| author | Marc Alexander <admin@m-a-styles.de> | 2015-01-21 00:16:42 +0100 | 
|---|---|---|
| committer | Andreas Fischer <bantu@phpbb.com> | 2015-01-21 01:02:08 +0100 | 
| commit | 4b9434bf1ba4c015da11309602cfccf1a9c2493c (patch) | |
| tree | bf18c2f664c124d459a99282c2387b12e0508f46 /phpBB/includes | |
| parent | d17904884ea27905d85c8cdc395821ade7079fa2 (diff) | |
[ticket/13531] Explicitly disallow trailing paths (e.g. PATH_INFO).
PHPBB3-13531
Diffstat (limited to 'phpBB/includes')
| -rw-r--r-- | phpBB/includes/startup.php | 34 | 
1 files changed, 34 insertions, 0 deletions
| diff --git a/phpBB/includes/startup.php b/phpBB/includes/startup.php
index 2f3b1c5324..d9dab2a356 100644
--- a/phpBB/includes/startup.php
+++ b/phpBB/includes/startup.php
@@ -95,6 +95,40 @@ function deregister_globals()
 	unset($input);
 }
+/**
+ * Check if requested page uses a trailing path
+ *
+ * @param string $phpEx PHP extension
+ *
+ * @return bool True if trailing path is used, false if not
+ */
+function phpbb_has_trailing_path($phpEx)
+{
+	// Check if path_info is being used
+	if (!empty($_SERVER['PATH_INFO']) || !empty($_SERVER['ORIG_PATH_INFO']))
+	{
+		return true;
+	}
+
+	// Match any trailing path appended to a php script in the REQUEST_URI.
+	// It is assumed that only actual PHP scripts use names like foo.php. Due
+	// to this, any phpBB board inside a directory that has the php extension
+	// appended to its name will stop working, i.e. if the board is at
+	// example.com/phpBB/test.php/ or example.com/test.php/
+	if (preg_match('#^[^?]+\.' . preg_quote($phpEx, '#') . '/#', $_SERVER['REQUEST_URI']))
+	{
+		return true;
+	}
+
+	return false;
+}
+
+// Check if trailing path is used
+if (phpbb_has_trailing_path($phpEx))
+{
+	exit('Trailing paths and path_info is not supported by phpBB 3.0');
+}
+
 // Register globals and magic quotes have been dropped in PHP 5.4
 if (version_compare(PHP_VERSION, '5.4.0-dev', '>='))
 { |
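Review bot: The rejection block at the end of the added code calls `exit(...)` without setting a status line, so a refused trailing-path request is still answered as a normal 200 response. Proxies, crawlers and log-based monitoring therefore cannot tell it apart from a served page. Sending `header('HTTP/1.1 400 Bad Request');` immediately before the `exit` would make the refusal visible to them. In `phpbb_has_trailing_path()`, `$_SERVER['REQUEST_URI']` is passed to `preg_match` without an existence check, so where the server does not populate it the second test raises a notice and silently matches nothing; `if (!empty($_SERVER['REQUEST_URI']) && preg_match(...))` keeps the behaviour explicit. The docblock would also benefit from one sentence on why trailing paths are refused (presumably because relative URLs in generated pages would resolve against the extra path segments; confirm against the ticket), so the check is not later relaxed as a mere compatibility restriction.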
