X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=include%2Finit.php;h=047f18771081a8fc8e6f630cb8026999f52e4e7f;hb=a28de4194b8f41675c0034aeabee86ab35a8c00f;hp=a024f8f12817cdfc33306c536d7951167faa0c8b;hpb=67c826cef3c0dcbf930606b13b6eadbedabba82c;p=squirrelmail.git
diff --git a/include/init.php b/include/init.php
index a024f8f1..047f1877 100644
--- a/include/init.php
+++ b/include/init.php
@@ -120,9 +120,20 @@ if(!empty($_SERVER['UNIQUE_ID'])) {
 $seed .= uniqid(mt_rand(),TRUE);
 $seed .= implode( '', stat( __FILE__) );
-/** PHP 4.2 and up don't require seeding, but their used seed algorithm
- * is of questionable quality, so we keep doing it ourselves. */
-mt_srand(hexdec(md5($seed)));
+// mt_srand() uses an integer to seed, so we need to distill our
+// very large seed to something useful (without taking a sub-string,
+// the integer conversion of such a large number is always 0 on
+// many systems, but strangely, 9 hex numbers - even if larger
+// than a signed 32 bit integer - seem to be an acceptable "integer"
+// seed (perhaps it is used as unsigned?)...
+// we may want to revisit this and always force it to be less than
+// 2,147,483,647
+//
+$seed = hexdec(substr(md5($seed), 0, 9));
+
+// PHP 4.2 and up don't require seeding, but their used seed algorithm
+// is of questionable quality, so we keep doing it ourselves. */
+mt_srand($seed);
 /**
 * calculate SM_PATH and calculate the base_uri
@@ -224,6 +235,12 @@ if ($sm_debug_mode & SM_DEBUG_MODE_STRICT)
 error_reporting($error_level);
+/**
+ * Detect SSL connections
+ */
+$is_secure_connection = is_ssl_secured_connection();
+
+
 require(SM_PATH . 'functions/plugin.php');
 require(SM_PATH . 'include/languages.php');
 require(SM_PATH . 'class/template/Template.class.php');
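Review bot: The new seed distillation `$seed = hexdec(substr(md5($seed), 0, 9));` still depends on platform-specific integer conversion, which is exactly what the accompanying comment admits it cannot explain: nine hex digits is a 36-bit value, so on 32-bit builds hexdec() returns a float that mt_srand() has to truncate, and on 64-bit builds it is wider than the 32-bit seed a Mersenne Twister presumably consumes, so the effective seed differs by platform and PHP version. Take a slice that is an integer everywhere, `$seed = hexdec(substr(md5($seed), 0, 7));` (28 bits, always below 2^31), and replace the speculative "perhaps it is used as unsigned?" paragraph with a one-line comment stating that limit. Whatever slice is used, mt_rand() is not a cryptographic generator, so the comment should also say that this seeding only improves statistical quality and that downstream code producing session identifiers or tokens must not treat mt_rand() output as unpredictable. The ` */` left at the end of the `// is of questionable quality, so we keep doing it ourselves.` line is a leftover of the old block comment and should be dropped.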
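Review bot: `$is_secure_connection = is_ssl_secured_connection();` is documented only as "Detect SSL connections", which leaves consumers of this new global guessing at its contract, and since the helper's definition is not part of this diff I cannot tell from here whether it is guaranteed to be loaded before this point in init.php (the assignment runs before plugin.php is required, so it must come from an earlier include). I would expand the block comment to state what the flag is for and its main limitation, e.g. ` * TRUE when the web server reports this request as TLS; presumably for decisions such as the cookie "secure" flag.` followed by ` * If TLS is terminated at a reverse proxy this reports a plain connection unless the helper honours the proxy's forwarded-proto header.` Note that the global is assigned unconditionally on every request, so anything that later runs under register_globals-style cleanup must not unset it.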
@@ -246,10 +263,21 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
 }
-/* strip any tags added to the url from PHP_SELF.
-This fixes hand crafted url XXS expoits for any
- page that uses PHP_SELF as the FORM action */
-$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
+/**
+ * Strip any tags added to the url from PHP_SELF.
+ * This fixes hand crafted url XXS expoits for any
+ * page that uses PHP_SELF as the FORM action
+ * Update: strip_tags() won't catch something like
+ * src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx=">
+ * or
+ * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
+ * because it doesn't bother with broken tags.
+ * htmlspecialchars() is the preferred method.
+ * QUERY_STRING also needs the same treatment since it is
+ * used in php_self().
+ */
+$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
+$_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
 $PHP_SELF = php_self();
@@ -774,6 +802,7 @@ function checkForJavascript($reset = FALSE) {
 if ( !$reset && sqGetGlobalVar('javascript_on', $javascript_on, SQ_SESSION) )
 return $javascript_on;
+ //FIXME: this isn't used anywhere else in this function; can we remove it? why is it here?
 $user_is_logged_in = FALSE;
 if ( $reset || !isset($javascript_setting) )
 $javascript_setting = getPref($data_dir, $username, 'javascript_setting', SMPREF_JS_AUTODETECT);
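Review bot: `htmlspecialchars()` with its default flags leaves single quotes untouched, so `$_SERVER['PHP_SELF']` and `$_SERVER['QUERY_STRING']` remain injectable into any single-quoted attribute or inline script a page builds from them, the same class of bug this commit sets out to close; pass `ENT_QUOTES` on both lines, `$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);` and `$_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING'], ENT_QUOTES);`. Encoding these values at init time also changes their meaning for every later consumer: `&` becomes `&amp;`, so any code that parses QUERY_STRING itself, or writes PHP_SELF into a Location header, a log line or a path comparison, now sees entities, and any output path that escapes again will double-encode; I cannot see those consumers from here, so the comment should at least warn that from this point both values are HTML-encoded, and escaping at each output site remains the robust fix. While the comment is being rewritten, `XXS expoits` should read `XSS exploits`.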