From 5335bc317f07f12c0f0bae5ac9189f75fcad0f1c Mon Sep 17 00:00:00 2001 From: Wes Baker Date: Tue, 24 Apr 2012 15:17:14 -0400 Subject: Updating XSS cleaning to better handle base64 encoded attributes. --- system/core/Security.php | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index ac39ce97b..65746637b 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -99,7 +99,8 @@ class CI_Security { 'javascript\s*:', 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! - 'Redirect\s+302' + 'Redirect\s+302', + "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" ); public function __construct() @@ -362,7 +363,7 @@ class CI_Security { * These words are compacted back to their correct state. */ $words = array( - 'javascript', 'expression', 'vbscript', 'script', + 'javascript', 'expression', 'vbscript', 'script', 'base64', 'applet', 'alert', 'document', 'write', 'cookie', 'window' ); @@ -602,10 +603,11 @@ class CI_Security { $attribs = array(); // find occurrences of illegal attribute strings without quotes - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s]*)/is', $str, $matches, PREG_SET_ORDER); + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { + $attribs[] = preg_quote($attr[0], '/'); } @@ -620,7 +622,7 @@ class CI_Security { // replace illegal attribute strings that are inside an html tag if (count($attribs) > 0) { - $str = preg_replace('/<(\/?[^><]+?)([^A-Za-z\-])('.implode('|', $attribs).')([\s><])([><]*)/i', '<$1$2$4$5', $str, -1, $count); + $str = preg_replace("/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(".implode('|', $attribs).")(.*?)([\s><])([><]*)/i", '<$1 $3$5$6$7', $str, -1, $count); } } while ($count); 
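Review bot: In the new `_never_allowed_regex` entry, `[^\\1]` does not exclude the captured quote — a backreference cannot appear inside a character class, and PCRE reads `\1` there as the octal escape for byte 0x01, so each `[^\\1]*?` is effectively "any character", and the trailing `\\1?` is optional in any case. Together with the `s` modifier this same commit adds to the `foreach ($this->_never_allowed_regex ...)` loop, the pattern will match from any `data:` through the next `base64` and the next `,` anywhere later in the input and replace that whole span with `[removed]`, which over-removes benign text and is not the quote-bounded match the capture group suggests. A bounded form such as `'data\s*:[^,\'"]*?base64[^,\'"]*?,'` cannot run past a quote or a comma and needs no backreference. The `_never_allowed_regex` property's declaration starts outside this hunk.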
@@ -661,7 +663,7 @@ class CI_Security { protected function _js_link_removal($match) { return str_replace($match[1], - preg_replace('#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) ), @@ -801,7 +803,7 @@ class CI_Security { foreach ($this->_never_allowed_regex as $regex) { - $str = preg_replace('#'.$regex.'#i', '[removed]', $str); + $str = preg_replace('#'.$regex.'#is', '[removed]', $str); } return $str; -- cgit v1.2.3-24-g4f1b From 2d51c08027382cc10692188ccb68789daf2f2083 Mon Sep 17 00:00:00 2001 From: George Petsagourakis Date: Wed, 2 May 2012 20:29:04 +0300 Subject: Fixing some typos. --- system/libraries/Form_validation.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php index a52cad5ff..5547c6a69 100644 --- a/system/libraries/Form_validation.php +++ b/system/libraries/Form_validation.php @@ -1005,7 +1005,7 @@ class CI_Form_validation { return (MB_ENABLED === TRUE) ? ($val <= mb_strlen($str)) - : ($val <= strlen(str)); + : ($val <= strlen($str)); } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 306b378525a13d9c5d1a7f0d6d50c2f263f22a04 Mon Sep 17 00:00:00 2001 From: George Petsagourakis Date: Wed, 2 May 2012 20:31:08 +0300 Subject: Fixing some typos in the xmlrpc class. Also, fputs is an alias for fwrite. --- system/libraries/Xmlrpc.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'system') diff --git a/system/libraries/Xmlrpc.php b/system/libraries/Xmlrpc.php index 7009deacc..0d2533855 100644 --- a/system/libraries/Xmlrpc.php +++ b/system/libraries/Xmlrpc.php 
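Review bot: `preg_replace()` returns NULL on a PCRE error (for example when `pcre.backtrack_limit` is exceeded), and the loop assigns that result straight back to `$str`; with the `s` modifier now in effect and lazily quantified spans in the patterns, a large input can trip the limit, after which every later iteration runs on NULL and the caller receives NULL instead of the cleaned string. A check after the replacement keeps the failure explicit, e.g. `if ($str === NULL) { return '[removed]'; } // preg_replace() returned NULL: PCRE error, fail closed`, or at least a `preg_last_error()` check after the loop. The enclosing method begins outside this hunk, so I cannot see whether its caller already guards against a NULL return.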
@@ -436,7 +436,7 @@ class XML_RPC_Client extends CI_Xmlrpc */ public function sendPayload($msg) { - $fp = @fsockopen($this->server, $this->port,$this->errno, $this->errstr, $this->timeout); + $fp = @fsockopen($this->server, $this->port,$this->errno, $this->errstring, $this->timeout); if ( ! is_resource($fp)) { @@ -458,7 +458,7 @@ class XML_RPC_Client extends CI_Xmlrpc .'Content-Length: '.strlen($msg->payload).$r.$r .$msg->payload; - if ( ! fputs($fp, $op, strlen($op))) + if ( ! fwrite($fp, $op, strlen($op))) { error_log($this->xmlrpcstr['http_error']); return new XML_RPC_Response(0, $this->xmlrpcerr['http_error'], $this->xmlrpcstr['http_error']); @@ -1076,7 +1076,7 @@ class XML_RPC_Message extends CI_Xmlrpc // we have an I4/INT // we must check that only 0123456789- are characters here $this->xh[$the_parser]['value'] = preg_match('/^[+-]?[0-9\t ]+$/', $this->xh[$the_parser]['ac']) - ? (int) $this->xh[$the_parset]['ac'] + ? (int) $this->xh[$the_parser]['ac'] : 'ERROR_NON_NUMERIC_FOUND'; } $this->xh[$the_parser]['ac'] = ''; -- cgit v1.2.3-24-g4f1b From 4c316b6bdfa970e98127ea280fcc77ff1288190f Mon Sep 17 00:00:00 2001 From: Michiel Vugteveen Date: Fri, 4 May 2012 11:32:48 +0200 Subject: unset userdata --- system/libraries/Session.php | 45 +++++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 21 deletions(-) (limited to 'system') diff --git a/system/libraries/Session.php b/system/libraries/Session.php index 3fa446d84..3195f0a91 100644 --- a/system/libraries/Session.php +++ b/system/libraries/Session.php 
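Review bot: The `fwrite()` result on the corrected line is only tested for falsiness, but a write to a network stream can return fewer bytes than `strlen($op)`; a short write then sends a truncated request whose `Content-Length` header no longer matches the body, and it is reported as success. Comparing the byte count is a one-line change, `if (fwrite($fp, $op, strlen($op)) !== strlen($op))`; a loop over the unwritten remainder would be more robust still. `sendPayload()`'s body continues outside this hunk.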
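Review bot: The validation regex on the context line, `/^[+-]?[0-9\t ]+$/`, accepts tabs and spaces between digits, so an accumulator such as `"12 34"` passes the numeric check and the `(int)` cast on the corrected `$the_parser` line silently yields 12; `$` without the `D` modifier also tolerates a trailing newline. If the whitespace class is there to tolerate padding around the value, `preg_match('/^\s*[+-]?[0-9]+\s*$/D', $this->xh[$the_parser]['ac'])` expresses that without admitting interior whitespace. The `XML_RPC_Message` method this sits in starts outside the hunk, so I cannot tell whether `'ac'` is already trimmed earlier.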
@@ -36,146 +36,146 @@ */ class CI_Session { - /** + /** * Whether to encrypt the session cookie * * @var bool */ public $sess_encrypt_cookie = FALSE; - + /** * Whether to use to the database for session storage * * @var bool */ public $sess_use_database = FALSE; - + /** * Name of the database table in which to store sessions * * @var string */ public $sess_table_name = ''; - + /** * Length of time (in seconds) for sessions to expire * * @var int */ public $sess_expiration = 7200; - + /** * Whether to kill session on close of browser window * * @var bool */ public $sess_expire_on_close = FALSE; - + /** * Whether to match session on ip address * * @var bool */ public $sess_match_ip = FALSE; - + /** * Whether to match session on user-agent * * @var bool */ public $sess_match_useragent = TRUE; - + /** * Name of session cookie * * @var string */ public $sess_cookie_name = 'ci_session'; - + /** * Session cookie prefix * * @var string */ public $cookie_prefix = ''; - + /** * Session cookie path * * @var string */ public $cookie_path = ''; - + /** * Session cookie domain * * @var string */ public $cookie_domain = ''; - + /** * Whether to set the cookie only on HTTPS connections * * @var bool */ public $cookie_secure = FALSE; - + /** * Whether cookie should be allowed only to be sent by the server * * @var bool */ public $cookie_httponly = FALSE; - + /** * Interval at which to update session * * @var int */ public $sess_time_to_update = 300; - + /** * Key with which to encrypt the session cookie * * @var string */ public $encryption_key = ''; - + /** * String to indicate flash data cookies * * @var string */ public $flashdata_key = 'flash'; - + /** * Function to use to get the current time * * @var string */ public $time_reference = 'time'; - + /** * Probablity level of garbage collection of old sessions * * @var int */ public $gc_probability = 5; - + /** * Session data * * @var array */ public $userdata = array(); - + /** * Reference to CodeIgniter instance * * @var object 
*/ public $CI; - + /** * Current time * @@ -570,6 +570,9 @@ class CI_Session { $this->cookie_domain, 0 ); + + // Kill session data + $this->userdata = array(); } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From d4fb95ff19666f178b9f84850d122ff07fe193b9 Mon Sep 17 00:00:00 2001 From: Cusco Date: Sat, 5 May 2012 03:22:24 +0800 Subject: Update system/database/drivers/interbase/interbase_utility.php --- system/database/drivers/interbase/interbase_utility.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/database/drivers/interbase/interbase_utility.php b/system/database/drivers/interbase/interbase_utility.php index 1b92af9b6..164211836 100644 --- a/system/database/drivers/interbase/interbase_utility.php +++ b/system/database/drivers/interbase/interbase_utility.php @@ -42,7 +42,7 @@ class CI_DB_interbase_utility extends CI_DB_utility { * @param string $filename * @return mixed */ - protected function backup($filename) + protected function _backup($filename) { if ($service = ibase_service_attach($this->db->hostname, $this->db->username, $this->db->password)) { -- cgit v1.2.3-24-g4f1b From bb2c83bddbf51c42815be3de60eab24fd87ae392 Mon Sep 17 00:00:00 2001 From: Wes Baker Date: Fri, 4 May 2012 18:44:24 -0400 Subject: Added a return false if an image doesn't pass XSS cleaning to prevent file_get_contents from returning a NULL and passing through unscathed. --- system/libraries/Upload.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'system') diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 8ad67050d..4a4a66f73 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -850,6 +850,10 @@ class CI_Upload { { return TRUE; // its an image, no "triggers" detected in the first 256 bytes, we're good } + else + { + return FALSE; + } } if (($data = @file_get_contents($file)) === FALSE) 
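Review bot: The added `else { return FALSE; }` in `Upload.php` carries no comment, while the sibling `return TRUE` branch explains itself inline; a reader has to reconstruct from the commit message why an image that fails the header check must not fall through to the `file_get_contents()` scan below. Something like `// image header check failed (condition above): reject here instead of falling through to the full-file scan` on the `else` would make the intent local. The condition this `else` belongs to is above the hunk, so the wording should be checked against it.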
@@ -1099,4 +1103,4 @@ class CI_Upload { } /* End of file Upload.php */ -/* Location: ./system/libraries/Upload.php */ \ No newline at end of file +/* Location: ./system/libraries/Upload.php */ -- cgit v1.2.3-24-g4f1b From cdcceecba73dd9f54665f531d15c12f5c9679738 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 9 May 2012 11:23:30 +0300 Subject: Fix issue #1342 --- system/libraries/Form_validation.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php index 5547c6a69..73f607be8 100644 --- a/system/libraries/Form_validation.php +++ b/system/libraries/Form_validation.php @@ -448,7 +448,7 @@ class CI_Form_validation { { $this->_field_data[$field]['postdata'] = $this->_reduce_array($validation_array, $row['keys']); } - elseif ( ! empty($validation_array[$field])) + elseif (isset($validation_array[$field])) { $this->_field_data[$field]['postdata'] = $validation_array[$field]; } -- cgit v1.2.3-24-g4f1b From ca7d822f224033196e0e327944a01f319c90f37f Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 11 May 2012 10:59:09 +0300 Subject: User_agent library improvements --- system/libraries/User_agent.php | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'system') diff --git a/system/libraries/User_agent.php b/system/libraries/User_agent.php index 0ac605fa4..ff596f04b 100644 --- a/system/libraries/User_agent.php +++ b/system/libraries/User_agent.php @@ -51,14 +51,14 @@ class CI_User_agent { * @var bool */ public $is_browser = FALSE; - + /** * Flag for if the user-agent is a robot * * @var bool */ public $is_robot = FALSE; - + /** * Flag for if the user-agent is a mobile browser * @@ -72,7 +72,7 @@ class CI_User_agent { * @var array */ public $languages = array(); - + /** * Character sets accepted by the current user agent * 
@@ -86,21 +86,21 @@ class CI_User_agent { * @var array */ public $platforms = array(); - + /** * List of browsers to compare against current user agent * * @var array */ public $browsers = array(); - + /** * List of mobile browsers to compare against current user agent * * @var array */ public $mobiles = array(); - + /** * List of robots to compare against current user agent * @@ -114,28 +114,28 @@ class CI_User_agent { * @var string */ public $platform = ''; - + /** * Current user-agent browser * * @var string */ public $browser = ''; - + /** * Current user-agent version * * @var string */ public $version = ''; - + /** * Current user-agent mobile name * * @var string */ public $mobile = ''; - + /** * Current user-agent robot name * @@ -330,7 +330,7 @@ class CI_User_agent { { foreach ($this->mobiles as $key => $val) { - if (FALSE !== (strpos(strtolower($this->agent), $key))) + if (FALSE !== (stripos($this->agent, $key))) { $this->is_mobile = TRUE; $this->mobile = $val; @@ -604,7 +604,7 @@ class CI_User_agent { /** * Test for a particular character set * - * @param string $charset + * @param string $charset * @return bool */ public function accept_charset($charset = 'utf-8') -- cgit v1.2.3-24-g4f1b From 46d53fb8799eb2f84798f0e7a5f57b065c2482e2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 11 May 2012 13:42:24 +0300 Subject: Fix issue #1349 --- system/libraries/Upload.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 4a4a66f73..24d4bd4d0 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -725,7 +725,7 @@ class CI_Upload { public function get_extension($filename) { $x = explode('.', $filename); - return '.'.end($x); + return (count($x) !== 1) ? '.'.end($x) : ''; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b 
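Review bot: The new guard in `get_extension()` only covers a name with no dot at all; `explode('.', 'file.')` gives `['file', '']`, so the method still returns `'.'`, and `'.htaccess'` yields `'.htaccess'` as its "extension". If a trailing dot should count as no extension, test the last segment rather than the segment count: `$ext = (count($x) > 1) ? end($x) : ''; return ($ext === '') ? '' : '.'.$ext;`. Whether the value is later lowercased or compared against the allowed types happens outside this hunk, so I have not assumed either.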
From fff6c2a3caa1ce14e58fcb3ee0d937d17985eea1 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sun, 13 May 2012 22:15:23 +0300 Subject: Improve the solution for issue #1342 --- system/libraries/Form_validation.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php index 73f607be8..c396580be 100644 --- a/system/libraries/Form_validation.php +++ b/system/libraries/Form_validation.php @@ -448,7 +448,7 @@ class CI_Form_validation { { $this->_field_data[$field]['postdata'] = $this->_reduce_array($validation_array, $row['keys']); } - elseif (isset($validation_array[$field])) + elseif (isset($validation_array[$field]) && $validation_array[$field] !== '') { $this->_field_data[$field]['postdata'] = $validation_array[$field]; } -- cgit v1.2.3-24-g4f1b