File Release Notes and Changelog
Notes:
This is another maintenance release that corrects code that
could be abused for cross-site scripting (XSS).
If you are running an old version and do not want to upgrade for
some reason, you can instead first change the two lines referenced in
the version 1.2.3 release notes and then add the following lines at the
top of the script, immediately after the opening <?php tag:
// Disallow some special characters in the query string.
// Fall back to the pre-PHP-4.1 array names when $_SERVER / $_GET are absent.
$server_vars = ($_SERVER) ? $_SERVER : $HTTP_SERVER_VARS;
$get_vars = ($_GET) ? $_GET : $HTTP_GET_VARS;
// The raw (still URL-encoded) query string is checked for an encoded NUL (%00)
// and for an encoded or literal '<'; the /i flag also catches the uppercase
// spellings. The decoded Qwd parameter is checked for a backslash-zero
// sequence, which is what magic_quotes_gpc turns a NUL byte into.
if (preg_match('/(%00|%3c|<)/i', $server_vars['QUERY_STRING'])
    || (isset($get_vars['Qwd']) && preg_match('!\\\\0!', $get_vars['Qwd']))) {
    header('HTTP/1.0 403 Forbidden');
    exit("<html>\n <body>\n Invalid request.\n </body>\n</html>");
}
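The workaround above is a character blocklist on the raw query string; it is
worth seeing which requests it actually refuses and what it leaves alone. The
following is an added example, not code from this project: it wraps the same
two checks in a function, runs them over a few constructed query strings, and
shows the output-encoding step (htmlspecialchars) that removes the XSS
regardless of what the filter lets through. The parameter name Qwd is taken
from these notes; the function names and the sample inputs are assumptions.

```php
<?php
// Added example, not the project's own code. Function names and the sample
// query strings below are invented for illustration.

// Returns true when a request should be refused with 403, using the same two
// checks as the workaround: the raw query string and the decoded Qwd value.
function request_is_suspicious($query_string, $qwd)
{
    // Raw query string: encoded NUL, encoded '<' or literal '<'.
    // /i makes %3C and %00 in uppercase hex match as well.
    if (preg_match('/(%00|%3c|<)/i', $query_string)) {
        return true;
    }
    // Decoded Qwd: a real NUL byte, or the backslash-zero sequence that
    // magic_quotes_gpc produces from one ('\\\\0' in a single-quoted PHP
    // string reaches PCRE as \\0, i.e. a literal backslash followed by 0).
    if ($qwd !== null && preg_match('/\x00|\\\\0/', $qwd)) {
        return true;
    }
    return false;
}

// The durable fix: never echo Qwd raw. Encoding it for the HTML context makes
// '<', '>', '"' and "'" inert whether or not the blocklist caught them.
function render_qwd($qwd)
{
    return htmlspecialchars($qwd, ENT_QUOTES, 'UTF-8');
}

// Constructed sample requests (assumed, not real traffic) with the verdict
// the blocklist gives each one.
$cases = array(
    'Qwd=/home/user',                    // plain path: allowed
    'Qwd=/home/user%3Cscript%3E',        // encoded '<': blocked
    'Qwd=/home/user<script>',            // literal '<': blocked
    'Qwd=/home/user%00.txt',             // encoded NUL: blocked
    'Qwd=/home/user%253Cscript%253E',    // double-encoded: allowed, decodes to %3C
    'Qwd=/home/user"onmouseover="x',     // no '<' at all: allowed by the filter
);

foreach ($cases as $qs) {
    parse_str($qs, $params);
    $qwd = isset($params['Qwd']) ? $params['Qwd'] : null;
    $verdict = request_is_suspicious($qs, $qwd) ? 'blocked' : 'allowed';
    printf("%-36s %s  (escaped: %s)\n", $qs, $verdict,
           $qwd === null ? '' : render_qwd($qwd));
}
```

The last two cases are the point of the example: a double-encoded payload is
let through because the filter inspects the raw query string, which is
harmless only as long as the script never URL-decodes the value a second
time, and a value with no '<' in it passes the filter outright, which matters
if Qwd is ever echoed inside an attribute value rather than element content.
Treat the blocklist as the stopgap these notes describe it as, and rely on
encoding at the point of output.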
Changes:
* Improved register_globals protection.
* Now disallowing some special characters in the query string (original
security alert by nuffsaid@newbslove.us).
* Made some incremental improvements to path_helper.php and rm_tree.php.
See CHANGELOG.txt for a complete list of changes.