[geeklog-cvs] geeklog: Fixed content being escaped when magic_quotes_gpc = On ...
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Sun Aug 28 11:08:52 EDT 2011
changeset 8358:974698df2be7
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/974698df2be7
user: Dirk Haun <dirk at haun-online.de>
date: Sat Jun 18 16:31:46 2011 +0200
description:
Fixed content being escaped when magic_quotes_gpc = On and the security token expires (bug #0001230)
diffstat:
public_html/users.php | 34 ++++++++++++++++++++++++++++++++--
1 files changed, 32 insertions(+), 2 deletions(-)
diffs (77 lines):
diff -r 8ba83d861a58 -r 974698df2be7 public_html/users.php
--- a/public_html/users.php Sat Jun 18 09:47:25 2011 +0200
+++ b/public_html/users.php Sat Jun 18 16:31:46 2011 +0200
@@ -2,13 +2,13 @@
/* Reminder: always indent with 4 spaces (no tabs). */
// +---------------------------------------------------------------------------+
-// | Geeklog 1.6 |
+// | Geeklog 1.8 |
// +---------------------------------------------------------------------------+
// | users.php |
// | |
// | User authentication module. |
// +---------------------------------------------------------------------------+
-// | Copyright (C) 2000-2010 by the following authors: |
+// | Copyright (C) 2000-2011 by the following authors: |
// | |
// | Authors: Tony Bibbs - tony AT tonybibbs DOT com |
// | Mark Limburg - mlimburg AT users DOT sourceforge DOT net |
@@ -484,6 +484,29 @@
exit;
}
+/**
+* Helper function: When magic_quotes_gpc = On, everything in $_GET and $_POST
+* has already been auto-escaped. So we need to undo this before re-creating
+* the GET or POST request.
+*
+* NOTE: Assumes that is only being called when magic_quotes_gpc = On
+*
+* @param ref $value value to un-escape
+* @return mixed un-escaped value or array of values
+* @see COM_stripslashes
+*
+*/
+function stripslashes_gpc_recursive(&$value)
+{
+ if (is_array($value)) {
+ array_map('stripslashes_gpc_recursive', $value);
+ } else {
+ // don't use COM_stripslashes here - no need to check magic_quotes_gpc
+ $value = stripslashes($value);
+ }
+
+ return $value;
+}
/**
* Re-send a request after successful re-authentication
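Review bot: In `stripslashes_gpc_recursive()` the array branch discards the result of `array_map()`, so an array-valued field most likely comes back still escaped; `array_map()` returns a new array rather than rewriting `$value` in place. Assign the result back: `$value = array_map('stripslashes_gpc_recursive', $value);`. Both call sites added later in this commit (the POST and GET replay loops) use the return value, so the `&` on the parameter is unnecessary and could be dropped, with `@param ref` becoming `@param mixed` in the docblock. A test with a nested field such as `foo[]` holding a quote character would cover the path the scalar branch does not.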
@@ -528,6 +551,7 @@
((($method == 'POST') && !empty($postdata)) ||
(($method == 'GET') && !empty($getdata)))) {
+ $magic = get_magic_quotes_gpc();
$req = new HTTP_Request($returnurl);
if ($method == 'POST') {
$req->setMethod(HTTP_REQUEST_METHOD_POST);
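Review bot: The added `$magic = get_magic_quotes_gpc();` ties this path to a function that was deprecated in PHP 7.4 and removed in PHP 8.0, where an unguarded call is a fatal error in the middle of the re-authentication replay. If the file is meant to outlive magic quotes, guard it: `$magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();`. The enclosing function starts and ends outside this hunk, so whether a compatibility wrapper already exists elsewhere in the file cannot be seen from here.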
@@ -536,6 +560,9 @@
if ($key == CSRF_TOKEN) {
$req->addPostData($key, SEC_createToken());
} else {
+ if ($magic) {
+ $value = stripslashes_gpc_recursive($value);
+ }
$req->addPostData($key, $value);
}
}
@@ -554,6 +581,9 @@
if ($key == CSRF_TOKEN) {
$req->addQueryString($key, SEC_createToken());
} else {
+ if ($magic) {
+ $value = stripslashes_gpc_recursive($value);
+ }
$req->addQueryString($key, $value);
}
}