mirror of
https://github.com/e107inc/e107.git
synced 2025-01-17 12:48:24 +01:00
Input filter fixes.
This commit is contained in:
Cameron
parent
eac663e889
commit
17382b25ac
@ -1861,7 +1861,7 @@ function cookie($name, $value, $expire=0, $path = e_HTTP, $domain = '', $secure
|
||||
$domain = (e_DOMAIN != FALSE) ? ".".e_DOMAIN : "";
|
||||
}
|
||||
|
||||
setcookie($name, $value, $expire, $path, $domain, $secure);
|
||||
setcookie($name, $value, $expire, $path, $domain, $secure, true);
|
||||
}
|
||||
|
||||
// generic function for retaining values across pages. ie. cookies or sessions.
|
||||
@ -1879,7 +1879,7 @@ function session_set($name, $value, $expire='', $path = e_HTTP, $domain = '', $s
|
||||
$domain = (e_DOMAIN != FALSE) ? ".".e_DOMAIN : "";
|
||||
}
|
||||
|
||||
setcookie($name, $value, $expire, $path, $domain, $secure);
|
||||
setcookie($name, $value, $expire, $path, $domain, $secure, true);
|
||||
$_COOKIE[$name] = $value;
|
||||
}
|
||||
}
|
||||
|
||||
@ -3292,7 +3292,7 @@ class e107
|
||||
return array_walk($input, array('self', 'filter_request'), $type);
|
||||
}
|
||||
|
||||
|
||||
|
||||
if($type == "_POST" || ($type == "_SERVER" && ($key == "QUERY_STRING")))
|
||||
{
|
||||
if($type == "_POST" && ($base64 == FALSE))
|
||||
@ -3357,14 +3357,29 @@ class e107
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if($type == '_GET') // Basic XSS check.
|
||||
{
|
||||
if(stripos($input, "<script")!==false || stripos($input, "%3Cscript")!==false)
|
||||
{
|
||||
header('HTTP/1.0 400 Bad Request', true, 400);
|
||||
if(deftrue('e_DEBUG'))
|
||||
{
|
||||
echo "Bad Request: ".__METHOD__." : ". __LINE__;
|
||||
}
|
||||
exit();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if($type == "_SERVER")
|
||||
{
|
||||
|
||||
if(($key == "QUERY_STRING") && (
|
||||
strpos(strtolower($input),"../../")!==FALSE
|
||||
|| strpos(strtolower($input),"php:")!==FALSE
|
||||
|| strpos(strtolower($input),"data:")!==FALSE
|
||||
|| strpos(strtolower($input),strtolower("%3Cscript"))!==FALSE
|
||||
|| stripos($input,"php:")!==FALSE
|
||||
|| stripos($input,"data:")!==FALSE
|
||||
|| stripos($input,"%3cscript")!==FALSE
|
||||
))
|
||||
{
|
||||
|
||||
@ -3413,10 +3428,13 @@ class e107
|
||||
exit();
|
||||
}
|
||||
|
||||
if($base64 != TRUE)
|
||||
if($base64 != true)
|
||||
{
|
||||
self::filter_request(base64_decode($input),$key,$type,TRUE);
|
||||
self::filter_request(base64_decode($input),$key,$type,true);
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
@ -147,7 +147,7 @@ class e_session
|
||||
'path' => '',
|
||||
'domain' => '',
|
||||
'secure' => false,
|
||||
'httponly' => false,
|
||||
'httponly' => true,
|
||||
);
|
||||
|
||||
/**
|
||||
@ -197,7 +197,8 @@ class e_session
|
||||
);
|
||||
|
||||
$options = array(
|
||||
'httponly' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_PARANOID),
|
||||
// 'httponly' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_PARANOID),
|
||||
'httponly' => true,
|
||||
);
|
||||
|
||||
if(!defined('E107_INSTALL'))
|
||||
@ -226,7 +227,7 @@ class e_session
|
||||
$this->setConfig($config)
|
||||
->setOptions($options);
|
||||
}
|
||||
|
||||
|
||||
return $this;
|
||||
}
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user