Menu
▾
▴
[Tikiwiki-cvs/svn] SF.net SVN: tikiwiki:[15151] trunk/tiki-setup_base.php
|
From: <ny...@us...> - 2008-10-15 09:54:35
|
Revision: 15151
http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=15151&view=rev
Author: nyloth
Date: 2008-10-15 09:54:24 +0000 (Wed, 15 Oct 2008)
Log Message:
-----------
[FIX] security checks: fix tiki_p_trust_input since make_clean has to be called when magic_quotes_gpc is on.
Modified Paths:
--------------
trunk/tiki-setup_base.php
Modified: trunk/tiki-setup_base.php
===================================================================
--- trunk/tiki-setup_base.php 2008-10-15 01:32:48 UTC (rev 15150)
+++ trunk/tiki-setup_base.php 2008-10-15 09:54:24 UTC (rev 15151)
@@ -108,14 +108,14 @@
// DEAL WITH XSS-TYPE ATTACKS AND OTHER REQUEST ISSUES
require_once('lib/setup/sanitization.php');
-function make_clean(&$var,$gpc=false) {
+function make_clean(&$var,$gpc=false,$clean_xss=false) {
if ( is_array($var) ) {
foreach ( $var as $key=>$val ) {
- make_clean($var[$key],$gpc);
+ make_clean($var[$key],$gpc,$clean_xss);
}
} else {
if ($gpc) $var = stripslashes($var);
- if ( ! isset($_SERVER['SCRIPT_FILENAME']) || basename($_SERVER['SCRIPT_FILENAME']) != 'tiki-admin.php' ) {
+ if ( $clean_xss && ( ! isset($_SERVER['SCRIPT_FILENAME']) || basename($_SERVER['SCRIPT_FILENAME']) != 'tiki-admin.php' ) ) {
$var = RemoveXSS($var);
}
}
@@ -408,27 +408,27 @@
unset($allperms);
// --------------------------------------------------------------
+$magic_quotes_gpc = get_magic_quotes_gpc();
+$clean_xss = ( $tiki_p_trust_input != 'y' );
-if ( $tiki_p_trust_input != 'y' ) {
- $magic_quotes_gpc = get_magic_quotes_gpc();
-
- // deal with register_globals
- if ( ini_get('register_globals') ) {
- foreach ( array($_ENV, $_GET, $_POST, $_COOKIE, $_SERVER) as $superglob ) {
- foreach ( $superglob as $key=>$val ) {
- if ( isset($GLOBALS[$key]) && $GLOBALS[$key]==$val ) { // if global has been set some other way
- // that is OK (prevents munging of $_SERVER with ?_SERVER=rubbish etc.)
- unset($GLOBALS[$key]);
- }
+// deal with register_globals
+if ( ini_get('register_globals') ) {
+ foreach ( array($_ENV, $_GET, $_POST, $_COOKIE, $_SERVER) as $superglob ) {
+ foreach ( $superglob as $key=>$val ) {
+ if ( isset($GLOBALS[$key]) && $GLOBALS[$key]==$val ) { // if global has been set some other way
+ // that is OK (prevents munging of $_SERVER with ?_SERVER=rubbish etc.)
+ unset($GLOBALS[$key]);
}
}
}
- make_clean($_GET, $magic_quotes_gpc);
- make_clean($_POST, $magic_quotes_gpc);
- make_clean($_COOKIE, $magic_quotes_gpc);
- make_clean($_SERVER['QUERY_STRING']);
- make_clean($_SERVER['REQUEST_URI']);
+}
+make_clean($_GET, $magic_quotes_gpc, $clean_xss);
+make_clean($_POST, $magic_quotes_gpc, $clean_xss);
+make_clean($_COOKIE, $magic_quotes_gpc, $clean_xss);
+make_clean($_SERVER['QUERY_STRING'], false, $clean_xss);
+make_clean($_SERVER['REQUEST_URI'], false, $clean_xss);
+if ( $tiki_p_trust_input != 'y' ) {
$varcheck_vars = array('_COOKIE', '_GET', '_POST', '_ENV', '_SERVER');
$varcheck_errors = '';
foreach ( $varcheck_vars as $var ) {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|