
base fork: it-can/CodeIgniter
base: 99be331653
...
head fork: it-can/CodeIgniter
compare: 1553444fff
  • 4 commits
  • 6 files changed
  • 0 commit comments
  • 2 contributors
Commits on Nov 07, 2012
Andrey Andreev narfbg [ci skip] Update the upgrade instructions 17e11cd
Andrey Andreev narfbg Added function_usable() to common functions
It is now used to check whether dangerous functions like eval() and exec() are available.
It appears that the Suhosin extension (which is becoming popular) terminates script
execution instead of returning e.g. FALSE when it has a function blacklisted.
function_exists() checks are insufficient and our only option is to check the ini
settings here.

Filed an issue here: stefanesser/suhosin#18
... hopefully we'll be able to deal with this in a more elegant way in the future.

(this commit supersedes PR #1809)
e9d2dc8
Commits on Nov 08, 2012
Andrey Andreev narfbg Change route type checks priorities 96ea528
M. Vugteveen ci update 1553444
47 system/core/Common.php
@@ -651,5 +651,52 @@ function _stringify_attributes($attributes, $js = FALSE)
}
}
+// ------------------------------------------------------------------------
+
+if ( ! function_exists('function_usable'))
+{
+ /**
+ * Function usable
+ *
+ * Executes a function_exists() check, and if the Suhosin PHP
+ * extension is loaded - checks whether the function that is
+ * checked might be disabled in there as well.
+ *
+ * This is useful as function_exists() will return FALSE for
+ * functions disabled via the *disable_functions* php.ini
+ * setting, but not for *suhosin.executor.func.blacklist* and
+ * *suhosin.executor.disable_eval*. These settings will just
+ * terminate script execution if a disabled function is executed.
+ *
+ * @link http://www.hardened-php.net/suhosin/
+ * @param string $function_name Function to check for
+ * @return bool TRUE if the function exists and is safe to call,
+ * FALSE otherwise.
+ */
+ function function_usable($function_name)
+ {
+ static $_suhosin_func_blacklist;
+
+ if (function_exists($function_name))
+ {
+ if ( ! isset($_suhosin_func_blacklist))
+ {
+ $_suhosin_func_blacklist = extension_loaded('suhosin')
+ ? array()
+ : explode(',', trim(@ini_get('suhosin.executor.func.blacklist')));
+
+ if ( ! in_array('eval', $_suhosin_func_blacklist, TRUE) && @ini_get('suhosin.executor.disable_eval'))
+ {
+ $_suhosin_func_blacklist[] = 'eval';
+ }
+ }
+
+ return in_array($function_name, $_suhosin_func_blacklist, TRUE);
+ }
+
+ return FALSE;
+ }
+}
+
/* End of file Common.php */
/* Location: ./system/core/Common.php */
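Review bot: The new function_usable() answers the opposite question on both of its branches: the ternary on the `extension_loaded('suhosin')` line assigns an empty blacklist when Suhosin *is* loaded and parses `suhosin.executor.func.blacklist` when it is not, and the final `return in_array($function_name, $_suhosin_func_blacklist, TRUE);` yields TRUE exactly when the function is blacklisted. Swap the ternary arms to `? explode(',', trim(@ini_get('suhosin.executor.func.blacklist')))` / `: array()` and negate the return, `return ! in_array($function_name, $_suhosin_func_blacklist, TRUE);`. As written, every call site introduced by this commit (Loader.php, Email.php, Image_lib.php, Upload.php) is inverted: exec()/popen()/shell_exec() are skipped where they are usable and attempted where Suhosin blocks them, which is the script termination the commit description sets out to avoid. The blacklist value is also only trimmed as a whole string, so an entry list written as `eval, exec` would not match; `array_map('trim', explode(',', ...))` handles that.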
4 system/core/Loader.php
@@ -871,7 +871,9 @@ protected function _ci_load($_ci_data)
// If the PHP installation does not support short tags we'll
// do a little string replacement, changing the short tags
// to standard PHP echo statements.
- if ( ! is_php('5.4') && (bool) @ini_get('short_open_tag') === FALSE && config_item('rewrite_short_tags') === TRUE)
+ if ( ! is_php('5.4') && (bool) @ini_get('short_open_tag') === FALSE
+ && config_item('rewrite_short_tags') === TRUE && function_usable('eval')
+ )
{
echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));
}
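Review bot: `function_usable('eval')` in the added condition can never be TRUE: eval is a language construct rather than a function, so `function_exists('eval')` is always FALSE and function_usable() takes its `return FALSE;` path, which makes the short-tag rewrite below dead code. function_usable() needs an explicit branch for `'eval'` that consults `suhosin.executor.disable_eval` (and the blacklist) without going through function_exists(), or this condition should test `(bool) @ini_get('suhosin.executor.disable_eval') === FALSE` directly. _ci_load() starts and ends outside this hunk.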
12 system/core/Router.php
@@ -341,8 +341,13 @@ protected function _parse_routes()
// Does the RegEx match?
if (preg_match('#^'.$key.'$#', $uri, $matches))
{
+ // Are we using the default routing method for back-references?
+ if (strpos($val, '$') !== FALSE && strpos($key, '(') !== FALSE)
+ {
+ $val = preg_replace('#^'.$key.'$#', $val, $uri);
+ }
// Are we using callbacks to process back-references?
- if ( ! is_string($val) && is_callable($val))
+ elseif ( ! is_string($val) && is_callable($val))
{
// Remove the original string from the matches array.
array_shift($matches);
@@ -379,11 +384,6 @@ protected function _parse_routes()
// Execute the callback using the values in matches as its parameters.
$val = call_user_func_array($val, $matches);
}
- // Are we using the default routing method for back-references?
- elseif (strpos($val, '$') !== FALSE && strpos($key, '(') !== FALSE)
- {
- $val = preg_replace('#^'.$key.'$#', $val, $uri);
- }
return $this->_set_request(explode('/', $val));
}
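Review bot: Moving the `$` back-reference test ahead of the callable test means a Closure or array callable in `$val` now reaches `strpos($val, '$')` first; on PHP 5.x strpos() on a non-string emits a warning and returns NULL, and `NULL !== FALSE` is TRUE, so a callable route whose key contains a capture group would be pushed through preg_replace() instead of call_user_func_array(). Guard the first branch with the string check, `if (is_string($val) && strpos($val, '$') !== FALSE && strpos($key, '(') !== FALSE)`, or restore the original order with the callable test first. The second hunk of this file only removes the old position of the same branch. _parse_routes() continues outside both hunks.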
11 system/libraries/Email.php
@@ -1732,11 +1732,14 @@ protected function _send_with_mail()
*/
protected function _send_with_sendmail()
{
- $fp = @popen($this->mailpath.' -oi -f '.$this->clean_email($this->_headers['From']).' -t'.' -r '.$this->clean_email($this->_headers['Return-Path']), 'w');
-
- if ($fp === FALSE OR $fp === NULL)
+ // is popen() enabled?
+ if ( ! function_usable('popen')
+ OR FALSE === ($fp = @popen(
+ $this->mailpath.' -oi -f '.$this->clean_email($this->_headers['From'])
+ .' -t -r '.$this->clean_email($this->_headers['Return-Path'])
+ , 'w'))
+ ) // server probably has popen disabled, so nothing we can do to get a verbose error.
{
- // server probably has popen disabled, so nothing we can do to get a verbose error.
return FALSE;
}
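Review bot: The rewritten guard drops the `$fp === NULL` case the old code checked and folds the popen() assignment into the condition, leaving the explanatory comment dangling after the closing parenthesis on the `)` line, which is hard to read and easy to misplace in later edits. Keep the two concerns separate: test function_usable() on its own, then call popen() and test the handle with is_resource(), which covers both FALSE and NULL and matches the `is_resource($proc)` check Upload.php already uses. _send_with_sendmail() continues outside the hunk.
```php
// is popen() enabled?
if ( ! function_usable('popen'))
{
    return FALSE;
}

$fp = @popen($this->mailpath.' -oi -f '.$this->clean_email($this->_headers['From'])
    .' -t -r '.$this->clean_email($this->_headers['Return-Path']), 'w');

if ( ! is_resource($fp))
{
    // server probably has popen disabled, so nothing we can do to get a verbose error.
    return FALSE;
}
// … unchanged: rest of _send_with_sendmail() …
```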
14 system/libraries/Image_lib.php
@@ -867,7 +867,11 @@ public function image_process_imagemagick($action = 'resize')
}
$retval = 1;
- @exec($cmd, $output, $retval);
+ // exec() might be disabled
+ if (function_usable('exec'))
+ {
+ @exec($cmd, $output, $retval);
+ }
// Did it work?
if ($retval > 0)
@@ -947,7 +951,11 @@ public function image_process_netpbm($action = 'resize')
$cmd = $this->library_path.$cmd_in.' '.$this->full_src_path.' | '.$cmd_inner.' | '.$cmd_out.' > '.$this->dest_folder.'netpbm.tmp';
$retval = 1;
- @exec($cmd, $output, $retval);
+ // exec() might be disabled
+ if (function_usable('exec'))
+ {
+ @exec($cmd, $output, $retval);
+ }
// Did it work?
if ($retval > 0)
@@ -959,7 +967,7 @@ public function image_process_netpbm($action = 'resize')
// With NetPBM we have to create a temporary image.
// If you try manipulating the original it fails so
// we have to rename the temp file.
- copy ($this->dest_folder.'netpbm.tmp', $this->full_dst_path);
+ copy($this->dest_folder.'netpbm.tmp', $this->full_dst_path);
unlink($this->dest_folder.'netpbm.tmp');
@chmod($this->full_dst_path, FILE_WRITE_MODE);
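Review bot: When `function_usable('exec')` is FALSE, the new branches in both the imagemagick and netpbm hunks leave `$retval` at 1 but never define `$output`, so if the `$retval > 0` failure path below (outside the hunk) reads `$output` it runs on an undefined variable, and the error it reports is the generic process failure rather than that exec() is unavailable. Initialise `$output = array();` next to `$retval = 1;` and consider an else branch that sets a distinct error message so an operator can tell a blocked exec() from a failed conversion. The third hunk only normalises the `copy(` spacing. Both methods continue outside their hunks.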
6 system/libraries/Upload.php
@@ -1208,7 +1208,7 @@ protected function _file_mime_type($file)
? 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1'
: 'file --brief --mime '.$file['tmp_name'].' 2>&1';
- if (function_exists('exec'))
+ if (function_usable('exec'))
{
/* This might look confusing, as $mime is being populated with all of the output when set in the second parameter.
* However, we only neeed the last line, which is the actual return value of exec(), and as such - it overwrites
@@ -1223,7 +1223,7 @@ protected function _file_mime_type($file)
}
}
- if ( (bool) @ini_get('safe_mode') === FALSE && function_exists('shell_exec'))
+ if ( (bool) @ini_get('safe_mode') === FALSE && function_usable('shell_exec'))
{
$mime = @shell_exec($cmd);
if (strlen($mime) > 0)
@@ -1237,7 +1237,7 @@ protected function _file_mime_type($file)
}
}
- if (function_exists('popen'))
+ if (function_usable('popen'))
{
$proc = @popen($cmd, 'r');
if (is_resource($proc))
