diff options
| -rw-r--r-- | phpBB/includes/functions.php | 15 | ||||
| -rw-r--r-- | phpBB/includes/session.php | 8 |
2 files changed, 21 insertions, 2 deletions
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 2666f013c5..4fbac96fe2 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -1478,7 +1478,7 @@ function generate_board_url($without_script_path = false) /** * Redirects the user to another page then exits the script nicely */ -function redirect($url) +function redirect($url, $return = false) { global $db, $cache, $config, $user; @@ -1554,6 +1554,17 @@ function redirect($url) } } + // Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2 + if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false || strpos($url, generate_board_url()) !== 0) + { + trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR); + } + + if ($return) + { + return $url; + } + // Redirect via an HTML form for PITA webservers if (@preg_match('#Microsoft|WebSTAR|Xitami#', getenv('SERVER_SOFTWARE'))) { @@ -1670,6 +1681,8 @@ function meta_refresh($time, $url) { global $template; + $url = redirect($url, true); + $template->assign_vars(array( 'META' => '<meta http-equiv="refresh" content="' . $time . ';url=' . $url . '" />') ); diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 09a52feb1f..079d7b9f07 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -64,7 +64,8 @@ class session $query_string = trim(implode('&', $args)); // basenamed page name (for example: index.php) - $page_name = htmlspecialchars(basename($script_name)); + $page_name = basename($script_name); + $page_name = urlencode(htmlspecialchars($page_name)); // current directory within the phpBB root (for example: adm) $root_dirs = explode('/', str_replace('\\', '/', phpbb_realpath($root_path))); @@ -112,6 +113,11 @@ class session 'page' => $page ); + if (!file_exists($page_name)) + { + trigger_error('You are on a page that does not exist!', E_USER_ERROR); + } + return $page_array; } |