BUG Prevent url= querystring argument override

This commit is contained in:
Damian Mooyman 2015-01-01 12:01:01 +13:00
parent f2edf34297
commit 71a14c3035

View File

@ -67,37 +67,44 @@ if(!empty($_SERVER['HTTP_X_ORIGINAL_URL'])) {
*/ */
global $url; global $url;
// PHP 5.4's built-in webserver uses this // Helper to safely parse and load a querystring fragment
if (php_sapi_name() == 'cli-server') { $parseQuery = function($query) {
$url = $_SERVER['REQUEST_URI']; parse_str($query, $_GET);
if ($_GET) $_REQUEST = array_merge((array)$_REQUEST, (array)$_GET);
};
// Querystring args need to be explicitly parsed // Apache rewrite rules and IIS use this
if(strpos($url,'?') !== false) { if (isset($_GET['url']) && php_sapi_name() !== 'cli-server') {
list($url, $query) = explode('?',$url,2);
parse_str($query, $_GET); // Prevent injection of url= querystring argument by prioritising any leading url argument
if ($_GET) $_REQUEST = array_merge((array)$_REQUEST, (array)$_GET); if(isset($_SERVER['QUERY_STRING']) &&
preg_match('/^(?<url>url=[^&?]*)(?<query>.*[&?]url=.*)$/', $_SERVER['QUERY_STRING'], $results)
) {
$queryString = $results['query'].'&'.$results['url'];
$parseQuery($queryString);
} }
// Pass back to the webserver for files that exist
if(file_exists(BASE_PATH . $url) && is_file(BASE_PATH . $url)) return false;
// Apache rewrite rules use this
} else if (isset($_GET['url'])) {
$url = $_GET['url']; $url = $_GET['url'];
// IIS includes get variables in url // IIS includes get variables in url
$i = strpos($url, '?'); $i = strpos($url, '?');
if($i !== false) { if($i !== false) {
$url = substr($url, 0, $i); $url = substr($url, 0, $i);
} }
// Lighttpd uses this // Lighttpd and PHP 5.4's built-in webserver use this
} else { } else {
if(strpos($_SERVER['REQUEST_URI'],'?') !== false) { $url = $_SERVER['REQUEST_URI'];
list($url, $query) = explode('?', $_SERVER['REQUEST_URI'], 2);
parse_str($query, $_GET); // Querystring args need to be explicitly parsed
if ($_GET) $_REQUEST = array_merge((array)$_REQUEST, (array)$_GET); if(strpos($url,'?') !== false) {
} else { list($url, $query) = explode('?',$url,2);
$url = $_SERVER["REQUEST_URI"]; $parseQuery($query);
}
// Pass back to the webserver for files that exist
if(php_sapi_name() === 'cli-server' && file_exists(BASE_PATH . $url) && is_file(BASE_PATH . $url)) {
return false;
} }
} }