Merge pull request #1366 from aphofstede/2.1-stable
Check cookie against md5 regex. 2.1 stable CSRF injection security fix
diff --git a/system/core/Security.php b/system/core/Security.php
index a3e2274..6f5ac1e 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -848,7 +848,7 @@
// each page load since a page could contain embedded
// sub-pages causing this feature to fail
if (isset($_COOKIE[$this->_csrf_cookie_name]) &&
- $_COOKIE[$this->_csrf_cookie_name] != '')
+ preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->_csrf_cookie_name]) === 1)
{
return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name];
}
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 613c4e6..55fbcee 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -85,6 +85,7 @@
<li>Fixed a bug - CI_Upload::_file_mime_type() could've failed if mime_content_type() is used for the detection and returns FALSE.</li>
<li>Fixed a bug (#538) - Windows paths were ignored when using the <a href="libraries/image_lib.html">Image Manipulation Class</a> to create a new file.</li>
<li>Fixed a bug - When database caching was enabled, $this->db->query() checked the cache before binding variables which resulted in cached queries never being found.</li>
+ <li>Fixed a bug - CSRF cookie value was allowed to be any (non-empty) string before being written to the output, making code injection a risk.</li>
</ul>