From e376b0029858b0fda3baa8a38a19f2824b42bc52 Mon Sep 17 00:00:00 2001
From: secretr <m.yovchev@gmail.com>
Date: Sun, 21 Nov 2010 12:49:36 +0000
Subject: [PATCH] mod rewrite support - e_REQUEST_URI and e_REQUEST_URL added
 to be used in forms (instead e_SELF), basic experimental generic XSS
 protection

---
 class2.php                   | 14 +++++++++-
 e107_handlers/e107_class.php | 50 ++++++++++++++++++++++++++++++++----
 2 files changed, 58 insertions(+), 6 deletions(-)

diff --git a/class2.php b/class2.php
index d0cfa59a8..078813545 100644
--- a/class2.php
+++ b/class2.php
@@ -432,7 +432,19 @@ $pref = e107::getPref();
 //DEPRECATED, BC, call e107::getConfig('menu')->get('pref_name') only when needed
 $menu_pref = e107::getConfig('menu')->getPref(); //extract menu prefs
 
-
+// NEW - force ssl
+if(e107::getPref('ssl_enabled') && !deftrue('e_SSL_DISABLE'))
+{
+	// NOTE: e_SSL_DISABLE check is here to help webmasters fix 'ssl_enabled'
+	// if set by accident on site with no SSL support - just define it in e107_config.php
+	if(strpos(e_REQUEST_URL, 'http://') === 0)
+	{
+		// e_REQUEST_URL and e_REQUEST_URI introduced
+		$url = 'https://'.substr(e_REQUEST_URL, 7); 
+		header('Location: '.$url);
+		exit;
+	}
+}
 
 // $sql->db_Mark_Time('(Extracting Core Prefs Done)');
 
diff --git a/e107_handlers/e107_class.php b/e107_handlers/e107_class.php
index 36c68437c..a0a258b06 100644
--- a/e107_handlers/e107_class.php
+++ b/e107_handlers/e107_class.php
@@ -311,7 +311,7 @@ class e107
 	 */
 	public function setDirs($e107_dirs, $e107_config_override = array())
 	{
-		$this->e107_dirs = array_merge($this->defaultDirs($e107_dirs), (array) $e107_dirs, (array) $e107_config_override);
+		$this->e107_dirs = array_merge($this->defaultDirs($e107_dirs)/*, (array) $e107_dirs*/, (array) $e107_config_override);
 		return $this;
 	}
 
@@ -337,7 +337,7 @@ class e107
 			'SYSTEM_DIRECTORY' 		=> 'e107_system/',
 			'CORE_DIRECTORY' 		=> 'e107_core/',
 			'WEB_DIRECTORY' 		=> 'e107_web/',
-		), $override_root);
+		), (array) $override_root);
 
 		if($return_root) return $ret;
 
@@ -2188,13 +2188,53 @@ class e107
 		$page = substr(strrchr($_SERVER['PHP_SELF'], '/'), 1);
 
 		define('e_PAGE', $page);
-		define('e_SELF', $this->HTTP_SCHEME . '://' . $_SERVER['HTTP_HOST'] . ($_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME']));
+		
+		$eSelf = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME'];
+		define('e_SELF', $this->HTTP_SCHEME.'://'.$_SERVER['HTTP_HOST'].$eSelf);
 
+		// START New - request uri/url detection, XSS protection
+		$requestUri = $requestUrl = '';
+		if (isset($_SERVER['HTTP_X_REWRITE_URL']))
+		{ 
+			// check this first so IIS will catch
+			$requestUri = $_SERVER['HTTP_X_REWRITE_URL'];
+			$requestUrl = $this->HTTP_SCHEME.'://'.$_SERVER['HTTP_HOST'].$requestUri;
+			// fix request uri
+			$_SERVER['REQUEST_URI'] = $requestUri;
+		}
+		elseif (isset($_SERVER['REQUEST_URI']))
+		{
+			$requestUri = $_SERVER['REQUEST_URI'];
+			$requestUrl = $this->HTTP_SCHEME.'://'.$_SERVER['HTTP_HOST'].$requestUri;
+		}
+		else
+		{ 
+			// go back to e_SELF
+			$requestUri = $eSelf;
+			$requestUrl = e_SELF;
+			if (e_QUERY)
+			{
+				$requestUri .= '?'.e_QUERY;
+				$requestUrl .= '?'.e_QUERY;
+			}
+		}
+		// FIXME - basic security - add url sanitize method to e_parse
+		$check = rawurldecode($requestUri); // urlencoded by default
+		// a bit aggressive XSS protection... convert to e.g. htmlentities if you are not a bad guy
+		if(preg_match('/[<>]/', $check))
+		{
+			header('HTTP/1.1 403 Forbidden');
+			exit;
+		}
+		// the last anti-XSS measure, XHTML compliant URL to be used in forms instead e_SELF
+		define('e_REQUEST_URL', str_replace(array("'", '"'), array('%27', '%22'), $requestUrl));
+		define('e_REQUEST_URI', str_replace(array("'", '"'), array('%27', '%22'), $requestUri));
+		unset($requestUrl, $requestUri);
+		// END request uri/url detection, XSS protection
+		
 		define('e_SIGNUP', e_BASE.(file_exists(e_BASE.'customsignup.php') ? 'customsignup.php' : 'signup.php'));
 		define('e_LOGIN', e_BASE.(file_exists(e_BASE.'customlogin.php') ? 'customlogin.php' : 'login.php'));
 
-
-
 		// e_SELF has the full HTML path
 		$inAdminDir = FALSE;
 		$isPluginDir = strpos(e_SELF,'/'.$PLUGINS_DIRECTORY) !== FALSE;		// True if we're in a plugin