[Fusionforge-commits] r8368 - trunk/gforge/www/include

Alain Peyrat aljeux at libremir.placard.fr.eu.org
Fri Nov 6 19:05:12 CET 2009


Author: aljeux
Date: 2009-11-06 19:05:12 +0100 (Fri, 06 Nov 2009)
New Revision: 8368

Modified:
   trunk/gforge/www/include/pre.php
Log:
XSS fix: Globally secure $PHP_SELF in pre.php

Modified: trunk/gforge/www/include/pre.php
===================================================================
--- trunk/gforge/www/include/pre.php	2009-11-06 18:05:07 UTC (rev 8367)
+++ trunk/gforge/www/include/pre.php	2009-11-06 18:05:12 UTC (rev 8368)
@@ -11,6 +11,14 @@
 // escaping lib
 require_once $gfcommon.'include/escapingUtils.php';
 
+if (isset($_SERVER) && array_key_exists('PHP_SELF', $_SERVER) && $_SERVER['PHP_SELF']) {
+	$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
+}
+
+if (isset($GLOBALS) && array_key_exists('PHP_SELF', $GLOBALS) && $GLOBALS['PHP_SELF']) {
+	$GLOBALS['PHP_SELF'] = htmlspecialchars($GLOBALS['PHP_SELF']);
+}
+
 // Just say no to link prefetching (Moz prefetching, Google Web Accelerator, others)
 // http://www.google.com/webmasters/faq.html#prefetchblock
 if (getStringFromServer('HTTP_X_moz') === 'prefetch'){
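Review bot: The added `htmlspecialchars()` calls rely on the default flags, which (ENT_COMPAT on PHP of that era) leave the single quote unescaped, so a `PHP_SELF` such as `/foo.php/'onmouseover='...` still breaks out of any single-quoted attribute like `href='<?php echo $PHP_SELF ?>'`; the fix should pass explicit flags and a charset, `$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');` and likewise for `$GLOBALS['PHP_SELF']`. Escaping a superglobal at input time is also context-blind: any consumer that emits `PHP_SELF` into a `Location:` header, a URL query string or a JavaScript string receives entity-encoded text, and any consumer that already escapes at output now double-encodes `&` as `&amp;amp;` — it would be worth a comment on line 24 stating that from here on `PHP_SELF` is HTML-escaped and must not be re-escaped or used outside an HTML body/attribute context. The `$GLOBALS['PHP_SELF']` branch presumably only matters with `register_globals` enabled; a short comment saying so would explain why both copies are touched.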



