MDL-17789 prevent potential XSS problems through PHP_SELF
authorskodak <skodak>
Tue, 6 Jan 2009 12:31:20 +0000 (12:31 +0000)
committerskodak <skodak>
Tue, 6 Jan 2009 12:31:20 +0000 (12:31 +0000)
lib/setup.php

index 9ac23f1bc722b8a9d42b7f22e87beb2fbcbc0b4e..e15ea3bb15ea76a370ce4c35ae4208b9c0a8929b 100644 (file)
@@ -408,7 +408,15 @@ global $SCRIPT;
         }
         if (!empty($_SERVER['PATH_TRANSLATED'])) {
             $_SERVER['PATH_TRANSLATED'] = stripslashes($_SERVER['PATH_TRANSLATED']);
+    }
+
+/// neutralise nasty chars in PHP_SELF
+    if (isset($_SERVER['PHP_SELF'])) {
+        $phppos = strpos($_SERVER['PHP_SELF'], '.php');
+        if ($phppos !== false) {
+            $_SERVER['PHP_SELF'] = substr($_SERVER['PHP_SELF'], 0, $phppos+4);
         }
+        unset($phppos);
     }
 
 /// initialise ME's
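Review bot: The `strpos`/`substr` truncation only neutralises `$_SERVER['PHP_SELF']` when the string contains `.php`; a value without that substring passes through unchanged, and a directory component that happens to contain `.php` would cut the path short of the real script. This is therefore defence-in-depth rather than a guarantee, so every place that echoes `$_SERVER['PHP_SELF']` into HTML should still wrap it in `htmlspecialchars()`, and the header comment could say so, e.g. `/// neutralise nasty chars in PHP_SELF: keep everything up to and including the first '.php' (output sites must still escape it)`. As rendered, the added `    }` (4-space indent) closes the PATH_TRANSLATED `if` opened at 8 spaces, which leaves the block opened before the hunk without a visible closing brace; this is probably a diff-alignment artifact, but worth confirming against the file. The enclosing block starts outside the hunk.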