Remove fixes for secruity issues that have been fixed in PHP years ago.
realityking committed Nov 27, 2011
1 parent 548e35c commit 395f192
Showing 2 changed files with 5 additions and 43 deletions.
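--- a/libraries/import.php
+++ b/libraries/import.php
@@ -70,7 +70,7 @@ class_exists('JLoader') or die;
 JLoader::import('joomla.environment.request');
 
 // If an application flags it doesn't want this, adhere to that.
-if (!defined('_JREQUEST_NO_CLEAN'))
+if (!defined('_JREQUEST_NO_CLEAN') && (bool) ini_get('register_globals'))
 {
 JRequest::clean();
 }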
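Review bot: The new condition `(bool) ini_get('register_globals')` casts a string, and `ini_get()` can return the literal text of the setting (for example `off` when the directive was set as a plain value rather than a flag), which casts to true. That errs toward still calling `JRequest::clean()`, so it is safe, but it means the optimisation silently does nothing on such hosts. The same test is repeated as the early return inside `JRequest::clean()` in the other file, so one of the two is redundant; keeping it only inside `clean()` would leave a single place to maintain. The comment above the `if` still describes only the `_JREQUEST_NO_CLEAN` opt-out; I would extend it to `// If an application flags it doesn't want this, adhere to that. Cleaning is only needed while register_globals is on.`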
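--- a/libraries/joomla/environment/request.php
+++ b/libraries/joomla/environment/request.php
@@ -545,16 +545,11 @@ public static function checkToken($method = 'post')
 */
 public static function clean()
 {
-self::_cleanArray($_FILES);
-self::_cleanArray($_ENV);
-self::_cleanArray($_GET);
-self::_cleanArray($_POST);
-self::_cleanArray($_COOKIE);
-self::_cleanArray($_SERVER);
-
-if (isset($_SESSION))
+// Only run this if register globals is on.
+// Remove this code when PHP 5.4 becomes the minimum requirement.
+if (!(bool) ini_get('register_globals'))
 {
-self::_cleanArray($_SESSION);
+return;
 }
 
 $REQUEST = $_REQUEST;
@@ -594,39 +589,6 @@ public static function clean()
 $GLOBALS['_JREQUEST'] = array();
 }
 
-/**
-* Adds an array to the GLOBALS array and checks that the GLOBALS variable is not being attacked.
-*
-* @param array &$array Array to clean.
-* @param boolean $globalise True if the array is to be added to the GLOBALS.
-*
-* @return void
-*
-* @deprecated 12.1
-* @since 11.1
-*/
-static function _cleanArray(&$array, $globalise = false)
-{
-static $banned = array('_files', '_env', '_get', '_post', '_cookie', '_server', '_session', 'globals');
-
-foreach ($array as $key => $value)
-{
-// PHP GLOBALS injection bug
-$failed = in_array(strtolower($key), $banned);
-
-// PHP Zend_Hash_Del_Key_Or_Index bug
-$failed |= is_numeric($key);
-if ($failed)
-{
-jexit('Illegal variable <b>' . implode('</b> or <b>', $banned) . '</b> passed to script.');
-}
-if ($globalise)
-{
-$GLOBALS[$key] = $value;
-}
-}
-}
-
 /**
 * Clean up an input variable.
 *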
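Review bot: When register_globals is on, `clean()` now goes straight to `$REQUEST = $_REQUEST;` without the banned-key and numeric-key rejection that the removed `_cleanArray()` calls performed, so on the one configuration where this method still does work, protection against the "GLOBALS injection" and "Zend_Hash_Del_Key_Or_Index" issues rests entirely on the PHP runtime. Neither the new comment nor the docblock records which PHP release is assumed to contain those fixes; I would add a line next to the early return such as `// Key checks removed: relies on PHP itself blocking GLOBALS injection and the Zend_Hash_Del_Key_Or_Index bug (requires PHP >= <minimum supported version>).` Separately, `_cleanArray()` was declared without a visibility keyword, so it was callable from outside the class, and it was tagged `@deprecated 12.1`, yet it is deleted here rather than kept as a stub until that release; any extension still calling it would hit a fatal error. The middle of `clean()` lies between the two hunks and is not shown, so whether it applies its own key checks cannot be confirmed from this page.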
