* Added valid_base64() to the Validation class
* Tightened up validation of the supplied string given to the decode() method of the Encryption class (#3320)
diff --git a/system/libraries/Encrypt.php b/system/libraries/Encrypt.php
index b533c04..48f9d3e 100644
--- a/system/libraries/Encrypt.php
+++ b/system/libraries/Encrypt.php
@@ -27,7 +27,8 @@
  * @link		http://codeigniter.com/user_guide/libraries/encryption.html

  */

 class CI_Encrypt {

-

+	

+	var $CI;

 	var $encryption_key	= '';

 	var $_hash_type	= 'sha1';

 	var $_mcrypt_exists = FALSE;
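Review bot: The new `var $CI;` property is undocumented, and nothing in this hunk says what it holds or who assigns it; a one-line comment above it, `// Reference to the CI super-object, assigned in the constructor via get_instance()`, would spare readers a trip to the constructor. The added line just above it consists only of a tab, which most editors will flag as trailing whitespace; a plain empty line is what the surrounding file uses.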

@@ -42,6 +43,7 @@
 	 */

 	function CI_Encrypt()

 	{

+		$this->CI =& get_instance();

 		$this->_mcrypt_exists = ( ! function_exists('mcrypt_encrypt')) ? FALSE : TRUE;

 		log_message('debug', "Encrypt Class Initialized");

 	}

@@ -138,16 +140,22 @@
 	function decode($string, $key = '')

 	{

 		$key = $this->get_key($key);

+		

+		$this->CI->load->library('validation');

+		

+		if ($this->CI->validation->valid_base64($string) === FALSE)

+		{

+			return FALSE;

+		}

+

 		$dec = base64_decode($string);

-		

-		 if ($dec === FALSE)

-		 {

-		 	return FALSE;

-		 }

-		

+

 		if ($this->_mcrypt_exists === TRUE)

 		{

-			$dec = $this->mcrypt_decode($dec, $key);

+			if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)

+			{

+				return FALSE;

+			}

 		}

 		

 		return $this->_xor_decode($dec, $key);
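Review bot: The alphabet check added before `base64_decode($string)` does not make the input decodable Base64 — `valid_base64()` only rejects characters outside the alphabet, so a string of the wrong length or with `=` padding in the middle still passes and is then decoded leniently rather than rejected, while the removed `$dec === FALSE` branch was the only place that could catch it. Keeping that check and decoding strictly, `$dec = base64_decode($string, TRUE);` followed by `if ($dec === FALSE) { return FALSE; }`, would reject malformed input before it reaches mcrypt_decode(). The non-mcrypt path hands `$dec` to `_xor_decode()` without any length guard, so whether an empty decoded string is handled there cannot be judged from this hunk. decode()'s closing brace is outside the hunk.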

@@ -266,6 +274,12 @@
 	{

 		$data = $this->_remove_cipher_noise($data, $key);

 		$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());

+		

+		if ($init_size > strlen($data))

+		{

+			return FALSE;

+		}

+		

 		$init_vect = substr($data, 0, $init_size);

 		$data = substr($data, $init_size);

 		return rtrim(mcrypt_decrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), "\0");
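Review bot: The new guard uses `>`, so when `strlen($data)` equals `$init_size` the IV consumes the whole buffer and the `substr($data, $init_size)` below yields an empty string (or FALSE on older PHP versions, where substr() returned FALSE when the offset equals the length) that is then passed to mcrypt_decrypt(); `if ($init_size >= strlen($data))` would treat a message with an IV but no ciphertext as invalid too. Whether mcrypt_decrypt() warns or returns an empty string for zero-length input presumably depends on the PHP build, which is a further reason to reject it here. mcrypt_decode()'s signature is outside the hunk.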

diff --git a/system/libraries/Validation.php b/system/libraries/Validation.php
index 162d362..7720a7d 100644
--- a/system/libraries/Validation.php
+++ b/system/libraries/Validation.php
@@ -573,6 +573,23 @@
 	// --------------------------------------------------------------------

 	

 	/**

+	 * Valid Base64

+	 *

+	 * Tests a string for characters outside of the Base64 alphabet

+	 * as defined by RFC 2045 http://www.faqs.org/rfcs/rfc2045

+	 *

+	 * @access	public

+	 * @param	string

+	 * @return	bool

+	 */

+	function valid_base64($str)

+	{

+		return (bool) ! preg_match('/[^a-zA-Z0-9\/\+=]/', $str);

+	}

+

+	// --------------------------------------------------------------------

+	

+	/**

 	 * Set Select

 	 *

 	 * Enables pull-down lists to be set to the value the user
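Review bot: `return (bool) ! preg_match(...)` in valid_base64() double-converts — `!` already yields a bool — and it reports a preg_match() failure (FALSE) as a valid string, since `! FALSE` is TRUE; `return preg_match('/[^a-zA-Z0-9\/\+=]/', $str) === 0;` says the same thing for the normal case and treats an engine error as "not valid". The docblock accurately describes a character-set test, but the name "Valid Base64" invites callers to read it as a decodability guarantee; adding `* Note: checks the alphabet only; length and '=' padding position are not verified.` to the description would make the limit explicit.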

diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index b55de62..c9d2684 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -116,6 +116,7 @@
 			<li>Added a language entry for valid_ip validation error.</li>

 		    <li>Modified prep_for_form() in the Validation class to accept arrays, adding support for POST array validation (via callbacks only)</li>

 		    <li>Added an &quot;integer&quot; rule into the <a href="./libraries/validation.html">Validation</a> library.</li>

+			<li>Added valid_base64() to the Validation library.</li>

 		    <li>Changed the behaviour of custom callbacks so that they no longer trigger the &quot;required&quot; rule. </li>

 			<li>Modified Upload class $_FILES error messages to be more precise.</li>

 			<li>Moved the safe mode and auth checks for the Email library into the constructor. </li>

diff --git a/user_guide/libraries/validation.html b/user_guide/libraries/validation.html
index f9cac85..facd1a5 100644
--- a/user_guide/libraries/validation.html
+++ b/user_guide/libraries/validation.html
@@ -602,6 +602,12 @@
 <td class="td">Returns FALSE if the supplied IP is not valid.</td>

 <td class="td">&nbsp;</td>

 </tr>

+<tr>

+    <td class="td"><strong>valid_base64</strong></td>

+    <td class="td">No</td>

+    <td class="td">Returns FALSE if the supplied string contains anything other than valid Base64 characters.</td>

+    <td class="td">&nbsp;</td>

+</tr>

 </table>

 

 <p><strong>Note:</strong> These rules can also be called as discreet functions. For example:</p>