diff options
| author | Igor Wiedler <igor@wiedler.ch> | 2011-08-18 23:38:39 +0200 |
|---|---|---|
| committer | Igor Wiedler <igor@wiedler.ch> | 2011-08-18 23:44:30 +0200 |
| commit | c5cef773c4811d2041c56a9c34da94a30f8190e1 (patch) | |
| tree | d3286beea76cbb7edc85732f6ccb2c4ea9fb4245 | |
| parent | fd08cd8dd013c0d1bf8e18611f798c6987d9de9c (diff) | |
| download | forums-c5cef773c4811d2041c56a9c34da94a30f8190e1.tar forums-c5cef773c4811d2041c56a9c34da94a30f8190e1.tar.gz forums-c5cef773c4811d2041c56a9c34da94a30f8190e1.tar.bz2 forums-c5cef773c4811d2041c56a9c34da94a30f8190e1.tar.xz forums-c5cef773c4811d2041c56a9c34da94a30f8190e1.zip | |
[feature/request-class] Adjust code base to do html decoding manually
PHPBB3-9716
| -rw-r--r-- | phpBB/includes/auth/auth_apache.php | 12 | ||||
| -rw-r--r-- | phpBB/includes/functions.php | 7 | ||||
| -rw-r--r-- | phpBB/includes/functions_download.php | 2 | ||||
| -rw-r--r-- | phpBB/includes/functions_messenger.php | 2 | ||||
| -rw-r--r-- | phpBB/includes/questionnaire/questionnaire.php | 4 | ||||
| -rw-r--r-- | phpBB/includes/session.php | 16 | ||||
| -rw-r--r-- | phpBB/install/database_update.php | 2 | ||||
| -rw-r--r-- | phpBB/install/index.php | 6 | ||||
| -rw-r--r-- | phpBB/install/install_install.php | 8 | ||||
| -rw-r--r-- | phpBB/style.php | 2 |
10 files changed, 31 insertions, 30 deletions
diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php index ff07936b36..9089703035 100644 --- a/phpBB/includes/auth/auth_apache.php +++ b/phpBB/includes/auth/auth_apache.php @@ -30,7 +30,7 @@ function init_apache() { global $user, $request; - if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $user->data['username'] !== $request->server('PHP_AUTH_USER')) + if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $user->data['username'] !== htmlspecialchars_decode($request->server('PHP_AUTH_USER'))) { return $user->lang['APACHE_SETUP_BEFORE_USE']; } @@ -72,8 +72,8 @@ function login_apache(&$username, &$password) ); } - $php_auth_user = $request->server('PHP_AUTH_USER'); - $php_auth_pw = $request->server('PHP_AUTH_PW'); + $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER')); + $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW')); if (!empty($php_auth_user) && !empty($php_auth_pw)) { @@ -143,8 +143,8 @@ function autologin_apache() return array(); } - $php_auth_user = $request->server('PHP_AUTH_USER'); - $php_auth_pw = $request->server('PHP_AUTH_PW'); + $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER')); + $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW')); if (!empty($php_auth_user) && !empty($php_auth_pw)) { @@ -233,7 +233,7 @@ function validate_session_apache(&$user) // Check if PHP_AUTH_USER is set and handle this case if ($request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) { - $php_auth_user = $request->server('PHP_AUTH_USER', '', true); + $php_auth_user = $request->server('PHP_AUTH_USER'); return ($php_auth_user === $user['username']) ? true : false; } diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index ea96801129..b0c89bdceb 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -879,7 +879,8 @@ function phpbb_own_realpath($path) { // Warning: If chdir() has been used this will lie! // Warning: This has some problems sometime (CLI can create them easily) - $path = str_replace(DIRECTORY_SEPARATOR, '/', dirname($request->server('SCRIPT_FILENAME'))) . '/' . $path; + $filename = htmlspecialchars_decode($request->server('SCRIPT_FILENAME')); + $path = str_replace(DIRECTORY_SEPARATOR, '/', dirname($filename)) . '/' . $path; $absolute = true; $path_prefix = ''; } @@ -4242,7 +4243,7 @@ function phpbb_http_login($param) { if ($request->is_set($k, phpbb_request_interface::SERVER)) { - $username = $request->server($k); + $username = htmlspecialchars_decode($request->server($k)); break; } } @@ -4252,7 +4253,7 @@ function phpbb_http_login($param) { if ($request->is_set($k, phpbb_request_interface::SERVER)) { - $password = $request->server($k); + $password = htmlspecialchars_decode($request->server($k)); break; } } diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php index bcb360cac7..b4664d74cb 100644 --- a/phpBB/includes/functions_download.php +++ b/phpBB/includes/functions_download.php @@ -301,7 +301,7 @@ function download_allowed() return true; } - $url = trim($request->header('Referer')); + $url = htmlspecialchars_decode($request->header('Referer')); if (!$url) { diff --git a/phpBB/includes/functions_messenger.php b/phpBB/includes/functions_messenger.php index a9241884bb..1866733545 100644 --- a/phpBB/includes/functions_messenger.php +++ b/phpBB/includes/functions_messenger.php @@ -342,7 +342,7 @@ class messenger $user->session_begin(); } - $calling_page = $request->server('PHP_SELF'); + $calling_page = htmlspecialchars_decode($request->server('PHP_SELF')); $message = ''; switch ($type) diff --git a/phpBB/includes/questionnaire/questionnaire.php b/phpBB/includes/questionnaire/questionnaire.php index ed61cf82d0..fa12d570df 100644 --- a/phpBB/includes/questionnaire/questionnaire.php +++ b/phpBB/includes/questionnaire/questionnaire.php @@ -152,11 +152,11 @@ class phpbb_questionnaire_system_data_provider // Start discovering the IPV4 server address, if available // Try apache, IIS, fall back to 0.0.0.0 - $server_address = $request->server('SERVER_ADDR', $request->server('LOCAL_ADDR', '0.0.0.0')); + $server_address = htmlspecialchars_decode($request->server('SERVER_ADDR', $request->server('LOCAL_ADDR', '0.0.0.0'))); return array( 'os' => PHP_OS, - 'httpd' => $request->server('SERVER_SOFTWARE'), + 'httpd' => htmlspecialchars_decode($request->server('SERVER_SOFTWARE')), // we don't want the real IP address (for privacy policy reasons) but only // a network address to see whether your installation is running on a private or public network. 'private_ip' => $this->is_private_ip($server_address), diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 9faf9eee60..84ad98d31f 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -46,13 +46,13 @@ class session $page_array = array(); // First of all, get the request uri... - $script_name = $request->server('PHP_SELF'); - $args = explode('&', $request->server('QUERY_STRING')); + $script_name = htmlspecialchars_decode($request->server('PHP_SELF')); + $args = explode('&', htmlspecialchars_decode($request->server('QUERY_STRING'))); // If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support... if (!$script_name) { - $script_name = $request->server('REQUEST_URI'); + $script_name = htmlspecialchars_decode($request->server('REQUEST_URI')); $script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name; $page_array['failover'] = 1; } @@ -146,7 +146,7 @@ class session global $config, $request; // Get hostname - $host = $request->header('Host', $request->server('SERVER_NAME')); + $host = htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME'))); // Should be a string and lowered $host = (string) strtolower($host); @@ -214,9 +214,9 @@ class session $this->time_now = time(); $this->cookie_data = array('u' => 0, 'k' => ''); $this->update_session_page = $update_session_page; - $this->browser = $request->header('User-Agent', '', true); - $this->referer = $request->header('Referer', '', true); - $this->forwarded_for = $request->header('X-Forwarded-For', '', true); + $this->browser = $request->header('User-Agent'); + $this->referer = $request->header('Referer'); + $this->forwarded_for = $request->header('X-Forwarded-For'); $this->host = $this->extract_current_hostname(); $this->page = $this->extract_current_page($phpbb_root_path); @@ -270,7 +270,7 @@ class session // Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests // it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip. - $this->ip = $request->server('REMOTE_ADDR'); + $this->ip = htmlspecialchars_decode($request->server('REMOTE_ADDR')); $this->ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->ip)); // split the list of IPs diff --git a/phpBB/install/database_update.php b/phpBB/install/database_update.php index cd060a0b2b..b69d44d7be 100644 --- a/phpBB/install/database_update.php +++ b/phpBB/install/database_update.php @@ -145,7 +145,7 @@ unset($dbpasswd); $user->ip = ''; if ($request->server('REMOTE_ADDR')) { - $user->ip = (function_exists('phpbb_ip_normalise')) ? phpbb_ip_normalise($request->server('REMOTE_ADDR')) : $request->server('REMOTE_ADDR', '', true); + $user->ip = (function_exists('phpbb_ip_normalise')) ? phpbb_ip_normalise($request->server('REMOTE_ADDR')) : $request->server('REMOTE_ADDR'); } $sql = "SELECT config_value diff --git a/phpBB/install/index.php b/phpBB/install/index.php index bba26fde7a..f43d95301f 100644 --- a/phpBB/install/index.php +++ b/phpBB/install/index.php @@ -430,14 +430,14 @@ class module global $request; // HTTP_HOST is having the correct browser url in most cases... - $server_name = strtolower($request->header('Host', $request->server('SERVER_NAME'))); + $server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME')))); $server_port = $request->server('SERVER_PORT', 0); $secure = $request->is_secure() ? 1 : 0; - $script_name = $request->server('PHP_SELF'); + $script_name = htmlspecialchars_decode($request->server('PHP_SELF')); if (!$script_name) { - $script_name = $request->server('REQUEST_URI'); + $script_name = htmlspecialchars_decode($request->server('REQUEST_URI')); } // Replace backslashes and doubled slashes (could happen on some proxy setups) diff --git a/phpBB/install/install_install.php b/phpBB/install/install_install.php index 12f541e5f8..1a69638220 100644 --- a/phpBB/install/install_install.php +++ b/phpBB/install/install_install.php @@ -1017,7 +1017,7 @@ class install_install extends module $s_hidden_fields .= '<input type="hidden" name="language" value="' . $data['language'] . '" />'; // HTTP_HOST is having the correct browser url in most cases... - $server_name = strtolower($request->header('Host', $request->server('SERVER_NAME'))); + $server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME')))); // HTTP HOST can carry a port number... if (strpos($server_name, ':') !== false) @@ -1033,10 +1033,10 @@ class install_install extends module if ($data['script_path'] === '') { - $name = $request->server('PHP_SELF'); + $name = htmlspecialchars_decode($request->server('PHP_SELF')); if (!$name) { - $name = $request->server('REQUEST_URI'); + $name = htmlspecialchars_decode($request->server('REQUEST_URI')); } // Replace backslashes and doubled slashes (could happen on some proxy setups) @@ -1117,7 +1117,7 @@ class install_install extends module } // HTTP_HOST is having the correct browser url in most cases... - $server_name = strtolower($request->header('Host', $request->server('SERVER_NAME'))); + $server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME')))); $referer = strtolower($request->header('Referer')); // HTTP HOST can carry a port number... diff --git a/phpBB/style.php b/phpBB/style.php index caa45784de..eaab4544bc 100644 --- a/phpBB/style.php +++ b/phpBB/style.php @@ -152,7 +152,7 @@ if ($id) if ($config['gzip_compress']) { // IE6 is not able to compress the style (do not ask us why!) - $browser = strtolower($request->header('User-Agent', '', true)); + $browser = strtolower($request->header('User-Agent')); if ($browser && strpos($browser, 'msie 6.0') === false && @extension_loaded('zlib') && !headers_sent()) { |