From 5cc4a272b227581316552672f28f546a31fa6656 Mon Sep 17 00:00:00 2001
From: tokul
Date: Sun, 4 Dec 2005 09:19:15 +0000
Subject: [PATCH] unregister globals from $_REQUEST. global.php should be loaded before global variables are defined in script and variable corruption should be minimal. We still have to review $theme global in validate.php. I could not reproduce any error when $theme was set through GET request.
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10430 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 functions/global.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/functions/global.php b/functions/global.php
index a477f995..ab30ffaa 100644
--- a/functions/global.php
+++ b/functions/global.php
@@ -356,12 +356,22 @@ $uid_support = true;
 /* if running with magic_quotes_gpc then strip the slashes from POST and GET global arrays */
-
 if (get_magic_quotes_gpc()) {
 sqstripslashes($_GET);
 sqstripslashes($_POST);
 }
+/**
+ * If register_globals are on, unregister all globals from $_GET, $_POST,
+ * and $_COOKIE. Before 4.3.0 $_FILES globals are unregistered too. Code
+ * requires PHP 4.1.0 or newer.
+ */
+if ((bool) @ini_get('register_globals')) {
+ foreach ($_REQUEST as $key => $value) {
+ unset($GLOBALS[$key]);
+ }
+}
+
 /* strip any tags added to the url from PHP_SELF. This fixes hand crafted url XXS expoits for any page that uses PHP_SELF as the FORM action */
--
2.25.1
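Review bot: The added `foreach ($_REQUEST as $key => $value)` loop calls `unset($GLOBALS[$key])` for every request key without excluding reserved names, so a request parameter named after a superglobal (for example `_SERVER` or `_SESSION`) would make the loop remove that array for the rest of the request. Skip those names before the `unset`, e.g. `if (in_array($key, array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES', '_SESSION'))) continue;`. The same concern applies to globals the script has already assigned: the hunk header shows `$uid_support = true;` above this point, and a request key `uid_support` would presumably unset it, so this block should run before any such assignment or the affected variables should be re-initialised afterwards. The docblock should also state that only names present in `$_REQUEST` are removed, so values registered from `$_SERVER`, `$_ENV` or the session are left in place.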