[Linpha-cvs] SF.net SVN: linpha: [4853] trunk/linpha2
From: <fan...@us...> - 2008-02-06 20:50:54
Revision: 4853 http://linpha.svn.sourceforge.net/linpha/?rev=4853&view=rev Author: fangehrn Date: 2008-02-06 12:50:49 -0800 (Wed, 06 Feb 2008) Log Message: ----------- 2008-02-06 flo * common.php/linpha.class.php - fixed LINPHA_CLIENT when linpha is installed not to a subfolder - secured $_SERVER['PATH_INFO'] Modified Paths: -------------- trunk/linpha2/ChangeLog trunk/linpha2/docs/dev/linpha2.specs.txt trunk/linpha2/docs/dev/security.txt trunk/linpha2/lib/classes/linpha.class.php trunk/linpha2/lib/classes/linpha.sql.class.php trunk/linpha2/lib/include/calendar.php trunk/linpha2/lib/include/common.php Modified: trunk/linpha2/ChangeLog =================================================================== --- trunk/linpha2/ChangeLog 2008-02-04 22:12:44 UTC (rev 4852) +++ trunk/linpha2/ChangeLog 2008-02-06 20:50:49 UTC (rev 4853) @@ -1,4 +1,10 @@ + +2008-02-06 flo + * common.php/linpha.class.php + - fixed LINPHA_CLIENT when linpha is installed not to a subfolder + - secured $_SERVER['PATH_INFO'] + 2008-02-04 flo * Some more work on the installer - fixed several bugs (absolute paths, sqlite, manual mode, back navigation) Modified: trunk/linpha2/docs/dev/linpha2.specs.txt =================================================================== --- trunk/linpha2/docs/dev/linpha2.specs.txt 2008-02-04 22:12:44 UTC (rev 4852) +++ trunk/linpha2/docs/dev/linpha2.specs.txt 2008-02-06 20:50:49 UTC (rev 4853) 
@@ -53,6 +53,13 @@ - htmlentities() - smart_htmlspecialchars() from phpmeta used several times in forms in linpha1 ? + /* update 06.02.2008 fa */ + decided to use htmlentities($str, ENT_QUOTES) + difference between htmlspecialchars() and htmlentities(): + htmlspecialchars(): Array( ["] => " [<] => < [>] => > [&] => & ) + htmlentities(): Array( [ ] => [¡] => ¡ [¢] => ¢ [£] => £ [¤] => ¤ [¥] => ¥ [¦] => ¦ [§] => § [¨] => ¨ [©] => © [ª] => ª [«] => « [¬] => ¬ [] => ­ [®] => ® [¯] => ¯ [°] => ° [±] => ± [²] => ² [³] => ³ [´] => ´ [µ] => µ [¶] => ¶ [·] => · [¸] => ¸ [¹] => ¹ [º] => º [»] => » [¼] => ¼ [½] => ½ [¾] => ¾ [¿] => ¿ [À] => À [Á] => Á [Â] => Â [Ã] => Ã [Ä] => Ä [Å] => Å [Æ] => Æ [Ç] => Ç [È] => È [É] => É [Ê] => Ê [Ë] => Ë [Ì] => Ì [Í] => Í [Î] => Î [Ï] => Ï [Ð] => Ð [Ñ] => Ñ [Ò] => Ò [Ó] => Ó [Ô] => Ô [Õ] => Õ [Ö] => Ö [×] => × [Ø] => Ø [Ù] => Ù [Ú] => Ú [Û] => Û [Ü] => Ü [Ý] => Ý [Þ] => Þ [ß] => ß [à] => à [á] => á [â] => â [ã] => ã [ä] => ä [å] => å [æ] => æ [ç] => ç [è] => è [é] => é [ê] => ê [ë] => ë [ì] => ì [í] => í [î] => î [ï] => ï [ð] => ð [ñ] => ñ [ò] => ò [ó] => ó [ô] => ô [õ] => õ [ö] => ö [÷] => ÷ [ø] => ø [ù] => ù [ú] => ú [û] => û [ü] => ü [ý] => ý [þ] => þ [ÿ] => ÿ ["] => " [<] => < [>] => > [&] => &) + -> its better to convert German Umlauts etc. to html entities to prevent problems if the browser does not support UTF-8 + - ? - php session limit the session cookie not only to domain, but also to full url path Modified: trunk/linpha2/docs/dev/security.txt =================================================================== --- trunk/linpha2/docs/dev/security.txt 2008-02-04 22:12:44 UTC (rev 4852) +++ trunk/linpha2/docs/dev/security.txt 2008-02-06 20:50:49 UTC (rev 4853) 
@@ -8,6 +8,8 @@ where no quotes are used, take special care: "ORDER by id,(select password from users)" - encode all untrusted html data with htmlspecialchars( $text, ENT_QUOTES ) + /* update 06.02.2008 fa */ decided to switch to htmlentities($str, ENT_QUOTES) + see linpha2.specs.txt for details - check every data coming by the user (GET/POST/COOKIE) Modified: trunk/linpha2/lib/classes/linpha.class.php =================================================================== --- trunk/linpha2/lib/classes/linpha.class.php 2008-02-04 22:12:44 UTC (rev 4852) +++ trunk/linpha2/lib/classes/linpha.class.php 2008-02-06 20:50:49 UTC (rev 4853) @@ -79,10 +79,16 @@ } } - if(!defined('LINPHA_CLIENT')) + if(!defined('LINPHA_CLIENT')) // LINPHA_CLIENT must be defined before linpha is included from another page { - define('LINPHA_CLIENT', LinFilesys::cleanPath( dirname($_SERVER['PHP_SELF']).'/'.LINPHA_DIR ) ); + $dir = dirname($_SERVER['PHP_SELF']); + if ($dir=='\\' || $dir=='/') { // this is the case when linpha is installed not to a subfolder + define('LINPHA_CLIENT', '' ); // LINPHA_CLIENT has never an ending slash + } else { + define('LINPHA_CLIENT', LinFilesys::cleanPath( $dir.'/'.LINPHA_DIR ) ); + } } + /** * installation check Modified: trunk/linpha2/lib/classes/linpha.sql.class.php =================================================================== --- trunk/linpha2/lib/classes/linpha.sql.class.php 2008-02-04 22:12:44 UTC (rev 4852) +++ trunk/linpha2/lib/classes/linpha.sql.class.php 2008-02-06 20:50:49 UTC (rev 4853) 
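Review bot: In the linpha.class.php hunk the new else-branch does not enforce the invariant the new comment states (`LINPHA_CLIENT has never an ending slash`); whether `LinFilesys::cleanPath($dir.'/'.LINPHA_DIR)` can return a trailing `/` (for example when a script below a subdirectory of a root install resolves `..` back up to `/`) is not visible here, so the value should be normalized rather than assumed: `define('LINPHA_CLIENT', rtrim(LinFilesys::cleanPath($dir.'/'.LINPHA_DIR), '/'));`. Both branches derive the constant from `$_SERVER['PHP_SELF']`, which this same commit encodes in common.php, so the ordering requirement deserves a line here, e.g. `// relies on common.php having already sanitized PHP_SELF (and PATH_INFO) before this runs`. The enclosing block starts before the hunk; if `$dir` lives at load scope, an `unset($dir);` after the `if` would match what common.php does with `$SELF_DIR`.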
@@ -230,6 +230,14 @@ } else { + /** + * u-oh... take care when handling with $_SERVER['PATH_INFO'], it is not secure + * and may contain cross site scripting. in common.php all htmlentities have been + * replaced + * + * LinSql::getIdFromFullFilename does not output to the browser, always uses addslashes() + * and returns false if it is not a valid album, so as far as i know it's safe to use it this way + */ if( isset($_SERVER['PATH_INFO']) ) { $id = LinSql::getIdFromFullFilename( substr($_SERVER['PATH_INFO'],1) ); // PATH_INFO starts with a '/' -> remove this Modified: trunk/linpha2/lib/include/calendar.php =================================================================== --- trunk/linpha2/lib/include/calendar.php 2008-02-04 22:12:44 UTC (rev 4852) +++ trunk/linpha2/lib/include/calendar.php 2008-02-06 20:50:49 UTC (rev 4853) 
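Review bot: The added comment justifies passing `$_SERVER['PATH_INFO']` to `LinSql::getIdFromFullFilename` on the grounds that it "always uses addslashes()"; addslashes() is not a database-aware escaping function (it ignores the connection charset), so the comment should not present it as the safety guarantee, and getIdFromFullFilename, which is outside this hunk, would be better served by the driver's escaping or a prepared statement. The comment also notes that common.php has already run htmlentities on PATH_INFO, which means the lookup receives entity-encoded text, so album or file names containing `&`, quotes or other characters htmlentities() translates will not resolve; that consequence belongs in this comment rather than only in the common.php TODO. Suggested wording: `// PATH_INFO is untrusted; common.php has already HTML-encoded it, so names containing &, quotes or other translated characters will not resolve. getIdFromFullFilename never echoes the value and returns false for unknown albums; its only SQL escaping is addslashes(), which is not charset-aware (TODO: use driver escaping / prepared statements).` The enclosing else-block starts before the hunk.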
@@ -1,179 +1,179 @@ -<?php -/* -* Copyright (c) 2004 Heiko Rutenbeck <bz...@tu...> -* -* This program is free software; you can redistribute it and/or modify -* it under the terms of the GNU General Public License as published by -* the Free Software Foundation; either version 2 of the License, or -* (at your option) any later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; if not, write to the Free Software -* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','../..'); } - -include_once(LINPHA_DIR.'/lib/include/common.php'); - -$style['tablebg']="#B3BCDE"; - -/** - * @todo do we need the startSession() for the language stuff? - */ -include_once(LINPHA_DIR.'/lib/classes/linpha.class.php'); -?> -<title>Calender - LinPHA</title> -</head> -<body> -<?php - $m = (!isset($_GET['m'])) ? date("n",mktime()) : $_GET['m']; // wenn $m $y noch nicht existiert, aktuellen monat und aktuelles jahr in $m und $y schreiben - $y = (!isset($_GET['y'])) ? 
date("Y",mktime()) : $_GET['y']; -?> -<div align="center"> -<table bgcolor="<?php echo $style['tablebg']; ?>"> - <tr> - <td valign="top"> -<?php - /*== get what weekday the first is on ==*/ - $month_in_dec = strftime("%m",mktime(0,0,0,$m,1,$y)); - - $tmpd = getdate(mktime(0,0,0,$m,1,$y)); - $firstwday= $tmpd["wday"]; - - $lastday = mk_getLastDayofMonth($m,$y); - - $arr_month_long = Array( - '1' => i18n("January"), - '2' => i18n("February"), - '3' => i18n("March"), - '4' => i18n("April"), - '5' => i18n("May"), - '6' => i18n("June"), - '7' => i18n("July"), - '8' => i18n("August"), - '9' => i18n("September"), - '10' => i18n("October"), - '11' => i18n("November"), - '12' => i18n("December") - ); -?> -<table cellpadding=2 cellspacing=0 border=1> - <tr> - <td colspan=7 bgcolor="<?php echo $style['tablebg']; ?>"> - <table cellpadding=0 cellspacing=0 border=0 width="100%"> - <tr> - <td width="20"><a href="?m=<?php echo (($m-1)<1) ? 12 : $m-1 ; ?>&y=<?php echo (($m-1)<1) ? $y-1 : $y ; ?>&form=<?php echo $_GET['form']; ?>"><<</a></td> - <td bgcolor="<?php echo $style['tablebg']; ?>" align="center"><font size=2> - <?php echo $arr_month_long[intval($month_in_dec)]." ".$y; ?> - </font></td> - <td width="20"><a href="?m=<?php echo (($m+1)>12) ? 1 : $m+1 ; ?>&y=<?php echo (($m+1)>12) ? 
$y+1 : $y ; ?>&form=<?php echo $_GET['form']; ?>">>></a></td> - </tr> - </table></td> - </tr> - <tr> - <td width="22"><?php echo i18n("Sun"); ?></td> - <td width="22"><?php echo i18n("Mon"); ?></td> - <td width="22"><?php echo i18n("Tue"); ?></td> - <td width="22"><?php echo i18n("Wed"); ?></td> - <td width="22"><?php echo i18n("Thu"); ?></td> - <td width="22"><?php echo i18n("Fri"); ?></td> - <td width="22"><?php echo i18n("Sat"); ?></td> - </tr> - <?php - $d = 1; - $wday = $firstwday; - $firstweek = true; - - /*== loop through all the days of the month ==*/ - while ( $d <= $lastday) - { - - /*== set up blank days for first week ==*/ - if ($firstweek) { - print "<tr>"; - for ($i=1; $i<=$firstwday; $i++) - { print '<td><font size="2"></font></td>'; } - $firstweek = false; - } - - /*== Sunday start week with <tr> ==*/ - if ($wday==0) { print "<tr>"; } - - /*== check for event ==*/ - print "<td>"; - if($d<10) { - if($m<10) { - $tag = "$y:0$m:0$d"; - } else { - $tag = "$y:$m:0$d"; - } - } else { - if($m<10) { - $tag = "$y:0$m:$d"; - } else { - $tag = "$y:$m:$d"; - } - } - - $heute = date("Y:m:d",mktime()); // "01" bis "12" - if($tag==$heute) - { - $font1 = "<font color=\"#FF0000\">"; - $font2 = "</font>"; - } - else - { - $font1 = ""; - $font2 = ""; - } - if(isset($_GET['additional_cmd'])) - { - $str = ",opener.".$_GET['additional_cmd']; - } - else - { - $str = ""; - } - echo '<a href="#" onClick="opener.document.getElementById(\''.$_GET['form'].'\').value=\''.$tag.'\'' . $str . 
',window.close();">'.$font1.$d.$font2.'</a>'; - print "</td>\n"; - - /*== Saturday week with </tr> ==*/ - if ($wday==6) { print "</tr>\n"; } - - $wday++; - $wday = $wday % 7; - $d++; - } -?> -</tr> -</table> -<div align="center"><a href="#" onClick="window.close()"><?php echo i18n("Close Window"); ?></a></div> - - </td> - </tr> -</table> -</div> -</body> -</html> -<?php -/*== get the last day of the month ==*/ -function mk_getLastDayofMonth($mon,$year) -{ - for ($tday=28; $tday <= 31; $tday++) - { - $tdate = getdate(mktime(0,0,0,$mon,$tday,$year)); - if ($tdate["mon"] != $mon) - { break; } - - } - $tday--; - - return $tday; -} -?> +<?php +/* +* Copyright (c) 2004 Heiko Rutenbeck <bz...@tu...> +* +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','../..'); } + +include_once(LINPHA_DIR.'/lib/include/common.php'); + +$style['tablebg']="#B3BCDE"; + +/** + * @todo do we need the startSession() for the language stuff? + */ +include_once(LINPHA_DIR.'/lib/classes/linpha.class.php'); +?> +<title>Calender - LinPHA</title> +</head> +<body> +<?php + $m = (!isset($_GET['m'])) ? date("n",mktime()) : $_GET['m']; // wenn $m $y noch nicht existiert, aktuellen monat und aktuelles jahr in $m und $y schreiben + $y = (!isset($_GET['y'])) ? 
date("Y",mktime()) : $_GET['y']; +?> +<div align="center"> +<table bgcolor="<?php echo $style['tablebg']; ?>"> + <tr> + <td valign="top"> +<?php + /*== get what weekday the first is on ==*/ + $month_in_dec = strftime("%m",mktime(0,0,0,$m,1,$y)); + + $tmpd = getdate(mktime(0,0,0,$m,1,$y)); + $firstwday= $tmpd["wday"]; + + $lastday = mk_getLastDayofMonth($m,$y); + + $arr_month_long = Array( + '1' => i18n("January"), + '2' => i18n("February"), + '3' => i18n("March"), + '4' => i18n("April"), + '5' => i18n("May"), + '6' => i18n("June"), + '7' => i18n("July"), + '8' => i18n("August"), + '9' => i18n("September"), + '10' => i18n("October"), + '11' => i18n("November"), + '12' => i18n("December") + ); +?> +<table cellpadding=2 cellspacing=0 border=1> + <tr> + <td colspan=7 bgcolor="<?php echo $style['tablebg']; ?>"> + <table cellpadding=0 cellspacing=0 border=0 width="100%"> + <tr> + <td width="20"><a href="?m=<?php echo (($m-1)<1) ? 12 : $m-1 ; ?>&y=<?php echo (($m-1)<1) ? $y-1 : $y ; ?>&form=<?php echo $_GET['form']; ?>"><<</a></td> + <td bgcolor="<?php echo $style['tablebg']; ?>" align="center"><font size=2> + <?php echo $arr_month_long[intval($month_in_dec)]." ".$y; ?> + </font></td> + <td width="20"><a href="?m=<?php echo (($m+1)>12) ? 1 : $m+1 ; ?>&y=<?php echo (($m+1)>12) ? 
$y+1 : $y ; ?>&form=<?php echo $_GET['form']; ?>">>></a></td> + </tr> + </table></td> + </tr> + <tr> + <td width="22"><?php echo i18n("Sun"); ?></td> + <td width="22"><?php echo i18n("Mon"); ?></td> + <td width="22"><?php echo i18n("Tue"); ?></td> + <td width="22"><?php echo i18n("Wed"); ?></td> + <td width="22"><?php echo i18n("Thu"); ?></td> + <td width="22"><?php echo i18n("Fri"); ?></td> + <td width="22"><?php echo i18n("Sat"); ?></td> + </tr> + <?php + $d = 1; + $wday = $firstwday; + $firstweek = true; + + /*== loop through all the days of the month ==*/ + while ( $d <= $lastday) + { + + /*== set up blank days for first week ==*/ + if ($firstweek) { + print "<tr>"; + for ($i=1; $i<=$firstwday; $i++) + { print '<td><font size="2"></font></td>'; } + $firstweek = false; + } + + /*== Sunday start week with <tr> ==*/ + if ($wday==0) { print "<tr>"; } + + /*== check for event ==*/ + print "<td>"; + if($d<10) { + if($m<10) { + $tag = "$y:0$m:0$d"; + } else { + $tag = "$y:$m:0$d"; + } + } else { + if($m<10) { + $tag = "$y:0$m:$d"; + } else { + $tag = "$y:$m:$d"; + } + } + + $heute = date("Y:m:d",mktime()); // "01" bis "12" + if($tag==$heute) + { + $font1 = "<font color=\"#FF0000\">"; + $font2 = "</font>"; + } + else + { + $font1 = ""; + $font2 = ""; + } + if(isset($_GET['additional_cmd'])) + { + $str = ",opener.".$_GET['additional_cmd']; + } + else + { + $str = ""; + } + echo '<a href="#" onClick="opener.document.getElementById(\''.$_GET['form'].'\').value=\''.$tag.'\'' . $str . 
',window.close();">'.$font1.$d.$font2.'</a>'; + print "</td>\n"; + + /*== Saturday week with </tr> ==*/ + if ($wday==6) { print "</tr>\n"; } + + $wday++; + $wday = $wday % 7; + $d++; + } +?> +</tr> +</table> +<div align="center"><a href="#" onClick="window.close()"><?php echo i18n("Close Window"); ?></a></div> + + </td> + </tr> +</table> +</div> +</body> +</html> +<?php +/*== get the last day of the month ==*/ +function mk_getLastDayofMonth($mon,$year) +{ + for ($tday=28; $tday <= 31; $tday++) + { + $tdate = getdate(mktime(0,0,0,$mon,$tday,$year)); + if ($tdate["mon"] != $mon) + { break; } + + } + $tday--; + + return $tday; +} +?> Modified: trunk/linpha2/lib/include/common.php =================================================================== --- trunk/linpha2/lib/include/common.php 2008-02-04 22:12:44 UTC (rev 4852) +++ trunk/linpha2/lib/include/common.php 2008-02-06 20:50:49 UTC (rev 4853) @@ -77,7 +77,7 @@ } /** - * secure PHP_SELF + * secure PHP_SELF and PATH_INFO * * added from linpha1 patch 1432469 * 
@@ -97,14 +97,27 @@ * */ // Secure the PHP_SELF variable by first making all HTML code unuseable + + //$_SERVER['PHP_SELF'] = '/tests/simple.php/"><script>alert(\'xss\')</script><foo'; $_SERVER['PHP_SELF'] = htmlentities($_SERVER['PHP_SELF']); + if (isset($_SERVER['PATH_INFO'])) { + /** + * @TODO this will probably break special signs in the perma-link feature + * www.somewhere.com/index.php/album1/photo.jpg + * www.somewhere.com/index.php/album2 with spaces and 'quotes' and other "quotes"/photo <1>.jpg + * + * for the moment its ok for me. would need furhter investigation to get perma-link with special signs working + */ + $_SERVER['PATH_INFO'] = htmlentities($_SERVER['PATH_INFO']); + } + // Split it up into path and filename $SELF_DIR = dirname($_SERVER['PHP_SELF']); $SELF_FILE = basename($_SERVER['PHP_SELF']); // Check for a .php inside the $SELF_DIR... - while (ereg(".php", $SELF_DIR)) + while (ereg(".php", $SELF_DIR)) // this will not work if there is a folder with .php in its name, but this is very unlikely { // Correct the dirname $SELF_DIR = substr($SELF_DIR, 0, (strpos($SELF_DIR, ".php") + 4)); @@ -115,7 +128,22 @@ } // Put both together again and let's pray it is secured now... - $_SERVER['PHP_SELF'] = $SELF_DIR."/".$SELF_FILE; + if ( $SELF_DIR=='/' || $SELF_DIR=='\\') { + // if linpha is not installed in a subfolder take special behaviour + $_SERVER['PHP_SELF'] = "/".$SELF_FILE; + + /** + * (windows xp sp2 apache2.2 + * dirname('/'): \ + * dirname('/index.php'): \ + * dirname('/linpha/index.php'): /linpha + * dirname('/linpha/index.php/<asd>'): /linpha/index.php + * dirname('/linpha/index.php/<asd>/<asd>'): /linpha/index.php/<asd>) + */ + + } else { + $_SERVER['PHP_SELF'] = $SELF_DIR."/".$SELF_FILE; + } // Remove uneccessary variables unset($SELF_DIR); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
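Review bot: `$_SERVER['PATH_INFO'] = htmlentities($_SERVER['PATH_INFO']);` is called without `ENT_QUOTES`, so single quotes pass through unencoded, which contradicts the `htmlentities($str, ENT_QUOTES)` rule this same commit writes into security.txt and linpha2.specs.txt; the existing `htmlentities($_SERVER['PHP_SELF'])` line above it has the same gap. Change both to `$_SERVER['PATH_INFO'] = htmlentities($_SERVER['PATH_INFO'], ENT_QUOTES);` and `$_SERVER['PHP_SELF'] = htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES);`. The commented-out test assignment `//$_SERVER['PHP_SELF'] = '/tests/simple.php/...';` is leftover debugging and should be dropped rather than committed. On the `while (ereg(".php", $SELF_DIR))` line the unescaped `.` is a regex metacharacter, so the loop also fires on folders such as `myphp`, more broadly than the new trailing comment admits; `while (strpos($SELF_DIR, '.php') !== false)` matches the `strpos` the body already uses and is exact. The enclosing block starts before the hunk.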
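Review bot: In the second hunk the Windows `dirname()` observation table sits inside the new root-install branch, after the assignment it explains, as a bare parenthesized dump; it is the reason the `\\` comparison exists, so it belongs above the `if` as a why-comment, e.g. `// Root install: dirname() returns '\' on Windows (observed with Apache 2.2) and '/' elsewhere; joining with $SELF_DIR here would produce '//'.$SELF_FILE.` A `$SELF_DIR` of `.` (PHP_SELF with no leading slash) still takes the else branch and yields `./`.$SELF_FILE; whether that input can occur is not visible here, so it is worth either handling or documenting next to the `/` and `\\` cases. The enclosing block starts before the hunk.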