From 2d6e0f00d8e1e7f709e4d7f3ca087c319fa8a276 Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Thu, 27 Oct 2005 17:03:36 +0000
Subject: [PATCH] [XSS] clean $_SERVER variables
---
 ChangeLog | 1 +
 libraries/grab_globals.lib.php | 13 +++++++++----
 server_status.php | 12 ++++++------
 3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 23e62c189..7ac94b3a4 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -27,6 +27,7 @@ $Source$ - bug #1274032 Field privileges with database names containing underscores - use DROP USER - use db_name LIKE REPLACE( mysql.db.Db, \_, _ ) + * libraries/grab_globals.lib.php: [XSS] clean $_SERVER variables 2005-10-26 Marc Delisle * lang/french* updates
diff --git a/libraries/grab_globals.lib.php b/libraries/grab_globals.lib.php
index 45328479d..48bc9a2ed 100644
--- a/libraries/grab_globals.lib.php
+++ b/libraries/grab_globals.lib.php
@@ -91,14 +91,19 @@ if (!empty($_FILES)) {
 if (!empty($_SERVER)) {
 $server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
- foreach ($server_vars as $current) {
- if (isset($_SERVER[$current])) {
+ foreach ( $server_vars as $current ) {
+ // its not important HOW we detect html tags
+ // its more important to prevent XSS
+ // so its not important if we result in an invalid string,
+ // its even better than a XSS capable string
+ if ( isset( $_SERVER[$current] ) && false === strpos( $_SERVER[$current], '<' ) ) {
 $$current = $_SERVER[$current];
- } elseif (!isset($$current)) {
+ // already importet by register_globals?
+ } elseif ( ! isset( $$current ) || false !== strpos( $$current, '<' ) ) {
 $$current = '';
 }
 }
- unset($server_vars, $current);
+ unset( $server_vars, $current );
 } // end if
 // Security fix: disallow accessing serious server files via "?goto="
diff --git a/server_status.php b/server_status.php
index 3e3748928..459c30c30 100644
--- a/server_status.php
+++ b/server_status.php
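Review bot: The new `if`/`elseif` conditions in the grab_globals.lib.php hunk reject a value only when it contains `<`, which does not match the contexts these variables end up in: `$PHP_SELF` is normally emitted inside a quoted `href` attribute, where a quote character alone is enough to leave the attribute, so the filter cannot stand in for escaping at the point of output. A more robust rule for `PHP_SELF` is positive validation (accept only a value that equals the expected script name, or a tight character allowlist) plus `htmlspecialchars()` wherever it is printed; the other two names are header values and should be treated the same way at their consumers. The added comment says what the check is not, but not what callers may rely on; I would replace the four lines with something like `// Rejects values containing '<' only; this is not output escaping, so consumers must still apply htmlspecialchars() before emitting these into HTML.` The `elseif` also keeps a pre-existing `$$current` when the `$_SERVER` copy is rejected — under register_globals that earlier value presumably comes from the request as well, so it is not obviously more trustworthy; worth confirming or clearing unconditionally.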
@@ -257,7 +257,7 @@ $sections = array( $links = array();
 $links['table'][$strFlushTables]
- = $_SERVER['PHP_SELF'] . '?flush=TABLES&' . PMA_generate_common_url();
+ = $PHP_SELF . '?flush=TABLES&' . PMA_generate_common_url();
 $links['table'][$strShowOpenTables] = 'sql.php?sql_query=' . urlencode('SHOW OPEN TABLES') . '&goto=server_status.php&' . PMA_generate_common_url();
@@ -272,7 +272,7 @@ $links['repl']['MySQL - ' . $strDocu] = $cfg['MySQLManualBase'] . '/replication.html';
 $links['qcache'][$strFlushQueryCache]
- = $_SERVER['PHP_SELF'] . '?flush=QUERY CACHE&' .
+ = $PHP_SELF . '?flush=QUERY CACHE&' .
 PMA_generate_common_url(); $links['qcache']['MySQL - ' . $strDocu] = $cfg['MySQLManualBase'] . '/query-cache.html';
@@ -331,10 +331,10 @@ $hour_factor = 3600 / $server_status['Uptime'];
 ?>
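Review bot: The `$strFlushTables` link in the first hunk (and the `$strFlushQueryCache` link in the second) still builds its target from `$PHP_SELF`, a request-influenced value that is presumably populated by grab_globals.lib.php, when this file already knows its own name: the neighbouring `$strShowOpenTables` entry uses a literal `'sql.php?...'`, so `= 'server_status.php?flush=TABLES&' . PMA_generate_common_url();` and `= 'server_status.php?flush=QUERY CACHE&' .` would drop the dependence on the `<`-only filter entirely. Wherever `$links` is later echoed into HTML (outside these hunks), the value should still go through `htmlspecialchars()`, since the filter does not reject quotes or ampersands. The surrounding `$links` assignments start before the first hunk and continue after the second.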