From 965042d015a0351303999b0196998be67d42dbae Mon Sep 17 00:00:00 2001
From: Nils Adermann
Date: Tue, 25 Nov 2014 15:43:24 +0100
Subject: [ticket/13376] Revert unnecessary change for cookies called GLOBALS 92f554e3 Also introduce a clear cookie message hardcoded just in case. PHPBB3-13376
---
 phpBB/includes/startup.php | 28 +++++-----------------------
 1 file changed, 5 insertions(+), 23 deletions(-)
(limited to 'phpBB/includes/startup.php')
diff --git a/phpBB/includes/startup.php b/phpBB/includes/startup.php
index cf216a65db..2f3b1c5324 100644
--- a/phpBB/includes/startup.php
+++ b/phpBB/includes/startup.php
@@ -80,31 +80,13 @@ function deregister_globals()
 {
 if (isset($not_unset[$varname]))
 {
- // Hacking attempt. No point in continuing unless it's a COOKIE (so a cookie called GLOBALS doesn't lock users out completely)
- if ($varname !== 'GLOBALS' || isset($_GET['GLOBALS']) || isset($_POST['GLOBALS']) || isset($_SERVER['GLOBALS']) || isset($_SESSION['GLOBALS']) || isset($_ENV['GLOBALS']) || isset($_FILES['GLOBALS']))
+ // Hacking attempt. No point in continuing.
+ if (isset($_COOKIE[$varname]))
 {
- exit;
- }
- else
- {
- $cookie = &$_COOKIE;
- while (isset($cookie['GLOBALS']))
- {
- if (!is_array($cookie['GLOBALS']))
- {
- break;
- }
-
- foreach ($cookie['GLOBALS'] as $registered_var => $value)
- {
- if (!isset($not_unset[$registered_var]))
- {
- unset($GLOBALS[$registered_var]);
- }
- }
- $cookie = &$cookie['GLOBALS'];
- }
+ echo "Clear your cookies. ";
 }
+ echo "Malicious variable name detected. Contact the administrator and ask them to disable register_globals.";
+ exit;
 }
 unset($GLOBALS[$varname]);
-- cgit v1.2.1
From 4b9434bf1ba4c015da11309602cfccf1a9c2493c Mon Sep 17 00:00:00 2001
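Review bot: The rejection branch ending in `echo "Malicious variable name detected. …"; exit;` answers with the default response status, so a blocked request is recorded like an ordinary page view and is hard to pick out in access logs or monitoring. Sending an error status before any output would make these events visible, for example `header('HTTP/1.0 400 Bad Request', true, 400);` placed ahead of the `if (isset($_COOKIE[$varname]))` check; whether a CGI `Status:` form is needed on some SAPIs cannot be seen from this hunk. The comment `// Hacking attempt. No point in continuing.` could also record the trade-off the revert accepts, e.g. `// A cookie named like a protected variable now blocks every request until the user clears cookies.` The enclosing loop and `deregister_globals()` begin and end outside the hunk.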
From: Marc Alexander
Date: Wed, 21 Jan 2015 00:16:42 +0100
Subject: [ticket/13531] Explicitly disallow trailing paths (e.g. PATH_INFO). PHPBB3-13531
---
 phpBB/includes/startup.php | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
(limited to 'phpBB/includes/startup.php')
diff --git a/phpBB/includes/startup.php b/phpBB/includes/startup.php
index 2f3b1c5324..d9dab2a356 100644
--- a/phpBB/includes/startup.php
+++ b/phpBB/includes/startup.php
@@ -95,6 +95,40 @@ function deregister_globals()
 unset($input);
 }
+/**
+ * Check if requested page uses a trailing path
+ *
+ * @param string $phpEx PHP extension
+ *
+ * @return bool True if trailing path is used, false if not
+ */
+function phpbb_has_trailing_path($phpEx)
+{
+ // Check if path_info is being used
+ if (!empty($_SERVER['PATH_INFO']) || !empty($_SERVER['ORIG_PATH_INFO']))
+ {
+ return true;
+ }
+
+ // Match any trailing path appended to a php script in the REQUEST_URI.
+ // It is assumed that only actual PHP scripts use names like foo.php. Due
+ // to this, any phpBB board inside a directory that has the php extension
+ // appended to its name will stop working, i.e. if the board is at
+ // example.com/phpBB/test.php/ or example.com/test.php/
+ if (preg_match('#^[^?]+\.' . preg_quote($phpEx, '#') . '/#', $_SERVER['REQUEST_URI']))
+ {
+ return true;
+ }
+
+ return false;
+}
+
+// Check if trailing path is used
+if (phpbb_has_trailing_path($phpEx))
+{
+ exit('Trailing paths and path_info is not supported by phpBB 3.0');
+}
+
 // Register globals and magic quotes have been dropped in PHP 5.4
 if (version_compare(PHP_VERSION, '5.4.0-dev', '>='))
 {
-- cgit v1.2.1
From e34b92882a51dc89da88464b8c751a9d93a03124 Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Wed, 21 Jan 2015 00:51:36 +0100
Subject: [ticket/13531] Send 404 Not Found. PHPBB3-13531
---
 phpBB/includes/startup.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'phpBB/includes/startup.php')
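Review bot: `phpbb_has_trailing_path()` passes `$_SERVER['REQUEST_URI']` to `preg_match()` without checking that it is set; on a server setup that does not provide it this raises a notice and the match runs on null. Guarding the test keeps the check explicit: `if (!empty($_SERVER['REQUEST_URI']) && preg_match('#^[^?]+\.' . preg_quote($phpEx, '#') . '/#', $_SERVER['REQUEST_URI']))`. The pattern is also case-sensitive, so on servers that resolve script names case-insensitively the REQUEST_URI test only backs up the PATH_INFO test; adding the `i` modifier would make the two agree. The docblock says what is checked but not why trailing paths are refused, and one sentence on the motivation would help the next maintainer.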
diff --git a/phpBB/includes/startup.php b/phpBB/includes/startup.php
index d9dab2a356..92639fc5bd 100644
--- a/phpBB/includes/startup.php
+++ b/phpBB/includes/startup.php
@@ -126,7 +126,21 @@ function phpbb_has_trailing_path($phpEx)
 // Check if trailing path is used
 if (phpbb_has_trailing_path($phpEx))
 {
- exit('Trailing paths and path_info is not supported by phpBB 3.0');
+ if (substr(strtolower(@php_sapi_name()), 0, 3) === 'cgi')
+ {
+ $prefix = 'Status:';
+ }
+ else if (!empty($_SERVER['SERVER_PROTOCOL']))
+ {
+ $prefix = $_SERVER['SERVER_PROTOCOL'];
+ }
+ else
+ {
+ $prefix = 'HTTP/1.0';
+ }
+ header("$prefix 404 Not Found", true, 404);
+ echo 'Trailing paths and PATH_INFO is not supported by phpBB 3.0';
+ exit;
 }
 // Register globals and magic quotes have been dropped in PHP 5.4
-- cgit v1.2.1
From 74950559074d738733ac1258b07912f9ca14203a Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Tue, 27 Jan 2015 22:12:32 +0100
Subject: [ticket/13549] Do not exit when ORIG_PATH_INFO just contains SCRIPT_NAME. The ORIG_PATH_INFO on IIS also contains the script name. Only use that for killing the script after removing the script name from ORIG_PATH_INFO. PHPBB3-13549
---
 phpBB/includes/startup.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'phpBB/includes/startup.php')
diff --git a/phpBB/includes/startup.php b/phpBB/includes/startup.php
index 92639fc5bd..9bbbf4fd4c 100644
--- a/phpBB/includes/startup.php
+++ b/phpBB/includes/startup.php
@@ -105,7 +105,7 @@ function deregister_globals()
 function phpbb_has_trailing_path($phpEx)
 {
 // Check if path_info is being used
- if (!empty($_SERVER['PATH_INFO']) || !empty($_SERVER['ORIG_PATH_INFO']))
+ if (!empty($_SERVER['PATH_INFO']) || (!empty($_SERVER['ORIG_PATH_INFO']) && $_SERVER['SCRIPT_NAME'] != $_SERVER['ORIG_PATH_INFO']))
 {
 return true;
 }
-- cgit v1.2.1
From 463c62df1847a3791fb7ec23b72c2f72bed12938 Mon Sep 17 00:00:00 2001
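Review bot: The `@` in `substr(strtolower(@php_sapi_name()), 0, 3)` suppresses errors on a call that takes no input, and error suppression on the start-up path can hide a real fault. The `PHP_SAPI` constant holds the same value without a call: `if (substr(strtolower(PHP_SAPI), 0, 3) === 'cgi')`. A short comment above the chain, such as `// CGI SAPIs take a "Status:" header instead of an HTTP status line`, would explain why three prefixes exist.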
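Review bot: The added comparison `$_SERVER['SCRIPT_NAME'] != $_SERVER['ORIG_PATH_INFO']` is a loose comparison and reads `SCRIPT_NAME` without checking that it exists. Because this condition decides whether a request is refused, a strict and guarded form is easier to reason about: `(!empty($_SERVER['ORIG_PATH_INFO']) && (!isset($_SERVER['SCRIPT_NAME']) || $_SERVER['SCRIPT_NAME'] !== $_SERVER['ORIG_PATH_INFO']))`. The IIS behaviour is explained only in the commit message; a comment on the line, e.g. `// IIS also puts the script name into ORIG_PATH_INFO; only a differing value is a trailing path`, would keep that knowledge in the file. The body of `phpbb_has_trailing_path()` continues outside the hunk.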
From: Joas Schilling
Date: Sat, 11 Apr 2015 17:43:06 +0200
Subject: [ticket/13765] Verify SERVER_PROTOCOL has the expected format before using it. PHPBB3-13765
---
 phpBB/includes/startup.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'phpBB/includes/startup.php')
diff --git a/phpBB/includes/startup.php b/phpBB/includes/startup.php
index 9bbbf4fd4c..008651c236 100644
--- a/phpBB/includes/startup.php
+++ b/phpBB/includes/startup.php
@@ -130,7 +130,7 @@ if (phpbb_has_trailing_path($phpEx))
 {
 $prefix = 'Status:';
 }
- else if (!empty($_SERVER['SERVER_PROTOCOL']))
+ else if (!empty($_SERVER['SERVER_PROTOCOL']) && is_string($_SERVER['SERVER_PROTOCOL']) && preg_match('#^HTTP/[0-9]\.[0-9]$#', $_SERVER['SERVER_PROTOCOL']))
 {
 $prefix = $_SERVER['SERVER_PROTOCOL'];
 }
-- cgit v1.2.1
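Review bot: In `preg_match('#^HTTP/[0-9]\.[0-9]$#', $_SERVER['SERVER_PROTOCOL'])` the `$` anchor also matches just before a final newline, so a value that ends in a line break still passes the format check and is then copied into `header()`. Adding the `D` modifier makes the anchor match only at the very end: `preg_match('#^HTTP/[0-9]\.[0-9]$#D', $_SERVER['SERVER_PROTOCOL'])`. A one-line comment such as `// SERVER_PROTOCOL is written into a response header, so accept only the exact HTTP/x.y form` would record why the check exists. The surrounding `if` chain begins and ends outside the hunk.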