[Fusionforge-commits] r8361 - branches/Branch_4_8/gforge/www/include

Alain Peyrat aljeux at libremir.placard.fr.eu.org
Fri Nov 6 19:04:15 CET 2009


Author: aljeux
Date: 2009-11-06 19:04:15 +0100 (Fri, 06 Nov 2009)
New Revision: 8361

Modified:
   branches/Branch_4_8/gforge/www/include/pre.php
Log:
XSS fix: Globally secure $PHP_SELF in pre.php

Modified: branches/Branch_4_8/gforge/www/include/pre.php
===================================================================
--- branches/Branch_4_8/gforge/www/include/pre.php	2009-11-06 18:03:59 UTC (rev 8360)
+++ branches/Branch_4_8/gforge/www/include/pre.php	2009-11-06 18:04:15 UTC (rev 8361)
@@ -11,6 +11,14 @@
 // escaping lib
 require_once $gfcommon.'include/escapingUtils.php';
 
+if (isset($_SERVER) && array_key_exists('PHP_SELF', $_SERVER) && $_SERVER['PHP_SELF']) {
+	$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
+}
+
+if (isset($GLOBALS) && array_key_exists('PHP_SELF', $GLOBALS) && $GLOBALS['PHP_SELF']) {
+	$GLOBALS['PHP_SELF'] = htmlspecialchars($GLOBALS['PHP_SELF']);
+}
+
 // Just say no to link prefetching (Moz prefetching, Google Web Accelerator, others)
 // http://www.google.com/webmasters/faq.html#prefetchblock
 if (getStringFromServer('HTTP_X_moz') === 'prefetch'){
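Review bot: The two htmlspecialchars() calls on the added lines use the default flags, which on the PHP 5 series this branch runs on leave the single quote (') unescaped, so a PHP_SELF value echoed inside a single-quoted HTML attribute is still injectable after this fix; passing the quote flag closes that: `$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);` and likewise `$GLOBALS['PHP_SELF'] = htmlspecialchars($GLOBALS['PHP_SELF'], ENT_QUOTES);`. Encoding at input is also context-blind: any caller that uses PHP_SELF outside an HTML body (a Location header, a URL it builds, a string comparison against a script name) now receives entity-encoded text, so the callers across www/ are worth a pass to confirm none break or re-encode. The $GLOBALS branch presumably only matters when register_globals is on, since that is what populates a global $PHP_SELF; a one-line comment saying so, `// register_globals may have copied PHP_SELF into the global scope`, would explain why the same value is escaped twice. The surrounding code is top-level include code rather than a function, so there is no enclosing block cut by the hunk.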



