Merge branch '3.3.x'
@@ -52,7 +52,7 @@ class session
|
||||
// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
|
||||
if (!$script_name)
|
||||
{
|
||||
$script_name = htmlspecialchars_decode($request->server('REQUEST_URI'));
|
||||
$script_name = htmlspecialchars_decode($request->server('REQUEST_URI'), ENT_COMPAT);
|
||||
$script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name;
|
||||
$page_array['failover'] = 1;
|
||||
}
|
||||
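Review bot: The new `ENT_COMPAT` argument on the `htmlspecialchars_decode($request->server('REQUEST_URI'), ENT_COMPAT)` line (and at the matching calls in the later hunks of this section) pins the pre-PHP-8.1 default flags without saying why, so a later maintainer may read it as a redundant argument and drop it, which would change escaping of single quotes. A short comment above the first call would capture the intent, e.g. `// ENT_COMPAT: keep the pre-PHP 8.1 default flags (no single-quote escaping, no ENT_SUBSTITUTE) so these values stay byte-compatible with how they were produced before`, hedged as "presumably" if the reason is not confirmed elsewhere. Without ENT_SUBSTITUTE an invalid UTF-8 sequence makes htmlspecialchars() return an empty string, so `$page_name` on the basename line can silently become '' — unchanged from the previous default, but worth stating next to the flag since values such as script_path and page_name must then only be emitted in double-quoted or unquoted-safe contexts. The enclosing method of class session starts and ends outside the hunk.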
@@ -86,7 +86,7 @@ class session
|
||||
|
||||
// basenamed page name (for example: index.php)
|
||||
$page_name = (substr($script_name, -1, 1) == '/') ? '' : basename($script_name);
|
||||
$page_name = urlencode(htmlspecialchars($page_name));
|
||||
$page_name = urlencode(htmlspecialchars($page_name, ENT_COMPAT));
|
||||
|
||||
$symfony_request_path = filesystem_helper::clean_path($symfony_request->getPathInfo());
|
||||
if ($symfony_request_path !== '/')
|
||||
@@ -151,8 +151,8 @@ class session
|
||||
'page_dir' => $page_dir,
|
||||
|
||||
'query_string' => $query_string,
|
||||
'script_path' => str_replace(' ', '%20', htmlspecialchars($script_path)),
|
||||
'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path)),
|
||||
'script_path' => str_replace(' ', '%20', htmlspecialchars($script_path, ENT_COMPAT)),
|
||||
'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path, ENT_COMPAT)),
|
||||
|
||||
'page' => $page,
|
||||
'forum' => $forum_id,
|
||||
@@ -169,7 +169,7 @@ class session
|
||||
global $config, $request;
|
||||
|
||||
// Get hostname
|
||||
$host = htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME')));
|
||||
$host = htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME')), ENT_COMPAT);
|
||||
|
||||
// Should be a string and lowered
|
||||
$host = (string) strtolower($host);
|
||||
@@ -292,7 +292,7 @@ class session
|
||||
|
||||
// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
|
||||
// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
|
||||
$ip = htmlspecialchars_decode($request->server('REMOTE_ADDR'));
|
||||
$ip = htmlspecialchars_decode($request->server('REMOTE_ADDR'), ENT_COMPAT);
|
||||
$ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $ip));
|
||||
|
||||
/**
|
||||
@@ -458,8 +458,8 @@ class session
|
||||
$s_ip,
|
||||
$u_browser,
|
||||
$s_browser,
|
||||
htmlspecialchars($u_forwarded_for),
|
||||
htmlspecialchars($s_forwarded_for)
|
||||
htmlspecialchars($u_forwarded_for, ENT_COMPAT),
|
||||
htmlspecialchars($s_forwarded_for, ENT_COMPAT)
|
||||
));
|
||||
}
|
||||
else
|
||||
@@ -1585,7 +1585,7 @@ class session
|
||||
return true;
|
||||
}
|
||||
|
||||
$host = htmlspecialchars($this->host);
|
||||
$host = htmlspecialchars($this->host, ENT_COMPAT);
|
||||
$ref = substr($this->referer, strpos($this->referer, '://') + 3);
|
||||
|
||||
if (!(stripos($ref, $host) === 0) && (!$config['force_server_vars'] || !(stripos($ref, $config['server_name']) === 0)))
|
||||
|