
deregister globals to install too

git-svn-id: file:///svn/phpbb/trunk@8130 89ea8834-ac86-4346-8a33-228a782c2dd0
Meik Sievertsen
2007-10-04 11:33:33 +00:00
parent 303239afa4
commit 92f554e38a
18 changed files with 174 additions and 119 deletions


@@ -1,10 +1,10 @@
<?php
/**
/**
*
* @package install
* @version $Id$
* @copyright (c) 2006 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @copyright (c) 2006 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
*/
@@ -57,9 +57,9 @@ $tables = array(
'forum_prune',
'forums',
'groups',
'posts',
'posts_text',
'privmsgs',
'posts',
'posts_text',
'privmsgs',
'privmsgs_text',
'ranks',
'smilies',
@@ -70,7 +70,7 @@ $tables = array(
'vote_desc',
'vote_results',
'vote_voters',
'words'
'words'
);
/**
@@ -140,7 +140,7 @@ $config_schema = array(
/**
* $test_file is the name of a file which is present on the source
* forum which can be used to check that the path specified by the
* forum which can be used to check that the path specified by the
* user was correct
*/
$test_file = 'modcp.php';
@@ -250,14 +250,14 @@ if (!$get_info)
*
* // DB INSERT array
* This one consist of three parameters
* First Parameter:
* First Parameter:
* The key need to be filled within the target table
* If this is empty, the target table gets not assigned the source value
* Second Parameter:
* Source value. If the first parameter is specified, it will be assigned this value.
* If the first parameter is empty, this only gets added to the select query
* Third Parameter:
* Custom Function. Function to execute while storing source value into target table.
* Custom Function. Function to execute while storing source value into target table.
* The functions return value get stored.
* The function parameter consist of the value of the second parameter.
*
@@ -706,7 +706,7 @@ if (!$get_info)
array('pm_forwarded', 0, ''),
array('folder_id', PRIVMSGS_INBOX, ''),
'where' => 'privmsgs.privmsgs_id = privmsgs_text.privmsgs_text_id
'where' => 'privmsgs.privmsgs_id = privmsgs_text.privmsgs_text_id
AND (privmsgs.privmsgs_type = 0 OR privmsgs.privmsgs_type = 1 OR privmsgs.privmsgs_type = 5)',
),
@@ -746,7 +746,7 @@ if (!$get_info)
array('pm_forwarded', 0, ''),
array('folder_id', PRIVMSGS_SENTBOX, ''),
'where' => 'privmsgs.privmsgs_id = privmsgs_text.privmsgs_text_id
'where' => 'privmsgs.privmsgs_id = privmsgs_text.privmsgs_text_id
AND privmsgs.privmsgs_type = 2',
),
@@ -766,7 +766,7 @@ if (!$get_info)
array('pm_forwarded', 0, ''),
array('folder_id', 'privmsgs.privmsgs_to_userid', 'phpbb_get_savebox_id'),
'where' => 'privmsgs.privmsgs_id = privmsgs_text.privmsgs_text_id
'where' => 'privmsgs.privmsgs_id = privmsgs_text.privmsgs_text_id
AND privmsgs.privmsgs_type = 3',
),
@@ -786,7 +786,7 @@ if (!$get_info)
array('pm_forwarded', 0, ''),
array('folder_id', 'privmsgs.privmsgs_from_userid', 'phpbb_get_savebox_id'),
'where' => 'privmsgs.privmsgs_id = privmsgs_text.privmsgs_text_id
'where' => 'privmsgs.privmsgs_id = privmsgs_text.privmsgs_text_id
AND privmsgs.privmsgs_type = 4',
),


@@ -1,13 +1,18 @@
<?php
/**
/**
*
* @package install
* @version $Id$
* @copyright (c) 2006 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @copyright (c) 2006 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
*/
if (!defined('IN_PHPBB'))
{
exit;
}
/**
* Helper functions for phpBB 2.0.x to phpBB 3.0.x conversion
*/
@@ -524,7 +529,7 @@ function phpbb_user_id($user_id)
// A user id of 0 can happen, for example within the ban table if no user is banned...
// Within the posts and topics table this can be "dangerous" but is the fault of the user
// having mods installed (a poster id of 0 is not possible in 2.0.x).
// having mods installed (a poster id of 0 is not possible in 2.0.x).
// Therefore, we return the user id "as is".
return (int) $user_id;
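Review bot: The direct-access guard added at the top of this file, `if (!defined('IN_PHPBB'))`, carries no docblock, while the same guard added to another file in this commit is preceded by `/** @ignore */`. Adding that `@ignore` block here would keep the two files consistent. A one-line comment such as `// Refuse direct requests; this file is only meant to be included by the installer/convertor` would also state why the script ends with a bare `exit;`.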

File diff suppressed because one or more lines are too long


@@ -1,5 +1,20 @@
<?php
/**
*
* @package install
* @version $Id$
* @copyright (c) 2007 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
*/
/**
* @ignore
*/
if (!defined('IN_PHPBB'))
{
exit;
}
/**
* A wrapper function for the normalizer which takes care of including the class if required and modifies the passed strings


@@ -1139,7 +1139,7 @@ $no_updates = true;
// some code magic
if (version_compare($current_version, '3.0.RC1', '<='))
{
// we have to remove a few extra entries from converted boards.
// we have to remove a few extra entries from converted boards.
$sql = 'SELECT group_id
FROM ' . GROUPS_TABLE . "
WHERE group_name = '" . $db->sql_escape('BOTS') . "'";
@@ -1178,14 +1178,14 @@ if (version_compare($current_version, '3.0.RC1', '<='))
set_config('jab_use_ssl', '0');
set_config('allow_post_flash', '1');
$no_updates = false;
}
if (version_compare($current_version, '3.0.RC2', '<='))
{
$smileys = array();
$sql = 'SELECT smiley_id, code
$sql = 'SELECT smiley_id, code
FROM ' . SMILIES_TABLE;
$result = $db->sql_query($sql);
@@ -1209,7 +1209,7 @@ if (version_compare($current_version, '3.0.RC2', '<='))
$new_code = str_replace('&gt;', '>', $new_code);
$new_code = utf8_htmlspecialchars($new_code);
$sql = 'UPDATE ' . SMILIES_TABLE . '
$sql = 'UPDATE ' . SMILIES_TABLE . '
SET code = \'' . $db->sql_escape($new_code) . '\'
WHERE smiley_id = ' . (int) $id;
$db->sql_query($sql);
@@ -1307,7 +1307,7 @@ if (version_compare($current_version, '3.0.RC3', '<='))
}
// Make sure empty smiley codes do not exist
$sql = 'DELETE FROM ' . SMILIES_TABLE . "
$sql = 'DELETE FROM ' . SMILIES_TABLE . "
WHERE code = ''";
_sql($sql, $errored, $error_ary);
@@ -1489,7 +1489,7 @@ if (version_compare($current_version, '3.0.RC4', '<='))
[template_filename] [varchar] (100) DEFAULT ('') NOT NULL ,
[template_included] [varchar] (8000) DEFAULT ('') NOT NULL ,
[template_mtime] [int] DEFAULT (0) NOT NULL ,
[template_data] [text] DEFAULT ('') NOT NULL
[template_data] [text] DEFAULT ('') NOT NULL
) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY]";
_sql($sql, $errored, $error_ary);
@@ -1558,8 +1558,8 @@ $sql = 'UPDATE ' . USERS_TABLE . "
SET user_permissions = ''";
_sql($sql, $errored, $error_ary);
/* Optimize/vacuum analyze the tables where appropriate
// this should be done for each version in future along with
/* Optimize/vacuum analyze the tables where appropriate
// this should be done for each version in future along with
// the version number update
switch ($db->sql_layer)
{
@@ -1809,8 +1809,8 @@ function column_exists($dbms, $table, $column_name)
// ugh, SQLite
case 'sqlite':
$sql = "SELECT sql
FROM sqlite_master
WHERE type = 'table'
FROM sqlite_master
WHERE type = 'table'
AND name = '{$table}'";
$result = $db->sql_query($sql);
@@ -2079,8 +2079,8 @@ function sql_column_add($dbms, $table_name, $column_name, $column_data)
{
global $db;
$sql = "SELECT sql
FROM sqlite_master
WHERE type = 'table'
FROM sqlite_master
WHERE type = 'table'
AND name = '{$table_name}'
ORDER BY type DESC, name;";
$result = $db->sql_query($sql);
@@ -2176,8 +2176,8 @@ function sql_column_remove($dbms, $table_name, $column_name)
{
global $db;
$sql = "SELECT sql
FROM sqlite_master
WHERE type = 'table'
FROM sqlite_master
WHERE type = 'table'
AND name = '{$table_name}'
ORDER BY type DESC, name;";
$result = $db->sql_query($sql);
@@ -2295,8 +2295,8 @@ function sql_create_primary_key($dbms, $table_name, $column)
case 'sqlite':
$sql = "SELECT sql
FROM sqlite_master
WHERE type = 'table'
FROM sqlite_master
WHERE type = 'table'
AND name = '{$table_name}'
ORDER BY type DESC, name;";
$result = _sql($sql, $errored, $error_ary);
@@ -2678,8 +2678,8 @@ function sql_column_change($dbms, $table_name, $column_name, $column_data)
case 'sqlite':
$sql = "SELECT sql
FROM sqlite_master
WHERE type = 'table'
FROM sqlite_master
WHERE type = 'table'
AND name = '{$table_name}'
ORDER BY type DESC, name;";
$result = _sql($sql, $errored, $error_ary);


@@ -1,10 +1,10 @@
<?php
/**
/**
*
* @package install
* @version $Id$
* @copyright (c) 2005 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @copyright (c) 2005 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
*/
@@ -34,17 +34,17 @@ if (version_compare(PHP_VERSION, '4.3.3') < 0)
function deregister_globals()
{
$not_unset = array(
'GLOBALS' => true,
'_GET' => true,
'_POST' => true,
'_COOKIE' => true,
'_REQUEST' => true,
'_SERVER' => true,
'_SESSION' => true,
'_ENV' => true,
'_FILES' => true,
'phpEx' => true,
'phpbb_root_path' => true
'GLOBALS' => true,
'_GET' => true,
'_POST' => true,
'_COOKIE' => true,
'_REQUEST' => true,
'_SERVER' => true,
'_SESSION' => true,
'_ENV' => true,
'_FILES' => true,
'phpEx' => true,
'phpbb_root_path' => true
);
// Not only will array_merge and array_keys give a warning if
@@ -55,8 +55,7 @@ function deregister_globals()
$_SESSION = array();
}
// Merge all into one extremely huge array; unset
// this later
// Merge all into one extremely huge array; unset this later
$input = array_merge(
array_keys($_GET),
array_keys($_POST),
@@ -71,8 +70,26 @@ function deregister_globals()
{
if (isset($not_unset[$varname]))
{
// Hacking attempt. No point in continuing.
exit;
// Hacking attempt. No point in continuing unless it's a COOKIE
if ($varname !== 'GLOBALS' || isset($_GET['GLOBALS']) || isset($_POST['GLOBALS']) || isset($_SERVER['GLOBALS']) || isset($_SESSION['GLOBALS']) || isset($_ENV['GLOBALS']) || isset($_FILES['GLOBALS']))
{
exit;
}
else
{
$cookie = &$_COOKIE;
while (isset($cookie['GLOBALS']))
{
foreach ($cookie['GLOBALS'] as $registered_var => $value)
{
if (!isset($not_unset[$registered_var]))
{
unset($GLOBALS[$registered_var]);
}
}
$cookie = &$cookie['GLOBALS'];
}
}
}
unset($GLOBALS[$varname]);
@@ -517,7 +534,7 @@ class module
if (is_array($this->module_ary[$this->id]['subs']))
{
$subs = $this->module_ary[$this->id]['subs'];
$subs = $this->module_ary[$this->id]['subs'];
foreach ($subs as $option)
{
$l_option = (!empty($lang['SUB_' . $option])) ? $lang['SUB_' . $option] : preg_replace('#_#', ' ', $option);
@@ -534,7 +551,7 @@ class module
if (is_array($this->module_ary[$this->id]['stages']))
{
$subs = $this->module_ary[$this->id]['stages'];
$subs = $this->module_ary[$this->id]['stages'];
$matched = false;
foreach ($subs as $option)
{
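Review bot: In the new cookie branch of deregister_globals(), `foreach ($cookie['GLOBALS'] as $registered_var => $value)` iterates whatever the client sent, so a scalar `GLOBALS` cookie reaches both the `foreach` and the following `$cookie = &$cookie['GLOBALS'];` as a string rather than an array. Depending on the PHP version, that likely produces a warning or a string-offset reference error instead of the clean `exit` the other superglobals get. Making `if (!is_array($cookie['GLOBALS'])) { break; }` the first statement inside the `while` would restrict the walk to nested arrays. The comment above the condition only says "unless it's a COOKIE"; it should state why a `GLOBALS` key is tolerated in cookies but still fatal in GET/POST/SERVER/SESSION/ENV/FILES. The function begins and ends outside the visible hunks.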


@@ -1,10 +1,10 @@
<?php
/**
/**
*
* @package install
* @version $Id$
* @copyright (c) 2006 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @copyright (c) 2006 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
*/
@@ -612,7 +612,7 @@ class install_convert extends module
$config['max_quote_depth'] = 0;
// @todo Need to confirm that max post length in source is <= max post length in destination or there may be interesting formatting issues
$config['max_post_chars'] = -1;
$config['max_post_chars'] = -1;
// Set up a user as well. We _should_ have enough of a database here at this point to do this
// and it helps for any core code we call
@@ -1198,7 +1198,7 @@ class install_convert extends module
$schema['order_by'] = $schema['primary'];
}
$sql .= (!empty($schema['order_by'])) ? "\nORDER BY " . $schema['order_by'] : '';
// Counting basically holds the amount of rows processed.
$counting = -1;
$batch_time = 0;
@@ -1561,7 +1561,7 @@ class install_convert extends module
{
global $db, $phpbb_root_path, $convert, $config, $user, $template;
$db->sql_query('DELETE FROM ' . CONFIG_TABLE . "
$db->sql_query('DELETE FROM ' . CONFIG_TABLE . "
WHERE config_name = 'convert_progress'
OR config_name = 'convert_options'
OR config_name = 'convert_db_server'


@@ -1,10 +1,10 @@
<?php
/**
/**
*
* @package install
* @version $Id$
* @copyright (c) 2005 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @copyright (c) 2005 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
*/
@@ -191,7 +191,7 @@ class install_install extends module
));
// Check for url_fopen
// Check for url_fopen
if (@ini_get('allow_url_fopen') == '1' || strtolower(@ini_get('allow_url_fopen')) == 'on')
{
$result = '<strong style="color:green">' . $lang['YES'] . '</strong>';
@@ -211,7 +211,7 @@ class install_install extends module
));
// Check for getimagesize
// Check for getimagesize
if (@function_exists('getimagesize'))
{
$passed['imagesize'] = true;
@@ -1326,16 +1326,16 @@ class install_install extends module
OR topic_last_poster_name = 'Admin'",
'UPDATE ' . $data['table_prefix'] . "users
SET user_regdate = $current_time",
SET user_regdate = $current_time",
'UPDATE ' . $data['table_prefix'] . "posts
SET post_time = $current_time, poster_ip = '" . $db->sql_escape($user_ip) . "'",
SET post_time = $current_time, poster_ip = '" . $db->sql_escape($user_ip) . "'",
'UPDATE ' . $data['table_prefix'] . "topics
SET topic_time = $current_time, topic_last_post_time = $current_time",
SET topic_time = $current_time, topic_last_post_time = $current_time",
'UPDATE ' . $data['table_prefix'] . "forums
SET forum_last_post_time = $current_time",
SET forum_last_post_time = $current_time",
);
if (@extension_loaded('gd') || can_load_dll('gd'))
@@ -1390,7 +1390,7 @@ class install_install extends module
$data = $this->get_submitted_data();
$table_prefix = $data['table_prefix'];
// If we get here and the extension isn't loaded it should be safe to just go ahead and load it
// If we get here and the extension isn't loaded it should be safe to just go ahead and load it
$available_dbms = get_available_dbms($data['dbms']);
// Load the appropriate database class if not already loaded
@@ -1609,7 +1609,7 @@ class install_install extends module
foreach ($this->module_extras[$module_class] as $cat_name => $mods)
{
$sql = 'SELECT module_id, left_id, right_id
FROM ' . MODULES_TABLE . "
FROM ' . MODULES_TABLE . "
WHERE module_langname = '" . $db->sql_escape($cat_name) . "'
AND module_class = '" . $db->sql_escape($module_class) . "'";
$result = $db->sql_query_limit($sql, 1);
@@ -1619,7 +1619,7 @@ class install_install extends module
foreach ($mods as $mod_name)
{
$sql = 'SELECT *
FROM ' . MODULES_TABLE . "
FROM ' . MODULES_TABLE . "
WHERE module_langname = '" . $db->sql_escape($mod_name) . "'
AND module_class = '" . $db->sql_escape($module_class) . "'
AND module_basename <> ''";


@@ -1,10 +1,10 @@
<?php
/**
/**
*
* @package install
* @version $Id$
* @copyright (c) 2005 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @copyright (c) 2005 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
*/


@@ -1,10 +1,10 @@
<?php
/**
/**
*
* @package install
* @version $Id$
* @copyright (c) 2006 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @copyright (c) 2006 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
* @todo check for writable cache/store/files directory
*/
@@ -419,7 +419,7 @@ class install_update extends module
// Add database update to log
add_log('admin', 'LOG_UPDATE_PHPBB', $this->current_version, $this->latest_version);
// Refresh prosilver css data - this may cause some unhappy users, but
// Refresh prosilver css data - this may cause some unhappy users, but
$sql = 'SELECT *
FROM ' . STYLES_THEME_TABLE . "
WHERE theme_name = 'prosilver'";