 0 END AS qi'); + $query = $query->row_array(); + $this->_quoted_identifier = empty($query) ? FALSE : (bool) $query['qi']; + $this->_escape_char = ($this->_quoted_identifier) ? '"' : array('[', ']'); + } return $this->conn_id; } -- cgit v1.2.3-24-g4f1b From be178a79382cae5079622396f8f9679a15e0f58b Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 20 Aug 2015 13:23:21 +0300 Subject: Fix #4065 --- system/database/DB_driver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index 34d3a5979..9c4d7e007 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -1760,7 +1760,7 @@ abstract class CI_DB_driver { } // Convert tabs or multiple spaces into single spaces - $item = preg_replace('/\s+/', ' ', $item); + $item = preg_replace('/\s+/', ' ', trim($item)); // If the item has an alias declaration we remove it and set it aside. // Note: strripos() is used in order to support spaces in table names -- cgit v1.2.3-24-g4f1b From 24a4a6ac476b0ca1d47d01fdb8f2b3a6e7b39c24 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 31 Aug 2015 15:11:47 +0300 Subject: Fix #4066 --- system/libraries/Cache/drivers/Cache_memcached.php | 10 ++-------- system/libraries/Cache/drivers/Cache_redis.php | 14 ++++---------- 2 files changed, 6 insertions(+), 18 deletions(-) (limited to 'system') diff --git a/system/libraries/Cache/drivers/Cache_memcached.php b/system/libraries/Cache/drivers/Cache_memcached.php index 111e2109d..59cf4685d 100644 --- a/system/libraries/Cache/drivers/Cache_memcached.php +++ b/system/libraries/Cache/drivers/Cache_memcached.php @@ -106,7 +106,7 @@ class CI_Cache_memcached extends CI_Driver { } else { - throw new RuntimeException('Cache: Failed to create Memcache(d) object; extension not loaded?'); + log_message('error', 'Cache: Failed to create Memcache(d) object; extension not loaded?'); } foreach ($this->_memcache_conf as $cache_server) @@ -284,12 +284,6 @@ class CI_Cache_memcached extends CI_Driver { */ public function is_supported() { - if ( ! extension_loaded('memcached') && ! extension_loaded('memcache')) - { - log_message('debug', 'The Memcached Extension must be loaded to use Memcached Cache.'); - return FALSE; - } - - return TRUE; + return (extension_loaded('memcached') OR extension_loaded('memcache')); } } diff --git a/system/libraries/Cache/drivers/Cache_redis.php b/system/libraries/Cache/drivers/Cache_redis.php index d7dca1973..2825acfd3 100644 --- a/system/libraries/Cache/drivers/Cache_redis.php +++ b/system/libraries/Cache/drivers/Cache_redis.php @@ -115,17 +115,17 @@ class CI_Cache_redis extends CI_Driver if ( ! $success) { - throw new RuntimeException('Cache: Redis connection failed. Check your configuration.'); + log_message('error', 'Cache: Redis connection failed. Check your configuration.'); } } catch (RedisException $e) { - throw new RuntimeException('Cache: Redis connection refused ('.$e->getMessage().')'); + log_message('error', 'Cache: Redis connection refused ('.$e->getMessage().')'); } if (isset($config['password']) && ! $this->_redis->auth($config['password'])) { - throw new RuntimeException('Cache: Redis authentication failed.'); + log_message('error', 'Cache: Redis authentication failed.'); } // Initialize the index of serialized values. @@ -298,13 +298,7 @@ class CI_Cache_redis extends CI_Driver */ public function is_supported() { - if ( ! extension_loaded('redis')) - { - log_message('debug', 'The Redis extension must be loaded to use Redis cache.'); - return FALSE; - } - - return TRUE; + return extension_loaded('redis'); } // ------------------------------------------------------------------------ -- cgit v1.2.3-24-g4f1b From 8e138eced12fa88da721cc9b840fe4aa02c9e031 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 31 Aug 2015 15:23:42 +0300 Subject: Fix #4073 --- system/libraries/Email.php | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) (limited to 'system') diff --git a/system/libraries/Email.php b/system/libraries/Email.php index 459c8f590..acf3629c3 100644 --- a/system/libraries/Email.php +++ b/system/libraries/Email.php @@ -1869,20 +1869,26 @@ class CI_Email { return FALSE; } - $this->_send_command('from', $this->clean_email($this->_headers['From'])); + if ( ! $this->_send_command('from', $this->clean_email($this->_headers['From']))) + { + return FALSE; + } foreach ($this->_recipients as $val) { - $this->_send_command('to', $val); + if ( ! $this->_send_command('to', $val)) + { + return FALSE; + } } if (count($this->_cc_array) > 0) { foreach ($this->_cc_array as $val) { - if ($val !== '') + if ($val !== '' && ! $this->_send_command('to', $val)) { - $this->_send_command('to', $val); + return FALSE; } } } @@ -1891,14 +1897,17 @@ class CI_Email { { foreach ($this->_bcc_array as $val) { - if ($val !== '') + if ($val !== '' && ! $this->_send_command('to', $val)) { - $this->_send_command('to', $val); + return FALSE; } } } - $this->_send_command('data'); + if ( ! $this->_send_command('data')) + { + return FALSE; + } // perform dot transformation on any lines that begin with a dot $this->_send_data($this->_header_str.preg_replace('/^\./m', '..$1', $this->_finalbody)); -- cgit v1.2.3-24-g4f1b From 348a2d445b9d059aab4f5113a380f05eb2cd92d9 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 31 Aug 2015 17:39:04 +0300 Subject: Fix #4086 --- system/database/DB_driver.php | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'system') diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index 9c4d7e007..2fb70ac58 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -1,4 +1,4 @@ -_like_escape_str, $this->_like_escape_chr)), '/') : ''; $_operators = array( - '\s*(?:<|>|!)?=\s*', // =, <=, >=, != - '\s*<>?\s*', // <, <> - '\s*>\s*', // > - '\s+IS NULL', // IS NULL - '\s+IS NOT NULL', // IS NOT NULL - '\s+EXISTS\s*\([^\)]+\)', // EXISTS(sql) - '\s+NOT EXISTS\s*\([^\)]+\)', // NOT EXISTS(sql) - '\s+BETWEEN\s+\S+\s+AND\s+\S+', // BETWEEN value AND value - '\s+IN\s*\([^\)]+\)', // IN(list) - '\s+NOT IN\s*\([^\)]+\)', // NOT IN (list) - '\s+LIKE\s+\S+'.$_les, // LIKE 'expr'[ ESCAPE '%s'] - '\s+NOT LIKE\s+\S+'.$_les // NOT LIKE 'expr'[ ESCAPE '%s'] + '\s*(?:<|>|!)?=\s*', // =, <=, >=, != + '\s*<>?\s*', // <, <> + '\s*>\s*', // > + '\s+IS NULL', // IS NULL + '\s+IS NOT NULL', // IS NOT NULL + '\s+EXISTS\s*\([^\)]+\)', // EXISTS(sql) + '\s+NOT EXISTS\s*\([^\)]+\)', // NOT EXISTS(sql) + '\s+BETWEEN\s+\S+\s+AND\s+\S+', // BETWEEN value AND value + '\s+IN\s*\([^\)]+\)', // IN(list) + '\s+NOT IN\s*\([^\)]+\)', // NOT IN (list) + '\s+LIKE\s+\S.