CodeIgniter 2.2.1 has been released

Posted on 2015-1-24 21:44:14
Last edited by popcorner on 2015-1-24 21:45

News from http://forum.codeigniter.com/thread-843.html

CodeIgniter 2.2.1 has been released today, and is a security release for the 2.x branch. The XSS handling has been improved, and timezones updated.

Since most have moved on to the development version of 3.0 from the GitHub repo, these fixes only affect sites powered by the legacy version. Sites running the development version of 3.x are unaffected as they have already been addressed in that version line. We felt that sites that were still running 2.x and potentially impacted by the vulnerability warranted an update so the release available for that version line is secure.

You can download v2.2.1 now, and we encourage you to read the full changelog.

Roughly, it says that the XSS handling has been improved and the timezones have been updated. Users already on the 3.0 development version are unaffected, but these fixes matter to users of the 2.x line: they believe that sites still running CI 2.x may be affected by these vulnerabilities, so they made the necessary updates to keep this version line safe to use. The full list of changes can be found in the changelog. Click here to download v2.2.1.


Changelog attached:

Release Date: January 22, 2015

General Changes:
  • Improved security in xss_clean().
  • Updated timezones in Date Helper.

Bug fixes:
  • Fixed a bug (#3094) - CI_Input::_clean_input_data() breaks encrypted session cookies.
  • Fixed a bug (#2268) - CI_Security::xss_clean() didn't properly match JavaScript events.
  • Fixed a bug (#3309) - CI_Security::xss_clean() used an overly-invasive pattern to strip JS event handlers.
  • Fixed a bug (#2771) - CI_Security::xss_clean() didn't take into account HTML5 entities.
  • Fixed a bug (#73) - CI_Security::sanitize_filename() could be tricked by an XSS attack.
  • Fixed a bug (#2681) - CI_Security::entity_decode() used the PREG_REPLACE_EVAL flag, which is deprecated since PHP 5.5.
  • Fixed a bug (#3302) - Internal function get_config() triggered an E_NOTICE message on PHP 5.6.
  • Fixed a bug (#2508) - Config Library didn't properly detect if the current request is via HTTPS.
  • Fixed a bug (#3314) - SQLSRV Database driver's method count_all() didn't escape the supplied table name.
  • Fixed a bug (#3404) - MySQLi Database driver's method escape_str() had a wrong fallback to mysql_escape_string() when there was no active connection.
  • Fixed a bug in the Session Library where session ID regeneration occurred during AJAX requests.