Bad things are now 'classified' as bad (CSS class 'bad' is being used instead of...

[mailer.git] / inc / libs / security_functions.php

diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php
index fc61bdf3606196ff1896f4de63e57fa9bcfcc1dd..b1cce1c5b323b30827b90b452d01bf66ae9f226e 100644 (file)
--- a/inc/libs/security_functions.php
+++ b/inc/libs/security_functions.php
@@ -16,8 +16,8 @@
  * $Author::                                                          $ *
  * -------------------------------------------------------------------- *
  * Copyright (c) 2003 - 2009 by Roland Haeder                           *
- * Copyright (c) 2009, 2010 by Mailer Developer Team                    *
- * For more information visit: http://www.mxchange.org                  *
+ * Copyright (c) 2009 - 2011 by Mailer Developer Team                   *
+ * For more information visit: http://mxchange.org                      *
  *                                                                      *
  * This program is free software; you can redistribute it and/or modify *
  * it under the terms of the GNU General Public License as published by *
@@ -36,7 +36,9 @@
  ************************************************************************/
 
 // Run only once this security check/replacement
-if (defined('__SECURITY')) return;
+if (defined('__SECURITY')) {
+       return;
+} // END - if
 
 // Some security stuff...
 if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== false) {
@@ -136,6 +138,12 @@ function detectPhpCaching () {
 ini_set('magic_quotes_runtime', false);
 ini_set('magic_quotes_gpc', false); // This may not work on some systems
 
+// No compatibility with Zend Engine 1, else an error like 'Implicit cloning'
+// will be produced.
+if (phpversion() >= '5.0') {
+       ini_set('zend.ze1_compatibility_mode', 'Off');
+} // END - if
+
 // Check if important arrays are found and define them if missing
 if (!isset($_SERVER)) {
        global $_SERVER;
@@ -155,7 +163,7 @@ if (!isset($_POST)) {
 // Generate arrays which holds the relevante chars to replace
 $GLOBALS['security_chars'] = array(
        // The chars we are looking for...
-       'from' => array('/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--'),
+       'from' => array('/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', "\\"),
        // ... and we will replace to.
        'to'   => array(
                '{SLASH}',
@@ -173,7 +181,8 @@ $GLOBALS['security_chars'] = array(
                '{OPEN_INDEX}',
                '{CLOSE_INDEX}',
                '{DBL_DOT}',
-               '{COMMENT}'
+               '{COMMENT}',
+               '{BACKSLASH}'
        ),
 );
 
@@ -196,10 +205,7 @@ if (is_array($_GET)) {
                        unset($_GET[$seckey]);
                } else {
                        // Only variables are allowed (non-array) but we secure them all!
-                       foreach ($GLOBALS['security_chars']['from'] as $key => $char) {
-                               // Pass all through
-                               $_GET[$seckey] = str_replace($char  , $GLOBALS['security_chars']['to'][$key], $_GET[$seckey]);
-                       } // END - foreach
+                       $_GET[$seckey] = str_replace($GLOBALS['security_chars']['from'], $GLOBALS['security_chars']['to'], $_GET[$seckey]);
 
                        // Strip all other out
                        $_GET[$seckey] = secureString($_GET[$seckey]);
@@ -207,6 +213,18 @@ if (is_array($_GET)) {
        } // END - foreach
 } // END - if
 
+// Secure also $_POST data (only simple, no replace)
+if (is_array($_POST)) {
+       // Secure only simple data
+       foreach ($_POST as $seckey => $secvalue) {
+               // Is it an array?
+               if (!is_array($secvalue)) {
+                       // Strip all other out
+                       $_POST[$seckey] = secureString($_POST[$seckey]);
+               } // END - if
+       } // END - foreach
+} // END - if
+
 // Detect PHP caching
 detectPhpCaching();