From: Tim Starling
Date: Fri, 23 Jun 2006 03:56:03 +0000 (+0000)
Subject: Added check for newlines in redirects as a paranoia guard against header injection...
X-Git-Tag: 1.31.0-rc.0~56689
X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22auteur_infos%22%2C%20%22id_auteur=%24id%22%29%20.%20%22?a=commitdiff_plain;h=982637b93a4fc140abfcdf1168cf1af994b634a9;p=lhc%2Fweb%2Fwiklou.git

Added check for newlines in redirects as a paranoia guard against header injection in PHP<5.1.2. Removed OutputPage::addHeader(), has been non-functioning for as long as I can remember.
---

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 14b1b618d4..2816a34923 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -10,7 +10,7 @@ if ( ! defined( 'MEDIAWIKI' ) )
 * @package MediaWiki
 */
 class OutputPage {
- var $mHeaders, $mMetatags, $mKeywords;
+ var $mMetatags, $mKeywords;
 var $mLinktags, $mPagetitle, $mBodytext, $mDebugtext;
 var $mHTMLtitle, $mRobotpolicy, $mIsarticle, $mPrintable;
 var $mSubtitle, $mRedirect, $mStatusCode;
@@ -35,8 +35,7 @@ class OutputPage { * Initialise private variables */ function OutputPage() { - $this->mHeaders = $this->mMetatags = - $this->mKeywords = $this->mLinktags = array(); + $this->mMetatags = $this->mKeywords = $this->mLinktags = array(); $this->mHTMLtitle = $this->mPagetitle = $this->mBodytext = $this->mRedirect = $this->mLastModified = $this->mSubtitle = $this->mDebugtext = $this->mRobotpolicy =
@@ -54,9 +53,13 @@ class OutputPage { $this->mRevisionId = null; $this->mNewSectionLink = false; } + + function redirect( $url, $responsecode = '302' ) { + # Strip newlines as a paranoia check for header injection in PHP<5.1.2 + $this->mRedirect = str_replace( "\n", '', $url ); + $this->mRedirectCode = $responsecode; + } - function addHeader( $name, $val ) { array_push( $this->mHeaders, $name.': '.$val ); } - function redirect( $url, $responsecode = '302' ) { $this->mRedirect = $url; $this->mRedirectCode = $responsecode; } function setStatusCode( $statusCode ) { $this->mStatusCode = $statusCode; } # To add an http-equiv meta tag, precede the name with "http:"
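Review bot: The guard in the new `redirect()` strips only `\n`, so a bare carriage return in `$url` still reaches `$this->mRedirect`; some HTTP clients and intermediaries treat a lone CR as a line terminator, which leaves part of the header-injection path open on the PHP versions the comment names. Stripping both characters closes it: `$this->mRedirect = str_replace( array( "\r", "\n" ), '', $url );`. The inline comment would then read `# Strip CR and LF as a paranoia check for header injection in PHP<5.1.2`. How `mRedirect` is later emitted is not visible in this hunk, so this presumes it is passed to `header()` unchanged.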