| author | Christian Schneider | 2007-11-13 14:22:51 +0000 | 
|---|---|---|
| committer | Christian Schneider | 2007-11-13 14:22:51 +0000 | 
| commit | 944f8ca2a616df44e9a49a371050d1101be8924a (patch) | |
| tree | d186a66a9e81aca7a7ecbe57201c76f1d8795695 /it_auto_prepend.php | |
| parent | 18ae9081ff04de3d751fbc4688bdec656c3ea143 (diff) | |
| download | itools-944f8ca2a616df44e9a49a371050d1101be8924a.tar.gz itools-944f8ca2a616df44e9a49a371050d1101be8924a.tar.bz2 itools-944f8ca2a616df44e9a49a371050d1101be8924a.zip | |
Tested and fixed syntax converter security
Diffstat (limited to 'it_auto_prepend.php')
| -rw-r--r-- | it_auto_prepend.php | 10 | 
1 files changed, 5 insertions, 5 deletions
| diff --git a/it_auto_prepend.php b/it_auto_prepend.php
index 58f522b..472a016 100644
--- a/it_auto_prepend.php
+++ b/it_auto_prepend.php
@@ -57,19 +57,19 @@ function it_initialize()
 			require("itools.lib");	# PHP 4 fallback
 		}
+		# IT_HOME is recommended variable name for applications
+		$GLOBALS['IT_HOME'] = $GLOBALS['ULTRAHOME'] = it_untaint($GLOBALS['ULTRAHOME'], TC_ALL);
+
 		$needsconvert = !@eval("return is_array(42=>69,);");	# Check if PHP is patched to support our syntax, see http://cschneid.com/php/
 		if ($needsconvert && !$GLOBALS['IT_SYNTAXCONVERTER_DIR'])
 		{
 			$GLOBALS['IT_SYNTAXCONVERTER_DIR'] = $GLOBALS['ULTRAHOME'] . "/tmp";
-			if (!is_writeable($GLOBALS['IT_SYNTAXCONVERTER_DIR']) || getmyuid() != fileowner($GLOBALS['IT_SYNTAXCONVERTER_DIR']))
+			if (!is_writeable($GLOBALS['IT_SYNTAXCONVERTER_DIR']) || !function_exists("posix_geteuid") || posix_geteuid() != fileowner($GLOBALS['IT_SYNTAXCONVERTER_DIR']))
 				die(($webmode ? "<pre>" : "") . "Seems to be running in shared environment, manually set\n\$GLOBALS['IT_SYNTAXCONVERTER_DIR'] in $it_path/auto_prepend_local.php\nto either:\n  a) FALSE (syntax conversion disabled) or\n  b) the path to a writeable directory (NOTE: THIS IS UNSAFE!) or\n  c) install the PHP patch from http://cschneid.com/php/\n" . ($webmode ? "</pre>" : ""));
 		}
-		# IT_HOME is recommended variable name for applications
-		$GLOBALS['IT_HOME'] = $GLOBALS['ULTRAHOME'] = it_untaint($GLOBALS['ULTRAHOME'], TC_ALL);
-
 		@set_error_handler("it_errorhandler", E_USER_ERROR | E_RECOVERABLE_ERROR | E_WARNING | E_USER_WARNING | E_NOTICE | E_USER_NOTICE);
 		ini_set('include_path', $GLOBALS['IT_SYNTAXCONVERTER_DIR'] . "/it_syntaxconverter:$it_path:$include_path");
 		$user_includes = explode(":", $include_path); 
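Review bot: The ownership test on the rewritten `if` line still uses loose `!=`, so when `fileowner()` fails and returns `false` the comparison against an effective uid of 0 evaluates as equal and the shared-environment guard is skipped; `posix_geteuid() !== fileowner($GLOBALS['IT_SYNTAXCONVERTER_DIR'])` closes that gap and makes a vanished directory fail closed as well. The relocated untaint of `ULTRAHOME` would also benefit from a comment stating why it now precedes the converter-directory setup, e.g. `# Untaint first: IT_SYNTAXCONVERTER_DIR below is derived from ULTRAHOME`. `$webmode` and `$it_path` are assigned outside the hunk, and it_initialize() continues past it.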
@@ -103,7 +103,7 @@ function it_initialize()
 		if ($needsconvert)
 		{
 			# Convert syntax and start
-			$converted = it_convert($_SERVER['SCRIPT_FILENAME']);
+			$converted = it_convert(it_untaint($_SERVER['SCRIPT_FILENAME'], TC_SELF));
 			/* XXX Disabled as DB not always there
 			if (!$autoloader)	# PHP 4 fallback |
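Review bot: The new `it_convert` call untaints `$_SERVER['SCRIPT_FILENAME']` with `TC_SELF` without a comment recording why that value is considered trustworthy, and nothing in the hunk shows what `TC_SELF` permits or whether the path is normalised before the converter works with it. If the assumption is that `SCRIPT_FILENAME` is supplied by the SAPI rather than the request, a one-line comment such as `# SCRIPT_FILENAME is set by the SAPI, not the client; TC_SELF untaint needed for it_convert` would preserve that reasoning for the next reader. it_initialize() starts and ends outside this hunk, and the `/* XXX Disabled` block that follows is left unchanged.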