Fix: Sanitize PHP_SELF

htdocs/main.inc.php

@@ -64,31 +64,38 @@ if (function_exists('get_magic_quotes_gpc'))	// magic_quotes_* removed in PHP6
 }
 
 /**
- * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST)
+ * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF)
  *
  * @param		string		$val		Value
- * @param		string		$get		1=GET, 0=POST
+ * @param		string		$type		1=GET, 0=POST, 2=PHP_SELF
  * @return		boolean					true if there is an injection
  */
-function test_sql_and_script_inject($val, $get)
+function test_sql_and_script_inject($val, $type)
 {
 	$sql_inj = 0;
-	// For SQL Injection
+	// For SQL Injection (onyl GET and POST are used to be included into bad escaped SQL requests)
-	$sql_inj += preg_match('/delete[\s]+from/i', $val);
+	if ($type != 2)
-	$sql_inj += preg_match('/create[\s]+table/i', $val);
+	{
-	$sql_inj += preg_match('/update.+set.+=/i', $val);
+    	$sql_inj += preg_match('/delete[\s]+from/i', $val);
-	$sql_inj += preg_match('/insert[\s]+into/i', $val);
+    	$sql_inj += preg_match('/create[\s]+table/i', $val);
-	$sql_inj += preg_match('/select.+from/i', $val);
+    	$sql_inj += preg_match('/update.+set.+=/i', $val);
-	$sql_inj += preg_match('/union.+select/i', $val);
+    	$sql_inj += preg_match('/insert[\s]+into/i', $val);
-	$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+    	$sql_inj += preg_match('/select.+from/i', $val);
+    	$sql_inj += preg_match('/union.+select/i', $val);
+    	$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+	}
 	// For XSS Injection done by adding javascript with script
     $sql_inj += preg_match('/<script/i', $val);
     $sql_inj += preg_match('/base[\s]+href/i', $val);
-    if ($get) $sql_inj += preg_match('/img[\s]+src/i', $val);
+    if ($type == 1)
-    if ($get) $sql_inj += preg_match('/style([\s]+)?=/i', $val);
+    {
-	if ($get) $sql_inj += preg_match('/javascript:/i', $val);
+        $sql_inj += preg_match('/img[\s]+src/i', $val);
-	// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
+        $sql_inj += preg_match('/style[\s]*=/i', $val);
-	if ($get) $sql_inj += preg_match('/"/i', $val);	// We refused " in GET parameters value
+	    $sql_inj += preg_match('/javascript:/i', $val);
+    }
+	// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
+	if ($type == 1) $sql_inj += preg_match('/"/i', $val);      // We refused " in GET parameters value
+	if ($type == 2) $sql_inj += preg_match('/[\s;"]/', $val);    // PHP_SELF is an url and must match url syntax
 	return $sql_inj;
 }
 
@@ -96,16 +103,16 @@ function test_sql_and_script_inject($val, $get)
  * Security: Return true if OK, false otherwise
  *
  * @param		string		&$var		Variable name
- * @param		string		$get		1=GET, 0=POST
+ * @param		string		$type		1=GET, 0=POST, 2=PHP_SELF
  * @return		boolean					true if ther is an injection
  */
-function analyse_sql_and_script(&$var, $get)
+function analyse_sql_and_script(&$var, $type)
 {
 	if (is_array($var))
 	{
 		foreach ($var as $key => $value)
 		{
-			if (analyse_sql_and_script($value,$get))
+			if (analyse_sql_and_script($value,$type))
 			{
 				$var[$key] = $value;
 			}
@@ -119,7 +126,7 @@ function analyse_sql_and_script(&$var, $get)
 	}
 	else
 	{
-		return (test_sql_and_script_inject($var,$get) <= 0);
+		return (test_sql_and_script_inject($var,$type) <= 0);
 	}
 }
 
@@ -127,7 +134,7 @@ function analyse_sql_and_script(&$var, $get)
 if (! empty($_SERVER["PHP_SELF"]))
 {
     $morevaltochecklikepost=array($_SERVER["PHP_SELF"]);
-    analyse_sql_and_script($morevaltochecklikepost,0);
+    analyse_sql_and_script($morevaltochecklikepost,2);
 }
 // Sanity check on GET parameters
 if (! empty($_SERVER["QUERY_STRING"]))