[ci skip] Backport security-related changes from 3.0

narfbg · narfbg · commit da859411367a · 2015-04-12T14:16:50.000+03:00
diff --git a/application/config/config.php b/application/config/config.php
@@ -10,11 +10,13 @@
 |
 |	http://example.com/
 |
-| If this is not set then CodeIgniter will guess the protocol, domain and
-| path to your installation.
+| If this is not set then CodeIgniter will try to guess the protocol, domain
+| and path to your installation. However, you should always configure this
+| explicitly and never rely on auto-guessing, especially in production
+| environments.
 |
 */
-$config['base_url']	= '';
+$config['base_url'] = '';
 
 /*
 |--------------------------------------------------------------------------
diff --git a/system/core/Config.php b/system/core/Config.php
@@ -67,11 +67,13 @@ function __construct()
 		// Set the base_url automatically if none was provided
 		if ($this->config['base_url'] == '')
 		{
-			if (isset($_SERVER['HTTP_HOST']))
+			// The regular expression is only a basic validation for a valid "Host" header.
+			// It's not exhaustive, only checks for valid characters.
+			if (isset($_SERVER['HTTP_HOST']) && preg_match('/^((\[[0-9a-f:]+\])|(\d{1,3}(\.\d{1,3}){3})|[a-z0-9\-\.]+)(:\d+)?$/i', $_SERVER['HTTP_HOST']))
 			{
 				$base_url = (empty($_SERVER['HTTPS']) OR strtolower($_SERVER['HTTPS']) === 'off') ? 'http' : 'https';
 				$base_url .= '://'. $_SERVER['HTTP_HOST'];
-				$base_url .= str_replace(basename($_SERVER['SCRIPT_NAME']), '', $_SERVER['SCRIPT_NAME']);
+				$base_url .= substr($_SERVER['SCRIPT_NAME'], 0, strpos($_SERVER['SCRIPT_NAME'], basename($_SERVER['SCRIPT_FILENAME'])));
 			}
 
 			else
diff --git a/system/core/Security.php b/system/core/Security.php
@@ -530,19 +530,19 @@ public function entity_decode($str, $charset='UTF-8')
 					{
 						$_entities[':'] = '&colon;';
 						$_entities['('] = '&lpar;';
-						$_entities[')'] = '&rpar';
+						$_entities[')'] = '&rpar;';
 						$_entities["\n"] = '&newline;';
 						$_entities["\t"] = '&tab;';
 					}
 				}
 
 				$replace = array();
 				$matches = array_unique(array_map('strtolower', $matches[0]));
-				for ($i = 0, $c = count($matches); $i < $c; $i++)
+				foreach ($matches as &$match)
 				{
-					if (($char = array_search($matches[$i].';', $_entities, TRUE)) !== FALSE)
+					if (($char = array_search($match.';', $_entities, TRUE)) !== FALSE)
 					{
-						$replace[$matches[$i]] = $char;
+						$replace[$match] = $char;
 					}
 				}
 
@@ -644,7 +644,7 @@ protected function _compact_exploded_words($matches)
 	protected function _remove_evil_attributes($str, $is_image)
 	{
 		// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
-		$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href');
+		$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href', 'FSCommand', 'seekSegmentTime');
 
 		if ($is_image === TRUE)
 		{
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
@@ -57,6 +57,23 @@
 
 <h1>Change Log</h1>
 
+<h2>Version 2.2.2</h2>
+<p>Release Date: Not Released</p>
+
+<ul>
+	<li>General Changes</li>
+		<ul>
+			<li>Added HTTP "Host" header character validation to prevent cache poisoning attacks when <kbd>base_url</kbd> auto-detection is used.</li>
+			<li>Added <kbd>FSCommand</kbd> and <kbd>seekSegmentTime</kbd> to the "evil attributes" list in <samp>CI_Security::xss_clean()</samp>.</li>
+		</ul>
+	</li>
+</ul>
+
+<h3>Bug fixes:</h3>
+<ul>
+	<li>Fixed a bug (#3665) - <samp>CI_Security::entity_decode()</samp> triggered warnings under some circumstances.</li>
+</ul>
+
 <h2>Version 2.2.1</h2>
 <p>Release Date: January 22, 2015</p>
 

