Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix: clean PHP_SELF for prevent XSS attack

Browse Source
This commit is contained in:
Regis Houssin 2011-03-06 20:42:36 +00:00
parent 874157cdff
commit 0c1e2a21e2
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/main.inc.php
View File

@ -115,10 +115,16 @@ function analyse_sql_and_script(&$var,$get)
analyse_sql_and_script($_GET,1);
analyse_sql_and_script($_POST,0);
// Clean PHP_SELF for prevent XSS attack
// Get the name of the current file
$phpself = basename($_SERVER["SCRIPT_NAME"]);
// Get everything from start of PHP_SELF to where $phpself begins
// Cut that part out, and place $phpself after it
$_SERVER['PHP_SELF'] = substr($_SERVER['PHP_SELF'], 0, strpos($_SERVER['PHP_SELF'],$phpself)) . $phpself;
// This is to make Dolibarr working with Plesk
if (! empty($_SERVER['DOCUMENT_ROOT'])) set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
// Include the conf.php and functions.lib.php
require_once("filefunc.inc.php");