Code source de phpMyAdmin 2.10.3 |
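<?php
/* $Id: grab_globals.lib.php 9467 2006-09-29 13:24:33Z lem9 $ */
// vim: expandtab sw=4 ts=4 sts=4:


/**
 * This library grabs the names and values of the variables sent or posted to a
 * script in the $_* arrays and sets simple globals variables from them. It does
 * the same work for the $PHP_SELF, $HTTP_ACCEPT_LANGUAGE and
 * $HTTP_AUTHORIZATION variables.
 *
 * Only $_GET, $_POST and $_FILES are imported here; $_COOKIE and $_SERVER are
 * not. Because every imported name becomes a global, this file re-creates the
 * risk profile of register_globals: any global that a later script reads
 * without initialising it first can be supplied by the request unless its
 * name matches a pattern in $_import_blacklist below. Keep that list in sync
 * with the globals the application treats as trusted.
 *
 * This file is meant to be included from the global scope: the function below
 * reads $GLOBALS['_import_blacklist'], and the variable-variables ($$name)
 * created here are expected to land in the global symbol table.
 *
 * loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+
 */

/**
 * copy values from one array to another, usually from a superglobal into $GLOBALS
 *
 * When $sanitize is true, top-level keys matching any pattern in
 * $GLOBALS['_import_blacklist'] are dropped. Nested arrays are copied
 * recursively without sanitizing, since their keys do not become global names.
 *
 * @uses $GLOBALS['_import_blacklist']
 * @uses preg_replace()
 * @uses array_keys()
 * @uses array_unique()
 * @param array $array values from
 * @param array $target values to
 * @param boolean $sanitize prevent importing key names in $_import_blacklist
 * @return boolean false if $array is not an array, or if sanitizing was
 *                 requested but the blacklist is not available (nothing is
 *                 imported in that case); true otherwise
 */
function PMA_gpc_extract($array, &$target, $sanitize = true)
{
    if (! is_array($array)) {
        return false;
    }

    if ($sanitize) {
        // $_import_blacklist is unset at the end of this file. A call made
        // after that point must not fall through to an unfiltered import (nor
        // emit warnings from preg_replace() with an empty pattern), so refuse.
        if (! isset($GLOBALS['_import_blacklist'])
         || ! is_array($GLOBALS['_import_blacklist'])) {
            return false;
        }
        // a blacklisted key is replaced by '' and skipped in the loop below
        $valid_variables = preg_replace($GLOBALS['_import_blacklist'], '',
            array_keys($array));
        $valid_variables = array_unique($valid_variables);
    } else {
        $valid_variables = array_keys($array);
    }

    foreach ($valid_variables as $key) {
        if (strlen($key) === 0) {
            continue;
        }

        if (is_array($array[$key])) {
            // there could be a variable coming from a cookie of
            // another application, with the same name as this array
            unset($target[$key]);

            PMA_gpc_extract($array[$key], $target[$key], false);
        } else {
            $target[$key] = $array[$key];
        }
    }
    return true;
}


/**
 * @var array $_import_blacklist variable names that should NEVER be imported
 * from superglobals
 *
 * Each entry is an anchored, case-insensitive pattern; a matching name is
 * blanked out and therefore not imported. This is a deny-list, so a newly
 * introduced trusted global is importable from the request until it is added
 * here. Note that the PMA_.* entry is commented out, so names with that
 * prefix are not filtered by this list.
 */
$_import_blacklist = array(
    '/^cfg$/i',                  // PMA configuration
    '/^server$/i',               // selected server
    '/^db$/i',                   // page to display
    '/^table$/i',                // page to display
    '/^goto$/i',                 // page to display
    '/^back$/i',                 // the page go back
    '/^lang$/i',                 // selected language
    '/^convcharset$/i',          // PMA convert charset
    '/^collation_connection$/i', //
    '/^set_theme$/i',            //
    '/^sql_query$/i',            // the query to be executed
    '/^GLOBALS$/i',              // the global scope
    '/^str.*$/i',                // PMA localized strings
    '/^_.*$/i',                  // PMA does not use variables starting with _ from extern
    '/^.*\s+.*$/i',              // no whitespaces anywhere
    '/^[0-9]+.*$/i',             // numeric variable names
    //'/^PMA_.*$/i',             // other PMA variables
);

if (! empty($_GET)) {
    PMA_gpc_extract($_GET, $GLOBALS);
}

if (! empty($_POST)) {
    PMA_gpc_extract($_POST, $GLOBALS);
}

if (! empty($_FILES)) {
    // same name filtering as above; $<name> receives the upload's temporary
    // path and $<name>_name the client-supplied file name, which is untrusted
    // input (it is whatever the browser sent) and is not checked here
    $_valid_variables = preg_replace($GLOBALS['_import_blacklist'], '', array_keys($_FILES));
    foreach ($_valid_variables as $name) {
        if (strlen($name) !== 0) {
            $$name = $_FILES[$name]['tmp_name'];
            ${$name . '_name'} = $_FILES[$name]['name'];
        }
    }
    unset($_valid_variables, $name);
}

/**
 * globalize some environment variables
 */
$server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
foreach ($server_vars as $current) {
    // its not important HOW we detect html tags
    // its more important to prevent XSS
    // so its not important if we result in an invalid string,
    // its even better than a XSS capable string
    $env_value = PMA_getenv($current);
    if ($env_value && is_string($env_value) && false === strpos($env_value, '<')) {
        $$current = $env_value;
    // already imported by register_globals?
    // a value that is not a string is discarded as well: strpos() cannot
    // vet it, and an empty string is the safe fallback
    } elseif (! isset($$current) || ! is_string($$current)
     || false !== strpos($$current, '<')) {
        $$current = '';
    }
}
unset($server_vars, $current, $env_value, $_import_blacklist);

// no closing ?> on purpose: trailing whitespace after it would be sent as
// output before any header() call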