[Fusionforge-commits] r8361 - branches/Branch_4_8/gforge/www/include
Alain Peyrat
aljeux at libremir.placard.fr.eu.org
Fri Nov 6 19:04:15 CET 2009
Author: aljeux
Date: 2009-11-06 19:04:15 +0100 (Fri, 06 Nov 2009)
New Revision: 8361
Modified:
branches/Branch_4_8/gforge/www/include/pre.php
Log:
XSS fix: Globally secure $PHP_SELF in pre.php
Modified: branches/Branch_4_8/gforge/www/include/pre.php
===================================================================
--- branches/Branch_4_8/gforge/www/include/pre.php 2009-11-06 18:03:59 UTC (rev 8360)
+++ branches/Branch_4_8/gforge/www/include/pre.php 2009-11-06 18:04:15 UTC (rev 8361)
@@ -11,6 +11,14 @@
// escaping lib
require_once $gfcommon.'include/escapingUtils.php';
+if (isset($_SERVER) && array_key_exists('PHP_SELF', $_SERVER) && $_SERVER['PHP_SELF']) {
+ $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
+}
+
+if (isset($GLOBALS) && array_key_exists('PHP_SELF', $GLOBALS) && $GLOBALS['PHP_SELF']) {
+ $GLOBALS['PHP_SELF'] = htmlspecialchars($GLOBALS['PHP_SELF']);
+}
+
// Just say no to link prefetching (Moz prefetching, Google Web Accelerator, others)
// http://www.google.com/webmasters/faq.html#prefetchblock
if (getStringFromServer('HTTP_X_moz') === 'prefetch'){
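Review bot: The two added `htmlspecialchars()` calls use the default flags, which in this PHP generation leave the single quote unescaped, so a PHP_SELF value echoed inside a single-quoted attribute (`action='...'`) is still not neutralised; use `htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')` and the same for the `$GLOBALS['PHP_SELF']` branch. Escaping the superglobal in place also changes the value for every later consumer, not only HTML output: code that uses PHP_SELF in a redirect header or compares it against a script path now sees the encoded form, and any page that already escapes it on output will double-encode (`&amp;amp;`), so a comment above the first `if` such as `// PHP_SELF is HTML-escaped here for every consumer; do not escape it again on output, and do not use it for non-HTML purposes.` would make the contract explicit. The `&& $_SERVER['PHP_SELF']` truthiness test skips the rare value `"0"`, which is harmless here but `!== ''` would state the intent more precisely. The hunk appears to have lost a blank context line in extraction (the header counts 6 old lines against 5 visible), so the surrounding lines are presumably unchanged.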