Replace or sanitize remaining uses of PHP_SELF. Fixes #2446
parent
99f1e23c5b
commit
a97711de89
@ -50,9 +50,8 @@ class Frame {
}
public function getImageSrc( $show='capture' ) {
return $_SERVER['PHP_SELF'].'?view=image&fid='.$this->{'FrameId'}.'&eid='.$this->{'EventId'}.'&show='.$show;
#return $_SERVER['PHP_SELF'].'?view=image&fid='.$this->{'Id'}.'&show='.$show.'&filename='.$this->Event()->MonitorId().'_'.$this->{'EventId'}.'_'.$this->{'FrameId'}.'.jpg';
return '?view=image&fid='.$this->{'FrameId'}.'&eid='.$this->{'EventId'}.'&show='.$show;
#return '?view=image&fid='.$this->{'Id'}.'&show='.$show.'&filename='.$this->Event()->MonitorId().'_'.$this->{'EventId'}.'_'.$this->{'FrameId'}.'.jpg';
} // end function getImageSrc
public static function find( $parameters = array(), $options = NULL ) {
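Review bot: The rewritten return in getImageSrc still concatenates `$show` and the two ids into the query string without encoding, so a value containing `&`, `=` or a space breaks the link it builds; `return '?view=image&fid='.urlencode($this->{'FrameId'}).'&eid='.urlencode($this->{'EventId'}).'&show='.urlencode($show);` keeps it well-formed whatever the caller passes. The commented-out `#return '?view=image&fid='.$this->{'Id'}...` line on the new side is dead code that was edited rather than deleted and should simply be dropped. Dropping the PHP_SELF prefix makes the link relative to the current request path, which is fine as long as every caller renders it from index.php — worth confirming since callers are outside this hunk.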
@ -117,7 +117,8 @@ class Server {
if ( isset($this->{'PathToIndex'}) and $this->{'PathToIndex'} ) {
return $this->{'PathToIndex'};
}
return $_SERVER['PHP_SELF'];
// We can't trust PHP_SELF to not include an XSS vector. See note in skin.js.php.
return preg_replace('/\.php.*$/i', '.php', $_SERVER['PHP_SELF']);
}
public function UrlToIndex( $port=null ) {
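Review bot: The sanitizer on the new return line, `preg_replace('/\.php.*$/i', '.php', $_SERVER['PHP_SELF'])`, relies on `.` and `$`, which in PCRE do not cross a newline, so if the decoded path after `.php` can contain one the trailing part is left in place; `preg_replace('/\.php.*\z/is', '.php', $_SERVER['PHP_SELF'])` closes that, and note preg_replace returns null on an internal error, which the caller would then receive instead of a path. Since the goal is only the script path without PATH_INFO, `return $_SERVER['SCRIPT_NAME'];` provides exactly that without a regex and is the more direct fix. The same expression is duplicated in the skin.js.php hunk of this commit; a single shared helper would keep the two from drifting apart. The enclosing method begins outside the hunk.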
@ -43,7 +43,7 @@ if ( $action == 'delete' ) {
$Group->delete();
}
}
$redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=groups';
$redirect = '?view=groups';
$refreshParent = true;
} # end if action
?>
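Review bot: `$redirect = '?view=groups';` is now a query-only relative reference, which a browser resolves against the full current request path including any PATH_INFO suffix after index.php, so the suffix this commit is trying to shed is carried along into the redirect target; the same applies to the `?view=console`, `?view=montage`, `?view=options...` and privacy-action assignments in the later hunks. If `$redirect` ends up in a `header('Location: ...')` call (not visible here), building it from the script path alone, e.g. `$redirect = ZM_BASE_URL.$_SERVER['SCRIPT_NAME'].'?view=groups';`, keeps redirects pinned to index.php itself. The enclosing `if ( $action == 'delete' )` block begins outside the hunk.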
@ -29,7 +29,7 @@ if ( $action == 'login' && isset($_REQUEST['username']) && ( ZM_AUTH_TYPE == 're
$view = 'login';
} else {
$view = 'postlogin';
$redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=console';
$redirect = '?view=console';
}
}
?>
@ -40,7 +40,7 @@ if ( isset($_REQUEST['object']) ) {
$_SESSION['zmMontageLayout'] = $Layout->Id();
setcookie('zmMontageLayout', $Layout->Id(), 1);
session_write_close();
$redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=montage';
$redirect = '?view=montage';
} // end if save
} # end if isset($_REQUEST['object'] )
@ -89,7 +89,7 @@ if ( $action == 'delete' ) {
case 'lowband' :
break;
}
$redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=options&tab='.$_REQUEST['tab'];
$redirect = '?view=options&tab='.$_REQUEST['tab'];
}
loadConfig(false);
return;
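Review bot: The rewritten `$redirect = '?view=options&tab='.$_REQUEST['tab'];` still splices a request parameter into the redirect target unencoded, so a `tab` value containing `&` or `#` can add or truncate query parameters in the resulting URL; `$redirect = '?view=options&tab='.urlencode($_REQUEST['tab']);` keeps it a single parameter. Since `tab` is user-supplied, checking it against the known tab names before reusing it in a URL would be a cheap additional guard. The enclosing block begins outside the hunk.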
@ -28,12 +28,12 @@ if ( ($action == 'privacy') && isset($_REQUEST['option']) ) {
case 'decline' :
dbQuery("UPDATE Config SET Value = '0' WHERE Name = 'ZM_SHOW_PRIVACY'");
dbQuery("UPDATE Config SET Value = '0' WHERE Name = 'ZM_TELEMETRY_DATA'");
$redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=console';
$redirect = '?view=console';
break;
case 'accept' :
dbQuery("UPDATE Config SET Value = '0' WHERE Name = 'ZM_SHOW_PRIVACY'");
dbQuery("UPDATE Config SET Value = '1' WHERE Name = 'ZM_TELEMETRY_DATA'");
$redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=console';
$redirect = '?view=console';
break;
default: # Enable the privacy statement if we somehow submit something other than accept or decline
dbQuery("UPDATE Config SET Value = '1' WHERE Name = 'ZM_SHOW_PRIVACY'");
@ -294,7 +294,7 @@ function getImageStreamHTML( $id, $src, $width, $height, $title='' ) {
function outputControlStream( $src, $width, $height, $monitor, $scale, $target ) {
?>
<form name="ctrlForm" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>" target="<?php echo $target ?>">
<form name="ctrlForm" method="post" action="?" target="<?php echo $target ?>">
<input type="hidden" name="view" value="blank">
<input type="hidden" name="mid" value="<?php echo $monitor['Id'] ?>">
<input type="hidden" name="action" value="control">
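Review bot: The rewritten `<form name="ctrlForm" method="post" action="?" target="<?php echo $target ?>">` in outputControlStream (and the identical line in outputControlStill in the next hunk) still echoes `$target` into an HTML attribute without escaping, so removing PHP_SELF closes one attribute-injection path on this line but leaves the other; `target="<?php echo htmlspecialchars($target, ENT_QUOTES) ?>"` covers it. Where `$target` originates is outside the hunk; if it is always a literal from the calling view this is only defence in depth, but it costs nothing on a line that is already being rewritten. The unchanged `mid` hidden input below echoes `$monitor['Id']` the same way.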
@ -364,7 +364,7 @@ function getWebSiteUrl( $id, $src, $width, $height, $title='' ) {
function outputControlStill( $src, $width, $height, $monitor, $scale, $target ) {
?>
<form name="ctrlForm" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>" target="<?php echo $target ?>">
<form name="ctrlForm" method="post" action="?" target="<?php echo $target ?>">
<input type="hidden" name="view" value="blank">
<input type="hidden" name="mid" value="<?php echo $monitor['Id'] ?>">
<input type="hidden" name="action" value="control">
@ -29,7 +29,11 @@ var AJAX_TIMEOUT = <?php echo ZM_WEB_AJAX_TIMEOUT ?>;
var navBarRefresh = <?php echo 1000*ZM_WEB_REFRESH_NAVBAR ?>;
var currentView = '<?php echo $view ?>';
var thisUrl = '<?php echo ZM_BASE_URL.$_SERVER['PHP_SELF'] ?>';
<?php
/* We can't trust PHP_SELF on a path like /index.php/"%3E%3Cimg src=x onerror=prompt('1');%3E which
will still load index.php but will include the arbitrary payload after `.php/`. To mitigate this,
try to avoid using PHP_SELF but here I try to replace everything after '.php'. */ ?>
var thisUrl = '<?php echo ZM_BASE_URL.preg_replace('/\.php.*$/i', '.php', $_SERVER['PHP_SELF']) ?>';
var skinPath = '<?php echo ZM_SKIN_PATH ?>';
var serverId = '<?php echo defined('ZM_SERVER_ID') ? ZM_SERVER_ID : '' ?>';
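Review bot: The new `var thisUrl = '<?php echo ZM_BASE_URL.preg_replace('/\.php.*$/i', '.php', $_SERVER['PHP_SELF']) ?>';` still drops a server-derived value into a JavaScript single-quoted string by plain echo, so whatever remains before `.php` (and ZM_BASE_URL itself) is bounded only by the regex rather than by escaping for the JS context; `var thisUrl = <?php echo json_encode(ZM_BASE_URL.preg_replace('/\.php.*$/i', '.php', $_SERVER['PHP_SELF']), JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_QUOT|JSON_HEX_AMP) ?>;` makes the literal safe by construction, and `currentView` and `skinPath` on the neighbouring lines would benefit from the same treatment. The regex is duplicated in the Server hunk of this commit, so a shared helper would keep the two in step. The comment block explains the problem well; since `$_SERVER['SCRIPT_NAME']` is the PHP_SELF variant that excludes PATH_INFO, switching to it would let this line avoid PHP_SELF and the regex altogether, as the comment itself recommends.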