aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorIgor Wiedler <igor@wiedler.ch>2011-08-18 23:38:39 +0200
committerIgor Wiedler <igor@wiedler.ch>2011-08-18 23:44:30 +0200
commitc5cef773c4811d2041c56a9c34da94a30f8190e1 (patch)
treed3286beea76cbb7edc85732f6ccb2c4ea9fb4245
parentfd08cd8dd013c0d1bf8e18611f798c6987d9de9c (diff)
downloadforums-c5cef773c4811d2041c56a9c34da94a30f8190e1.tar
forums-c5cef773c4811d2041c56a9c34da94a30f8190e1.tar.gz
forums-c5cef773c4811d2041c56a9c34da94a30f8190e1.tar.bz2
forums-c5cef773c4811d2041c56a9c34da94a30f8190e1.tar.xz
forums-c5cef773c4811d2041c56a9c34da94a30f8190e1.zip
[feature/request-class] Adjust code base to do html decoding manually
PHPBB3-9716
-rw-r--r--phpBB/includes/auth/auth_apache.php12
-rw-r--r--phpBB/includes/functions.php7
-rw-r--r--phpBB/includes/functions_download.php2
-rw-r--r--phpBB/includes/functions_messenger.php2
-rw-r--r--phpBB/includes/questionnaire/questionnaire.php4
-rw-r--r--phpBB/includes/session.php16
-rw-r--r--phpBB/install/database_update.php2
-rw-r--r--phpBB/install/index.php6
-rw-r--r--phpBB/install/install_install.php8
-rw-r--r--phpBB/style.php2
10 files changed, 31 insertions, 30 deletions
diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php
index ff07936b36..9089703035 100644
--- a/phpBB/includes/auth/auth_apache.php
+++ b/phpBB/includes/auth/auth_apache.php
@@ -30,7 +30,7 @@ function init_apache()
{
global $user, $request;
- if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $user->data['username'] !== $request->server('PHP_AUTH_USER'))
+ if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $user->data['username'] !== htmlspecialchars_decode($request->server('PHP_AUTH_USER')))
{
return $user->lang['APACHE_SETUP_BEFORE_USE'];
}
@@ -72,8 +72,8 @@ function login_apache(&$username, &$password)
);
}
- $php_auth_user = $request->server('PHP_AUTH_USER');
- $php_auth_pw = $request->server('PHP_AUTH_PW');
+ $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER'));
+ $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW'));
if (!empty($php_auth_user) && !empty($php_auth_pw))
{
@@ -143,8 +143,8 @@ function autologin_apache()
return array();
}
- $php_auth_user = $request->server('PHP_AUTH_USER');
- $php_auth_pw = $request->server('PHP_AUTH_PW');
+ $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER'));
+ $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW'));
if (!empty($php_auth_user) && !empty($php_auth_pw))
{
@@ -233,7 +233,7 @@ function validate_session_apache(&$user)
// Check if PHP_AUTH_USER is set and handle this case
if ($request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER))
{
- $php_auth_user = $request->server('PHP_AUTH_USER', '', true);
+ $php_auth_user = $request->server('PHP_AUTH_USER');
return ($php_auth_user === $user['username']) ? true : false;
}
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index ea96801129..b0c89bdceb 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -879,7 +879,8 @@ function phpbb_own_realpath($path)
{
// Warning: If chdir() has been used this will lie!
