check cookies for XSS attempts

This commit is contained in:
Ralf Becker 2017-10-27 16:52:34 +02:00
parent 78f1206304
commit e2df5b5aa1
2 changed files with 3 additions and 3 deletions


@ -164,7 +164,7 @@ class Login
$tmpl->set_var('login_url', $GLOBALS['egw_info']['server']['webserver_url'] . '/login.php' . $extra_vars); $tmpl->set_var('login_url', $GLOBALS['egw_info']['server']['webserver_url'] . '/login.php' . $extra_vars);
$tmpl->set_var('version', $GLOBALS['egw_info']['server']['versions']['phpgwapi']); $tmpl->set_var('version', $GLOBALS['egw_info']['server']['versions']['phpgwapi']);
$tmpl->set_var('login', $last_loginid); $tmpl->set_var('login', htmlspecialchars($last_loginid));
$tmpl->set_var('lang_username',lang('username')); $tmpl->set_var('lang_username',lang('username'));
$tmpl->set_var('lang_login',lang('login')); $tmpl->set_var('lang_login',lang('login'));
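Review bot: The new `htmlspecialchars($last_loginid)` on the changed `login` line relies on the default flags, which before PHP 8.1 do not include ENT_QUOTES, so a single quote in the stored login id is passed through unescaped and the value is only safe if the template (not visible here) places it in a double-quoted attribute or plain text. Passing the flags explicitly makes the escaping independent of how the template quotes it: `$tmpl->set_var('login', htmlspecialchars($last_loginid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`. ENT_SUBSTITUTE also keeps an invalid byte sequence in the cookie value from turning the whole field into an empty string, which would otherwise be a silent failure. The enclosing method of class Login starts and ends outside the hunk.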


@ -173,7 +173,7 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_
die("<p style='color: ".($num_failed?'red':'black')."'>Tests finished: $num_failed / $total failed</p>"); die("<p style='color: ".($num_failed?'red':'black')."'>Tests finished: $num_failed / $total failed</p>");
}*/ }*/
foreach(array('_GET','_POST','_REQUEST','HTTP_GET_VARS','HTTP_POST_VARS') as $n => $where) foreach(array('_COOKIE','_GET','_POST','_REQUEST','HTTP_GET_VARS','HTTP_POST_VARS') as $n => $where)
{ {
$pregs = array( $pregs = array(
'order' => '/^[a-zA-Z0-9_,]*$/', 'order' => '/^[a-zA-Z0-9_,]*$/',
@ -188,7 +188,7 @@ foreach(array('_GET','_POST','_REQUEST','HTTP_GET_VARS','HTTP_POST_VARS') as $n
} }
// do the check for script-tags only for _GET and _POST or if we found something in _GET and _POST // do the check for script-tags only for _GET and _POST or if we found something in _GET and _POST
// speeds up the execusion a bit // speeds up the execusion a bit
if (isset($GLOBALS[$where]) && is_array($GLOBALS[$where]) && ($n < 2 || isset($GLOBALS['egw_unset_vars']))) if (isset($GLOBALS[$where]) && is_array($GLOBALS[$where]) && ($n < 3 || isset($GLOBALS['egw_unset_vars'])))
{ {
_check_script_tag($GLOBALS[$where],$where); _check_script_tag($GLOBALS[$where],$where);
} }
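Review bot: The comment above the widened `$n < 3` check still says the script-tag check is done "only for _GET and _POST", but with `_COOKIE` now at index 0 of the array that condition covers cookies too, so the comment is stale and should read `// do the check for script-tags only for _COOKIE, _GET and _POST or if we found something in them`. Tying the condition to the array position is also brittle, since adding another source at the front silently changes which ones get checked; `in_array($where, array('_COOKIE','_GET','_POST'), true)` states the intent directly and survives reordering. Whether `_check_script_tag` removes or only reports a matching cookie value is not visible in this hunk; if it unsets it, a legitimate cookie containing a `<` would be dropped without a trace, so a log line at that point would help operators distinguish an attack from a broken client. The foreach over the sources starts in the first hunk of this file and closes outside the second.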