unregister globals from $_REQUEST. global.php should be loaded before global

variables are defined in script and variable corruption should be minimal.

We still have to review $theme global in validate.php. I could not reproduce
any error when $theme was set through GET request.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10430 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/functions/global.php b/functions/global.php
index a477f9952d476f064a6fdd1d8a1c07a417ffbfc7..ab30ffaafcdfd664b63419ea4fe5d66468e56903 100644 (file)
--- a/functions/global.php
+++ b/functions/global.php
@@ -356,12 +356,22 @@ $uid_support = true;
 
 /* if running with magic_quotes_gpc then strip the slashes
    from POST and GET global arrays */
-
 if (get_magic_quotes_gpc()) {
     sqstripslashes($_GET);
     sqstripslashes($_POST);
 }
 
+/**
+ * If register_globals are on, unregister all globals from $_GET, $_POST, 
+ * and $_COOKIE. Before 4.3.0 $_FILES globals are unregistered too. Code
+ * requires PHP 4.1.0 or newer. 
+ */
+if ((bool) @ini_get('register_globals')) {
+    foreach ($_REQUEST as $key => $value) {
+        unset($GLOBALS[$key]);
+    }
+}
+
 /* strip any tags added to the url from PHP_SELF.
    This fixes hand crafted url XXS expoits for any
    page that uses PHP_SELF as the FORM action */