// Warning: This has some problems sometime (CLI can create them easily)
- $path = str_replace(DIRECTORY_SEPARATOR, '/', dirname($request->server('SCRIPT_FILENAME'))) . '/' . $path;
+ $filename = htmlspecialchars_decode($request->server('SCRIPT_FILENAME'));
+ $path = str_replace(DIRECTORY_SEPARATOR, '/', dirname($filename)) . '/' . $path;
$absolute = true;
$path_prefix = '';
}
@@ -4242,7 +4243,7 @@ function phpbb_http_login($param)
{
if ($request->is_set($k, phpbb_request_interface::SERVER))
{
- $username = $request->server($k);
+ $username = htmlspecialchars_decode($request->server($k));
break;
}
}
@@ -4252,7 +4253,7 @@ function phpbb_http_login($param)
{
if ($request->is_set($k, phpbb_request_interface::SERVER))
{
- $password = $request->server($k);
+ $password = htmlspecialchars_decode($request->server($k));
break;
}
}
diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php
index bcb360cac7..b4664d74cb 100644
--- a/phpBB/includes/functions_download.php
+++ b/phpBB/includes/functions_download.php
@@ -301,7 +301,7 @@ function download_allowed()
return true;
}
- $url = trim($request->header('Referer'));
+ $url = htmlspecialchars_decode($request->header('Referer'));
if (!$url)
{
diff --git a/phpBB/includes/functions_messenger.php b/phpBB/includes/functions_messenger.php
index a9241884bb..1866733545 100644
--- a/phpBB/includes/functions_messenger.php
+++ b/phpBB/includes/functions_messenger.php
@@ -342,7 +342,7 @@ class messenger
$user->session_begin();
}
- $calling_page = $request->server('PHP_SELF');
+ $calling_page = htmlspecialchars_decode($request->server('PHP_SELF'));
$message = '';
switch ($type)
diff --git a/phpBB/includes/questionnaire/questionnaire.php b/phpBB/includes/questionnaire/questionnaire.php
index ed61cf82d0..fa12d570df 100644
--- a/phpBB/includes/questionnaire/questionnaire.php
+++ b/phpBB/includes/questionnaire/questionnaire.php
@@ -152,11 +152,11 @@ class phpbb_questionnaire_system_data_provider
// Start discovering the IPV4 server address, if available
// Try apache, IIS, fall back to 0.0.0.0
- $server_address = $request->server('SERVER_ADDR', $request->server('LOCAL_ADDR', '0.0.0.0'));
+ $server_address = htmlspecialchars_decode($request->server('SERVER_ADDR', $request->server('LOCAL_ADDR', '0.0.0.0')));
return array(
'os' => PHP_OS,
- 'httpd' => $request->server('SERVER_SOFTWARE'),
+ 'httpd' => htmlspecialchars_decode($request->server('SERVER_SOFTWARE')),
// we don't want the real IP address (for privacy policy reasons) but only
// a network address to see whether your installation is running on a private or public network.
'private_ip' => $this->is_private_ip($server_address),
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 9faf9eee60..84ad98d31f 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -46,13 +46,13 @@ class session
$page_array = array();
// First of all, get the request uri...
- $script_name = $request->server('PHP_SELF');
- $args = explode('&', $request->server('QUERY_STRING'));
+ $script_name = htmlspecialchars_decode($request->server('PHP_SELF'));
+ $args = explode('&', htmlspecialchars_decode($request->server('QUERY_STRING')));
// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
if (!$script_name)
{
- $script_name = $request->server('REQUEST_URI');
+ $script_name = htmlspecialchars_decode($request->server('REQUEST_URI'));
$script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name;
$page_array['failover'] = 1;
}
@@ -146,7 +146,7 @@ class session
global $config, $request;
// Get hostname
- $host = $request->header('Host', $request->server('SERVER_NAME'));
+ $host = htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME')));
// Should be a string and lowered
$host = (string) strtolower($host);
@@ -214,9 +214,9 @@ class session
$this->time_now = time();
$this->cookie_data = array('u' => 0, 'k' => '');
$this->update_session_page = $update_session_page;
- $this->browser = $request->header('User-Agent', '', true);
- $this->referer = $request->header('Referer', '', true);
