path: root/mail/squirrelmail/patches/patch-ac
blob: c6f3e5b062297d8f917b92fa27938489f7e3f217 (plain)
$NetBSD: patch-ac,v 1.2.2.1 2006/06/04 13:55:58 salo Exp $

--- functions/global.php.orig	2006-02-03 22:27:47.000000000 +0000
+++ functions/global.php	2006-06-04 13:22:14.000000000 +0100
@@ -62,6 +62,47 @@
     sqstripslashes($_POST);
 }
 
+/**
+ * If register_globals are on, unregister globals.
+ * Code requires PHP 4.1.0 or newer.
+ * Second test covers boolean set as string (php_value register_globals off).
+ */
+if ((bool) @ini_get('register_globals') &&
+    strtolower(ini_get('register_globals'))!='off') {
+    /**
+     * Remove all globals from $_GET, $_POST, and $_COOKIE.
+     */
+    foreach ($_REQUEST as $key => $value) {
+        unset($GLOBALS[$key]);
+    }
+    /**
+     * Remove globalized $_FILES variables
+     * Before 4.3.0 $_FILES are included in $_REQUEST.
+     * Unglobalize them in separate call in order to remove dependency
+     * on PHP version.
+     */
+    foreach ($_FILES as $key => $value) {
+        unset($GLOBALS[$key]);
+        // there are three undocumented $_FILES globals.
+        unset($GLOBALS[$key.'_type']);
+        unset($GLOBALS[$key.'_name']);
+        unset($GLOBALS[$key.'_size']);
+    }
+    /**
+     * Remove globalized environment variables.
+     */
+    foreach ($_ENV as $key => $value) {
+        unset($GLOBALS[$key]);
+    }
+    /**
+     * Remove globalized server variables.
+     */
+    foreach ($_SERVER as $key => $value) {
+        unset($GLOBALS[$key]);
+    }
+}
+
+
 /* strip any tags added to the url from PHP_SELF.
    This fixes hand crafted url XXS expoits for any
    page that uses PHP_SELF as the FORM action */
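Review bot: The four added `foreach` loops call `unset($GLOBALS[$key])` for every key in `$_REQUEST`, `$_FILES`, `$_ENV` and `$_SERVER` without excluding keys that are themselves superglobal names, so a client-supplied field whose name matches one (for example `_SERVER` or `GLOBALS`) could make this block remove the script's own input arrays instead of a registered copy. A skip list defined before the loops, `$sq_protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES', '_SESSION');`, with `if (in_array((string) $key, $sq_protected)) continue;` as the first statement of each loop body, closes that gap. The variable name is a suggestion, and the non-strict `in_array` keeps the stated PHP 4.1.0 requirement. Globals registered from session data are not covered by any of the loops; whether a session can already be active at this point in `functions/global.php` is not visible from the hunk, so that is worth confirming.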
@@ -336,4 +377,4 @@
 }
 
 // vim: et ts=4
-?>
\ No newline at end of file
+?>