Check cookie against md5 regex.

Otherwise, cookie can contain arbitrary injected code that gets sent
back directly to the browser.
diff --git a/system/core/Security.php b/system/core/Security.php
index a3e2274..6f5ac1e 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -848,7 +848,7 @@
 			// each page load since a page could contain embedded
 			// sub-pages causing this feature to fail
 			if (isset($_COOKIE[$this->_csrf_cookie_name]) &&
-				$_COOKIE[$this->_csrf_cookie_name] != '')
+				preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->_csrf_cookie_name]) === 1)
 			{
 				return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name];
 			}
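Review bot: The new `preg_match()` condition on the `+` line still mishandles two inputs: a cookie that PHP has parsed into an array, and a 32-hex-digit value followed by a newline. `$_COOKIE` entries can be arrays, and passing one to `preg_match()` raises a warning (a TypeError on PHP 8) rather than falling through cleanly to regeneration. Without the `D` modifier, `$` also matches just before a trailing `\n`, so the value copied into `_csrf_hash` can carry a newline. I would put `is_string($_COOKIE[$this->_csrf_cookie_name]) &&` ahead of the match and anchor the end with `\z`, i.e. `'#^[0-9a-f]{32}\z#iS'`. The enclosing method starts and ends outside this hunk, so where the hash is later emitted is not visible here.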