*('.$_les.')?', // LIKE 'expr'[ ESCAPE '%s'] + '\s+NOT LIKE\s+\S.*('.$_les.')?' // NOT LIKE 'expr'[ ESCAPE '%s'] ); } -- cgit v1.2.3-24-g4f1b From 4dac6ebaf363c60b2c1413db11f0dcd862177fa1 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 31 Aug 2015 17:52:27 +0300 Subject: [ci skip] Fix #4091 --- system/libraries/Cache/drivers/Cache_file.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/libraries/Cache/drivers/Cache_file.php b/system/libraries/Cache/drivers/Cache_file.php index 68bc1ec96..c046f3b7d 100644 --- a/system/libraries/Cache/drivers/Cache_file.php +++ b/system/libraries/Cache/drivers/Cache_file.php @@ -267,7 +267,7 @@ class CI_Cache_file extends CI_Driver { */ protected function _get($id) { - if ( ! file_exists($this->_cache_path.$id)) + if ( ! is_file($this->_cache_path.$id)) { return FALSE; } -- cgit v1.2.3-24-g4f1b From 89726cd625e57103890fff3c556578586be825b6 Mon Sep 17 00:00:00 2001 From: Marco Monteiro Date: Tue, 1 Sep 2015 09:50:21 +0100 Subject: There was an extra = sign in this file --- system/database/DB_driver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index 2fb70ac58..0c2e49974 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -1,4 +1,4 @@ -= Date: Tue, 1 Sep 2015 13:51:26 +0300 Subject: Fix #4093 --- system/database/DB_query_builder.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/database/DB_query_builder.php b/system/database/DB_query_builder.php index 7f3334763..cf1100d27 100644 --- a/system/database/DB_query_builder.php +++ b/system/database/DB_query_builder.php @@ -2342,7 +2342,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { // Split multiple conditions $conditions = preg_split( - '/((^|\s+)AND\s+|(^|\s+)OR\s+)/i', + '/((?:^|\s+)AND\s+|(?:^|\s+)OR\s+)/i', $this->{$qb_key}[$i]['condition'], -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY -- cgit v1.2.3-24-g4f1b From 0d0c53c50ccf34a216b19e90d2dc6adc51436f44 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 3 Sep 2015 11:23:44 +0300 Subject: Fix #4096 --- system/database/DB_driver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index 0c2e49974..fe0cd7d32 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -1487,7 +1487,7 @@ abstract class CI_DB_driver { '\s+IS NOT NULL', // IS NOT NULL '\s+EXISTS\s*\([^\)]+\)', // EXISTS(sql) '\s+NOT EXISTS\s*\([^\)]+\)', // NOT EXISTS(sql) - '\s+BETWEEN\s+\S+\s+AND\s+\S+', // BETWEEN value AND value + '\s+BETWEEN\s+', // BETWEEN value AND value '\s+IN\s*\([^\)]+\)', // IN(list) '\s+NOT IN\s*\([^\)]+\)', // NOT IN (list) '\s+LIKE\s+\S.*('.$_les.')?', // LIKE 'expr'[ ESCAPE '%s'] -- cgit v1.2.3-24-g4f1b From dd28a888e8d9934260b14d0b7601da375fe75b8d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 7 Sep 2015 16:03:05 +0300 Subject: Move csrf_verify() call out of _sanitize_globals() It doesn't belong in there. --- system/core/Input.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'system') diff --git a/system/core/Input.php b/system/core/Input.php index d896495e9..67a495e74 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -153,6 +153,12 @@ class CI_Input { // Sanitize global arrays $this->_sanitize_globals(); + // CSRF Protection check + if ($this->_enable_csrf === TRUE && ! is_cli()) + { + $this->security->csrf_verify(); + } + log_message('info', 'Input Class Initialized'); } @@ -647,12 +653,6 @@ class CI_Input { // Sanitize PHP_SELF $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); - // CSRF Protection check - if ($this->_enable_csrf === TRUE && ! is_cli()) - { - $this->security->csrf_verify(); - } - log_message('debug', 'Global POST, GET and COOKIE data sanitized'); } -- cgit v1.2.3-24-g4f1b From e70238e8acd4ebdf1a3e30d63e8ffb1a46ab6d15 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 7 Sep 2015 16:07:45 +0300 Subject: Remove unnecessary count() calls from _sanitize_globals() foreach() just won't execute for an empty array, it does that check internally. --- system/core/Input.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'system') diff --git a/system/core/Input.php b/system/core/Input.php index 67a495e74..4e7a4e95e 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -606,7 +606,7 @@ class CI_Input { { $_GET = array(); } - elseif (is_array($_GET) && count($_GET) > 0) + elseif (is_array($_GET)) { foreach ($_GET as $key => $val) { @@ -615,7 +615,7 @@ class CI_Input { } // Clean $_POST Data - if (is_array($_POST) && count($_POST) > 0) + if (is_array($_POST)) { foreach ($_POST as $key => $val) { @@ -624,7 +624,7 @@ class CI_Input { } // Clean $_COOKIE Data - if (is_array($_COOKIE) && count($_COOKIE) > 0) + if (is_array($_COOKIE)) { // Also get rid of specially treated cookies that might be set by a server // or silly application, that are of no use to a CI application anyway -- cgit v1.2.3-24-g4f1b From 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 10 Sep 2015 12:44:50 +0300 Subject: Fix #4106 --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 7c5199255..8ca66d297 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -787,11 +787,11 @@ class CI_Security { $count = $temp_count = 0; // replace occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - $str = preg_replace('/(<[^>]+)(?]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?]+)(?]*)/is', '$1[removed]', $str, -1, $temp_count); + $str = preg_replace('/<([^>]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?]*)/is', '<$1[removed]', $str, -1, $temp_count); $count += $temp_count; } while ($count); -- cgit v1.2.3-24-g4f1b From cc9363541a461fbf52c9892d35d1183a379253e3 Mon Sep 17 00:00:00 2001 From: rich Date: Wed, 9 Sep 2015 15:52:26 -0400 Subject: Change form validation library to allow the pipe character within square brackets --- system/libraries/Form_validation.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php index d9ecc45f9..af90316a4 100644 --- a/system/libraries/Form_validation.php +++ b/system/libraries/Form_validation.php @@ -211,7 +211,7 @@ class CI_Form_validation { return $this; } - $rules = explode('|', $rules); + $rules = preg_split('/\|(?![^\[]*\])/', $rules); } // If the field label wasn't passed we use the field name -- cgit v1.2.3-24-g4f1b From abc6006884658acb4e2302460f87e2f89a5a7e80 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 10 Sep 2015 16:36:22 +0300 Subject: Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 8ca66d297..e4bd327b5 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -787,11 +787,11 @@ class CI_Security { $count = $temp_count = 0; // replace occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - $str = preg_replace('/<([^>]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?]