From d08d28c0cda1f762a47cc205d4363de03df16675 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 9 Nov 2011 13:40:29 +0100
Subject: [PATCH] Fix: Sanitize PHP_SELF

---
 htdocs/main.inc.php | 50 +++++++++++++++++++++++++++++----------------
 1 file changed, 32 insertions(+), 18 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index a27ead10152..f34ec1264cb 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -62,26 +62,40 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* removed in PHP6
 }
 }
-// Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST)
-function test_sql_and_script_inject($val,$get)
+
+/**
+ * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF)
+ *
+ * @param string $val Value
+ * @param string $type 1=GET, 0=POST, 2=PHP_SELF
+ * @return boolean true if there is an injection
+ */
+function test_sql_and_script_inject($val, $type)
 {
 $sql_inj = 0;
- // For SQL Injection
- $sql_inj += preg_match('/delete[\s]+from/i', $val);
- $sql_inj += preg_match('/create[\s]+table/i', $val);
- $sql_inj += preg_match('/update.+set.+=/i', $val);
- $sql_inj += preg_match('/insert[\s]+into/i', $val);
- $sql_inj += preg_match('/select.+from/i', $val);
- $sql_inj += preg_match('/union.+select/i', $val);
- $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+ // For SQL Injection (onyl GET and POST are used to be included into bad escaped SQL requests)
+ if ($type != 2)
+ {
+ $sql_inj += preg_match('/delete[\s]+from/i', $val);
+ $sql_inj += preg_match('/create[\s]+table/i', $val);
+ $sql_inj += preg_match('/update.+set.+=/i', $val);
+ $sql_inj += preg_match('/insert[\s]+into/i', $val);
+ $sql_inj += preg_match('/select.+from/i', $val);
+ $sql_inj += preg_match('/union.+select/i', $val);
+ $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+ }
 // For XSS Injection done by adding javascript with script
 $sql_inj += preg_match('/