Automated merge with https://bitbucket.org/barrymieny/codeigniter

commit 076a39a981fd7609b081923526b9999bd6641110 2 parents 3df6221 + 822470d
@derekjones derekjones authored
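--- a/application/config/config.php
+++ b/application/config/config.php
@@ -274,9 +274,9 @@
 /*
 |--------------------------------------------------------------------------
-| Cross Site Forgery Request
+| Cross Site Request Forgery
 |--------------------------------------------------------------------------
-| Enables a CSFR cookie token to be set. When set to TRUE, token will be
+| Enables a CSRF cookie token to be set. When set to TRUE, token will be
 | checked on a submitted form. If you are accepting user data, it is strongly
 | recommended CSRF protection be enabled.
 */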
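--- a/index.php
+++ b/index.php
@@ -6,7 +6,7 @@
 *---------------------------------------------------------------
 *
 * By default CI runs with error reporting set to ALL. For security
- * reasons you are encouraged to change this when your site goes live.
+ * reasons you are encouraged to change this to 0 when your site goes live.
 * For more info visit: http://www.php.net/error_reporting
 *
 */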
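--- a/system/core/Router.php
+++ b/system/core/Router.php
@@ -345,7 +345,7 @@ function _parse_routes()
 */
 function set_class($class)
 {
- $this->class = $class;
+ $this->class = str_replace(array('/', '.'), '', $class);
 }
 // --------------------------------------------------------------------
@@ -404,7 +404,7 @@ function fetch_method()
 */
 function set_directory($dir)
 {
- $this->directory = trim($dir, '/').'/';
+ $this->directory = str_replace(array('/', '.'), '', $dir).'/';
 }
 // --------------------------------------------------------------------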
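Review bot: Both new `str_replace(array('/', '.'), '', ...)` calls, in set_class and again in set_directory, sanitize by deletion, so two inputs that differ only in the stripped characters collapse onto the same name, and a value such as `'..'` becomes the empty string — in set_directory that yields `'/'` where the old `trim($dir, '/').'/'` gave `'../'`. The more conservative check is to reject a value that changes under sanitization rather than silently rewrite it, e.g. in set_directory `if ($dir !== str_replace(array('/', '.'), '', $dir)) show_404();` before the assignment, and likewise in set_class. The docblocks above both setters begin outside the hunk and say nothing about this stripping; the `@param` line for each should state that any `/` or `.` characters in the argument are removed.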
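--- a/system/libraries/Javascript.php
+++ b/system/libraries/Javascript.php
@@ -22,7 +22,7 @@
 * @subpackage Libraries
 * @category Javascript
 * @author ExpressionEngine Dev Team
- * @link http://codeigniter.com/user_guide/general/errors.html
+ * @link http://codeigniter.com/user_guide/libraries/javascript.html
 */
 class CI_Javascript {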
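--- a/system/libraries/Security.php
+++ b/system/libraries/Security.php
@@ -680,11 +680,10 @@ function entity_decode($str, $charset='UTF-8')
 * @param string
 * @return string
 */
- function sanitize_filename($str)
+ function sanitize_filename($str, $relative_path = FALSE)
 {
 $bad = array(
 "../",
- "./",
 "<!--",
 "-->",
 "<",
@@ -701,7 +700,6 @@ function sanitize_filename($str)
 '=',
 ';',
 '?',
- '/',
 "%20",
 "%22",
 "%3c", // <
@@ -717,6 +715,12 @@ function sanitize_filename($str)
 "%3b", // ;
 "%3d" // =
 );
+
+ if ( ! $relative_path)
+ {
+ $bad[] = './';
+ $bad[] = '/';
+ }
 return stripslashes(str_replace($bad, '', $str));
 }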
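Review bot: With `$relative_path` set to TRUE the final `return stripslashes(str_replace($bad, '', $str));` removes `'../'` in a single pass and no longer strips `'./'` or `'/'` as a backstop, so an input in which deleting one `'../'` leaves another one behind still comes out containing a traversal sequence; before this change the unconditional removal of `'/'` covered that case. Repeating the replacement until the string stops changing closes the gap in both modes, at the cost of one extra loop. The `@param string` docblock above the signature (it starts before the first hunk) also lacks an entry for the new flag, e.g. `@param bool $relative_path  keep './' and '/' so that a relative path is preserved (default FALSE)`.
```php
    if ( ! $relative_path)
    {
        $bad[] = './';
        $bad[] = '/';
    }

    // Repeat until stable: one pass of str_replace can leave a new "../" behind
    do
    {
        $old = $str;
        $str = str_replace($bad, '', $str);
    }
    while ($old !== $str);

    return stripslashes($str);
```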
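--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -61,7 +61,7 @@ function CI_Session($params = array())
 // Set all the session preferences, which can either be set
 // manually via the $params array above or via the config file
- foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
+ foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
 {
 $this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key);
 }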
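Review bot: `sess_expire_on_close` is added to the preference list on the new foreach line, but no other hunk in this commit adds a matching `$config['sess_expire_on_close']` entry (the `application/config/config.php` section only rewords the CSRF comment), so on a config file without it the value falls through to `$this->CI->config->item($key)` for an undefined key — presumably FALSE, which should be confirmed and documented where the key is later read. A config entry with a documented default, or a comment on this foreach stating which keys are optional and what they default to, would make the intended behaviour explicit. As a point of style, this one-line array has grown to fourteen entries; splitting it one key per line would keep future additions reviewable in a diff. The enclosing CI_Session constructor continues outside the hunk.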
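--- a/user_guide/libraries/security.html
+++ b/user_guide/libraries/security.html
@@ -102,6 +102,11 @@
 <code>$filename = $this->security->sanitize_filename($this->input->post('filename'));</code>
+<p>If it is acceptable for the user input to include relative paths, e.g. <kbd>file/in/some/approved/folder.txt</kbd>, you can set the second optional parameter,
+ <samp>$relative_path</samp> to TRUE.</p>
+
+<code>$filename = $this->security->sanitize_filename($this->input->post('filename'), TRUE);</code>
+
 <!-- @todo write docs for CSRF methods -->
 </div>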