+(((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=\047))[^>]*)*)(?]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?]*)/is', '<$1[removed]', $str, -1, $temp_count); + $str = preg_replace('/<([^>]+(((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=\047))[^>]*)*)(?]*)/is', '<$1[removed]', $str, -1, $temp_count); $count += $temp_count; } while ($count); -- cgit v1.2.3-24-g4f1b From 12023a79b0c3b45f68cce0357e3009c5884da663 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 10 Sep 2015 18:00:57 +0300 Subject: Last commit didn't adjust a RE index --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index e4bd327b5..1bc228a11 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -787,7 +787,7 @@ class CI_Security { $count = $temp_count = 0; // replace occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - $str = preg_replace('/<([^>]+(((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=\047))[^>]*)*)(?]+(((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=\047))[^>]*)*)(? Date: Fri, 11 Sep 2015 13:59:40 +0300 Subject: Replace the latest XSS patches This one fixes yet another issue, is cleaner and faster. --- system/core/Security.php | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 1bc228a11..829aac7d2 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -783,16 +783,28 @@ class CI_Security { unset($evil_attributes[array_search('xmlns', $evil_attributes)]); } - do { - $count = $temp_count = 0; - - // replace occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - $str = preg_replace('/<([^>]+(((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=\047))[^>]*)*)(?a-z0-9])' // tag start and name, followed by a non-tag character + // optional attributes + .'([\s\042\047/=]+' // non-attribute characters, excluding > (tag close) for obvious reasons + .'[^\s\042\047>/=]+' // attribute characters + // optional attribue-value + .'(\s*=\s*' // attribute-value separator + .'(\042[^\042]*\042|\047[^\047]*\047|[^\s\042\047=><`]*)' // single, double or non-quoted value + .')?' // end optional attribute-value group + .')*' // end optional attributes group + .')' // end catching evil attribute prefix + // evil attribute starts here + .'([\s\042\047>/=]+' // non-attribute characters (we'll replace that with a single space) + .'('.implode('|', $evil_attributes).')' + .'\s*=\s*' // attribute-value separator + .'(\042[^042]+\042|\047[^047]+\047|[^\s\042\047=><`]+)' // attribute value; single, double or non-quotes + .')' // end evil attribute + .'#isS'; - // find occurrences of illegal attribute strings without quotes - $str = preg_replace('/<([^>]+(((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=\047))[^>]*)*)(?]*)/is', '<$1[removed]', $str, -1, $temp_count); - $count += $temp_count; + do { + $count = 0; + $str = preg_replace($pattern, '$1 [removed]', $str, -1, $count); } while ($count); -- cgit v1.2.3-24-g4f1b From 2f71c625b8d9ed7efc34b2139695702d6a08f6be Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 11 Sep 2015 15:21:10 +0300 Subject: Improve on previous commit --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 829aac7d2..ca0991ac4 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -795,7 +795,7 @@ class CI_Security { .')*' // end optional attributes group .')' // end catching evil attribute prefix // evil attribute starts here - .'([\s\042\047>/=]+' // non-attribute characters (we'll replace that with a single space) + .'([\s\042\047/=]+' // non-attribute characters (we'll replace that with a single space), again excluding '>' .'('.implode('|', $evil_attributes).')' .'\s*=\s*' // attribute-value separator .'(\042[^042]+\042|\047[^047]+\047|[^\s\042\047=><`]+)' // attribute value; single, double or non-quotes -- cgit v1.2.3-24-g4f1b From bc78748b24ec2d49f0218fa701d1e95259b41187 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 11 Sep 2015 18:11:32 +0300 Subject: Harden xss_clean() more This time eliminate false positives for the 'naughty html' logic. --- system/core/Security.php | 42 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 5 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index ca0991ac4..ade77491d 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -495,8 +495,28 @@ class CI_Security { * So this: * Becomes: <blink> */ - $naughty = 'alert|prompt|confirm|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|math|video|svg|xml|xss'; - $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str); + $pattern = '#' + .'<((/*\s*)([a-z0-9]+)(?=[^a-z0-9])' // tag start and name, followed by a non-tag character + // optional attributes + .'([\s\042\047/=]+' // non-attribute characters, excluding > (tag close) for obvious reasons + .'[^\s\042\047>/=]+' // attribute characters + // optional attribue-value + .'(\s*=\s*' // attribute-value separator + .'(\042[^\042]*\042|\047[^\047]*\047|[^\s\042\047=><`]*)' // single, double or non-quoted value + .')?' // end optional attribute-value group + .')*' // end optional attributes group + .'[^>]*)>#isS'; + + // Note: It would be nice to optimize this for speed, BUT + // only matching the naughty elements here results in + // false positives and in turn - vulnerabilities! + do + { + $old_str = $str; + $str = preg_replace_callback($pattern, array($this, '_sanitize_naughty_html'), $str); + } + while ($old_str !== $str); + unset($old_str); /* * Sanitize naughty scripting elements @@ -824,9 +844,21 @@ class CI_Security { */ protected function _sanitize_naughty_html($matches) { - return '<'.$matches[1].$matches[2].$matches[3] // encode opening brace - // encode captured opening or closing brace to prevent recursive vectors: - .str_replace(array('>', '<'), array('>', '<'), $matches[4]); + static $naughty = array( + 'alert', 'prompt', 'confirm', 'applet', 'audio', 'basefont', 'base', 'behavior', 'bgsound', + 'blink', 'body', 'embed', 'expression', 'form', 'frameset', 'frame', 'head', 'html', 'ilayer', + 'iframe', 'input', 'button', 'select', 'isindex', 'layer', 'link', 'meta', 'keygen', 'object', + 'plaintext', 'style', 'script', 'textarea', 'title', 'math', 'video', 'svg', 'xml', 'xss' + ); + + // Is the element that we caught naughty? + // If not, just return it back. + if ( ! in_array(strtolower($matches[3]), $naughty, TRUE)) + { + return $matches[0]; + } + + return '<'.