Automated merge with https://bitbucket.org/barrymieny/codeigniter
diff --git a/application/config/config.php b/application/config/config.php
index e318a2a..2a084ac 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -274,9 +274,9 @@
 
 /*
 |--------------------------------------------------------------------------
-| Cross Site Forgery Request
+| Cross Site Request Forgery
 |--------------------------------------------------------------------------
-| Enables a CSFR cookie token to be set. When set to TRUE, token will be
+| Enables a CSRF cookie token to be set. When set to TRUE, token will be
 | checked on a submitted form. If you are accepting user data, it is strongly
 | recommended CSRF protection be enabled.
 */
diff --git a/index.php b/index.php
index 6ac7822..5bb53d2 100644
--- a/index.php
+++ b/index.php
@@ -6,7 +6,7 @@
  *---------------------------------------------------------------
  *
  * By default CI runs with error reporting set to ALL.  For security
- * reasons you are encouraged to change this when your site goes live.
+ * reasons you are encouraged to change this to 0 when your site goes live.
  * For more info visit:  http://www.php.net/error_reporting
  *
  */
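Review bot: The new wording tells operators to set error reporting to 0 in production, which stops errors from being logged as well as from being shown to visitors. That costs the operator the signal needed to notice failures and probing on a live site. The usual production setting is to keep reporting on, turn `display_errors` off and leave `log_errors` on. I would word the line as `reasons you are encouraged to turn off display_errors and log errors instead when your site goes live.` The comment block starts outside this hunk.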
diff --git a/system/core/Router.php b/system/core/Router.php
index 1db1ad8..918ea24 100644
--- a/system/core/Router.php
+++ b/system/core/Router.php
@@ -345,7 +345,7 @@
 	 */
 	function set_class($class)
 	{
-		$this->class = $class;
+		$this->class = str_replace(array('/', '.'), '', $class);
 	}
 
 	// --------------------------------------------------------------------
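Review bot: The filter added to set_class() is a denylist of two characters, so anything else that is significant in a path (a backslash on Windows, a NUL byte, and so on) still passes through. This matters if the class name is later used to build the controller file path, which is presumably the case but is not visible here. The same applies to set_directory() in the next hunk. An allowlist states the intent more directly, for example `$this->class = preg_replace('/[^A-Za-z0-9_]/', '', $class);`, assuming controller names are restricted to those characters. The docblock above, which starts outside the hunk, should also say that the value is filtered.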
@@ -404,7 +404,7 @@
 	 */
 	function set_directory($dir)
 	{
-		$this->directory = trim($dir, '/').'/';
+		$this->directory = str_replace(array('/', '.'), '', $dir).'/';
 	}
 
 	// --------------------------------------------------------------------
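Review bot: set_directory() used to remove only leading and trailing slashes (`trim($dir, '/')`), while the new `str_replace` removes every `/` and `.` inside the value. A constructed input such as `admin/reports` is therefore silently collapsed to `adminreports/` instead of being rejected. If nested controller directories are not supported this is harmless, but the docblock (which starts outside this hunk) should state the contract, e.g. `Only a single directory level is accepted; '/' and '.' are removed from $dir.` Rejecting or logging a value that contained stripped characters would also make tampering attempts visible rather than quietly rewritten.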
diff --git a/system/libraries/Javascript.php b/system/libraries/Javascript.php
index b4f33e3..30b62e1 100644
--- a/system/libraries/Javascript.php
+++ b/system/libraries/Javascript.php
@@ -22,7 +22,7 @@
  * @subpackage	Libraries
  * @category	Javascript
  * @author		ExpressionEngine Dev Team
- * @link		http://codeigniter.com/user_guide/general/errors.html
+ * @link		http://codeigniter.com/user_guide/libraries/javascript.html
  */
 class CI_Javascript {
 
diff --git a/system/libraries/Security.php b/system/libraries/Security.php
index 2db8ee9..fa5317e 100644
--- a/system/libraries/Security.php
+++ b/system/libraries/Security.php
@@ -680,11 +680,10 @@
 	 * @param	string
 	 * @return	string
 	 */
-	function sanitize_filename($str)
+	function sanitize_filename($str, $relative_path = FALSE)
 	{
 		$bad = array(
 						"../",
-						"./",
 						"<!--",
 						"-->",
 						"<",
@@ -701,7 +700,6 @@
 						'=',
 						';',
 						'?',
-						'/',
 						"%20",
 						"%22",
 						"%3c",		// <
@@ -717,6 +715,12 @@
 						"%3b",		// ;
 						"%3d"		// =
 					);
+		
+		if ( ! $relative_path)
+		{
+			$bad[] = './';
+			$bad[] = '/';
+		}
 
 		return stripslashes(str_replace($bad, '', $str));
 	}
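Review bot: The final `str_replace($bad, '', $str)` is a single pass over the list, so removing a later entry can leave a new `../` behind, and `stripslashes()` runs after it with no re-check. With `$relative_path` set to TRUE, `/` is now kept, so that leftover is a usable traversal sequence and a leading `/` (an absolute path) is also accepted. I would repeat the replacement until the string stops changing, as below. Callers passing TRUE should still resolve the result and confirm it stays under the approved folder. The docblock in the first hunk of this file still lists a single `@param string` and needs an entry for `$relative_path`; the function signature is in that earlier hunk.

```php
		// … unchanged: $bad list and the $relative_path additions …

		// Repeat until stable so one removal cannot leave a new match behind.
		do
		{
			$old = $str;
			$str = str_replace($bad, '', $str);
		}
		while ($old !== $str);

		return stripslashes($str);
```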
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index 342c301..1e606de 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -61,7 +61,7 @@
 
 		// Set all the session preferences, which can either be set
 		// manually via the $params array above or via the config file
-		foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
+		foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
 		{
 			$this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key);
 		}
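Review bot: The hunk adds `sess_expire_on_close` to the preference loop, but nothing in this diff declares the property on the class or gives it a default in config.php. If the key is missing from the config, `$this->CI->config->item($key)` presumably yields FALSE, which may be the intended default but should be explicit, e.g. `var $sess_expire_on_close = FALSE;` beside the other session properties. As a style point, the key list sits on one very long line, so adding a single key rewrites the whole line. One key per line would make future changes to this security-relevant list easier to review. The enclosing constructor starts and ends outside the hunk.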
diff --git a/user_guide/libraries/security.html b/user_guide/libraries/security.html
index a50d948..6d6216d 100644
--- a/user_guide/libraries/security.html
+++ b/user_guide/libraries/security.html
@@ -102,6 +102,11 @@
 
 <code>$filename = $this->security->sanitize_filename($this->input->post('filename'));</code>
 
+<p>If it is acceptable for the user input to include relative paths, e.g. <kbd>file/in/some/approved/folder.txt</kbd>, you can set the second optional parameter,
+	<samp>$relative_path</samp> to TRUE.</p>
+	
+<code>$filename = $this->security->sanitize_filename($this->input->post('filename'), TRUE);</code>
+
 <!-- @todo write docs for CSRF methods -->
 
 </div>