Version 1.2 ()
------------------------------------------------------------------------
+ * Fix wrong next/previous page links when using wrapper.php indexFile
+ option. (garvinhicking)
+
+ * Prevent cookie-based session fixation by regenerationg server-side
+ session ID. Major thanks to David Vieira-Kurz.
+
* Display theme's preview_fullsize.jpg image when existing. Added
screenshots by williamts99.
*/
function serendipity_getUriArguments($uri, $wildcard = false) {
global $serendipity;
+static $indexFile = null;
+
+ if ($indexFile === null) {
+ $_indexFile = explode('.', $serendipity['indexFile']);
+ $indexFile = $_indexFile[0];
+ }
/* Explode the path into sections, to later be able to check for arguments and add our own */
preg_match('/^'. preg_quote($serendipity['serendipityHTTPPath'], '/') . '(' . preg_quote($serendipity['indexFile'], '/') . '\?\/)?(' . ($wildcard ? '.+' : '[;,_a-z0-9\-*\/%\+]+') . ')/i', $uri, $_res);
if (strlen($_res[2]) != 0) {
$args = explode('/', $_res[2]);
- if ($args[0] == 'index') {
+ if ($args[0] == $indexFile || $args[0] == $serendipity['indexFile']) {
unset($args[0]);
}
return $args;
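Review bot: The new comparison `$args[0] == $indexFile || $args[0] == $serendipity['indexFile']` uses loose `==` on a segment taken from the request URI; a strict check such as `if (in_array($args[0], array($indexFile, $serendipity['indexFile']), true)) {` avoids PHP's numeric-string coercion and reads as one membership test. The regex on the preceding line matches with the `i` flag while this comparison is case-sensitive, so a segment like `Index` passes the regex but is not stripped — worth a comment if that is intended, or `strcasecmp` if not. The static `$indexFile` cache also assumes `$serendipity['indexFile']` never changes within the request; a short comment stating that would help the next reader. serendipity_getUriArguments continues past the end of this hunk.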
# All rights reserved. See LICENSE file for licensing details
$global_debug = false;
+
if ($global_debug) {
#apd_set_pprof_trace();
if (!headers_sent()) {
session_start();
+
+ // Prevent session fixation by only allowing sessions that have been sent by the server.
+ // Any session that does not contain our unique token will be regarded as foreign/fixated
+ // and be regenerated with a system-generated SID.
+ // Patch by David Vieira-Kurz of majorsecurity.de
+ if (!isset($_SESSION['SERVER_GENERATED_SID'])) {
+ session_destroy();
+ session_regenerate_id();
+ $_SESSION['SERVER_GENERATED_SID'] = true;
+ }
}
if (!defined('S9Y_INCLUDE_PATH')) {
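Review bot: Calling `session_regenerate_id()` right after `session_destroy()` is fragile: once the session is destroyed there is no active session to regenerate, so depending on the PHP version the call warns and returns false, the client-supplied ID is kept, and the `$_SESSION['SERVER_GENERATED_SID'] = true` marker may never be persisted — which would re-trigger the destroy on every request. The usual shape for this guard is to clear the data and rotate the ID in place, `$_SESSION = array(); session_regenerate_id(true); $_SESSION['SERVER_GENERATED_SID'] = true;`, where `true` also deletes the old session storage so the fixated ID cannot be reused. Reading `$_SESSION` before `session_start()` has returned is not an issue here, but the surrounding `if (!headers_sent())` block starts outside the hunk, so I cannot tell whether later code depends on `session_destroy()` having been called.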