Original file line number	Diff line number	Diff line change
`@@ -10,11 +10,13 @@`
`10`	`10`	`\|`
`11`	`11`	`\| http://example.com/`
`12`	`12`	`\|`
`13`		`-\| If this is not set then CodeIgniter will guess the protocol, domain and`
`14`		`-\| path to your installation.`
	`13`	`+\| If this is not set then CodeIgniter will try to guess the protocol, domain`
	`14`	`+\| and path to your installation. However, you should always configure this`
	`15`	`+\| explicitly and never rely on auto-guessing, especially in production`
	`16`	`+\| environments.`
`15`	`17`	`\|`
`16`	`18`	`*/`
`17`		`-$config['base_url'] = '';`
	`19`	`+$config['base_url'] = '';`
`18`	`20`
`19`	`21`	`/*`
`20`	`22`	`\|--------------------------------------------------------------------------`
Original file line number	Diff line number	Diff line change
`@@ -67,11 +67,13 @@ function __construct()`
`67`	`67`	`// Set the base_url automatically if none was provided`
`68`	`68`	`if ($this->config['base_url'] == '')`
`69`	`69`	`{`
`70`		`- if (isset($_SERVER['HTTP_HOST']))`
	`70`	`+ // The regular expression is only a basic validation for a valid "Host" header.`
	`71`	`+ // It's not exhaustive, only checks for valid characters.`
	`72`	`+ if (isset($_SERVER['HTTP_HOST']) && preg_match('/^((\[[0-9a-f:]+\])\|(\d{1,3}(\.\d{1,3}){3})\|[a-z0-9\-\.]+)(:\d+)?$/i', $_SERVER['HTTP_HOST']))`
`71`	`73`	`{`
`72`	`74`	`$base_url = (empty($_SERVER['HTTPS']) OR strtolower($_SERVER['HTTPS']) === 'off') ? 'http' : 'https';`
`73`	`75`	`$base_url .= '://'. $_SERVER['HTTP_HOST'];`
`74`		`- $base_url .= str_replace(basename($_SERVER['SCRIPT_NAME']), '', $_SERVER['SCRIPT_NAME']);`
	`76`	`+ $base_url .= substr($_SERVER['SCRIPT_NAME'], 0, strpos($_SERVER['SCRIPT_NAME'], basename($_SERVER['SCRIPT_FILENAME'])));`
`75`	`77`	`}`
`76`	`78`
`77`	`79`	`else`
Original file line number	Diff line number	Diff line change
`@@ -530,19 +530,19 @@ public function entity_decode($str, $charset='UTF-8')`
`530`	`530`	`{`
`531`	`531`	`$_entities[':'] = '&colon;';`
`532`	`532`	`$_entities['('] = '(';`
`533`		`- $_entities[')'] = '&rpar';`
	`533`	`+ $_entities[')'] = ')';`
`534`	`534`	`$_entities["\n"] = '&newline;';`
`535`	`535`	`$_entities["\t"] = '&tab;';`
`536`	`536`	`}`
`537`	`537`	`}`
`538`	`538`
`539`	`539`	`$replace = array();`
`540`	`540`	`$matches = array_unique(array_map('strtolower', $matches[0]));`
`541`		`- for ($i = 0, $c = count($matches); $i < $c; $i++)`
	`541`	`+ foreach ($matches as &$match)`
`542`	`542`	`{`
`543`		`- if (($char = array_search($matches[$i].';', $_entities, TRUE)) !== FALSE)`
	`543`	`+ if (($char = array_search($match.';', $_entities, TRUE)) !== FALSE)`
`544`	`544`	`{`
`545`		`- $replace[$matches[$i]] = $char;`
	`545`	`+ $replace[$match] = $char;`
`546`	`546`	`}`
`547`	`547`	`}`
`548`	`548`
`@@ -644,7 +644,7 @@ protected function _compact_exploded_words($matches)`
`644`	`644`	`protected function _remove_evil_attributes($str, $is_image)`
`645`	`645`	`{`
`646`	`646`	`// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns`
`647`		`- $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href');`
	`647`	`+ $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href', 'FSCommand', 'seekSegmentTime');`
`648`	`648`
`649`	`649`	`if ($is_image === TRUE)`
`650`	`650`	`{`