From: skodak
Date: Tue, 6 Jan 2009 12:31:20 +0000 (+0000)
Subject: MDL-17789 prevent potential XSS problems through PHP_SELF
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=f98cfb53d12cbbf569ec1908c41d95b3eb527d8c;p=moodle.git
MDL-17789 prevent potential XSS problems through PHP_SELF
---
diff --git a/lib/setup.php b/lib/setup.php
index 9ac23f1bc7..e15ea3bb15 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -408,7 +408,15 @@ global $SCRIPT;
 }
 if (!empty($_SERVER['PATH_TRANSLATED'])) {
 $_SERVER['PATH_TRANSLATED'] = stripslashes($_SERVER['PATH_TRANSLATED']);
+ }
+
+/// neutralise nasty chars in PHP_SELF
+ if (isset($_SERVER['PHP_SELF'])) {
+ $phppos = strpos($_SERVER['PHP_SELF'], '.php');
+ if ($phppos !== false) {
+ $_SERVER['PHP_SELF'] = substr($_SERVER['PHP_SELF'], 0, $phppos+4);
 }
+ unset($phppos);
 }
 /// initialise ME's
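Review bot: The truncation in the new `if (isset($_SERVER['PHP_SELF']))` block only fires when `.php` occurs somewhere in the value, so a request whose PHP_SELF carries no `.php` at all (or where the first `.php` is inside a directory name such as `/foo.phpx/index.php`, which the cut would shorten to `/foo.php`) either passes through untouched or is mangled; `strpos` finds the first occurrence, not the script boundary. Anchoring the cut on a `.php` that is followed by `/` or end-of-string is tighter: `if (preg_match('|^(.*?\.php)(?:/\|$)|', $_SERVER['PHP_SELF'], $m)) { $_SERVER['PHP_SELF'] = $m[1]; }`. Because the neutralisation is conditional, any code that echoes PHP_SELF into HTML still has to escape it with `htmlspecialchars()` at output; the comment could say so explicitly, e.g. `/// neutralise nasty chars in PHP_SELF (defence in depth only; callers must still escape on output)`. The `+4` would read better as `strlen('.php')`. The surrounding top-level script code of lib/setup.php starts and ends outside this hunk.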