More cleanups and small improvements (e.g. usage of wrappers).

[mailer.git] / inc / libs / security_functions.php

diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php
index 67aea962195e7b8057a4b67031b6ceaf57afb906..e2568b5c3c4261fa292e690566ae995e4d56d255 100644 (file)
--- a/inc/libs/security_functions.php
+++ b/inc/libs/security_functions.php
@@ -16,7 +16,7 @@
  * $Author::                                                          $ *
  * -------------------------------------------------------------------- *
  * Copyright (c) 2003 - 2009 by Roland Haeder                           *
- * Copyright (c) 2009 - 2012 by Mailer Developer Team                   *
+ * Copyright (c) 2009 - 2013 by Mailer Developer Team                   *
  * For more information visit: http://mxchange.org                      *
  *                                                                      *
  * This program is free software; you can redistribute it and/or modify *
@@ -163,17 +163,17 @@ if (isPhpVersionEqualNewer('5.0')) {
 } // END - if
 
 // Check if important arrays are found and define them if missing
-if (!isset($_SERVER)) {
+if ((!isset($_SERVER)) || (!is_array($_SERVER))) {
        global $_SERVER;
        $_SERVER = $GLOBALS['_SERVER'];
 } // END - if
 
-if (!isset($_GET)) {
+if ((!isset($_GET)) || (!is_array($_GET))) {
        global $_GET;
        $_GET = $GLOBALS['_GET'];
 } // END - if
 
-if (!isset($_POST)) {
+if ((!isset($_POST)) || (!is_array($_POST))) {
        global $_POST;
        $_POST = $GLOBALS['_POST'];
 } // END - if
@@ -181,7 +181,7 @@ if (!isset($_POST)) {
 // Generate arrays which holds the relevante chars to replace
 $GLOBALS['security_chars'] = array(
        // The chars we are looking for...
-       'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92)),
+       'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{%', '%}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92), chr(39), '<', '>'),
        // ... and we will replace to.
        'to'   => array(
                '{SLASH}',
@@ -190,6 +190,8 @@ $GLOBALS['security_chars'] = array(
                '{DOLLAR}',
                '{OPEN_ANCHOR}',
                '{CLOSE_ANCHOR}',
+               '{OPEN_LANGUAGE}',
+               '{CLOSE_LANGUAGE}',
                '{OPEN_TEMPLATE}',
                '{CLOSE_TEMPLATE}',
                '{OPEN_CONFIG}',
@@ -200,12 +202,15 @@ $GLOBALS['security_chars'] = array(
                '{CLOSE_INDEX}',
                '{DBL_DOT}',
                '{COMMENT}',
-               '{BACKSLASH}'
+               '{BACKSLASH}',
+               '{SQUOTE}',
+               '{OPEN_TAG}',
+               '{CLOSE_TAG}'
        ),
 );
 
 /*
- * Characters allowed in URLs
+ * Characters allowed in booked URLs
  *
  * Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be
  *       rejected because of the {SLASH}, {DOT} and all below listed items inside the URL.
@@ -221,10 +226,10 @@ $GLOBALS['url_chars'] = array(
 if (is_array($_GET)) {
        foreach ($_GET as $seckey => $secvalue) {
                if (is_array($secvalue)) {
-                       // Throw arrays away...
+                       // Throw arrays away ...
                        unset($_GET[$seckey]);
                } else {
-                       // Only variables are allowed (non-array) but we secure them all!
+                       // Only variables are allowed (non-array) but we secure them all.
                        $_GET[$seckey] = str_replace($GLOBALS['security_chars']['from'], $GLOBALS['security_chars']['to'], $_GET[$seckey]);
 
                        // Strip all other out