Prevent XSS issues relating to PHP_SELF

Selectively porting the security fixes for issue #13191 from dhx's original commit e679a1c, following the reintroduction of the form_action_self() function in master branch to fix issue #16410.
mantisbt · Sep 26, 2013 · 033a504 · 033a504
1 parent 8d7b840
commit 033a504
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 4 deletions.
diff --git a/core/form_api.php b/core/form_api.php
@@ -49,7 +49,8 @@
  * @return string Form action value
  */
 function form_action_self() {
-	return basename($_SERVER['PHP_SELF']);
+	$t_self = trim( str_replace( "\0", '', $_SERVER['SCRIPT_NAME'] ) );
+	return basename( $t_self );
 }
 
 /**

diff --git a/manage_config_email_page.php b/manage_config_email_page.php
@@ -309,7 +309,7 @@ function get_section_end_for_email() {
 		echo form_security_field( 'manage_config_revert' );
 		echo "<input name=\"revert\" type=\"hidden\" value=\"notify_flags,default_notify_flags\"></input>";
 		echo "<input name=\"project\" type=\"hidden\" value=\"$t_project\"></input>";
-		echo "<input name=\"return\" type=\"hidden\" value=\"" . form_action_self() ."\"></input>";
+		echo "<input name=\"return\" type=\"hidden\" value=\"" . string_attribute( form_action_self() ) ."\"></input>";
 		echo "<input type=\"submit\" class=\"button\" value=\"";
 		if ( ALL_PROJECTS == $t_project ) {
 			echo lang_get( 'revert_to_system' );

diff --git a/manage_config_work_threshold_page.php b/manage_config_work_threshold_page.php
@@ -353,7 +353,7 @@ function get_section_end() {
 	echo form_security_field( 'manage_config_revert' );
 	echo "<input name=\"revert\" type=\"hidden\" value=\"" . implode( ',', $t_overrides ) . "\"></input>";
 	echo "<input name=\"project\" type=\"hidden\" value=\"$t_project_id\"></input>";
-	echo "<input name=\"return\" type=\"hidden\" value=\"" . form_action_self() ."\"></input>";
+	echo "<input name=\"return\" type=\"hidden\" value=\"" . string_attribute( form_action_self() ) ."\"></input>";
 	echo "<input type=\"submit\" class=\"button\" value=\"";
 	if ( ALL_PROJECTS == $t_project_id ) {
 		echo lang_get( 'revert_to_system' );

diff --git a/manage_config_workflow_page.php b/manage_config_workflow_page.php
@@ -430,7 +430,7 @@ function access_row() {
 		echo form_security_field( 'manage_config_revert' );
 		echo "<input name=\"revert\" type=\"hidden\" value=\"" . implode( ',', $t_overrides ) . "\"></input>";
 		echo "<input name=\"project\" type=\"hidden\" value=\"$t_project\"></input>";
-		echo "<input name=\"return\" type=\"hidden\" value=\"" . form_action_self() ."\"></input>";
+		echo "<input name=\"return\" type=\"hidden\" value=\"" . string_attribute( form_action_self() ) ."\"></input>";
 		echo "<input type=\"submit\" class=\"button\" value=\"";
 		if ( ALL_PROJECTS == $t_project ) {
 			echo lang_get( 'revert_to_system' );