From b837b30fd26691c62fd8cb39a3e9888fc32c6184 Mon Sep 17 00:00:00 2001
From: pdontthink
Date: Sat, 26 Jun 2010 10:15:49 +0000
Subject: [PATCH] Aggressive sanitizing of REQUEST_URI, PHP_SELF, and QUERY_STRING corrupted page URIs by encoding ampersands in the query string, so we have to un-sanitize ampersands. Will this cause any security/XSS issues?

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13957 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 include/init.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/include/init.php b/include/init.php
index 79c39c03..5efd61ea 100644
--- a/include/init.php
+++ b/include/init.php
@@ -275,13 +275,17 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
 * htmlspecialchars() is the preferred method.
 * QUERY_STRING also needs the same treatment since it is
 * used in php_self().
+ * Update again: the encoding of ampersands that occurs
+ * using htmlspecialchars() corrupts the query strings
+ * in normal URIs, so we have to let those through.
+FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
 */
 if (isset($_SERVER['REQUEST_URI']))
- $_SERVER['REQUEST_URI'] = htmlspecialchars($_SERVER['REQUEST_URI']);
+ $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
 if (isset($_SERVER['PHP_SELF']))
- $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
+ $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF']));
 if (isset($_SERVER['QUERY_STRING']))
- $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
+ $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING']));
 $PHP_SELF = php_self();
-- 
2.25.1
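Review bot: The fold-back at the three `str_replace(...)` lines means any `&…;` entity already present in the incoming URI passes through unchanged (`&lt;` becomes `&amp;lt;` under htmlspecialchars() and is then folded back to `&lt;`), so the sanitized values are no longer guaranteed to be entity-free; that is harmless in a plain HTML body but matters if a later consumer decodes entities before reusing the value, which this hunk does not show. Note also that the first argument is rendered here as `'&'`, which would make each call a no-op; presumably it is `'&amp;'` in the actual commit and was decoded by this rendering. On the FIXME question: `<`, `>` and `"` remain encoded, so direct markup injection through these three variables is still blocked, but htmlspecialchars() is called without `ENT_QUOTES`, so a value echoed into a single-quoted attribute was not protected before this change and is not now; the cleaner fix is to keep `$_SERVER` values raw and escape at each output site with the flags that context needs, e.g. `htmlspecialchars($uri, ENT_QUOTES)` for attributes, and if the input-time approach must stay, the comment should record which characters remain encoded after the ampersand fold-back. The `+FIXME:` line sits inside the `/* … */` block without the ` * ` prefix; `+ * FIXME: will the de-sanitizing of ampersands create any security/XSS problems?` keeps the comment format consistent.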