onokazu
onoka****@users*****
2005年 9月 5日 (月) 05:46:09 JST
Index: xoops2jp/html/include/commentform.inc.php
diff -u xoops2jp/html/include/commentform.inc.php:1.3 xoops2jp/html/include/commentform.inc.php:1.4
--- xoops2jp/html/include/commentform.inc.php:1.3 Sat Aug 13 12:41:44 2005
+++ xoops2jp/html/include/commentform.inc.php Mon Sep 5 05:46:09 2005
@@ -1,5 +1,5 @@
 <?php
-// $Id: commentform.inc.php,v 1.3 2005/08/13 03:41:44 onokazu Exp $
+// $Id: commentform.inc.php,v 1.4 2005/09/04 20:46:09 onokazu Exp $
 // ------------------------------------------------------------------------ //
 // XOOPS - PHP Content Management System //
 // Copyright (c) 2000 XOOPS.org //
Index: xoops2jp/html/include/common.php
diff -u xoops2jp/html/include/common.php:1.6 xoops2jp/html/include/common.php:1.7
--- xoops2jp/html/include/common.php:1.6 Wed Aug 3 21:39:11 2005
+++ xoops2jp/html/include/common.php Mon Sep 5 05:46:09 2005
@@ -1,5 +1,5 @@
 <?php
-// $Id: common.php,v 1.6 2005/08/03 12:39:11 onokazu Exp $
+// $Id: common.php,v 1.7 2005/09/04 20:46:09 onokazu Exp $
 // ------------------------------------------------------------------------ //
 // XOOPS - PHP Content Management System //
 // Copyright (c) 2000 XOOPS.org //
@@ -163,6 +163,10 @@
 if ( isset( $_SERVER[ 'QUERY_STRING' ] ) ) {
 $_SERVER[ 'REQUEST_URI' ] .= '?' . $_SERVER[ 'QUERY_STRING' ];
 }
+
+ // Guard for XSS string of PHP_SELF
+ if(preg_match("/[\<\>\"\'\(\)]/",$_SERVER['REQUEST_URI']))
+ die();
 }
 $xoopsRequestUri = $_SERVER[ 'REQUEST_URI' ]; // Deprecated (use the corrected $_SERVER variable now)
 /**#@-*/
Index: xoops2jp/html/include/functions.php
diff -u xoops2jp/html/include/functions.php:1.4 xoops2jp/html/include/functions.php:1.5
--- xoops2jp/html/include/functions.php:1.4 Wed Aug 3 21:39:11 2005
+++ xoops2jp/html/include/functions.php Mon Sep 5 05:46:09 2005
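Review bot: In the common.php hunk at -163, the new check sits before the closing brace of an enclosing block whose condition starts outside the hunk, so it only runs when that block is entered. If that block is the fallback that rebuilds `$_SERVER['REQUEST_URI']` (not visible here), requests where the server already supplies REQUEST_URI never reach the guard, and the check would belong after the brace. The bare `die();` presumably returns an empty response with no error status and leaves no trace for whoever monitors the site; `header('HTTP/1.0 400 Bad Request'); exit();` plus a log entry would make rejected requests visible. The deny-list also rejects any URI carrying a literal quote or parenthesis, so it is a stop-gap beside output encoding where the value is echoed, and the brace-less `if` would be safer written with braces.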
@@ -1,5 +1,5 @@
 <?php
-// $Id: functions.php,v 1.4 2005/08/03 12:39:11 onokazu Exp $
+// $Id: functions.php,v 1.5 2005/09/04 20:46:09 onokazu Exp $
 // ------------------------------------------------------------------------ //
 // XOOPS - PHP Content Management System //
 // Copyright (c) 2000 XOOPS.org //
@@ -460,6 +460,15 @@
 //} else {
 $ret = isset($_SERVER[$key]) ? $_SERVER[$key] : $_ENV[$key];
 //}
+
+ switch($key) {
+ case 'PHP_SELF':
+ case 'PATH_INFO':
+ case 'PATH_TRANSLATED':
+ $ret = htmlspecialchars($ret,ENT_QUOTES);
+ break;
+ }
+
 return $ret;
 }
Index: xoops2jp/html/include/notification_functions.php
diff -u xoops2jp/html/include/notification_functions.php:1.2 xoops2jp/html/include/notification_functions.php:1.3
--- xoops2jp/html/include/notification_functions.php:1.2 Fri Mar 18 21:51:55 2005
+++ xoops2jp/html/include/notification_functions.php Mon Sep 5 05:46:09 2005
@@ -1,5 +1,5 @@
 <?php
-// $Id: notification_functions.php,v 1.2 2005/03/18 12:51:55 onokazu Exp $
+// $Id: notification_functions.php,v 1.3 2005/09/04 20:46:09 onokazu Exp $
 // ------------------------------------------------------------------------ //
 // XOOPS - PHP Content Management System //
 // Copyright (c) 2000 XOOPS.org //
@@ -322,7 +322,7 @@
 $all_categories =& notificationCategoryInfo ('', $module_id);
 // FIXME: better or more standardized way to do this?
- $script_url = explode('/', $_SERVER['PHP_SELF']);
+ $script_url = explode('/', xoops_getenv('PHP_SELF'));
 $script_name = $script_url[count($script_url)-1];
 $sub_categories = array();
Index: xoops2jp/html/include/registerform.php
diff -u xoops2jp/html/include/registerform.php:1.5 xoops2jp/html/include/registerform.php:1.6
--- xoops2jp/html/include/registerform.php:1.5 Sat Aug 13 12:41:44 2005
+++ xoops2jp/html/include/registerform.php Mon Sep 5 05:46:09 2005
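Review bot: In the functions.php hunk at -460, `xoops_getenv()` now returns HTML-escaped text for three keys and raw text for every other key, and nothing in the function says so. Callers that use the value for something other than HTML output (the notification_functions.php hunk in this commit splits it into path segments) receive entity-encoded data, and callers that escape again on output will double-encode. Because the remaining keys still come back raw, a caller cannot treat the return value as safe to echo. I would add a comment above the switch such as `// PHP_SELF, PATH_INFO, PATH_TRANSLATED are returned HTML-escaped (ENT_QUOTES); all other keys are raw and must be escaped by the caller`. The function body starts outside this hunk.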
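Review bot: In the notification_functions.php hunk at -322, the script name is still taken as the last `/`-separated segment of PHP_SELF, which can carry client-supplied trailing path information, so `$script_name` may not name the executing file. The switch to `xoops_getenv()` escapes the string but does not change that. If the name is later matched against configured script names (outside this hunk), `$script_name = basename($_SERVER['SCRIPT_NAME']);` is a steadier source and needs no escaping for a comparison. The existing FIXME asks the same question, and the surrounding function starts and ends outside the hunk.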
@@ -1,5 +1,5 @@
 <?php
-// $Id: registerform.php,v 1.5 2005/08/13 03:41:44 onokazu Exp $
+// $Id: registerform.php,v 1.6 2005/09/04 20:46:09 onokazu Exp $
 // ------------------------------------------------------------------------ //
 // XOOPS - PHP Content Management System //
 // Copyright (c) 2000 XOOPS.org //
Index: xoops2jp/html/include/searchform.php
diff -u xoops2jp/html/include/searchform.php:1.3 xoops2jp/html/include/searchform.php:1.4
--- xoops2jp/html/include/searchform.php:1.3 Sat Aug 13 12:41:44 2005
+++ xoops2jp/html/include/searchform.php Mon Sep 5 05:46:09 2005
@@ -1,5 +1,5 @@
 <?php
-// $Id: searchform.php,v 1.3 2005/08/13 03:41:44 onokazu Exp $
+// $Id: searchform.php,v 1.4 2005/09/04 20:46:09 onokazu Exp $
 // ------------------------------------------------------------------------ //
 // XOOPS - PHP Content Management System //
 // Copyright (c) 2000 XOOPS.org //
Index: xoops2jp/html/include/version.php
diff -u xoops2jp/html/include/version.php:1.9 xoops2jp/html/include/version.php:1.10
--- xoops2jp/html/include/version.php:1.9 Sat Aug 13 12:50:41 2005
+++ xoops2jp/html/include/version.php Mon Sep 5 05:46:09 2005
@@ -1,4 +1,4 @@
 <?php
-// $Id: version.php,v 1.9 2005/08/13 03:50:41 onokazu Exp $
-define("XOOPS_VERSION","XOOPS 2.0.11.1 JP");
+// $Id: version.php,v 1.10 2005/09/04 20:46:09 onokazu Exp $
+define("XOOPS_VERSION","XOOPS 2.0.12 JP");
 ?>
\ No newline at end of file