commit c696253dd044fc8d7de5acf835a9d1a6c144e0b3
author Eric Barnes <eric@ericlbarnes.com> Wed Aug 24 23:19:49 2011 -0400
committer Eric Barnes <eric@ericlbarnes.com> Wed Aug 24 23:19:49 2011 -0400
tree 74e9c60a2eceb9386c04b3cf13ae6863b56863e1
parent 0ba26c731cf8838b5239c1a7957bc18f58fe2f7d
parent 6a93995f2a24c0ac8d636ecac5f3eb0d0243e23d

Merge remote-tracking branch 'alexbilbie/csrf-override' into feature/csrf-verify

Conflicts:
	system/core/Security.php

system/core/Security.php

diff --git a/system/core/Security.php b/system/core/Security.php
index dcc680a..342455f 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -33,6 +33,7 @@
 	 * @access protected
 	 */
 	protected $_xss_hash			= '';
+	
 	/**
 	 * Random Hash for Cross Site Request Forgery Protection Cookie
 	 *
@@ -40,6 +41,7 @@
 	 * @access protected
 	 */
 	protected $_csrf_hash			= '';
+	
 	/**
 	 * Expiration time for Cross Site Request Forgery Protection Cookie
 	 * Defaults to two hours (in seconds)
@@ -48,6 +50,7 @@
 	 * @access protected
 	 */
 	protected $_csrf_expire			= 7200;
+	
 	/**
 	 * Token name for Cross Site Request Forgery Protection Cookie
 	 *
@@ -55,6 +58,7 @@
 	 * @access protected
 	 */
 	protected $_csrf_token_name		= 'ci_csrf_token';
+	
 	/**
 	 * Cookie name for Cross Site Request Forgery Protection Cookie
 	 *
@@ -62,12 +66,14 @@
 	 * @access protected
 	 */
 	protected $_csrf_cookie_name	= 'ci_csrf_token';
+	
 	/**
 	 * List of never allowed strings
 	 *
 	 * @var array
 	 * @access protected
 	 */
+	
 	protected $_never_allowed_str = array(
 					'document.cookie'	=> '[removed]',
 					'document.write'	=> '[removed]',
@@ -80,7 +86,6 @@
 					'<![CDATA['			=> '&lt;![CDATA['
 	);
 
-	/* never allowed, regex replacement */
 	/**
 	 * List of never allowed regex replacement
 	 *
@@ -134,6 +139,16 @@
 		{
 			return $this->csrf_set_cookie();
 		}
+		
+		// Check if URI has been whitelisted from CSRF checks
+		if ($exclude_uris = config_item('csrf_exclude_uris'))
+		{
+			$uri = load_class('URI', 'core');
+			if (in_array($uri->uri_string(), $exclude_uris))
+			{
+				return $this;
+			}
+		}
 
 		// Do the tokens exist in both the _POST and _COOKIE arrays?
 		if ( ! isset($_POST[$this->_csrf_token_name]) OR
@@ -156,9 +171,9 @@
 		unset($_COOKIE[$this->_csrf_cookie_name]);
 		$this->_csrf_set_hash();
 		$this->csrf_set_cookie();
-
-		log_message('debug', "CSRF token verified ");
-
+		
+		log_message('debug', "CSRF token verified");
+		
 		return $this;
 	}
 
@@ -869,7 +884,6 @@
 	}
 
 }
-// END Security Class
 
 /* End of file Security.php */
-/* Location: ./system/libraries/Security.php */
+/* Location: ./system/libraries/Security.php */
\ No newline at end of file