From: <pdo...@us...> - 2010-06-26 10:15:55
Revision: 13957 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13957&view=rev Author: pdontthink Date: 2010-06-26 10:15:49 +0000 (Sat, 26 Jun 2010) Log Message: ----------- Aggressive sanitizing of REQUEST_URI, PHP_SELF, and QUERY_STRING corrupted page URIs by encoding ampersands in the query string, so we have to un-sanitize ampersands. Will this cause any security/XSS issues? Modified Paths: -------------- trunk/squirrelmail/include/init.php Modified: trunk/squirrelmail/include/init.php =================================================================== --- trunk/squirrelmail/include/init.php 2010-06-25 21:31:10 UTC (rev 13956) +++ trunk/squirrelmail/include/init.php 2010-06-26 10:15:49 UTC (rev 13957) @@ -275,13 +275,17 @@ * htmlspecialchars() is the preferred method. * QUERY_STRING also needs the same treatment since it is * used in php_self(). + * Update again: the encoding of ampersands that occurs + * using htmlspecialchars() corrupts the query strings + * in normal URIs, so we have to let those through. +FIXME: will the de-sanitizing of ampersands create any security/XSS problems? */ if (isset($_SERVER['REQUEST_URI'])) - $_SERVER['REQUEST_URI'] = htmlspecialchars($_SERVER['REQUEST_URI']); + $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI'])); if (isset($_SERVER['PHP_SELF'])) - $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']); + $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF'])); if (isset($_SERVER['QUERY_STRING'])) - $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']); + $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING'])); $PHP_SELF = php_self(); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
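Review bot: the three str_replace() calls wrapped around htmlspecialchars() for REQUEST_URI, PHP_SELF and QUERY_STRING undo the ampersand encoding for every later consumer of these values, and the FIXME added to the comment leaves the safety question open in committed code. With the ampersand encoding reversed, literal angle brackets and double quotes in the request are still encoded, but an entity reference that the client supplies itself (for example a pre-encoded bracket) comes out of init.php unchanged. The value is then inert only as long as nothing downstream decodes it a second time or places it in a non-HTML context. A sturdier arrangement is to keep the raw value for building URIs and to call htmlspecialchars() at each point where the value is written into HTML, instead of sanitizing globally and then partially reversing it here. If the global approach stays, the un-escaping could be limited to the values that actually carry a query string: PHP_SELF holds the script path and normally has none, so the rationale in the comment does not cover it. The FIXME line also starts at column 0 inside an otherwise indented comment block, and it should be answered or tied to a tracked issue before this lands. Note that as the diff is rendered on this page the search and replacement arguments are both '&', which reads as a no-op; the log message indicates the intent is to reverse the ampersand encoding.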