Fix: Sanitize PHP_SELF

Dolibarr · Nov 9, 2011 · d08d28c · d08d28c
1 parent 5027152
commit d08d28c
Showing 1 changed file with 32 additions and 18 deletions.
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
@@ -62,26 +62,40 @@ function stripslashes_deep($value)
 	}
 }
 
-// Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST)
-function test_sql_and_script_inject($val,$get)
+
+/**
+ * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF)
+ *
+ * @param		string		$val		Value
+ * @param		string		$type		1=GET, 0=POST, 2=PHP_SELF
+ * @return		boolean					true if there is an injection
+ */
+function test_sql_and_script_inject($val, $type)
 {
 	$sql_inj = 0;
-	// For SQL Injection
-	$sql_inj += preg_match('/delete[\s]+from/i', $val);
-	$sql_inj += preg_match('/create[\s]+table/i', $val);
-	$sql_inj += preg_match('/update.+set.+=/i', $val);
-	$sql_inj += preg_match('/insert[\s]+into/i', $val);
-	$sql_inj += preg_match('/select.+from/i', $val);
-	$sql_inj += preg_match('/union.+select/i', $val);
-	$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+	// For SQL Injection (onyl GET and POST are used to be included into bad escaped SQL requests)
+	if ($type != 2)
+	{
+    	$sql_inj += preg_match('/delete[\s]+from/i', $val);
+    	$sql_inj += preg_match('/create[\s]+table/i', $val);
+    	$sql_inj += preg_match('/update.+set.+=/i', $val);
+    	$sql_inj += preg_match('/insert[\s]+into/i', $val);
+    	$sql_inj += preg_match('/select.+from/i', $val);
+    	$sql_inj += preg_match('/union.+select/i', $val);
+    	$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+	}
 	// For XSS Injection done by adding javascript with script
-	$sql_inj += preg_match('/<script/i', $val);
-	$sql_inj += preg_match('/base[\s]+href/i', $val);
-	if ($get) $sql_inj += preg_match('/img[\s]+src/i', $val);
-	if ($get) $sql_inj += preg_match('/style[\s]*=/i', $val);
-	if ($get) $sql_inj += preg_match('/javascript:/i', $val);
-	// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
-	if ($get) $sql_inj += preg_match('/"/i', $val);	// We refused " in GET parameters value
+    $sql_inj += preg_match('/<script/i', $val);
+    $sql_inj += preg_match('/base[\s]+href/i', $val);
+    if ($type == 1)
+    {
+        $sql_inj += preg_match('/img[\s]+src/i', $val);
+        $sql_inj += preg_match('/style[\s]*=/i', $val);
+	    $sql_inj += preg_match('/javascript:/i', $val);
+    }
+	// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
+	if ($type == 1) $sql_inj += preg_match('/"/i', $val);      // We refused " in GET parameters value
+	if ($type == 2) $sql_inj += preg_match('/[\s;"]/', $val);    // PHP_SELF is an url and must match url syntax
 	return $sql_inj;
 }
 // Security: Return true if OK, false otherwise
@@ -112,7 +126,7 @@ function analyse_sql_and_script(&$var,$get)
 if (! empty($_SERVER["PHP_SELF"]))
 {
     $morevaltochecklikepost=array($_SERVER["PHP_SELF"]);
-    analyse_sql_and_script($morevaltochecklikepost,0);
+    analyse_sql_and_script($morevaltochecklikepost,2);
 }
 // Sanity check on GET parameters
 if (! empty($_SERVER["QUERY_STRING"]))