$matches[1].'>'; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 70f60d07253d301ec62789f78587db0dac826a27 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 14 Sep 2015 11:11:20 +0300 Subject: Move _remove_evil_attributes() call --- system/core/Security.php | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index ade77491d..dd3b2c8f0 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -480,12 +480,8 @@ class CI_Security { } } while ($original !== $str); - unset($original); - // Remove evil attributes such as style, onclick and xmlns - $str = $this->_remove_evil_attributes($str, $is_image); - /* * Sanitize naughty HTML elements * @@ -518,6 +514,9 @@ class CI_Security { while ($old_str !== $str); unset($old_str); + // Remove evil attributes such as style, onclick and xmlns + $str = $this->_remove_evil_attributes($str, $is_image); + /* * Sanitize naughty scripting elements * -- cgit v1.2.3-24-g4f1b From 2a2578b396401ac81017b9cd52189f1fcb497b1e Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 14 Sep 2015 11:16:33 +0300 Subject: Add 'eval' to a JS blacklist in xss_clean() --- system/core/Security.php | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index dd3b2c8f0..3142f7da2 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -436,7 +436,7 @@ class CI_Security { $words = array( 'javascript', 'expression', 'vbscript', 'jscript', 'wscript', 'vbs', 'script', 'base64', 'applet', 'alert', 'document', - 'write', 'cookie', 'window', 'confirm', 'prompt' + 'write', 'cookie', 'window', 'confirm', 'prompt', 'eval' ); foreach ($words as $word) @@ -902,12 +902,15 @@ class CI_Security { */ protected function _js_img_removal($match) { - return str_replace($match[1], - preg_replace('#src=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) - ), - $match[0]); + return str_replace( + $match[1], + preg_replace( + '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) + ), + $match[0] + ); } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From f2239fe1f6e0578a00afb88e9fc2b2cdd2ac2626 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 14 Sep 2015 13:48:03 +0300 Subject: Fix #4109 --- system/core/Router.php | 42 ++++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 20 deletions(-) (limited to 'system') diff --git a/system/core/Router.php b/system/core/Router.php index eb868cd5b..a84be1f1d 100644 --- a/system/core/Router.php +++ b/system/core/Router.php @@ -153,6 +153,28 @@ class CI_Router { */ protected function _set_routing() { + // Load the routes.php file. It would be great if we could + // skip this for enable_query_strings = TRUE, but then + // default_controller would be empty ... + if (file_exists(APPPATH.'config/routes.php')) + { + include(APPPATH.'config/routes.php'); + } + + if (file_exists(APPPATH.'config/'.ENVIRONMENT.'/routes.php')) + { + include(APPPATH.'config/'.ENVIRONMENT.'/routes.php'); + } + + // Validate & get reserved routes + if (isset($route) && is_array($route)) + { + isset($route['default_controller']) && $this->default_controller = $route['default_controller']; + isset($route['translate_uri_dashes']) && $this->translate_uri_dashes = $route['translate_uri_dashes']; + unset($route['default_controller'], $route['translate_uri_dashes']); + $this->routes = $route; + } + // Are query strings enabled in the config file? Normally CI doesn't utilize query strings // since URI segments are more search-engine friendly, but they can optionally be used. // If this feature is enabled, we will gather the directory/class/method a little differently @@ -199,26 +221,6 @@ class CI_Router { return; } - // Load the routes.php file. - if (file_exists(APPPATH.'config/routes.php')) - { - include(APPPATH.'config/routes.php'); - } - - if (file_exists(APPPATH.'config/'.ENVIRONMENT.'/routes.php')) - { - include(APPPATH.'config/'.ENVIRONMENT.'/routes.php'); - } - - // Validate & get reserved routes - if (isset($route) && is_array($route)) - { - isset($route['default_controller']) && $this->default_controller = $route['default_controller']; - isset($route['translate_uri_dashes']) && $this->translate_uri_dashes = $route['translate_uri_dashes']; - unset($route['default_controller'], $route['translate_uri_dashes']); - $this->routes = $route; - } - // Is there anything to parse? if ($this->uri->uri_string !== '') { -- cgit v1.2.3-24-g4f1b From 24ff6dbcf88a9095785c1cb8fdba213843756595 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 14 Sep 2015 13:56:41 +0300 Subject: Fix #4044 --- system/libraries/Cache/drivers/Cache_redis.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'system') diff --git a/system/libraries/Cache/drivers/Cache_redis.php b/system/libraries/Cache/drivers/Cache_redis.php index 2825acfd3..ea0059ff7 100644 --- a/system/libraries/Cache/drivers/Cache_redis.php +++ b/system/libraries/Cache/drivers/Cache_redis.php @@ -117,17 +117,17 @@ class CI_Cache_redis extends CI_Driver { log_message('error', 'Cache: Redis connection failed. Check your configuration.'); } + + if (isset($config['password']) && ! $this->_redis->auth($config['password'])) + { + log_message('error', 'Cache: Redis authentication failed.'); + } } catch (RedisException $e) { log_message('error', 'Cache: Redis connection refused ('.$e->getMessage().')'); } - if (isset($config['password']) && ! $this->_redis->auth($config['password'])) - { - log_message('error', 'Cache: Redis authentication failed.'); - } - // Initialize the index of serialized values. $serialized = $this->_redis->sMembers('_ci_redis_serialized'); empty($serialized) OR $this->_serialized = array_flip($serialized); -- cgit v1.2.3-24-g4f1b From c08f27b471816493900702229eb105b0ec117706 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 14 Sep 2015 14:03:39 +0300 Subject: Fix #4032 --- system/database/DB_driver.php | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'system') diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index fe0cd7d32..cc94edc16 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -791,10 +791,13 @@ abstract class CI_DB_driver { /** * Enable/disable Transaction Strict Mode + * * When strict mode is enabled, if you are running multiple groups of - * transactions, if one group fails all groups will