- $this->forwarded_for = $request->header('X-Forwarded-For', '', true);
+ $this->browser = $request->header('User-Agent');
+ $this->referer = $request->header('Referer');
+ $this->forwarded_for = $request->header('X-Forwarded-For');
$this->host = $this->extract_current_hostname();
$this->page = $this->extract_current_page($phpbb_root_path);
@@ -270,7 +270,7 @@ class session
// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
- $this->ip = $request->server('REMOTE_ADDR');
+ $this->ip = htmlspecialchars_decode($request->server('REMOTE_ADDR'));
$this->ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->ip));
// split the list of IPs
diff --git a/phpBB/install/database_update.php b/phpBB/install/database_update.php
index cd060a0b2b..b69d44d7be 100644
--- a/phpBB/install/database_update.php
+++ b/phpBB/install/database_update.php
@@ -145,7 +145,7 @@ unset($dbpasswd);
$user->ip = '';
if ($request->server('REMOTE_ADDR'))
{
- $user->ip = (function_exists('phpbb_ip_normalise')) ? phpbb_ip_normalise($request->server('REMOTE_ADDR')) : $request->server('REMOTE_ADDR', '', true);
+ $user->ip = (function_exists('phpbb_ip_normalise')) ? phpbb_ip_normalise($request->server('REMOTE_ADDR')) : $request->server('REMOTE_ADDR');
}
$sql = "SELECT config_value
diff --git a/phpBB/install/index.php b/phpBB/install/index.php
index bba26fde7a..f43d95301f 100644
--- a/phpBB/install/index.php
+++ b/phpBB/install/index.php
@@ -430,14 +430,14 @@ class module
global $request;
// HTTP_HOST is having the correct browser url in most cases...
- $server_name = strtolower($request->header('Host', $request->server('SERVER_NAME')));
+ $server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME'))));
$server_port = $request->server('SERVER_PORT', 0);
$secure = $request->is_secure() ? 1 : 0;
- $script_name = $request->server('PHP_SELF');
+ $script_name = htmlspecialchars_decode($request->server('PHP_SELF'));
if (!$script_name)
{
- $script_name = $request->server('REQUEST_URI');
+ $script_name = htmlspecialchars_decode($request->server('REQUEST_URI'));
}
// Replace backslashes and doubled slashes (could happen on some proxy setups)
diff --git a/phpBB/install/install_install.php b/phpBB/install/install_install.php
index 12f541e5f8..1a69638220 100644
--- a/phpBB/install/install_install.php
+++ b/phpBB/install/install_install.php
@@ -1017,7 +1017,7 @@ class install_install extends module
$s_hidden_fields .= '<input type="hidden" name="language" value="' . $data['language'] . '" />';
// HTTP_HOST is having the correct browser url in most cases...
- $server_name = strtolower($request->header('Host', $request->server('SERVER_NAME')));
+ $server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME'))));
// HTTP HOST can carry a port number...
if (strpos($server_name, ':') !== false)
@@ -1033,10 +1033,10 @@ class install_install extends module
if ($data['script_path'] === '')
{
- $name = $request->server('PHP_SELF');
+ $name = htmlspecialchars_decode($request->server('PHP_SELF'));
if (!$name)
{
- $name = $request->server('REQUEST_URI');
+ $name = htmlspecialchars_decode($request->server('REQUEST_URI'));
}
// Replace backslashes and doubled slashes (could happen on some proxy setups)
@@ -1117,7 +1117,7 @@ class install_install extends module
}
// HTTP_HOST is having the correct browser url in most cases...
- $server_name = strtolower($request->header('Host', $request->server('SERVER_NAME')));
+ $server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME'))));
$referer = strtolower($request->header('Referer'));
// HTTP HOST can carry a port number...
diff --git a/phpBB/style.php b/phpBB/style.php
index caa45784de..eaab4544bc 100644
--- a/phpBB/style.php
+++ b/phpBB/style.php
@@ -152,7 +152,7 @@ if ($id)
if ($config['gzip_compress'])
{
// IE6 is not able to compress the style (do not ask us why!)
- $browser = strtolower($request->header('User-Agent', '', true));
+ $browser = strtolower($request->header('User-Agent'));
if ($browser && strpos($browser, 'msie 6.0') === false && @extension_loaded('zlib') && !headers_sent())
{