From 4c1d7489feb1f727b88d26fee43b1cbcb6b4cc57 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Tue, 3 Oct 2006 15:16:42 +0000
Subject: [PATCH] some code to make register_globals On installs safer, we might commit that after a test-periode to 1.2 too
---
 phpgwapi/inc/common_functions.inc.php | 53 ++++++++++++++++-----------
 phpgwapi/inc/functions.inc.php | 4 +-
 2 files changed, 34 insertions(+), 23 deletions(-)
diff --git a/phpgwapi/inc/common_functions.inc.php b/phpgwapi/inc/common_functions.inc.php
index 0bae1374b2..af59fe09ee 100755
--- a/phpgwapi/inc/common_functions.inc.php
+++ b/phpgwapi/inc/common_functions.inc.php
@@ -663,7 +663,7 @@
 {
 list($appname,$classname) = explode('.',$class);
- include_once($file=EGW_INCLUDE_ROOT.'/'.$appname.'/inc/class.'.$classname.'.inc.php');
+ include_once(EGW_INCLUDE_ROOT.'/'.$appname.'/inc/class.'.$classname.'.inc.php');
 if (class_exists($classname))
 {
@@ -937,30 +937,15 @@
 */
 function _debug_array($array,$print=True)
 {
- $four = False;
- if(@floor(phpversion()) > 3)
+ $output = '
'.print_r($array,true)."
\n";
+
+ if ($print)
 {
- $four = True;
- }
- if($four)
- {
- if(!$print)
- {
- ob_start();
- }
- echo '
';
-			print_r($array);
-			echo '
';
- if(!$print)
- {
- $v = ob_get_contents();
- ob_end_clean();
- return $v;
- }
+ echo $output;
 }
 else
 {
- return print_r($array,False,$print);
+ return $output;
 }
 }
@@ -1232,6 +1217,32 @@
 }
 //if (is_array($GLOBALS['egw_unset_vars'])) { echo "egw_unset_vars=
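Review bot: The new `$output` assignment at the top of this hunk concatenates `print_r($array,true)` straight into the markup wrapper, so a dumped value containing `<` or `&` (request data is the usual thing handed to a debug dump) is rendered by the browser instead of shown. The commented-out debug line that opens the next hunk already does it the safe way with `htmlspecialchars(print_r(...,true))`; writing `htmlspecialchars(print_r($array,true))` here would match that and costs nothing. Callers passing `$print=false` would then receive the escaped string as well, which is what embedding needs, though I cannot see from here whether any of them post-process the raw text.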
".htmlspecialchars(print_r($GLOBALS['egw_unset_vars'],true))."
"; exit; }
+ // neutralises register_globals On, which is not used by eGW
+ // some code from the hardend php project: http://www.hardened-php.net/articles/PHPUG-PHP-Sicherheit-Parametermanipulationen.pdf
+ if (ini_get('register_globals'))
+ {
+ function unregister_globals()
+ {
+ // protect against GLOBALS overwrite or setting egw_info
+ if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS']) || isset($_REQUEST['egw_info']) || isset($_FILES['egw_info']))
+ {
+ die('GLOBALS overwrite detected!!!');
+ }
+ // unregister all globals
+ $noUnset = array('GLOBALS','_GET','_POST','_COOKIE','_SERVER','_ENV','_FILES','xajax');
+ foreach(array_unique(array_merge(
+ array_keys($_GET),array_keys($_POST),array_keys($_COOKIE),array_keys($_SERVER),array_keys($_ENV),array_keys($_FILES),
+ isset($_SESSION) && is_array($_SESSION) ? array_keys($_SESSION) : array())) as $k)
+ {
+ if (!in_array($k,$noUnset) && isset($GLOBALS[$k]))
+ {
+ unset($GLOBALS[$k]);
+ }
+ }
+ }
+ unregister_globals();
+ }
+
 if(floor(phpversion()) <= 4)
 {
 /**
diff --git a/phpgwapi/inc/functions.inc.php b/phpgwapi/inc/functions.inc.php
index e04e656ca2..c74d0c540d 100644
--- a/phpgwapi/inc/functions.inc.php
+++ b/phpgwapi/inc/functions.inc.php
@@ -47,6 +47,8 @@
 echo '!!! PLEASE CORRECT THIS SITUATION !!!
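Review bot: `$noUnset` leaves out `_REQUEST` and `_SESSION`, yet both are superglobals that appear in `$GLOBALS` exactly like the seven names that are listed; a request carrying a parameter named `_REQUEST` or `_SESSION` (any GET/POST/cookie key) therefore passes `isset($GLOBALS[$k])` and the loop unsets the superglobal itself, after which the `$_REQUEST['sessionid']` test in functions.inc.php reads an undefined variable. The membership check is also loose, so an integer key produced by a numeric parameter name compares equal to the listed strings on this PHP generation and is skipped. I would change the two lines to `$noUnset = array('GLOBALS','_GET','_POST','_COOKIE','_SERVER','_ENV','_FILES','_REQUEST','_SESSION','xajax');` and `if (!in_array($k,$noUnset,true) && isset($GLOBALS[$k]))`. Separately, keys from `$_SERVER` and `$_ENV` are swept as well, which presumably also removes script globals of the same name such as `$argv`/`$argc` on the CLI when register_argc_argv is on — worth confirming before this goes to 1.2.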

';
 }
+ include(EGW_API_INC.'/common_functions.inc.php');
+
 // check if we can restore the eGW enviroment from the php-session
 if ($GLOBALS['egw_info']['server']['sessions_type'] == 'php4-restore' && $_REQUEST['sessionid'])
 {
@@ -89,8 +91,6 @@
 unset($_SESSION['egw_object_cache']);
 }
 }
- include(EGW_API_INC.'/common_functions.inc.php');
-
 print_debug('sane environment','messageonly','api');
 /****************************************************************************\
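Review bot: The hoisted `include` now pulls in a file that defines `unregister_globals()` and calls it at load time (see the common_functions.inc.php hunk), but it is still a plain `include`, so any second inclusion of common_functions.inc.php from another entry point would fatal on the redeclaration; `include_once(EGW_API_INC.'/common_functions.inc.php');` removes that risk. Nothing states why the include moved above the session-restore block, and a later reader may move it back below `$_REQUEST['sessionid']`; a comment such as `// must run before anything reads $_REQUEST: common_functions.inc.php neutralises register_globals at load time` would pin the ordering. I cannot see whether the file is included elsewhere, so the redeclaration point is inferred rather than observed.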