be rolled back. - * If strict mode is disabled, each group is treated autonomously, meaning - * a failure of one group will not affect any others + * transactions, if one group fails all subsequent groups will be + * rolled back. + * + * If strict mode is disabled, each group is treated autonomously, + * meaning a failure of one group will not affect any others * * @param bool $mode = TRUE * @return void @@ -861,8 +864,8 @@ abstract class CI_DB_driver { $this->trans_rollback(); // If we are NOT running in strict mode, we will reset - // the _trans_status flag so that subsequent groups of transactions - // will be permitted. + // the _trans_status flag so that subsequent groups of + // transactions will be permitted. if ($this->trans_strict === FALSE) { $this->_trans_status = TRUE; -- cgit v1.2.3-24-g4f1b From 392f8da2ebc22efeb1b688a75c49c1a52e12f0f2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 14 Sep 2015 14:52:48 +0300 Subject: Close #4098 --- system/core/Config.php | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) (limited to 'system') diff --git a/system/core/Config.php b/system/core/Config.php index d07000ac9..feea7c85a 100644 --- a/system/core/Config.php +++ b/system/core/Config.php @@ -238,7 +238,15 @@ class CI_Config { if (isset($protocol)) { - $base_url = $protocol.substr($base_url, strpos($base_url, '://')); + // For protocol-relative links + if ($protocol === '') + { + $base_url = substr($base_url, strpos($base_url, '//')); + } + else + { + $base_url = $protocol.substr($base_url, strpos($base_url, '://')); + } } if (empty($uri)) @@ -293,7 +301,15 @@ class CI_Config { if (isset($protocol)) { - $base_url = $protocol.substr($base_url, strpos($base_url, '://')); + // For protocol-relative links + if ($protocol === '') + { + $base_url = substr($base_url, strpos($base_url, '//')); + } + else + { + $base_url = $protocol.substr($base_url, strpos($base_url, '://')); + } } return $base_url.ltrim($this->_uri_string($uri), '/'); -- cgit v1.2.3-24-g4f1b From 1e6d4d611d80dc7f20566ecc125354d84deebd1c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 14 Sep 2015 16:06:37 +0300 Subject: Another addition to tag detection patterns in xss_clean() --- system/core/Security.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 3142f7da2..9e5e72576 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -493,6 +493,7 @@ class CI_Security { */ $pattern = '#' .'<((/*\s*)([a-z0-9]+)(?=[^a-z0-9])' // tag start and name, followed by a non-tag character + .'[^>a-z0-9]*' // a valid attribute character immediately after the tag would count as a separator // optional attributes .'([\s\042\047/=]+' // non-attribute characters, excluding > (tag close) for obvious reasons .'[^\s\042\047>/=]+' // attribute characters @@ -804,6 +805,7 @@ class CI_Security { $pattern = '#(' // catch everything in the tag preceeding the evil attribute .'<[a-z0-9]+(?=[^>a-z0-9])' // tag start and name, followed by a non-tag character + .'[^>a-z0-9]*' // a valid attribute character immediately after the tag would count as a separator // optional attributes .'([\s\042\047/=]+' // non-attribute characters, excluding > (tag close) for obvious reasons .'[^\s\042\047>/=]+' // attribute characters @@ -821,7 +823,8 @@ class CI_Security { .')' // end evil attribute .'#isS'; - do { + do + { $count = 0; $str = preg_replace($pattern, '$1 [removed]', $str, -1, $count); } -- cgit v1.2.3-24-g4f1b From e079203e20506397104c2caed28395ebfa8cfc70 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 15 Sep 2015 17:07:40 +0300 Subject: Missing character in the evil attributes pattern --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 9e5e72576..4b42ed448 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -819,7 +819,7 @@ class CI_Security { .'([\s\042\047/=]+' // non-attribute characters (we'll replace that with a single space), again excluding '>' .'('.implode('|', $evil_attributes).')' .'\s*=\s*' // attribute-value separator - .'(\042[^042]+\042|\047[^047]+\047|[^\s\042\047=><`]+)' // attribute value; single, double or non-quotes + .'(\042[^\042]+\042|\047[^\047]+\047|[^\s\042\047=><`]+)' // attribute value; single, double or non-quotes .')' // end evil attribute .'#isS'; -- cgit v1.2.3-24-g4f1b From ad4882fef8cdfb5d1795898de34440b001527d37 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 16 Sep 2015 11:29:50 +0300 Subject: Fix #4120 --- system/database/drivers/mssql/mssql_driver.php | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'system') diff --git a/system/database/drivers/mssql/mssql_driver.php b/system/database/drivers/mssql/mssql_driver.php index 8f15d8d69..05e5418c3 100644 --- a/system/database/drivers/mssql/mssql_driver.php +++ b/system/database/drivers/mssql/mssql_driver.php @@ -381,9 +381,19 @@ class CI_DB_mssql_driver extends CI_DB { */ public function error() { - $query = $this->query('SELECT @@ERROR AS code'); - $query = $query->row(); - return array('code' => $query->code, 'message' => mssql_get_last_message()); + // We need this because the error info is discarded by the + // server the first time you request it, and query() already + // calls error() once for logging purposes when a query fails. + static $error = array('code' => 0, 'message' => NULL); + + $message = mssql_get_last_message(); + if ( ! empty($message)) + { + $error['code'] = $this->query('SELECT @@ERROR AS code')->row()->code; + $error['message'] = $message; + } + + return $error; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 135b64a30d9746b8d55046ee4c8fded00a1e211a Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 16 Sep 2015 14:20:50 +0300 Subject: Fix #4116 Close #4117 --- system/libraries/Pagination.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'system') diff --git a/system/libraries/Pagination.php b/system/libraries/Pagination.php index 5b3aa01f4..4d18998b9 100644 --- a/system/libraries/Pagination.php +++ b/system/libraries/Pagination.php @@ -571,7 +571,7 @@ class CI_Pagination { { $i = ($this->use_page_numbers) ? $uri_page_number - 1 : $uri_page_number - $this->per_page; - $attributes = sprintf('%s %s="%d"', $this->_attributes, $this->data_page_attr, (int) $i); + $attributes = sprintf('%s %s="%d"', $this->_attributes, $this->data_page_attr, ($this->cur_page - 1)); if ($i === $base_page) { @@ -592,11 +592,11 @@ class CI_Pagination { if ($this->display_pages !