
Update to CodeIgniter 3.19

Marcel
2018-12-29 16:16:49 +01:00
parent b036b4d36e
commit d09ee2788d
159 changed files with 2508 additions and 1910 deletions


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
@@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
* @var string
*
*/
define('CI_VERSION', '3.0.6');
const CI_VERSION = '3.1.9';
/*
* ------------------------------------------------------
@@ -67,7 +67,10 @@ defined('BASEPATH') OR exit('No direct script access allowed');
require_once(APPPATH.'config/'.ENVIRONMENT.'/constants.php');
}
require_once(APPPATH.'config/constants.php');
if (file_exists(APPPATH.'config/constants.php'))
{
require_once(APPPATH.'config/constants.php');
}
/*
* ------------------------------------------------------
@@ -416,14 +419,29 @@ if ( ! is_php('5.4'))
$params = array($method, array_slice($URI->rsegments, 2));
$method = '_remap';
}
// WARNING: It appears that there are issues with is_callable() even in PHP 5.2!
// Furthermore, there are bug reports and feature/change requests related to it
// that make it unreliable to use in this context. Please, DO NOT change this
// work-around until a better alternative is available.
elseif ( ! in_array(strtolower($method), array_map('strtolower', get_class_methods($class)), TRUE))
elseif ( ! method_exists($class, $method))
{
$e404 = TRUE;
}
/**
* DO NOT CHANGE THIS, NOTHING ELSE WORKS!
*
* - method_exists() returns true for non-public methods, which passes the previous elseif
* - is_callable() returns false for PHP 4-style constructors, even if there's a __construct()
* - method_exists($class, '__construct') won't work because CI_Controller::__construct() is inherited
* - People will only complain if this doesn't work, even though it is documented that it shouldn't.
*
* ReflectionMethod::isConstructor() is the ONLY reliable check,
* knowing which method will be executed as a constructor.
*/
elseif ( ! is_callable(array($class, $method)))
{
$reflection = new ReflectionMethod($class, $method);
if ( ! $reflection->isPublic() OR $reflection->isConstructor())
{
$e404 = TRUE;
}
}
}
if ($e404)
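Review bot: The block comment above `elseif ( ! is_callable(array($class, $method)))` lists why the alternative checks fail but never states the property being protected: this branch is what keeps non-public methods and constructors from being dispatched from a URI segment, since by the comment's own account `method_exists()` accepts them. I would open the comment with a line such as `* Security: only public, non-constructor methods may be routed to; everything else must 404.` so the intent survives later refactors. The ReflectionMethod check runs only when is_callable() is false, so the outcome for controllers that define `__call()` depends on how is_callable() treats magic methods; a regression test covering a private method, a PHP 4-style constructor and a `__call()` controller would pin that down. The enclosing if/elseif chain starts outside the hunk.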


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
@@ -135,7 +135,7 @@ if ( ! function_exists('load_class'))
*
* @param string the class name being requested
* @param string the directory where the class should be found
* @param string an optional argument to pass to the class constructor
* @param mixed an optional argument to pass to the class constructor
* @return object
*/
function &load_class($class, $directory = 'libraries', $param = NULL)
@@ -319,17 +319,13 @@ if ( ! function_exists('get_mimes'))
if (empty($_mimes))
{
$_mimes = file_exists(APPPATH.'config/mimes.php')
? include(APPPATH.'config/mimes.php')
: array();
if (file_exists(APPPATH.'config/'.ENVIRONMENT.'/mimes.php'))
{
$_mimes = include(APPPATH.'config/'.ENVIRONMENT.'/mimes.php');
}
elseif (file_exists(APPPATH.'config/mimes.php'))
{
$_mimes = include(APPPATH.'config/mimes.php');
}
else
{
$_mimes = array();
$_mimes = array_merge($_mimes, include(APPPATH.'config/'.ENVIRONMENT.'/mimes.php'));
}
}
@@ -355,7 +351,7 @@ if ( ! function_exists('is_https'))
{
return TRUE;
}
elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https')
{
return TRUE;
}
@@ -410,11 +406,6 @@ if ( ! function_exists('show_error'))
if ($status_code < 100)
{
$exit_status = $status_code + 9; // 9 is EXIT__AUTO_MIN
if ($exit_status > 125) // 125 is EXIT__AUTO_MAX
{
$exit_status = 1; // EXIT_ERROR
}
$status_code = 500;
}
else
@@ -544,13 +535,18 @@ if ( ! function_exists('set_status_header'))
416 => 'Requested Range Not Satisfiable',
417 => 'Expectation Failed',
422 => 'Unprocessable Entity',
426 => 'Upgrade Required',
428 => 'Precondition Required',
429 => 'Too Many Requests',
431 => 'Request Header Fields Too Large',
500 => 'Internal Server Error',
501 => 'Not Implemented',
502 => 'Bad Gateway',
503 => 'Service Unavailable',
504 => 'Gateway Timeout',
505 => 'HTTP Version Not Supported'
505 => 'HTTP Version Not Supported',
511 => 'Network Authentication Required',
);
if (isset($stati[$code]))
@@ -566,12 +562,12 @@ if ( ! function_exists('set_status_header'))
if (strpos(PHP_SAPI, 'cgi') === 0)
{
header('Status: '.$code.' '.$text, TRUE);
return;
}
else
{
$server_protocol = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.1';
header($server_protocol.' '.$code.' '.$text, TRUE, $code);
}
$server_protocol = (isset($_SERVER['SERVER_PROTOCOL']) && in_array($_SERVER['SERVER_PROTOCOL'], array('HTTP/1.0', 'HTTP/1.1', 'HTTP/2'), TRUE))
? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.1';
header($server_protocol.' '.$code.' '.$text, TRUE, $code);
}
}
@@ -598,7 +594,7 @@ if ( ! function_exists('_error_handler'))
*/
function _error_handler($severity, $message, $filepath, $line)
{
$is_error = (((E_ERROR | E_COMPILE_ERROR | E_CORE_ERROR | E_USER_ERROR) & $severity) === $severity);
$is_error = (((E_ERROR | E_PARSE | E_COMPILE_ERROR | E_CORE_ERROR | E_USER_ERROR) & $severity) === $severity);
// When an error occurred, set the status header to '500 Internal Server Error'
// to indicate to the client something went wrong.
@@ -656,6 +652,7 @@ if ( ! function_exists('_exception_handler'))
$_error =& load_class('Exceptions', 'core');
$_error->log_exception('error', 'Exception: '.$exception->getMessage(), $exception->getFile(), $exception->getLine());
is_cli() OR set_status_header(500);
// Should we display the error?
if (str_ireplace(array('off', 'none', 'no', 'false', 'null'), '', ini_get('display_errors')))
{
@@ -716,8 +713,9 @@ if ( ! function_exists('remove_invisible_characters'))
// carriage return (dec 13) and horizontal tab (dec 09)
if ($url_encoded)
{
$non_displayables[] = '/%0[0-8bcef]/'; // url encoded 00-08, 11, 12, 14, 15
$non_displayables[] = '/%1[0-9a-f]/'; // url encoded 16-31
$non_displayables[] = '/%0[0-8bcef]/i'; // url encoded 00-08, 11, 12, 14, 15
$non_displayables[] = '/%1[0-9a-f]/i'; // url encoded 16-31
$non_displayables[] = '/%7f/i'; // url encoded 127
}
$non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S'; // 00-08, 11, 12, 14-31, 127
@@ -821,7 +819,7 @@ if ( ! function_exists('function_usable'))
* terminate script execution if a disabled function is executed.
*
* The above described behavior turned out to be a bug in Suhosin,
* but even though a fix was commited for 0.9.34 on 2012-02-12,
* but even though a fix was committed for 0.9.34 on 2012-02-12,
* that version is yet to be released. This function will therefore
* be just temporary, but would probably be kept for a few years.
*
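Review bot: In the is_https() hunk the new `strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https'` comparison still trusts a request header that any client can set when the application is not behind a proxy that overwrites it. Normalising the case is fine, but the function will then report HTTPS for a plain-HTTP request, and anything that keys off is_https() (the callers are not visible here) inherits that answer. I would either gate this branch on the request arriving from a configured trusted proxy or at least document the assumption, e.g. `// X-Forwarded-Proto is client-controlled unless a trusted reverse proxy sets it; do not base security decisions on this branch without one.` The function body starts and ends outside the hunk.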


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
@@ -319,7 +319,7 @@ class CI_Config {
}
}
return $base_url.ltrim($this->_uri_string($uri), '/');
return $base_url.$this->_uri_string($uri);
}
// -------------------------------------------------------------
@@ -337,11 +337,8 @@ class CI_Config {
{
if ($this->item('enable_query_strings') === FALSE)
{
if (is_array($uri))
{
$uri = implode('/', $uri);
}
return trim($uri, '/');
is_array($uri) && $uri = implode('/', $uri);
return ltrim($uri, '/');
}
elseif (is_array($uri))
{
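Review bot: `_uri_string()` now returns `ltrim($uri, '/')` where it used to return `trim($uri, '/')`, and the return statement in the first hunk drops its own `ltrim()`, so trailing slashes in `$uri` now survive into the generated URL. That is a visible behaviour change for code that compares, caches or whitelists generated URLs, and neither docblock (both outside the hunks) is shown being updated. I would add a line to the `_uri_string()` docblock such as `* Leading slashes are stripped; trailing slashes are preserved.` The `elseif (is_array($uri))` branch continues outside the hunk.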


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
@@ -207,7 +207,6 @@ class CI_Exceptions {
}
else
{
set_status_header(500);
$templates_path .= 'html'.DIRECTORY_SEPARATOR;
}
@@ -232,7 +231,7 @@ class CI_Exceptions {
* @param string $message Error message
* @param string $filepath File path
* @param int $line Line number
* @return string Error page output
* @return void
*/
public function show_php_error($severity, $message, $filepath, $line)
{


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
@@ -137,7 +137,7 @@ class CI_Input {
*/
public function __construct()
{
$this->_allow_get_array = (config_item('allow_get_array') === TRUE);
$this->_allow_get_array = (config_item('allow_get_array') !== FALSE);
$this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
$this->_enable_csrf = (config_item('csrf_protection') === TRUE);
$this->_standardize_newlines = (bool) config_item('standardize_newlines');
@@ -359,7 +359,7 @@ class CI_Input {
* @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript)
* @return void
*/
public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE)
public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL)
{
if (is_array($name))
{
@@ -388,15 +388,13 @@ class CI_Input {
$path = config_item('cookie_path');
}
if ($secure === FALSE && config_item('cookie_secure') === TRUE)
{
$secure = config_item('cookie_secure');
}
$secure = ($secure === NULL && config_item('cookie_secure') !== NULL)
? (bool) config_item('cookie_secure')
: (bool) $secure;
if ($httponly === FALSE && config_item('cookie_httponly') !== FALSE)
{
$httponly = config_item('cookie_httponly');
}
$httponly = ($httponly === NULL && config_item('cookie_httponly') !== NULL)
? (bool) config_item('cookie_httponly')
: (bool) $httponly;
if ( ! is_numeric($expire))
{
@@ -519,9 +517,9 @@ class CI_Input {
if ($separator === ':')
{
$netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr));
for ($i = 0; $i < 8; $i++)
for ($j = 0; $j < 8; $j++)
{
$netaddr[$i] = intval($netaddr[$i], 16);
$netaddr[$j] = intval($netaddr[$j], 16);
}
}
else
@@ -760,30 +758,32 @@ class CI_Input {
// If header is already defined, return it immediately
if ( ! empty($this->headers))
{
return $this->headers;
return $this->_fetch_from_array($this->headers, NULL, $xss_clean);
}
// In Apache, you can simply call apache_request_headers()
if (function_exists('apache_request_headers'))
{
return $this->headers = apache_request_headers();
$this->headers = apache_request_headers();
}
$this->headers['Content-Type'] = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : @getenv('CONTENT_TYPE');
foreach ($_SERVER as $key => $val)
else
{
if (sscanf($key, 'HTTP_%s', $header) === 1)
{
// take SOME_HEADER and turn it into Some-Header
$header = str_replace('_', ' ', strtolower($header));
$header = str_replace(' ', '-', ucwords($header));
isset($_SERVER['CONTENT_TYPE']) && $this->headers['Content-Type'] = $_SERVER['CONTENT_TYPE'];
$this->headers[$header] = $this->_fetch_from_array($_SERVER, $key, $xss_clean);
foreach ($_SERVER as $key => $val)
{
if (sscanf($key, 'HTTP_%s', $header) === 1)
{
// take SOME_HEADER and turn it into Some-Header
$header = str_replace('_', ' ', strtolower($header));
$header = str_replace(' ', '-', ucwords($header));
$this->headers[$header] = $_SERVER[$key];
}
}
}
return $this->headers;
return $this->_fetch_from_array($this->headers, NULL, $xss_clean);
}
// --------------------------------------------------------------------
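Review bot: With `$secure` and `$httponly` now defaulting to NULL in set_cookie(), an explicit `FALSE` argument overrides `cookie_secure` / `cookie_httponly` from the config, whereas the removed lines let an enabled config value win over a FALSE argument. Call sites that pass `FALSE` positionally only to reach a later parameter will therefore start emitting cookies without the Secure or HttpOnly flag on a site configured to require them. The `@param` lines should say so, e.g. `@param bool|null $secure NULL = use $config['cookie_secure']; an explicit FALSE disables the flag`, and existing callers are worth auditing for hard-coded `FALSE`. Note also that when both the argument and the config item are NULL the result is `(bool) NULL`, so the flag is off by default. The method body continues outside the hunk.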


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
@@ -78,7 +78,7 @@ class CI_Lang {
* Load a language file
*
* @param mixed $langfile Language file name
* @param string $idiom Language name (en, etc.)
* @param string $idiom Language name (english, etc.)
* @param bool $return Whether to return the loaded array of translations
* @param bool $add_suffix Whether to add suffix to $langfile
* @param string $alt_path Alternative path to look for the language file
@@ -109,7 +109,7 @@ class CI_Lang {
if (empty($idiom) OR ! preg_match('/^[a-z_-]+$/i', $idiom))
{
$config =& get_config();
$idiom = empty($config['language']) ? 'en' : $config['language'];
$idiom = empty($config['language']) ? 'english' : $config['language'];
}
if ($return === FALSE && isset($this->is_loaded[$langfile]) && $this->is_loaded[$langfile] === $idiom)


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
@@ -182,7 +182,7 @@ class CI_Loader {
* Loads and instantiates libraries.
* Designed to be called from application controllers.
*
* @param string $library Library name
* @param mixed $library Library name
* @param array $params Optional parameters to pass to the library class constructor
* @param string $object_name An optional object name to assign to
* @return object
@@ -226,7 +226,7 @@ class CI_Loader {
*
* Loads and instantiates models.
*
* @param string $model Model name
* @param mixed $model Model name
* @param string $name An optional object name to assign to
* @param bool $db_conn An optional database connection configuration to initialize
* @return object
@@ -303,6 +303,8 @@ class CI_Loader {
{
throw new RuntimeException($app_path."Model.php exists, but doesn't declare class CI_Model");
}
log_message('info', 'CI_Model class loaded');
}
elseif ( ! class_exists('CI_Model', FALSE))
{
@@ -317,6 +319,8 @@ class CI_Loader {
{
throw new RuntimeException($app_path.$class.".php exists, but doesn't declare class ".$class);
}
log_message('info', config_item('subclass_prefix').'Model class loaded');
}
}
@@ -350,7 +354,9 @@ class CI_Loader {
}
$this->_ci_models[] = $name;
$CI->$name = new $model();
$model = new $model();
$CI->$name = $model;
log_message('info', 'Model "'.get_class($model).'" initialized');
return $this;
}
@@ -486,7 +492,7 @@ class CI_Loader {
*/
public function view($view, $vars = array(), $return = FALSE)
{
return $this->_ci_load(array('_ci_view' => $view, '_ci_vars' => $this->_ci_object_to_array($vars), '_ci_return' => $return));
return $this->_ci_load(array('_ci_view' => $view, '_ci_vars' => $this->_ci_prepare_view_vars($vars), '_ci_return' => $return));
}
// --------------------------------------------------------------------
@@ -519,19 +525,13 @@ class CI_Loader {
*/
public function vars($vars, $val = '')
{
if (is_string($vars))
{
$vars = array($vars => $val);
}
$vars = is_string($vars)
? array($vars => $val)
: $this->_ci_prepare_view_vars($vars);
$vars = $this->_ci_object_to_array($vars);
if (is_array($vars) && count($vars) > 0)
foreach ($vars as $key => $val)
{
foreach ($vars as $key => $val)
{
$this->_ci_cached_vars[$key] = $val;
}
$this->_ci_cached_vars[$key] = $val;
}
return $this;
@@ -591,15 +591,21 @@ class CI_Loader {
*/
public function helper($helpers = array())
{
foreach ($this->_ci_prep_filename($helpers, '_helper') as $helper)
is_array($helpers) OR $helpers = array($helpers);
foreach ($helpers as &$helper)
{
$filename = basename($helper);
$filepath = ($filename === $helper) ? '' : substr($helper, 0, strlen($helper) - strlen($filename));
$filename = strtolower(preg_replace('#(_helper)?(\.php)?$#i', '', $filename)).'_helper';
$helper = $filepath.$filename;
if (isset($this->_ci_helpers[$helper]))
{
continue;
}
// Is this a helper extension request?
$ext_helper = config_item('subclass_prefix').$helper;
$ext_helper = config_item('subclass_prefix').$filename;
$ext_loaded = FALSE;
foreach ($this->_ci_helper_paths as $path)
{
@@ -934,18 +940,7 @@ class CI_Loader {
* the two types and cache them so that views that are embedded within
* other views can have access to these variables.
*/
if (is_array($_ci_vars))
{
foreach (array_keys($_ci_vars) as $key)
{
if (strncmp($key, '_ci_', 4) === 0)
{
unset($_ci_vars[$key]);
}
}
$this->_ci_cached_vars = array_merge($this->_ci_cached_vars, $_ci_vars);
}
empty($_ci_vars) OR $this->_ci_cached_vars = array_merge($this->_ci_cached_vars, $_ci_vars);
extract($this->_ci_cached_vars);
/*
@@ -1048,6 +1043,26 @@ class CI_Loader {
return $this->_ci_load_stock_library($class, $subdir, $params, $object_name);
}
// Safety: Was the class already loaded by a previous call?
if (class_exists($class, FALSE))
{
$property = $object_name;
if (empty($property))
{
$property = strtolower($class);
isset($this->_ci_varmap[$property]) && $property = $this->_ci_varmap[$property];
}
$CI =& get_instance();
if (isset($CI->$property))
{
log_message('debug', $class.' class already loaded. Second attempt ignored.');
return;
}
return $this->_ci_init_library($class, '', $params, $object_name);
}
// Let's search for the requested library file and load it.
foreach ($this->_ci_library_paths as $path)
{
@@ -1058,27 +1073,8 @@ class CI_Loader {
}
$filepath = $path.'libraries/'.$subdir.$class.'.php';
// Safety: Was the class already loaded by a previous call?
if (class_exists($class, FALSE))
{
// Before we deem this to be a duplicate request, let's see
// if a custom object name is being supplied. If so, we'll
// return a new instance of the object
if ($object_name !== NULL)
{
$CI =& get_instance();
if ( ! isset($CI->$object_name))
{
return $this->_ci_init_library($class, '', $params, $object_name);
}
}
log_message('debug', $class.' class already loaded. Second attempt ignored.');
return;
}
// Does the file exist? No? Bummer...
elseif ( ! file_exists($filepath))
if ( ! file_exists($filepath))
{
continue;
}
@@ -1106,7 +1102,7 @@ class CI_Loader {
* @used-by CI_Loader::_ci_load_library()
* @uses CI_Loader::_ci_init_library()
*
* @param string $library Library name to load
* @param string $library_name Library name to load
* @param string $file_path Path to the library filename, relative to libraries/
* @param mixed $params Optional parameters to pass to the class constructor
* @param string $object_name Optional object name to assign to
@@ -1123,16 +1119,17 @@ class CI_Loader {
$prefix = config_item('subclass_prefix');
}
// Before we deem this to be a duplicate request, let's see
// if a custom object name is being supplied. If so, we'll
// return a new instance of the object
if ($object_name !== NULL)
$property = $object_name;
if (empty($property))
{
$CI =& get_instance();
if ( ! isset($CI->$object_name))
{
return $this->_ci_init_library($library_name, $prefix, $params, $object_name);
}
$property = strtolower($library_name);
isset($this->_ci_varmap[$property]) && $property = $this->_ci_varmap[$property];
}
$CI =& get_instance();
if ( ! isset($CI->$property))
{
return $this->_ci_init_library($library_name, $prefix, $params, $object_name);
}
log_message('debug', $library_name.' class already loaded. Second attempt ignored.');
@@ -1154,10 +1151,8 @@ class CI_Loader {
{
return $this->_ci_init_library($library_name, $prefix, $params, $object_name);
}
else
{
log_message('debug', $path.' exists, but does not declare '.$prefix.$library_name);
}
log_message('debug', $path.' exists, but does not declare '.$prefix.$library_name);
}
}
@@ -1175,10 +1170,8 @@ class CI_Loader {
$prefix = config_item('subclass_prefix');
break;
}
else
{
log_message('debug', $path.' exists, but does not declare '.$subclass);
}
log_message('debug', $path.' exists, but does not declare '.$subclass);
}
}
@@ -1376,17 +1369,32 @@ class CI_Loader {
// --------------------------------------------------------------------
/**
* CI Object to Array translator
* Prepare variables for _ci_vars, to be later extract()-ed inside views
*
* Takes an object as input and converts the class variables to
* an associative array with key/value pairs.
* Converts objects to associative arrays and filters-out internal
* variable names (i.e. keys prefixed with '_ci_').
*
* @param object $object Object data to translate
* @param mixed $vars
* @return array
*/
protected function _ci_object_to_array($object)
protected function _ci_prepare_view_vars($vars)
{
return is_object($object) ? get_object_vars($object) : $object;
if ( ! is_array($vars))
{
$vars = is_object($vars)
? get_object_vars($vars)
: array();
}
foreach (array_keys($vars) as $key)
{
if (strncmp($key, '_ci_', 4) === 0)
{
unset($vars[$key]);
}
}
return $vars;
}
// --------------------------------------------------------------------
@@ -1404,34 +1412,4 @@ class CI_Loader {
$CI =& get_instance();
return $CI->$component;
}
// --------------------------------------------------------------------
/**
* Prep filename
*
* This function prepares filenames of various items to
* make their loading more reliable.
*
* @param string|string[] $filename Filename(s)
* @param string $extension Filename extension
* @return array
*/
protected function _ci_prep_filename($filename, $extension)
{
if ( ! is_array($filename))
{
return array(strtolower(str_replace(array($extension, '.php'), '', $filename).$extension));
}
else
{
foreach ($filename as $key => $val)
{
$filename[$key] = strtolower(str_replace(array($extension, '.php'), '', $val).$extension);
}
return $filename;
}
}
}
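Review bot: In `vars()` the string form, `array($vars => $val)`, bypasses `_ci_prepare_view_vars()`, so a key starting with `_ci_` still lands in `$this->_ci_cached_vars`, and the `_ci_load()` hunk now calls `extract($this->_ci_cached_vars)` with no prefix filtering of its own. The helper's docblock says it filters out internal variable names, presumably so that view data cannot overwrite the loader's own `_ci_` locals, which means every write path into the cache should pass through it. I would route both forms through the helper: `$vars = $this->_ci_prepare_view_vars(is_string($vars) ? array($vars => $val) : $vars);`. Which `_ci_` locals are live at the `extract()` call is not visible in these hunks.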


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
@@ -104,6 +104,13 @@ class CI_Log {
*/
protected $_levels = array('ERROR' => 1, 'DEBUG' => 2, 'INFO' => 3, 'ALL' => 4);
/**
* mbstring.func_overload flag
*
* @var bool
*/
protected static $func_overload;
// --------------------------------------------------------------------
/**
@@ -115,6 +122,8 @@ class CI_Log {
{
$config =& get_config();
isset(self::$func_overload) OR self::$func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload'));
$this->_log_path = ($config['log_path'] !== '') ? $config['log_path'] : APPPATH.'logs/';
$this->_file_ext = (isset($config['log_file_extension']) && $config['log_file_extension'] !== '')
? ltrim($config['log_file_extension'], '.') : 'php';
@@ -208,9 +217,9 @@ class CI_Log {
$message .= $this->_format_line($level, $date, $msg);
for ($written = 0, $length = strlen($message); $written < $length; $written += $result)
for ($written = 0, $length = self::strlen($message); $written < $length; $written += $result)
{
if (($result = fwrite($fp, substr($message, $written))) === FALSE)
if (($result = fwrite($fp, self::substr($message, $written))) === FALSE)
{
break;
}
@@ -237,11 +246,51 @@ class CI_Log {
*
* @param string $level The error level
* @param string $date Formatted date string
* @param string $msg The log message
* @param string $message The log message
* @return string Formatted log line with a new line character '\n' at the end
*/
protected function _format_line($level, $date, $message)
{
return $level.' - '.$date.' --> '.$message."\n";
}
// --------------------------------------------------------------------
/**
* Byte-safe strlen()
*
* @param string $str
* @return int
*/
protected static function strlen($str)
{
return (self::$func_overload)
? mb_strlen($str, '8bit')
: strlen($str);
}
// --------------------------------------------------------------------
/**
* Byte-safe substr()
*
* @param string $str
* @param int $start
* @param int $length
* @return string
*/
protected static function substr($str, $start, $length = NULL)
{
if (self::$func_overload)
{
// mb_substr($str, $start, null, '8bit') returns an empty
// string on PHP 5.3
isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start);
return mb_substr($str, $start, $length, '8bit');
}
return isset($length)
? substr($str, $start, $length)
: substr($str, $start);
}
}
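Review bot: The write loop `for ($written = 0, $length = self::strlen($message); $written < $length; $written += $result)` exits early only when fwrite() returns FALSE, so a write that reports 0 bytes leaves `$written` unchanged and the loop never terminates. To my knowledge PHP releases before 7.4 returned 0 rather than FALSE for a failed write, which would let a full disk or a broken stream hang the request inside the logger. Treating a zero-length write as a failure closes that: `if (($result = fwrite($fp, self::substr($message, $written))) === FALSE OR $result === 0)`. The loop body ends outside the hunk.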


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
@@ -51,14 +51,10 @@ class CI_Model {
/**
* Class constructor
*
* @link https://github.com/bcit-ci/CodeIgniter/issues/5332
* @return void
*/
public function __construct()
{
log_message('info', 'Model Class Initialized');
}
// --------------------------------------------------------------------
public function __construct() {}
/**
* __get magic


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
@@ -122,6 +122,13 @@ class CI_Output {
*/
public $parse_exec_vars = TRUE;
/**
* mbstring.func_overload flag
*
* @var bool
*/
protected static $func_overload;
/**
* Class constructor
*
@@ -138,6 +145,8 @@ class CI_Output {
&& extension_loaded('zlib')
);
isset(self::$func_overload) OR self::$func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload'));
// Get mime types for later
$this->mimes =& get_mimes();
@@ -285,7 +294,7 @@ class CI_Output {
/**
* Get Header
*
* @param string $header_name
* @param string $header
* @return string
*/
public function get_header($header)
@@ -302,11 +311,12 @@ class CI_Output {
return NULL;
}
for ($i = 0, $c = count($headers); $i < $c; $i++)
// Count backwards, in order to get the last matching header
for ($c = count($headers) - 1; $c > -1; $c--)
{
if (strncasecmp($header, $headers[$i], $l = strlen($header)) === 0)
if (strncasecmp($header, $headers[$c], $l = self::strlen($header)) === 0)
{
return trim(substr($headers[$i], $l+1));
return trim(self::substr($headers[$c], $l+1));
}
}
@@ -480,13 +490,13 @@ class CI_Output {
if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== FALSE)
{
header('Content-Encoding: gzip');
header('Content-Length: '.strlen($output));
header('Content-Length: '.self::strlen($output));
}
else
{
// User agent doesn't support gzip compression,
// so we'll have to decompress our cache
$output = gzinflate(substr($output, 10, -8));
$output = gzinflate(self::substr($output, 10, -8));
}
}
@@ -576,62 +586,59 @@ class CI_Output {
return;
}
if (flock($fp, LOCK_EX))
{
// If output compression is enabled, compress the cache
// itself, so that we don't have to do that each time
// we're serving it
if ($this->_compress_output === TRUE)
{
$output = gzencode($output);
if ($this->get_header('content-type') === NULL)
{
$this->set_content_type($this->mime_type);
}
}
$expire = time() + ($this->cache_expiration * 60);
// Put together our serialized info.
$cache_info = serialize(array(
'expire' => $expire,
'headers' => $this->headers
));
$output = $cache_info.'ENDCI--->'.$output;
for ($written = 0, $length = strlen($output); $written < $length; $written += $result)
{
if (($result = fwrite($fp, substr($output, $written))) === FALSE)
{
break;
}
}
flock($fp, LOCK_UN);
}
else
if ( ! flock($fp, LOCK_EX))
{
log_message('error', 'Unable to secure a file lock for file at: '.$cache_path);
fclose($fp);
return;
}
// If output compression is enabled, compress the cache
// itself, so that we don't have to do that each time
// we're serving it
if ($this->_compress_output === TRUE)
{
$output = gzencode($output);
if ($this->get_header('content-type') === NULL)
{
$this->set_content_type($this->mime_type);
}
}
$expire = time() + ($this->cache_expiration * 60);
// Put together our serialized info.
$cache_info = serialize(array(
'expire' => $expire,
'headers' => $this->headers
));
$output = $cache_info.'ENDCI--->'.$output;
for ($written = 0, $length = self::strlen($output); $written < $length; $written += $result)
{
if (($result = fwrite($fp, self::substr($output, $written))) === FALSE)
{
break;
}
}
flock($fp, LOCK_UN);
fclose($fp);
if (is_int($result))
{
chmod($cache_path, 0640);
log_message('debug', 'Cache file written: '.$cache_path);
// Send HTTP cache-control headers to browser to match file cache settings.
$this->set_cache_header($_SERVER['REQUEST_TIME'], $expire);
}
else
if ( ! is_int($result))
{
@unlink($cache_path);
log_message('error', 'Unable to write the complete cache content at: '.$cache_path);
return;
}
chmod($cache_path, 0640);
log_message('debug', 'Cache file written: '.$cache_path);
// Send HTTP cache-control headers to browser to match file cache settings.
$this->set_cache_header($_SERVER['REQUEST_TIME'], $expire);
}
// --------------------------------------------------------------------
@@ -698,11 +705,9 @@ class CI_Output {
log_message('debug', 'Cache file has expired. File deleted.');
return FALSE;
}
else
{
// Or else send the HTTP cache control headers.
$this->set_cache_header($last_modified, $expire);
}
// Send the HTTP cache control headers
$this->set_cache_header($last_modified, $expire);
// Add headers from cache file.
foreach ($cache_info['headers'] as $header)
@@ -711,7 +716,7 @@ class CI_Output {
}
// Display the cache
$this->_display(substr($cache, strlen($match[0])));
$this->_display(self::substr($cache, self::strlen($match[0])));
log_message('debug', 'Cache file is current. Sending it to browser.');
return TRUE;
}
@@ -788,13 +793,50 @@ class CI_Output {
$this->set_status_header(304);
exit;
}
else
{
header('Pragma: public');
header('Cache-Control: max-age='.$max_age.', public');
header('Expires: '.gmdate('D, d M Y H:i:s', $expiration).' GMT');
header('Last-modified: '.gmdate('D, d M Y H:i:s', $last_modified).' GMT');
}
header('Pragma: public');
header('Cache-Control: max-age='.$max_age.', public');
header('Expires: '.gmdate('D, d M Y H:i:s', $expiration).' GMT');
header('Last-modified: '.gmdate('D, d M Y H:i:s', $last_modified).' GMT');
}
// --------------------------------------------------------------------
/**
* Byte-safe strlen()
*
* @param string $str
* @return int
*/
protected static function strlen($str)
{
return (self::$func_overload)
? mb_strlen($str, '8bit')
: strlen($str);
}
// --------------------------------------------------------------------
/**
* Byte-safe substr()
*
* @param string $str
* @param int $start
* @param int $length
* @return string
*/
protected static function substr($str, $start, $length = NULL)
{
if (self::$func_overload)
{
// mb_substr($str, $start, null, '8bit') returns an empty
// string on PHP 5.3
isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start);
return mb_substr($str, $start, $length, '8bit');
}
return isset($length)
? substr($str, $start, $length)
: substr($str, $start);
}
}
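Review bot: The rewritten write loop in `_write_cache()` still stops only when `fwrite()` returns `FALSE`, so a write that returns 0 never advances `$written` and the loop can spin while the exclusive lock is held. PHP versions before 7.4 report some write failures as 0 rather than `FALSE`, and the PHP 5.3 comments elsewhere in this commit suggest those versions are still supported. Treating a zero-byte write as a failure, e.g. `if (($result = fwrite($fp, self::substr($output, $written))) === FALSE OR $result === 0) { $result = FALSE; break; }`, also keeps the later `is_int($result)` check from accepting a truncated cache file. The same loop shape appears in the CI_Log hunk at the top of this page, and `_write_cache()` starts outside its hunk.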


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0
@@ -133,15 +133,18 @@ class CI_Security {
* @var array
*/
protected $_never_allowed_str = array(
'document.cookie' => '[removed]',
'document.write' => '[removed]',
'.parentNode' => '[removed]',
'.innerHTML' => '[removed]',
'-moz-binding' => '[removed]',
'<!--' => '&lt;!--',
'-->' => '--&gt;',
'<![CDATA[' => '&lt;![CDATA[',
'<comment>' => '&lt;comment&gt;'
'document.cookie' => '[removed]',
'(document).cookie' => '[removed]',
'document.write' => '[removed]',
'(document).write' => '[removed]',
'.parentNode' => '[removed]',
'.innerHTML' => '[removed]',
'-moz-binding' => '[removed]',
'<!--' => '&lt;!--',
'-->' => '--&gt;',
'<![CDATA[' => '&lt;![CDATA[',
'<comment>' => '&lt;comment&gt;',
'<%' => '&lt;&#37;'
);
/**
@@ -151,7 +154,7 @@ class CI_Security {
*/
protected $_never_allowed_regex = array(
'javascript\s*:',
'(document|(document\.)?window)\.(location|on\w*)',
'(\(?document\)?|\(?window\)?(\.document)?)\.(location|on\w*)',
'expression\s*(\(|&\#40;)', // CSS and IE
'vbscript\s*:', // IE, surprise!
'wscript\s*:', // IE
@@ -223,14 +226,11 @@ class CI_Security {
}
}
// Do the tokens exist in both the _POST and _COOKIE arrays?
if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
OR $_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match?
{
$this->csrf_show_error();
}
// Check CSRF token validity, but don't error on mismatch just yet - we'll want to regenerate
$valid = isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
&& hash_equals($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]);
// We kill this since we're done and we don't want to polute the _POST array
// We kill this since we're done and we don't want to pollute the _POST array
unset($_POST[$this->_csrf_token_name]);
// Regenerate on every submission?
@@ -244,6 +244,11 @@ class CI_Security {
$this->_csrf_set_hash();
$this->csrf_set_cookie();
if ($valid !== TRUE)
{
$this->csrf_show_error();
}
log_message('info', 'CSRF token verified');
return $this;
}
@@ -351,9 +356,9 @@ class CI_Security {
// Is the string an array?
if (is_array($str))
{
while (list($key) = each($str))
foreach ($str as $key => &$value)
{
$str[$key] = $this->xss_clean($str[$key]);
$str[$key] = $this->xss_clean($value);
}
return $str;
@@ -371,11 +376,17 @@ class CI_Security {
*
* Note: Use rawurldecode() so it does not remove plus signs
*/
do
if (stripos($str, '%') !== false)
{
$str = rawurldecode($str);
do
{
$oldstr = $str;
$str = rawurldecode($str);
$str = preg_replace_callback('#%(?:\s*[0-9a-f]){2,}#i', array($this, '_urldecodespaces'), $str);
}
while ($oldstr !== $str);
unset($oldstr);
}
while (preg_match('/%[0-9a-f]{2,}/i', $str));
/*
* Convert character entities to ASCII
@@ -466,7 +477,7 @@ class CI_Security {
if (preg_match('/<a/i', $str))
{
$str = preg_replace_callback('#<a[^a-z0-9>]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
$str = preg_replace_callback('#<a(?:rea)?[^a-z0-9>]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
}
if (preg_match('/<img/i', $str))
@@ -492,7 +503,7 @@ class CI_Security {
* Becomes: &lt;blink&gt;
*/
$pattern = '#'
.'<((?<slash>/*\s*)(?<tagName>[a-z0-9]+)(?=[^a-z0-9]|$)' // tag start and name, followed by a non-tag character
.'<((?<slash>/*\s*)((?<tagName>[a-z0-9]+)(?=[^a-z0-9]|$)|.+)' // tag start and name, followed by a non-tag character
.'[^\s\042\047a-z0-9>/=]*' // a valid attribute character immediately after the tag would count as a separator
// optional attributes
.'(?<attributes>(?:[\s\042\047/=]*' // non-attribute characters, excluding > (tag close) for obvious reasons
@@ -533,6 +544,14 @@ class CI_Security {
$str
);
// Same thing, but for "tag functions" (e.g. eval`some code`)
// See https://github.com/bcit-ci/CodeIgniter/issues/5420
$str = preg_replace(
'#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)`(.*?)`#si',
'\\1\\2&#96;\\3&#96;',
$str
);
// Final clean up
// This adds a bit of extra precaution in case
// something got through the above filters
@@ -669,6 +688,22 @@ class CI_Security {
? ENT_COMPAT | ENT_HTML5
: ENT_COMPAT;
if ( ! isset($_entities))
{
$_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, $flag, $charset));
// If we're not on PHP 5.4+, add the possibly dangerous HTML 5
// entities to the array manually
if ($flag === ENT_COMPAT)
{
$_entities[':'] = '&colon;';
$_entities['('] = '&lpar;';
$_entities[')'] = '&rpar;';
$_entities["\n"] = '&NewLine;';
$_entities["\t"] = '&Tab;';
}
}
do
{
$str_compare = $str;
@@ -676,27 +711,6 @@ class CI_Security {
// Decode standard entities, avoiding false positives
if (preg_match_all('/&[a-z]{2,}(?![a-z;])/i', $str, $matches))
{
if ( ! isset($_entities))
{
$_entities = array_map(
'strtolower',
is_php('5.3.4')
? get_html_translation_table(HTML_ENTITIES, $flag, $charset)
: get_html_translation_table(HTML_ENTITIES, $flag)
);
// If we're not on PHP 5.4+, add the possibly dangerous HTML 5
// entities to the array manually
if ($flag === ENT_COMPAT)
{
$_entities[':'] = '&colon;';
$_entities['('] = '&lpar;';
$_entities[')'] = '&rpar;';
$_entities["\n"] = '&newline;';
$_entities["\t"] = '&tab;';
}
}
$replace = array();
$matches = array_unique(array_map('strtolower', $matches[0]));
foreach ($matches as &$match)
@@ -707,7 +721,7 @@ class CI_Security {
}
}
$str = str_ireplace(array_keys($replace), array_values($replace), $str);
$str = str_replace(array_keys($replace), array_values($replace), $str);
}
// Decode numeric & UTF16 two byte entities
@@ -716,6 +730,11 @@ class CI_Security {
$flag,
$charset
);
if ($flag === ENT_COMPAT)
{
$str = str_replace(array_values($_entities), array_keys($_entities), $str);
}
}
while ($str_compare !== $str);
return $str;
@@ -774,6 +793,24 @@ class CI_Security {
// ----------------------------------------------------------------
/**
* URL-decode taking spaces into account
*
* @see https://github.com/bcit-ci/CodeIgniter/issues/4877
* @param array $matches
* @return string
*/
protected function _urldecodespaces($matches)
{
$input = $matches[0];
$nospaces = preg_replace('#\s+#', '', $input);
return ($nospaces === $input)
? $input
: rawurldecode($nospaces);
}
// ----------------------------------------------------------------
/**
* Compact Exploded Words
*
@@ -803,7 +840,7 @@ class CI_Security {
protected function _sanitize_naughty_html($matches)
{
static $naughty_tags = array(
'alert', 'prompt', 'confirm', 'applet', 'audio', 'basefont', 'base', 'behavior', 'bgsound',
'alert', 'area', 'prompt', 'confirm', 'applet', 'audio', 'basefont', 'base', 'behavior', 'bgsound',
'blink', 'body', 'embed', 'expression', 'form', 'frameset', 'frame', 'head', 'html', 'ilayer',
'iframe', 'input', 'button', 'select', 'isindex', 'layer', 'link', 'meta', 'keygen', 'object',
'plaintext', 'style', 'script', 'textarea', 'title', 'math', 'video', 'svg', 'xml', 'xss'
@@ -826,7 +863,7 @@ class CI_Security {
// For other tags, see if their attributes are "evil" and strip those
elseif (isset($matches['attributes']))
{
// We'll store the already fitlered attributes here
// We'll store the already filtered attributes here
$attributes = array();
// Attribute-catching pattern
@@ -842,7 +879,7 @@ class CI_Security {
// Each iteration filters a single attribute
do
{
// Strip any non-alpha characters that may preceed an attribute.
// Strip any non-alpha characters that may precede an attribute.
// Browsers often parse these incorrectly and that has been a
// of numerous XSS issues we've had.
$matches['attributes'] = preg_replace('#^[^a-z]+#i', '', $matches['attributes']);
@@ -900,7 +937,7 @@ class CI_Security {
return str_replace(
$match[1],
preg_replace(
'#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
'#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si',
'',
$this->_filter_attributes($match[1])
),
@@ -928,7 +965,7 @@ class CI_Security {
return str_replace(
$match[1],
preg_replace(
'#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
'#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|base64\s*,)#si',
'',
$this->_filter_attributes($match[1])
),
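Review bot: The new CSRF comparison in `csrf_verify()` passes `$_POST[$this->_csrf_token_name]` and `$_COOKIE[$this->_csrf_cookie_name]` straight to `hash_equals()`, which accepts only strings. A token field submitted as an array satisfies `isset()` and then reaches `hash_equals()` as a non-string, which raises a warning (or a type error on newer PHP) instead of taking the normal `csrf_show_error()` path. Adding `&& is_string($_POST[$this->_csrf_token_name]) && is_string($_COOKIE[$this->_csrf_cookie_name])` ahead of the `hash_equals()` call keeps `$valid` a plain boolean. Separately, `foreach ($str as $key => &$value)` in `xss_clean()` binds `$value` by reference although it is only read; `foreach ($str as $key => $value)` does the same without leaving a reference behind. Both functions start and end outside their hunks.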


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 1.0.0


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 2.0.0


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 3.0.0
@@ -119,7 +119,7 @@ if ( ! function_exists('hash_pbkdf2'))
*/
function hash_pbkdf2($algo, $password, $salt, $iterations, $length = 0, $raw_output = FALSE)
{
if ( ! in_array($algo, hash_algos(), TRUE))
if ( ! in_array(strtolower($algo), hash_algos(), TRUE))
{
trigger_error('hash_pbkdf2(): Unknown hashing algorithm: '.$algo, E_USER_WARNING);
return FALSE;
@@ -173,7 +173,9 @@ if ( ! function_exists('hash_pbkdf2'))
return FALSE;
}
$hash_length = strlen(hash($algo, NULL, TRUE));
$hash_length = defined('MB_OVERLOAD_STRING')
? mb_strlen(hash($algo, NULL, TRUE), '8bit')
: strlen(hash($algo, NULL, TRUE));
empty($length) && $length = $hash_length;
// Pre-hash password inputs longer than the algorithm's block size
@@ -221,14 +223,14 @@ if ( ! function_exists('hash_pbkdf2'))
'whirlpool' => 64
);
if (isset($block_sizes[$algo]) && strlen($password) > $block_sizes[$algo])
if (isset($block_sizes[$algo], $password[$block_sizes[$algo]]))
{
$password = hash($algo, $password, TRUE);
}
$hash = '';
// Note: Blocks are NOT 0-indexed
for ($bc = ceil($length / $hash_length), $bi = 1; $bi <= $bc; $bi++)
for ($bc = (int) ceil($length / $hash_length), $bi = 1; $bi <= $bc; $bi++)
{
$key = $derived_key = hash_hmac($algo, $salt.pack('N', $bi), $password, TRUE);
for ($i = 1; $i < $iterations; $i++)
@@ -240,6 +242,13 @@ if ( ! function_exists('hash_pbkdf2'))
}
// This is not RFC-compatible, but we're aiming for natural PHP compatibility
return substr($raw_output ? $hash : bin2hex($hash), 0, $length);
if ( ! $raw_output)
{
$hash = bin2hex($hash);
}
return defined('MB_OVERLOAD_STRING')
? mb_substr($hash, 0, $length, '8bit')
: substr($hash, 0, $length);
}
}
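Review bot: `hash_pbkdf2()` now lowercases `$algo` only inside the `in_array()` check, so a mixed-case name passes validation but, as far as the hunks show, is still used unchanged for the `$block_sizes[$algo]` lookup, whose visible key is lowercase. The pre-hash of over-long passwords would then be silently skipped for that call. Normalising once with `$algo = strtolower($algo);` ahead of the check keeps validation and lookup in agreement. The string-offset test `isset($block_sizes[$algo], $password[$block_sizes[$algo]])` also deserves a comment such as `// byte-wise "longer than the block size" test, unaffected by mbstring.func_overload`. The body between the hunks is not visible, so `$algo` may already be normalised there.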


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 3.0.0
@@ -68,7 +68,7 @@ if ( ! function_exists('mb_strlen'))
* @link http://php.net/mb_strlen
* @param string $str
* @param string $encoding
* @return string
* @return int
*/
function mb_strlen($str, $encoding = NULL)
{


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 3.0.0
@@ -50,7 +50,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
// ------------------------------------------------------------------------
if (is_php('5.5') OR ! is_php('5.3.7') OR ! defined('CRYPT_BLOWFISH') OR CRYPT_BLOWFISH !== 1 OR defined('HHVM_VERSION'))
if (is_php('5.5') OR ! defined('CRYPT_BLOWFISH') OR CRYPT_BLOWFISH !== 1 OR defined('HHVM_VERSION'))
{
return;
}
@@ -94,8 +94,8 @@ if ( ! function_exists('password_hash'))
*/
function password_hash($password, $algo, array $options = array())
{
static $func_override;
isset($func_override) OR $func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override'));
static $func_overload;
isset($func_overload) OR $func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload'));
if ($algo !== 1)
{
@@ -109,21 +109,29 @@ if ( ! function_exists('password_hash'))
return NULL;
}
if (isset($options['salt']) && ($saltlen = ($func_override ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))) < 22)
if (isset($options['salt']) && ($saltlen = ($func_overload ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))) < 22)
{
trigger_error('password_hash(): Provided salt is too short: '.$saltlen.' expecting 22', E_USER_WARNING);
return NULL;
}
elseif ( ! isset($options['salt']))
{
if (defined('MCRYPT_DEV_URANDOM'))
if (function_exists('random_bytes'))
{
try
{
$options['salt'] = random_bytes(16);
}
catch (Exception $e)
{
log_message('error', 'compat/password: Error while trying to use random_bytes(): '.$e->getMessage());
return FALSE;
}
}
elseif (defined('MCRYPT_DEV_URANDOM'))
{
$options['salt'] = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
}
elseif (function_exists('openssl_random_pseudo_bytes'))
{
$options['salt'] = openssl_random_pseudo_bytes(16);
}
elseif (DIRECTORY_SEPARATOR === '/' && (is_readable($dev = '/dev/arandom') OR is_readable($dev = '/dev/urandom')))
{
if (($fp = fopen($dev, 'rb')) === FALSE)
@@ -136,7 +144,7 @@ if ( ! function_exists('password_hash'))
is_php('5.4') && stream_set_chunk_size($fp, 16);
$options['salt'] = '';
for ($read = 0; $read < 16; $read = ($func_override) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))
for ($read = 0; $read < 16; $read = ($func_overload) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))
{
if (($read = fread($fp, 16 - $read)) === FALSE)
{
@@ -148,6 +156,16 @@ if ( ! function_exists('password_hash'))
fclose($fp);
}
elseif (function_exists('openssl_random_pseudo_bytes'))
{
$is_secure = NULL;
$options['salt'] = openssl_random_pseudo_bytes(16, $is_secure);
if ($is_secure !== TRUE)
{
log_message('error', 'compat/password: openssl_random_pseudo_bytes() set the $cryto_strong flag to FALSE');
return FALSE;
}
}
else
{
log_message('error', 'compat/password: No CSPRNG available.');
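Review bot: The error logged in the new `openssl_random_pseudo_bytes()` branch misspells the flag as `$cryto_strong`. `'compat/password: openssl_random_pseudo_bytes() set the $crypto_strong flag to FALSE'` matches the parameter name an operator would search the logs for. The new failure paths return `FALSE` while the validation failures earlier in `password_hash()` return `NULL`, so the docblock (outside the hunk) should list both. Callers are safer testing the result with `is_string()` than with a loose comparison. `password_hash()` continues past the end of the last hunk.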


@@ -6,7 +6,7 @@
*
* This content is released under the MIT License (MIT)
*
* Copyright (c) 2014 - 2016, British Columbia Institute of Technology
* Copyright (c) 2014 - 2018, British Columbia Institute of Technology
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
* @package CodeIgniter
* @author EllisLab Dev Team
* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
* @copyright Copyright (c) 2014 - 2016, British Columbia Institute of Technology (http://bcit.ca/)
* @copyright Copyright (c) 2014 - 2018, British Columbia Institute of Technology (http://bcit.ca/)
* @license http://opensource.org/licenses/MIT MIT License
* @link https://codeigniter.com
* @since Version 3.0.0
@@ -62,7 +62,7 @@ if ( ! function_exists('array_column'))
* array_column()
*
* @link http://php.net/array_column
* @param string $array
* @param array $array
* @param mixed $column_key
* @param mixed $index_key
* @return array
@@ -153,7 +153,7 @@ if ( ! function_exists('hex2bin'))
*/
function hex2bin($data)
{
if (in_array($type = gettype($data), array('array', 'double', 'object'), TRUE))
if (in_array($type = gettype($data), array('array', 'double', 'object', 'resource'), TRUE))
{
if ($type === 'object' && method_exists($data, '__toString'))
{
@@ -180,210 +180,3 @@ if ( ! function_exists('hex2bin'))
return pack('H*', $data);
}
}
// ------------------------------------------------------------------------
if (is_php('5.3'))
{
return;
}
// ------------------------------------------------------------------------
if ( ! function_exists('array_replace'))
{
/**
* array_replace()
*
* @link http://php.net/array_replace
* @return array
*/
function array_replace()
{
$arrays = func_get_args();
if (($c = count($arrays)) === 0)
{
trigger_error('array_replace() expects at least 1 parameter, 0 given', E_USER_WARNING);
return NULL;
}
elseif ($c === 1)
{
if ( ! is_array($arrays[0]))
{
trigger_error('array_replace(): Argument #1 is not an array', E_USER_WARNING);
return NULL;
}
return $arrays[0];
}
$array = array_shift($arrays);
$c--;
for ($i = 0; $i < $c; $i++)
{
if ( ! is_array($arrays[$i]))
{
trigger_error('array_replace(): Argument #'.($i + 2).' is not an array', E_USER_WARNING);
return NULL;
}
elseif (empty($arrays[$i]))
{
continue;
}
foreach (array_keys($arrays[$i]) as $key)
{
$array[$key] = $arrays[$i][$key];
}
}
return $array;
}
}
// ------------------------------------------------------------------------
if ( ! function_exists('array_replace_recursive'))
{
/**
* array_replace_recursive()
*
* @link http://php.net/array_replace_recursive
* @return array
*/
function array_replace_recursive()
{
$arrays = func_get_args();
if (($c = count($arrays)) === 0)
{
trigger_error('array_replace_recursive() expects at least 1 parameter, 0 given', E_USER_WARNING);
return NULL;
}
elseif ($c === 1)
{
if ( ! is_array($arrays[0]))
{
trigger_error('array_replace_recursive(): Argument #1 is not an array', E_USER_WARNING);
return NULL;
}
return $arrays[0];
}
$array = array_shift($arrays);
$c--;
for ($i = 0; $i < $c; $i++)
{
if ( ! is_array($arrays[$i]))
{
trigger_error('array_replace_recursive(): Argument #'.($i + 2).' is not an array', E_USER_WARNING);
return NULL;
}
elseif (empty($arrays[$i]))
{
continue;
}
foreach (array_keys($arrays[$i]) as $key)
{
$array[$key] = (is_array($arrays[$i][$key]) && isset($array[$key]) && is_array($array[$key]))
? array_replace_recursive($array[$key], $arrays[$i][$key])
: $arrays[$i][$key];
}
}
return $array;
}
}
// ------------------------------------------------------------------------
if ( ! function_exists('quoted_printable_encode'))
{
/**
* quoted_printable_encode()
*
* @link http://php.net/quoted_printable_encode
* @param string $str
* @return string
*/
function quoted_printable_encode($str)
{
if (strlen($str) === 0)
{
return '';
}
elseif (in_array($type = gettype($str), array('array', 'object'), TRUE))
{
if ($type === 'object' && method_exists($str, '__toString'))
{
$str = (string) $str;
}
else
{
trigger_error('quoted_printable_encode() expects parameter 1 to be string, '.$type.' given', E_USER_WARNING);
return NULL;
}
}
if (function_exists('imap_8bit'))
{
return imap_8bit($str);
}
$i = $lp = 0;
$output = '';
$hex = '0123456789ABCDEF';
$length = (extension_loaded('mbstring') && ini_get('mbstring.func_overload'))
? mb_strlen($str, '8bit')
: strlen($str);
while ($length--)
{
if ((($c = $str[$i++]) === "\015") && isset($str[$i]) && ($str[$i] === "\012") && $length > 0)
{
$output .= "\015".$str[$i++];
$length--;
$lp = 0;
continue;
}
if (
ctype_cntrl($c)
OR (ord($c) === 0x7f)
OR (ord($c) & 0x80)
OR ($c === '=')
OR ($c === ' ' && isset($str[$i]) && $str[$i] === "\015")
)
{
if (
(($lp += 3) > 75 && ord($c) <= 0x7f)
OR (ord($c) > 0x7f && ord($c) <= 0xdf && ($lp + 3) > 75)
OR (ord($c) > 0xdf && ord($c) <= 0xef && ($lp + 6) > 75)
OR (ord($c) > 0xef && ord($c) <= 0xf4 && ($lp + 9) > 75)
)
{
$output .= "=\015\012";
$lp = 3;
}
$output .= '='.$hex[ord($c) >> 4].$hex[ord($c) & 0xf];
continue;
}
if ((++$lp) > 75)
{
$output .= "=\015\012";
$lp = 1;
}
$output .= $c;
}
return $output;
}
}