initvar() is too permissive
Posted: Sun Apr 29, 2012 9:41 pm
Hello Developers,
I'm using a GET parameter 'geshi_file' and noticed, that $f == 'file' was set by CMSimple_XH. I found the cause in initvar():
IMO that's far too permissive. Any GET parameter ending in 'file' (e.g. 'profile') will set $file, and this will cause $f to be set to 'file' later on! I doubt, that a preg_replace() is necessary here, and I query, why looking for $_GET[...] isn't enough. BTW: this preg_replace() was introduced in CMSimple 2.3. Ahh(!), now I see a possible reason: the preg_replace() is working case insensitive, so it's possible to do an initvar('File') and nonetheless get $file, $FILE or $fIlE. However -- does that make any sense?
Perhaps turning this line back to was it was in CMSimple 2.2 should be considered (and of course be tested):
I'm using a GET parameter 'geshi_file' and noticed, that $f == 'file' was set by CMSimple_XH. I found the cause in initvar():
Code: Select all
$GLOBALS[$name] = @preg_replace("/.*?(" . $name . "=([^\&]*))?.*?/i", "\\2", sv('QUERY_STRING')); Perhaps turning this line back to was it was in CMSimple 2.2 should be considered (and of course be tested):
Code: Select all
$GLOBALS[$name]='';