Changeset 43829 in spip-zone


Timestamp:
Jan 23, 2011, 8:53:59 PM (10 years ago)
Author:
fil@…
Message:

0.9.9: affiner la detection de 'op' pour ne pas nuire a drupal, et bloquer les xss sur var_recherche

File:
1 edited

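--- a/_core_/securite/ecran_securite.php
+++ b/_core_/securite/ecran_securite.php
@@ -6,5 +6,5 @@
  */
 
-define('_ECRAN_SECURITE', '0.9.8'); // 17 janv 2011
+define('_ECRAN_SECURITE', '0.9.9'); // 23 janv 2011
 
 /*
@@ -51,11 +51,12 @@
 $cjpeg_command='';
 
-/*     - controle la variable $lang (XSS)
- *
- */
-if (isset($_GET['lang']))
-        $GLOBALS['lang'] = $_GET['lang'] = htmlentities((string)$_GET['lang']);
-if (isset($_POST['lang']))
-        $GLOBALS['lang'] = $_POST['lang'] = htmlentities((string)$_POST['lang']);
+/*     - controle la variable lang, var_recherche (XSS)
+ *
+ */
+foreach(array('lang', 'var_recherche') as $ecran_securite_i)
+if (isset($_GET[$ecran_securite_i]))
+        $_REQUEST[$ecran_securite_i] = $GLOBALS[$ecran_securite_i] = $_GET[$ecran_securite_i] = preg_replace(',[^\w-]+,',' ',(string)$_GET[$ecran_securite_i]);
+if (isset($_POST[$ecran_securite_i]))
+        $_REQUEST[$ecran_securite_i] = $GLOBALS[$ecran_securite_i] = $_POST[$ecran_securite_i] = preg_replace(',[^\w-]+,',' ',(string)$_POST[$ecran_securite_i]);
 
 /*     - filtre l'acces a spip_acces_doc (injection SQL en 1.8.2x)
@@ -185,11 +186,10 @@
 
 /*
- * op, lang, permettent des inclusions arbitraires
- */
-foreach (array('op','lang') as $var)
-if (isset($_REQUEST[$var])
-AND $_REQUEST[$var] !== preg_replace('/[^\-\w]/', '', $_REQUEST[$var]))
-        $ecran_securite_raison = "$var";
-
+ * op permet des inclusions arbitraires ;
+ * on verifie 'page' pour ne pas bloquer ... drupal
+ */
+if (isset($_REQUEST['op']) AND isset($_REQUEST['page'])
+AND $_REQUEST['op'] !== preg_replace('/[^\-\w]/', '', $_REQUEST['op']))
+        $ecran_securite_raison = 'op';
 
 /*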
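Review bot: In the second hunk the brace-less `foreach` binds only the first `if`, so the `$_POST` branch runs once after the loop with `$ecran_securite_i` still set to `'var_recherche'`, and `$_POST['lang']` — which the removed code did sanitise — is no longer filtered at all. Wrapping the loop body fixes it: `foreach (array('lang', 'var_recherche') as $ecran_securite_i) {` before the first `if` and a closing `}` after the second assignment. Note also that the pattern `,[^\w-]+,` carries no `u` modifier, so every byte of a non-ASCII search term in `var_recherche` is collapsed to a space; if that is the intended trade-off, a one-line comment saying so would save the next reader a detour. The removed check in the third hunk looked at `$_REQUEST['lang']`, whereas the new sanitising only touches `$_GET`/`$_POST`, so a `lang` value that reaches `$_REQUEST` only via cookie is presumably no longer covered — worth confirming against the request_order in use.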