Aggressive sanitizing of REQUEST_URI, PHP_SELF, and QUERY_STRING corrupted page URIs...
authorpdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Sat, 26 Jun 2010 10:15:49 +0000 (10:15 +0000)
committerpdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Sat, 26 Jun 2010 10:15:49 +0000 (10:15 +0000)
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13957 7612ce4b-ef26-0410-bec9-ea0150e637f0

include/init.php

index 79c39c034c69432c69845393e58e6e8a2673e5ea..5efd61eaf946cb2c9eb24d33466cd190bc2ccdd5 100644 (file)
@@ -275,13 +275,17 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
  * htmlspecialchars() is the preferred method.
  * QUERY_STRING also needs the same treatment since it is
  * used in php_self().
+ * Update again: the encoding of ampersands that occurs
+ * using htmlspecialchars() corrupts the query strings
+ * in normal URIs, so we have to let those through.
+FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
  */
 if (isset($_SERVER['REQUEST_URI']))
-    $_SERVER['REQUEST_URI'] = htmlspecialchars($_SERVER['REQUEST_URI']);
+    $_SERVER['REQUEST_URI'] = str_replace('&amp;', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
 if (isset($_SERVER['PHP_SELF']))
-    $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
+    $_SERVER['PHP_SELF'] = str_replace('&amp;', '&', htmlspecialchars($_SERVER['PHP_SELF']));
 if (isset($_SERVER['QUERY_STRING']))
-    $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
+    $_SERVER['QUERY_STRING'] = str_replace('&amp;', '&', htmlspecialchars($_SERVER['QUERY_STRING']));
 
 $PHP_SELF = php_self();
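Review bot: The three `str_replace('&amp;', '&', htmlspecialchars(...))` assignments leave `REQUEST_URI`, `PHP_SELF` and `QUERY_STRING` only partly escaped, which answers the FIXME. `<`, `>` and `"` are still encoded, but a request-supplied `&` now passes through raw, so the browser decodes any character reference in the URI wherever these values are echoed into HTML. That cannot open a tag or close a double-quoted attribute, but it matters if a value lands in an inline script, an event-handler attribute or a single-quoted attribute, since htmlspecialchars() without `ENT_QUOTES` leaves `'` unencoded on PHP versions before 8.1. The more robust fix is to keep the raw values at init time and escape at each output site, for example `echo htmlspecialchars($PHP_SELF, ENT_QUOTES);`, so that redirects and URL building get an unencoded string and HTML output gets a fully encoded one. How php_self() and its callers emit these values is not visible in this hunk, so check that before dropping the FIXME, and give the FIXME line the ` * ` prefix used by the rest of the comment.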