* Added valid_base64() to the Validation class
* Tightened up validation of the supplied string given to the decode() method of the Encryption class (#3320)
diff --git a/system/libraries/Encrypt.php b/system/libraries/Encrypt.php
index b533c04..48f9d3e 100644
--- a/system/libraries/Encrypt.php
+++ b/system/libraries/Encrypt.php
@@ -27,7 +27,8 @@
  * @link		http://codeigniter.com/user_guide/libraries/encryption.html

  */

 class CI_Encrypt {

-

+	

+	var $CI;

 	var $encryption_key	= '';

 	var $_hash_type	= 'sha1';

 	var $_mcrypt_exists = FALSE;

@@ -42,6 +43,7 @@
 	 */

 	function CI_Encrypt()

 	{

+		$this->CI =& get_instance();

 		$this->_mcrypt_exists = ( ! function_exists('mcrypt_encrypt')) ? FALSE : TRUE;

 		log_message('debug', "Encrypt Class Initialized");

 	}

@@ -138,16 +140,22 @@
 	function decode($string, $key = '')

 	{

 		$key = $this->get_key($key);

+		

+		$this->CI->load->library('validation');

+		

+		if ($this->CI->validation->valid_base64($string) === FALSE)

+		{

+			return FALSE;

+		}

+

 		$dec = base64_decode($string);

-		

-		 if ($dec === FALSE)

-		 {

-		 	return FALSE;

-		 }

-		

+

 		if ($this->_mcrypt_exists === TRUE)

 		{

-			$dec = $this->mcrypt_decode($dec, $key);

+			if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)

+			{

+				return FALSE;

+			}

 		}

 		

 		return $this->_xor_decode($dec, $key);
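Review bot: The alphabet check added at the top of decode() still lets a malformed string through, because valid_base64() only rejects characters outside the Base64 set — not a length that is not a multiple of four or `=` padding in the middle — and base64_decode() in its default lenient mode quietly decodes such input rather than returning FALSE, so the removed `$dec === FALSE` branch was doing little and the new check does little more. If the library's PHP floor permits the strict flag, `$dec = base64_decode($string, TRUE);` followed by `if ($dec === FALSE) return FALSE;` is a tighter replacement for the regex check. Loading the Validation library from inside the Encrypt class only to run a one-line regex couples the two libraries; a private helper or an inline `preg_match()` here would avoid pulling in a library for this. Nothing in this hunk authenticates the ciphertext, so a well-formed but tampered string still reaches mcrypt_decode()/_xor_decode(); only an integrity check on the encoded data would catch that. decode()'s closing brace is outside the hunk.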

@@ -266,6 +274,12 @@
 	{

 		$data = $this->_remove_cipher_noise($data, $key);

 		$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());

+		

+		if ($init_size > strlen($data))

+		{

+			return FALSE;

+		}

+		

 		$init_vect = substr($data, 0, $init_size);

 		$data = substr($data, $init_size);

 		return rtrim(mcrypt_decrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), "\0");
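Review bot: The new length guard uses `>`, so a `$data` that is exactly `$init_size` bytes long passes it, and `substr($data, $init_size)` then yields no ciphertext at all (an empty string, or FALSE on older PHP) for mcrypt_decrypt(); changing the line to `if ($init_size >= strlen($data))` rejects that case as well. Whether an empty payload makes mcrypt_decrypt() emit a warning or return something a caller could misread as plaintext I cannot tell from here, but rejecting it up front avoids the question. The enclosing function's signature is above the hunk.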

diff --git a/system/libraries/Validation.php b/system/libraries/Validation.php
index 162d362..7720a7d 100644
--- a/system/libraries/Validation.php
+++ b/system/libraries/Validation.php
@@ -573,6 +573,23 @@
 	// --------------------------------------------------------------------

 	

 	/**

+	 * Valid Base64

+	 *

+	 * Tests a string for characters outside of the Base64 alphabet

+	 * as defined by RFC 2045 http://www.faqs.org/rfcs/rfc2045

+	 *

+	 * @access	public

+	 * @param	string

+	 * @return	bool

+	 */

+	function valid_base64($str)

+	{

+		return (bool) ! preg_match('/[^a-zA-Z0-9\/\+=]/', $str);

+	}

+

+	// --------------------------------------------------------------------

+	

+	/**

 	 * Set Select

 	 *

 	 * Enables pull-down lists to be set to the value the user
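Review bot: valid_base64() accepts strings that are not Base64 because the pattern only screens the alphabet: a lone `=`, `==AA`, or any length that is not a multiple of four all return TRUE. A shape-aware pattern such as `return (bool) preg_match('/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/', $str);` also checks grouping and padding position, which is what the docblock's reference to RFC 2045 implies. Separately, preg_match() returns FALSE on a PCRE error and `! FALSE` is TRUE, so with the current negated form an error is reported as "valid"; the positive-match form above keeps an error on the FALSE side, and otherwise `preg_match(...) === 0` is the explicit comparison. The `(bool)` cast in front of `!` is redundant, since `!` already yields a bool.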