We use cookies to ensure you get the best experience on our website
Головна сторінка Огляд Довідка
Реєстрація Увійти
0ct0pu5
/
squirrelmail
1
0
Відгалуження 0
Файли Проблеми 0 Запити на злиття 0 Wiki
Переглянути джерело

removed any possible globalized var. It is possible that SESSION, ENV and
SERVER vars can be trusted, but I prefer reverting any possible rg=on effects.

tokul 19 роки тому
батько
f1903ffab4
коміт
1fb4febf46
2 змінених файлів з 38 додано та 18 видалено
Об'єднаний вигляд Показати статистику Diff
  1. 38 3
      functions/global.php
  2. 0 15
      src/configtest.php

+ 38 - 3
functions/global.php
Переглянути файл 

@@ -362,14 +362,41 @@ if (get_magic_quotes_gpc()) {
 
 }
 
 }
 
 
 
 /**
 
 /**
 
- * If register_globals are on, unregister all globals from $_GET, $_POST, 
- * and $_COOKIE. Before 4.3.0 $_FILES globals are unregistered too. Code
 
- * requires PHP 4.1.0 or newer. 
+ * If register_globals are on, unregister globals.
 
+ * Code requires PHP 4.1.0 or newer.
 
  */
 
  */
 
 if ((bool) @ini_get('register_globals')) {
 
 if ((bool) @ini_get('register_globals')) {
 
+    /**
 
+     * Remove all globals from $_GET, $_POST, and $_COOKIE.
 
+     */
 
     foreach ($_REQUEST as $key => $value) {
 
     foreach ($_REQUEST as $key => $value) {
 
         unset($GLOBALS[$key]);
 
         unset($GLOBALS[$key]);
 
     }
 
     }
 
+    /**
 
+     * Remove globalized $_FILES variables
 
+     * Before 4.3.0 $_FILES are included in $_REQUEST.
 
+     * Unglobalize them in separate call in order to remove dependency 
+     * on PHP version.
 
+     */
 
+    foreach ($_FILES as $key => $value) {
 
+        unset($GLOBALS[$key]);
 
+        // there are three undocumented $_FILES globals.
 
+        unset($GLOBALS[$key.'_type']);
 
+        unset($GLOBALS[$key.'_name']);
 
+        unset($GLOBALS[$key.'_size']);
 
+    }
 
+    /**
 
+     * Remove globalized environment variables.
 
+     */
 
+    foreach ($_ENV as $key => $value) {
 
+        unset($GLOBALS[$key]);
 
+    }
 
+    /**
 
+     * Remove globalized server variables.
 
+     */
 
+    foreach ($_SERVER as $key => $value) {
 
+        unset($GLOBALS[$key]);
 
+    }
 
 }
 
 }
 
 
 
 /* strip any tags added to the url from PHP_SELF.
 
 /* strip any tags added to the url from PHP_SELF.
 
@@ -381,4 +408,12 @@ $PHP_SELF = php_self();
 
 
 
 sqsession_is_active();
 
 sqsession_is_active();
 
 
 
+/** 
+ * Remove globalized session data in rg=on setups
 
+ */
 
+if ((bool) @ini_get('register_globals')) {
 
+    foreach ($_SESSION as $key => $value) {
 
+        unset($GLOBALS[$key]);
 
+    }
 
+}
 
 ?>
 
 ?>

+ 0 - 15
src/configtest.php
Переглянути файл 

@@ -121,21 +121,6 @@ if (function_exists('mb_internal_encoding') &&
 
     do_err($mb_error);
 
     do_err($mb_error);
 
 }
 
 }
 
 
 
-/**
 
- * We code with register_globals = off. SquirrelMail should work in such setup
 
- * since 1.2.9 and 1.3.0. Running SquirrelMail with register_globals = on can
 
- * cause variable corruption and security issues. Globals can be turned off in
 
- * php.ini, webserver config and .htaccess files. Scripts can turn off globals only
 
- * in php 4.2.3 or older.
 
- */
 
-if ((bool) ini_get('register_globals')) {
 
-    $rg_error='You have enabled php register_globals.'
 
-        .' Running PHP installation with register_globals=on can cause problems.'
 
-        .' See <a href="http://www.php.net/manual/en/security.registerglobals.php">'
 
-        .'security information about register_globals</a>.';
 
-    do_err($rg_error);
 
-}
 
-
 
 /* checking paths */
 
 /* checking paths */
 
 
 
 echo "Checking paths...<br />\n";
 
 echo "Checking paths...<br />\n";

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5