== FALSE) { // Write the digit links - for ($loop = $start -1; $loop <= $end; $loop++) + for ($loop = $start - 1; $loop <= $end; $loop++) { $i = ($this->use_page_numbers) ? $loop : ($loop * $this->per_page) - $this->per_page; - $attributes = sprintf('%s %s="%d"', $this->_attributes, $this->data_page_attr, (int) $i); + $attributes = sprintf('%s %s="%d"', $this->_attributes, $this->data_page_attr, $loop); if ($i >= $base_page) { @@ -614,7 +614,7 @@ class CI_Pagination { else { $append = $this->prefix.$i.$this->suffix; - $output .= $this->num_tag_open.'_attr_rel('start').'>' + $output .= $this->num_tag_open.'' .$loop.''.$this->num_tag_close; } } @@ -626,7 +626,7 @@ class CI_Pagination { { $i = ($this->use_page_numbers) ? $this->cur_page + 1 : $this->cur_page * $this->per_page; - $attributes = sprintf('%s %s="%d"', $this->_attributes, $this->data_page_attr, (int) $i); + $attributes = sprintf('%s %s="%d"', $this->_attributes, $this->data_page_attr, $this->cur_page + 1); $output .= $this->next_tag_open.'_attr_rel('next').'>'.$this->next_link.''.$this->next_tag_close; @@ -637,7 +637,7 @@ class CI_Pagination { { $i = ($this->use_page_numbers) ? $num_pages : ($num_pages * $this->per_page) - $this->per_page; - $attributes = sprintf('%s %s="%d"', $this->_attributes, $this->data_page_attr, (int) $i); + $attributes = sprintf('%s %s="%d"', $this->_attributes, $this->data_page_attr, $num_pages); $output .= $this->last_tag_open.'' .$this->last_link.''.$this->last_tag_close; -- cgit v1.2.3-24-g4f1b From 3ceb14a4325a8a3d47747dff3d50fbc392fc3206 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 17 Sep 2015 15:03:03 +0300 Subject: Refactor 'evil attributes' sanitization logic Turned out pretty much impossible to do remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done seprately for _sanitize_naughty_html() and _remove_evil_attributes(). --- system/core/Security.php | 158 ++++++++++++++++++++--------------------------- 1 file changed, 66 insertions(+), 92 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 4b42ed448..08cfcbe8f 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -492,16 +492,16 @@ class CI_Security { * Becomes: <blink> */ $pattern = '#' - .'<((/*\s*)([a-z0-9]+)(?=[^a-z0-9])' // tag start and name, followed by a non-tag character - .'[^>a-z0-9]*' // a valid attribute character immediately after the tag would count as a separator + .'<((?/*\s*)(?[a-z0-9]+)(?=[^a-z0-9])' // tag start and name, followed by a non-tag character + .'[^\s\042\047a-z0-9>/=]*' // a valid attribute character immediately after the tag would count as a separator // optional attributes - .'([\s\042\047/=]+' // non-attribute characters, excluding > (tag close) for obvious reasons + .'(?(?:[\s\042\047/=]*' // non-attribute characters, excluding > (tag close) for obvious reasons .'[^\s\042\047>/=]+' // attribute characters - // optional attribue-value - .'(\s*=\s*' // attribute-value separator - .'(\042[^\042]*\042|\047[^\047]*\047|[^\s\042\047=><`]*)' // single, double or non-quoted value - .')?' // end optional attribute-value group - .')*' // end optional attributes group + // optional attribute-value + .'(?:\s*=\s*' // attribute-value separator + .'(?:\042[^\042]*\042|\047[^\047]*\047|[^\s\042\047=><`]*)' // single, double or non-quoted value + .')?' // end optional attribute-value group + .')*)' // end optional attributes group .'[^>]*)>#isS'; // Note: It would be nice to optimize this for speed, BUT @@ -515,9 +515,6 @@ class CI_Security { while ($old_str !== $str); unset($old_str); - // Remove evil attributes such as style, onclick and xmlns - $str = $this->_remove_evil_attributes($str, $is_image); - /* * Sanitize naughty scripting elements * @@ -530,9 +527,11 @@ class CI_Security { * For example: eval('some code') * Becomes: eval('some code') */ - $str = preg_replace('#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', - '\\1\\2(\\3)', - $str); + $str = preg_replace( + '#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', + '\\1\\2(\\3)', + $str + ); // Final clean up // This adds a bit of extra precaution in case @@ -769,72 +768,6 @@ class CI_Security { // -------------------------------------------------------------------- - /** - * Remove Evil HTML Attributes (like event handlers and style) - * - * It removes the evil attribute and either: - * - * - Everything up until a space. For example, everything between the pipes: - * - * - * - * - * - * - Everything inside the quotes. For example, everything between the pipes: - * - * - * - * - * - * @param string $str The string to check - * @param bool $is_image Whether the input is an image - * @return string The string with the evil attributes removed - */ - protected function _remove_evil_attributes($str, $is_image) - { - $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href', 'FSCommand', 'seekSegmentTime'); - - if ($is_image === TRUE) - { - /* - * Adobe Photoshop puts XML metadata into JFIF images, - * including namespacing, so we have to allow this for images. - */ - unset($evil_attributes[array_search('xmlns', $evil_attributes)]); - } - - $pattern = '#(' // catch everything in the tag preceeding the evil attribute - .'<[a-z0-9]+(?=[^>a-z0-9])' // tag start and name, followed by a non-tag character - .'[^>a-z0-9]*' // a valid attribute character immediately after the tag would count as a separator - // optional attributes - .'([\s\042\047/=]+' // non-attribute characters, excluding > (tag close) for obvious reasons - .'[^\s\042\047>/=]+' // attribute characters - // optional attribue-value - .'(\s*=\s*' // attribute-value separator - .'(\042[^\042]*\042|\047[^\047]*\047|[^\s\042\047=><`]*)' // single, double or non-quoted value - .')?' // end optional attribute-value group - .')*' // end optional attributes group - .')' // end catching evil attribute prefix - // evil attribute starts here - .'([\s\042\047/=]+' // non-attribute characters (we'll replace that with a single space), again excluding '>' - .'('.implode('|', $evil_attributes).')' - .'\s*=\s*' // attribute-value separator - .'(\042[^\042]+\042|\047[^\047]+\047|[^\s\042\047=><`]+)' // attribute value; single, double or non-quotes - .')' // end evil attribute - .'