From ab609ec67c146d0e1ea2398023fd30cfe7382610 Mon Sep 17 00:00:00 2001
From: "fil@rezo.net" <>
Date: Sun, 23 Jan 2011 20:53:59 +0000
Subject: [PATCH] 0.9.9: affiner la detection de 'op' pour ne pas nuire a
 drupal, et bloquer les xss sur var_recherche

---
 ecran_securite.php | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/ecran_securite.php b/ecran_securite.php
index e89753e..f543d33 100644
--- a/ecran_securite.php
+++ b/ecran_securite.php
@@ -5,7 +5,7 @@
  * ------------------
  */
 
-define('_ECRAN_SECURITE', '0.9.8'); // 17 janv 2011
+define('_ECRAN_SECURITE', '0.9.9'); // 23 janv 2011
 
 /*
  * Documentation : http://www.spip.net/fr_article4200.html
@@ -50,13 +50,14 @@ foreach ($GLOBALS as $var => $val)
  */
 $cjpeg_command='';
 
-/*     - controle la variable $lang (XSS)
+/*     - controle la variable lang, var_recherche (XSS)
  *
  */
-if (isset($_GET['lang']))
-	$GLOBALS['lang'] = $_GET['lang'] = htmlentities((string)$_GET['lang']);
-if (isset($_POST['lang']))
-	$GLOBALS['lang'] = $_POST['lang'] = htmlentities((string)$_POST['lang']);
+foreach(array('lang', 'var_recherche') as $ecran_securite_i)
+if (isset($_GET[$ecran_securite_i]))
+	$_REQUEST[$ecran_securite_i] = $GLOBALS[$ecran_securite_i] = $_GET[$ecran_securite_i] = preg_replace(',[^\w-]+,',' ',(string)$_GET[$ecran_securite_i]);
+if (isset($_POST[$ecran_securite_i]))
+	$_REQUEST[$ecran_securite_i] = $GLOBALS[$ecran_securite_i] = $_POST[$ecran_securite_i] = preg_replace(',[^\w-]+,',' ',(string)$_POST[$ecran_securite_i]);
 
 /*     - filtre l'acces a spip_acces_doc (injection SQL en 1.8.2x)
  *
@@ -184,13 +185,12 @@ AND strstr((string)$_REQUEST['znom_sauvegarde'], '/'))
 
 
 /*
- * op, lang, permettent des inclusions arbitraires
+ * op permet des inclusions arbitraires ;
+ * on verifie 'page' pour ne pas bloquer ... drupal
  */
-foreach (array('op','lang') as $var)
-if (isset($_REQUEST[$var])
-AND $_REQUEST[$var] !== preg_replace('/[^\-\w]/', '', $_REQUEST[$var]))
-	$ecran_securite_raison = "$var";
-
+if (isset($_REQUEST['op']) AND isset($_REQUEST['page'])
+AND $_REQUEST['op'] !== preg_replace('/[^\-\w]/', '', $_REQUEST['op']))
+	$ecran_securite_raison = 'op';
 
 /*
  * S'il y a une raison de mourir, mourons
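Review bot: The new condition only inspects `op` when `page` is also present, so a request carrying `op` alone is no longer checked at all; whether the SPIP inclusion path this guards is reachable only together with `page` is not visible here, and if it is not, the Drupal accommodation reopens the hole. The comment should state that reasoning rather than just "pour ne pas bloquer drupal", e.g. `// the inclusion vector needs both 'op' and 'page'; Drupal sends 'op' alone, so it is left untouched` — with the first clause confirmed against the SPIP code that consumes `op`. It would also help to note which Drupal requests tripped the previous check (presumably `op` values containing characters outside `[\-\w]`), so a later maintainer can re-tighten the rule if that usage changes. The `if` that assigns `$ecran_securite_raison` is complete within the hunk, but the code that acts on it starts after the hunk ends.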
-- 
GitLab