diff options
author | Nils Adermann <naderman@naderman.de> | 2014-11-25 15:43:24 +0100 |
---|---|---|
committer | Nils Adermann <naderman@naderman.de> | 2014-11-25 15:57:12 +0100 |
commit | 965042d015a0351303999b0196998be67d42dbae (patch) | |
tree | 600950d217580eb7a91d0a8c39ea58edb456d6d8 | |
parent | a415b8e37b683fcb7d0702df0695850c7980d770 (diff) | |
download | forums-965042d015a0351303999b0196998be67d42dbae.tar forums-965042d015a0351303999b0196998be67d42dbae.tar.gz forums-965042d015a0351303999b0196998be67d42dbae.tar.bz2 forums-965042d015a0351303999b0196998be67d42dbae.tar.xz forums-965042d015a0351303999b0196998be67d42dbae.zip |
[ticket/13376] Revert unnecessary change for cookies called GLOBALS 92f554e3
Also introduce a clear cookie message hardcoded just in case.
PHPBB3-13376
-rw-r--r-- | phpBB/includes/startup.php | 28 |
1 files changed, 5 insertions, 23 deletions
diff --git a/phpBB/includes/startup.php b/phpBB/includes/startup.php index cf216a65db..2f3b1c5324 100644 --- a/phpBB/includes/startup.php +++ b/phpBB/includes/startup.php @@ -80,31 +80,13 @@ function deregister_globals() { if (isset($not_unset[$varname])) { - // Hacking attempt. No point in continuing unless it's a COOKIE (so a cookie called GLOBALS doesn't lock users out completely) - if ($varname !== 'GLOBALS' || isset($_GET['GLOBALS']) || isset($_POST['GLOBALS']) || isset($_SERVER['GLOBALS']) || isset($_SESSION['GLOBALS']) || isset($_ENV['GLOBALS']) || isset($_FILES['GLOBALS'])) + // Hacking attempt. No point in continuing. + if (isset($_COOKIE[$varname])) { - exit; - } - else - { - $cookie = &$_COOKIE; - while (isset($cookie['GLOBALS'])) - { - if (!is_array($cookie['GLOBALS'])) - { - break; - } - - foreach ($cookie['GLOBALS'] as $registered_var => $value) - { - if (!isset($not_unset[$registered_var])) - { - unset($GLOBALS[$registered_var]); - } - } - $cookie = &$cookie['GLOBALS']; - } + echo "Clear your cookies. "; } + echo "Malicious variable name detected. Contact the administrator and ask them to disable register_globals."; + exit; } unset($GLOBALS[$varname]); |