#isS'; - - do - { - $count = 0; - $str = preg_replace($pattern, '$1 [removed]', $str, -1, $count); - } - while ($count); - - return $str; - } - - // -------------------------------------------------------------------- - /** * Sanitize Naughty HTML * @@ -846,21 +779,59 @@ class CI_Security { */ protected function _sanitize_naughty_html($matches) { - static $naughty = array( + static $naughty_tags = array( 'alert', 'prompt', 'confirm', 'applet', 'audio', 'basefont', 'base', 'behavior', 'bgsound', 'blink', 'body', 'embed', 'expression', 'form', 'frameset', 'frame', 'head', 'html', 'ilayer', 'iframe', 'input', 'button', 'select', 'isindex', 'layer', 'link', 'meta', 'keygen', 'object', 'plaintext', 'style', 'script', 'textarea', 'title', 'math', 'video', 'svg', 'xml', 'xss' ); - // Is the element that we caught naughty? - // If not, just return it back. - if ( ! in_array(strtolower($matches[3]), $naughty, TRUE)) + static $evil_attributes = array( + 'on\w+', 'style', 'xmlns', 'formaction', 'form', 'xlink:href', 'FSCommand', 'seekSegmentTime' + ); + + // Is the element that we caught naughty? If so, escape it + if (in_array(strtolower($matches['tagName']), $naughty_tags, TRUE)) { - return $matches[0]; + return '<'.$matches[1].'>'; } + // For other tags, see if their attributes are "evil" and strip those + elseif (isset($matches['attributes'])) + { + // We'll need to catch all attributes separately first + $pattern = '#' + .'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons + .'(?[^\s\042\047>/=]+)' // attribute characters + // optional attribute-value + .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]+)?' // attribute-value separator + .'#i'; + + if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) + { + // Since we'll be using substr_replace() below, we + // need to handle the attributes in reverse order, + // so we don't damage the string. + for ($i = $count - 1; $i > -1; $i--) + { + // Is it indeed an "evil" attribute? + if (preg_match('#^('.implode('|', $evil_attributes).')$#i', $attributes[$i]['name'][0])) + { + $matches['attributes'] = substr_replace( + $matches['attributes'], + ' [removed]', + $attributes[$i][0][1], + strlen($attributes[$i][0][0]) + ); + } + } - return '<'.$matches[1].'>'; + // Note: This will strip some non-space characters and/or + // reduce multiple spaces between attributes. + return '<'.$matches['closeTag'].$matches['tagName'].' '.trim($matches['attributes']).'>'; + } + } + + return $matches[0]; } // -------------------------------------------------------------------- @@ -880,12 +851,15 @@ class CI_Security { */ protected function _js_link_removal($match) { - return str_replace($match[1], - preg_replace('#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) - ), - $match[0]); + return str_replace( + $match[1], + preg_replace( + '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) + ), + $match[0] + ); } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 088e57db3808f78ee89def94c6ce95b571a88427 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 17 Sep 2015 15:55:57 +0300 Subject: Don't allow open-ended tags to pass through xss_clean() This was a regression caused by the previous commit --- system/core/Security.php | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 08cfcbe8f..a30613386 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -492,7 +492,7 @@ class CI_Security { * Becomes: <blink> */ $pattern = '#' - .'<((?/*\s*)(?[a-z0-9]+)(?=[^a-z0-9])' // tag start and name, followed by a non-tag character + .'<((?/*\s*)(?[a-z0-9]+)(?=[^a-z0-9]|$)' // tag start and name, followed by a non-tag character .'[^\s\042\047a-z0-9>/=]*' // a valid attribute character immediately after the tag would count as a separator // optional attributes .'(?(?:[\s\042\047/=]*' // non-attribute characters, excluding > (tag close) for obvious reasons @@ -502,7 +502,7 @@ class CI_Security { .'(?:\042[^\042]*\042|\047[^\047]*\047|[^\s\042\047=><`]*)' // single, double or non-quoted value .')?' // end optional attribute-value group .')*)' // end optional attributes group - .'[^>]*)>#isS'; + .'[^>]*)(?\>)?#isS'; // Note: It would be nice to optimize this for speed, BUT // only matching the naughty elements here results in @@ -790,8 +790,13 @@ class CI_Security { 'on\w+', 'style', 'xmlns', 'formaction', 'form', 'xlink:href', 'FSCommand', 'seekSegmentTime' ); + // First, escape unclosed tags + if (empty($matches['closeTag'])) + { + return '<'.$matches[1]; + } // Is the element that we caught naughty? If so, escape it - if (in_array(strtolower($matches['tagName']), $naughty_tags, TRUE)) + elseif (in_array(strtolower($matches['tagName']), $naughty_tags, TRUE)) { return '<'.$matches[1].'>'; } @@ -827,7 +832,7 @@ class CI_Security { // Note: This will strip some non-space characters and/or // reduce multiple spaces between attributes. - return '<'.$matches['closeTag'].$matches['tagName'].' '.trim($matches['attributes']).'>'; + return '<'.$matches['slash'].$matches['tagName'].' '.trim($matches['attributes']).'>'; } } -- cgit v1.2.3-24-g4f1b From 4fbf2d1a8e2b6d33e92f3f353b05388fd3229bd7 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 21 Sep 2015 16:17:48 +0300 Subject: More XSS stuff --- system/core/Security.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index a30613386..0cae23a79 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -808,7 +808,7 @@ class CI_Security { .'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons .'(?[^\s\042\047>/=]+)' // attribute characters // optional attribute-value - .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]+)?' // attribute-value separator + .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]*)?' // attribute-value separator .'