From f98cfb53d12cbbf569ec1908c41d95b3eb527d8c Mon Sep 17 00:00:00 2001
From: skodak
Date: Tue, 6 Jan 2009 12:31:20 +0000
Subject: [PATCH] MDL-17789 prevent potential XSS problems through PHP_SELF

---
 lib/setup.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/setup.php b/lib/setup.php
index 9ac23f1bc7..e15ea3bb15 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -408,7 +408,15 @@ global $SCRIPT;
 }
 if (!empty($_SERVER['PATH_TRANSLATED'])) {
 $_SERVER['PATH_TRANSLATED'] = stripslashes($_SERVER['PATH_TRANSLATED']);
+ }
+
+/// neutralise nasty chars in PHP_SELF
+ if (isset($_SERVER['PHP_SELF'])) {
+ $phppos = strpos($_SERVER['PHP_SELF'], '.php');
+ if ($phppos !== false) {
+ $_SERVER['PHP_SELF'] = substr($_SERVER['PHP_SELF'], 0, $phppos+4);
 }
+ unset($phppos);
 }
 
 /// initialise ME's
-- 
2.39.5
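Review bot: The added `if ($phppos !== false)` branch has no fallback, so when `$_SERVER['PHP_SELF']` contains no `.php` the value stays exactly as the server supplied it, including any client-controlled trailing path, and the sanitising silently does nothing. `strpos` also cuts at the first `.php`, so an install under a directory whose name contains `.php` would presumably end up with a truncated, wrong script path. The comment promises more than the code does: it drops everything after the script name rather than filtering characters, so I would word it `/// drop client-supplied path info after the script name in PHP_SELF; callers must still escape it on output`. The not-found case should be handled explicitly, for instance by falling back to `$_SERVER['SCRIPT_NAME']`. The block closed by the first context `}` opens outside this hunk, so how earlier code treats these variables is not visible here.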