From 2ab1c1902711c8b0caf5c3e8f2fa825d72f6755d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 4 Jan 2017 15:26:35 +0200 Subject: Fix an XSS vulnerability --- user_guide_src/source/changelog.rst | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'user_guide_src') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 3ae234102..ad7d6a4ed 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -7,6 +7,10 @@ Version 3.1.3 Release Date: Not Released +- **Security** + + - Fixed an XSS vulnerability in :doc:`Security Library ` method ``xss_clean()``. + - General Changes - Deprecated ``$config['allow_get_array']``. -- cgit v1.2.3-24-g4f1b From 5a2390d4d6287f2ce35cadae4713b7dcd10fdc9b Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 4 Jan 2017 16:01:27 +0200 Subject: [ci skip] Protect CSRF verification from timing side-channel attacks --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'user_guide_src') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index ad7d6a4ed..7284d100c 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -10,6 +10,7 @@ Release Date: Not Released - **Security** - Fixed an XSS vulnerability in :doc:`Security Library ` method ``xss_clean()``. + - Added protection against timing side-channel attacks in :doc:`Security Library ` method ``csrf_verify()``. - General Changes -- cgit v1.2.3-24-g4f1b From cfd52edad6a4ae84b0c34755455b5b7b164878be Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 4 Jan 2017 16:58:08 +0200 Subject: [ci skip] Try to mitigate BREACH attacks against CSRF tokens --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'user_guide_src') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 7284d100c..d889d4b28 100644 
--- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -11,6 +11,7 @@ Release Date: Not Released - Fixed an XSS vulnerability in :doc:`Security Library ` method ``xss_clean()``. - Added protection against timing side-channel attacks in :doc:`Security Library ` method ``csrf_verify()``. + - Added protection against BREACH attacks targeting the CSRF token field generated by :doc:`Form Helper ` function :php:func:`form_open()`. - General Changes -- cgit v1.2.3-24-g4f1b From ec8dbbb79bb083acd1cf6beff5abea055b583db5 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 4 Jan 2017 17:01:44 +0200 Subject: Fix a possible file inclusion vulnerability in CI_Loader::vars() --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'user_guide_src') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index d889d4b28..fff17110e 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -10,6 +10,7 @@ Release Date: Not Released - **Security** - Fixed an XSS vulnerability in :doc:`Security Library ` method ``xss_clean()``. + - Fixed a possible file inclusion vulnerability in :doc:`Loader Library ` method ``vars()``. - Added protection against timing side-channel attacks in :doc:`Security Library ` method ``csrf_verify()``. - Added protection against BREACH attacks targeting the CSRF token field generated by :doc:`Form Helper ` function :php:func:`form_open()`. -- cgit v1.2.3-24-g4f1b From 61fd92498db72bc511effa8c15274596afbb5010 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 6 Jan 2017 11:47:34 +0200 Subject: [ci skip] Add a changelog entry for #4963 --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'user_guide_src') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index fff17110e..b60a90949 100644 --- a/user_guide_src/source/changelog.rst 
+++ b/user_guide_src/source/changelog.rst @@ -11,6 +11,7 @@ Release Date: Not Released - Fixed an XSS vulnerability in :doc:`Security Library ` method ``xss_clean()``. - Fixed a possible file inclusion vulnerability in :doc:`Loader Library ` method ``vars()``. + - Fixed a possible remote code execution vulnerability in the :doc:`Email Library ` when 'mail' or 'sendmail' are used (thanks to Paul Buonopane from `NamePros `_). - Added protection against timing side-channel attacks in :doc:`Security Library ` method ``csrf_verify()``. - Added protection against BREACH attacks targeting the CSRF token field generated by :doc:`Form Helper ` function :php:func:`form_open()`. -- cgit v1.2.3-24-g4f1b
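Review bot: in the first changelog hunk (commit 2ab1c19, "Fix an XSS vulnerability"), the new line `- Fixed an XSS vulnerability in :doc:`Security Library ` method ``xss_clean()``.` gives readers nothing beyond the method name; state which class of input ``xss_clean()`` previously let through and which releases are affected, so applications that rely on that filter can judge their exposure and plan the upgrade. Also, as shown, the ``:doc:`` role has no target after the link text; confirm that the document path in angle brackets is present in the source, otherwise Sphinx will not resolve the reference.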
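Review bot: the entry added in commit 5a2390d ("Protect CSRF verification from timing side-channel attacks") names the attack class but not the mitigation, and because the commit touches only the changelog the mechanism is otherwise undocumented for readers; say how ``csrf_verify()`` is protected (for example, a constant-time comparison of the submitted token against the stored one) and whether the token format or cookie handling changes, so deployments with custom CSRF handling know whether they must adapt.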
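Review bot: the wording in the commit cfd52ed hunk overstates the commit subject: the subject says "Try to mitigate BREACH attacks" while the changelog line says "Added protection against BREACH attacks targeting the CSRF token field"; align them (for example "Added mitigation against BREACH attacks ...") and name the technique applied to the token emitted by :php:func:`form_open()`. BREACH is a side channel in HTTP response compression, so the changelog should make clear that the framework change reduces rather than removes the risk and that compression settings for sensitive responses remain the operator's responsibility.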
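Review bot: the entry added in commit ec8dbbb for ``vars()`` says "possible file inclusion vulnerability" without saying when it is reachable; state the precondition (for example, whether it requires attacker-controlled keys or values being passed to ``CI_Loader::vars()``) so that readers can tell whether their usage was affected, and consider adding a version range, since the "Fixed ..." wording alone does not tell users of older 3.1.x releases that they should upgrade.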
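Review bot: the entry added in commit 61fd924 omits the issue reference that the commit subject itself carries ("Add a changelog entry for #4963"); include ``#4963`` (or a link to it) in the changelog line so readers can trace the report, and tighten "when 'mail' or 'sendmail' are used" to "when the ``mail`` or ``sendmail`` protocol is used", since those are values of the Email Library's protocol setting. The `NamePros `_ link also shows no URL after the name in the hunk; confirm the target survived, otherwise the credit renders as a broken reference.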