#i'; if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) @@ -861,7 +861,7 @@ class CI_Security { preg_replace( '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) + $this->_filter_attributes($match[1]) ), $match[0] ); @@ -889,7 +889,7 @@ class CI_Security { preg_replace( '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) + $this->_filter_attributes($match[1]) ), $match[0] ); -- cgit v1.2.3-24-g4f1b From 84f24c23baf5ea45c30c4ab3cbc57cd846ea0f56 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 24 Sep 2015 15:17:28 +0300 Subject: Fix #4137 --- system/core/Exceptions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php index fc25f57e6..d8f62c0fe 100644 --- a/system/core/Exceptions.php +++ b/system/core/Exceptions.php @@ -187,7 +187,7 @@ class CI_Exceptions { // -------------------------------------------------------------------- - public function show_exception(Exception $exception) + public function show_exception($exception) { $templates_path = config_item('error_views_path'); if (empty($templates_path)) -- cgit v1.2.3-24-g4f1b From e837851d3626617ff9f8311c45d26449167d5fa8 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 29 Sep 2015 12:30:55 +0300 Subject: Merge pull request #4126 from zoaked/patch-1 Persist config file rules when using FV reset_validation() --- system/libraries/Form_validation.php | 1 - 1 file changed, 1 deletion(-) (limited to 'system') diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php index af90316a4..a158225ee 100644 --- a/system/libraries/Form_validation.php +++ b/system/libraries/Form_validation.php @@ -1586,7 +1586,6 @@ class CI_Form_validation { public function reset_validation() { $this->_field_data = array(); - $this->_config_rules = array(); $this->_error_array = array(); $this->_error_messages = array(); $this->error_string = ''; -- cgit v1.2.3-24-g4f1b From 249580e711d42fe966e52d7bcc0f349ba99a94a3 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 2 Oct 2015 16:44:05 +0300 Subject: More XSS stuff --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 0cae23a79..27471d98e 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -808,7 +808,7 @@ class CI_Security { .'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons .'(?[^\s\042\047>/=]+)' // attribute characters // optional attribute-value - .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]*)?' // attribute-value separator + .'(?:\s*=(?:[^\s\042\047=><`]+|\s*\042[^\042]+\042|\s*\047[^\047]+\047|\s*(?U:[^\s\042\047=><`]*)))' // attribute-value separator .'#i'; if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) -- cgit v1.2.3-24-g4f1b From 48844d16102d92fd146d562bc322b5624e44f9dd Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 5 Oct 2015 10:52:04 +0300 Subject: Close #4155 --- system/helpers/file_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/helpers/file_helper.php b/system/helpers/file_helper.php index cd1c641ec..f6cb1629a 100644 --- a/system/helpers/file_helper.php +++ b/system/helpers/file_helper.php @@ -343,7 +343,7 @@ if ( ! function_exists('get_mime_by_extension')) if ( ! is_array($mimes)) { - $mimes =& get_mimes(); + $mimes = get_mimes(); if (empty($mimes)) { -- cgit v1.2.3-24-g4f1b From f0f47da9ae4227968ccc9ee6511bcab526498b4c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 5 Oct 2015 12:37:16 +0300 Subject: Some more intrusive XSS cleaning --- system/core/Security.php | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 27471d98e..ab85e2239 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -498,8 +498,8 @@ class CI_Security { .'(?(?:[\s\042\047/=]*' // non-attribute characters, excluding > (tag close) for obvious reasons .'[^\s\042\047>/=]+' // attribute characters // optional attribute-value - .'(?:\s*=\s*' // attribute-value separator - .'(?:\042[^\042]*\042|\047[^\047]*\047|[^\s\042\047=><`]*)' // single, double or non-quoted value + .'(?:\s*=' // attribute-value separator + .'(?:[^\s\042\047=><`]+|\s*\042[^\042]*\042|\s*\047[^\047]*\047|\s*(?U:[^\s\042\047=><`]*))' // single, double or non-quoted value .')?' // end optional attribute-value group .')*)' // end optional attributes group .'[^>]*)(?\>)?#isS'; @@ -808,7 +808,7 @@ class CI_Security { .'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons .'(?[^\s\042\047>/=]+)' // attribute characters // optional attribute-value - .'(?:\s*=(?:[^\s\042\047=><`]+|\s*\042[^\042]+\042|\s*\047[^\047]+\047|\s*(?U:[^\s\042\047=><`]*)))' // attribute-value separator + .'(?:\s*=(?[^\s\042\047=><`]+|\s*\042[^\042]*\042|\s*\047[^\047]*\047|\s*(?U:[^\s\042\047=><`]*)))' // attribute-value separator .'#i'; if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) @@ -818,8 +818,14 @@ class CI_Security { // so we don't damage the string. for ($i = $count - 1; $i > -1; $i--) { - // Is it indeed an "evil" attribute? - if (preg_match('#^('.implode('|', $evil_attributes).')$#i', $attributes[$i]['name'][0])) + if ( + // Is it indeed an "evil" attribute? + preg_match('#^('.implode('|', $evil_attributes).')$#i', $attributes[$i]['name'][0]) + // Or an attribute not starting with a letter? Some parsers get confused by that + OR ! ctype_alpha($attributes[$i]['name'][0][0]) + // Does it have an equals sign, but no value and not quoted? Strip that too! + OR (trim($attributes[$i]['value'][0]) === '') + ) { $matches['attributes'] = substr_replace( $matches['attributes'], -- cgit v1.2.3-24-g4f1b From 47adcef68871cea1e556ffb2c0b6f585497e2a27 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 8 Oct 2015 17:21:06 +0300 Subject: [ci skip] Prepare 3.0.2 release --- system/core/CodeIgniter.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index b69630cf8..60dcc0e5e 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - define('CI_VERSION', '3.0.2-dev'); + define('CI_VERSION', '3.0.2'); /* * ------------------------------------------------------ -- cgit v1.2.3-24-g4f1b From 6d6b3b2f89d517b4589cb52965f34b115036584a Mon Sep 17 00:00:00 2001 From: Ahmad Anbar Date: Sat, 10 Oct 2015 22:51:54 +0300 Subject: Optimize csv_from_result speed. --- system/database/DB_utility.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'system') diff --git a/system/database/DB_utility.php b/system/database/DB_utility.php index 78398ea83..b51893e18 100644 --- a/system/database/DB_utility.php +++ b/system/database/DB_utility.php @@ -254,11 +254,12 @@ abstract class CI_DB_utility { // Next blast through the result array and build out the rows while ($row = $query->unbuffered_row('array')) { + $line = array(); foreach ($row as $item) { - $out .= $enclosure.str_replace($enclosure, $enclosure.$enclosure, $item).$enclosure.$delim; + $line[] = $enclosure.str_replace($enclosure, $enclosure.$enclosure, $item).$enclosure; } - $out = substr($out, 0, -strlen($delim)).$newline; + $out .= implode($delim, $line).$newline; } return $out; -- cgit v1.2.3-24-g4f1b From 2b5825ec66670b6ecb9528740cc1a51b59dbd3f2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 12 Oct 2015 16:57:28 +0300 Subject: [ci skip] This is 3.0.3-dev --- system/core/CodeIgniter.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 60dcc0e5e..8cea813a2 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - define('CI_VERSION', '3.0.2'); + define('CI_VERSION', '3.0.3-dev'); /* * ------------------------------------------------------ -- cgit v1.2.3-24-g4f1b