| commit | 29e12641a1bb952f493462db6757ae12c7da1f2c | [log] [tgz] |
|---|---|---|
| author | Andrey Andreev <narf@devilix.net> | Mon Feb 10 13:24:44 2014 +0200 |
| committer | Andrey Andreev <narf@devilix.net> | Mon Feb 10 13:24:44 2014 +0200 |
| tree | 15a3c42f9d8ff53615d90d88b70547c0ef662110 | |
| parent | f7f9dca050eb439028797a62eb2d4cac89daf5c5 [diff] |
CI_Security: URL-decode until possible
diff --git a/system/core/Security.php b/system/core/Security.php index 75c994a..beb7f56 100644 --- a/system/core/Security.php +++ b/system/core/Security.php
@@ -359,7 +359,11 @@ * * Note: Use rawurldecode() so it does not remove plus signs */ - $str = rawurldecode($str); + do + { + $str = rawurldecode($str); + } + while (preg_match('/%[0-9a-f]{2,}/i', $str)); /* * Convert character entities to ASCII