From 57c944856712cf3fdc7855d10db07da93a82e863 Mon Sep 17 00:00:00 2001
From: Paul Richards
Date: Mon, 29 Aug 2011 18:55:14 +0100
Subject: [PATCH] Fix issue introduced previously whereby php_Self is now used unchecked. introduced previously by john attempting to fix symlinks. Since we now use php 5.2, we can make use of filter_var. This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8 Depending on server/mantis config this can lead to XSS issues
---
 config_defaults_inc.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index c4bcebbe51..f970903d30 100644
--- config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -126,10 +126,20 @@
 $t_host = 'localhost';
 }
- $t_path = str_replace( basename( $_SERVER['PHP_SELF'] ), '', $_SERVER['PHP_SELF'] );
+ if( isset( $_SERVER['SCRIPT_NAME'] ) ) {
+ $t_self = $_SERVER['SCRIPT_NAME'];
+ } else {
+ $t_self = $_SERVER['PHP_SELF'];
+ }
+
+ $t_self = filter_var($t_self, FILTER_SANITIZE_STRING);
+ $t_path = str_replace( basename( $t_self ), '', $t_self );
 $t_path = basename( $t_path ) == "admin" ? rtrim( dirname( $t_path ), '/\\' ) . '/' : $t_path;
 $t_path = basename( $t_path ) == "soap" ? rtrim( dirname( dirname( $t_path ) ), '/\\' ) . '/' : $t_path;
-
+ if( strpos( $t_path, '&#' ) ) {
+ echo 'Can not safely determine $g_path. Please set $g_path manually in config_inc.php';
+ die;
+ }
 $t_url = $t_protocol . '://' . $t_host . $t_path;
 } else {
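Review bot: The added guard `if( strpos( $t_path, '&#' ) )` treats a match at offset 0 as "not found", because strpos() returns 0 there and false when there is no match, and both are falsy; compare explicitly with `if( strpos( $t_path, '&#' ) !== false ) {`. The test also only notices characters that FILTER_SANITIZE_STRING entity-encodes (quotes), while tag-like input is stripped silently, so the derived path can differ from the real script path without reaching the error branch; a short comment such as `// '&#' appears only when filter_var() had to encode a quote in the script path` would make that dependency visible. The PHP_SELF fallback is the branch where this matters most, since that value can carry client-supplied PATH_INFO. The enclosing if/else block starts and ends outside the hunk, so how `$t_url` is used afterwards is not visible here.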