initvar() is too permissive

Posted: Sun Apr 29, 2012 9:41 pm
by cmb
Hello Developers,

I'm using a GET parameter 'geshi_file' and noticed that $f == 'file' was set by CMSimple_XH. I found the cause in initvar():

Code:

$GLOBALS[$name] = @preg_replace("/.*?(" . $name . "=([^\&]*))?.*?/i", "\\2", sv('QUERY_STRING'));

IMO that's far too permissive. Any GET parameter ending in 'file' (e.g. 'profile') will set $file, and this will cause $f to be set to 'file' later on! I doubt that a preg_replace() is necessary here, and I query why looking for $_GET[...] isn't enough. BTW: this preg_replace() was introduced in CMSimple 2.3. Ahh(!), now I see a possible reason: the preg_replace() is working case insensitive, so it's possible to do an initvar('File') and nonetheless get $file, $FILE or $fIlE. However -- does that make any sense?

Perhaps turning this line back to what it was in CMSimple 2.2 should be considered (and of course be tested):

Code:

$GLOBALS[$name]='';
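To make the effect described above concrete, here is an added example (my own PHP, not part of the original post and not CMSimple_XH code) that runs the quoted regex and a strict parsed-query lookup over a few constructed query strings. It assumes sv('QUERY_STRING') is replaced by a string argument and that the result is returned instead of written to $GLOBALS[$name].

```php
<?php
// Added example, not CMSimple_XH code. Assumptions: sv('QUERY_STRING') is
// replaced by a $query argument, and the value is returned instead of being
// written to $GLOBALS[$name] so both variants can be compared side by side.

// The technique quoted from initvar(): a case-insensitive regex over the raw
// query string. The pattern is not anchored, so $name only has to be the
// tail of some parameter name (e.g. 'profile' or 'geshi_file' for 'file').
function initvar_permissive(string $name, string $query): string
{
    $value = preg_replace(
        "/.*?(" . $name . "=([^\&]*))?.*?/i",   // same pattern as in initvar()
        "\\2",
        $query
    );
    return $value === null ? '' : $value;    // preg_replace() returns null on error
}

// Strict alternative: parse the query string and accept only an exact,
// case-sensitive match on the parameter name, like reading $_GET[$name].
function initvar_strict(string $name, string $query): string
{
    parse_str($query, $params);
    if (isset($params[$name]) && is_string($params[$name])) {
        return $params[$name];
    }
    return '';
}

// Constructed query strings covering the cases discussed in the post.
$cases = [
    'file=index',          // the parameter actually asked for
    'profile=alice',       // a name that merely ends in 'file'
    'geshi_file=foo.php',  // the poster's geshi_file parameter
    'FILE=Upper',          // same name, different case
    'a=1&file=x&b=2',      // surrounded by other parameters
    'foo=bar',             // no file parameter at all
];

foreach ($cases as $query) {
    printf(
        "%-22s permissive=%-12s strict=%s\n",
        $query,
        var_export(initvar_permissive('file', $query), true),
        var_export(initvar_strict('file', $query), true)
    );
}
```

Running it shows which inputs the regex variant accepts that the strict variant rejects; the strict variant is the behaviour a plain $_GET[$name] lookup gives.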