Untaint ULTRAHOME and IT_HOME (e.g. for it::log)

1 files changed, 4 insertions, 3 deletions

diff --git a/it_auto_prepend.php b/it_auto_prepend.php
index 263e2fc..44e6c32 100644
--- a/it_auto_prepend.php
+++ b/it_auto_prepend.php
@@ -41,13 +41,11 @@ function it_initialize()
 		else	# Shell
 			$GLOBALS['ULTRAHOME'] = dirname(dirname(preg_match('|^/|', $argv[0]) ? $argv[0] : getcwd() . '/' . $argv[0]));
 
-		$GLOBALS['IT_HOME'] = $GLOBALS['ULTRAHOME'];	# IT_HOME is recommended variable name for applications
-
 		$needsconvert = !@eval("return is_array(42=>69,);");	# Check if PHP is patched to support our syntax, see http://cschneid.com/php/
 
 		if ($needsconvert && !$GLOBALS['IT_SYNTAXCONVERTER_DIR'])
 		{
-			$GLOBALS['IT_SYNTAXCONVERTER_DIR'] = $GLOBALS['IT_HOME'] . "/tmp";
+			$GLOBALS['IT_SYNTAXCONVERTER_DIR'] = $GLOBALS['ULTRAHOME'] . "/tmp";
 
 			if (!is_writeable($GLOBALS['IT_SYNTAXCONVERTER_DIR']) || getmyuid() != fileowner($GLOBALS['IT_SYNTAXCONVERTER_DIR']))
 				die(($webmode ? "<pre>" : "") . "Seems to be running in shared environment, manually set\n\$GLOBALS['IT_SYNTAXCONVERTER_DIR'] in $it_path/auto_prepend_local.php\nto either:\n  a) FALSE (syntax conversion disabled) or\n  b) the path to a writeable directory (NOTE: THIS IS UNSAFE!) or\n  c) install the PHP patch from http://cschneid.com/php/\n" . ($webmode ? "</pre>" : ""));
@@ -71,6 +69,9 @@ function it_initialize()
 			require("itools.lib");	# PHP 4 fallback
 		}
 
+		# IT_HOME is recommended variable name for applications
+		$GLOBALS['IT_HOME'] = $GLOBALS['ULTRAHOME'] = it_untaint($GLOBALS['ULTRAHOME'], TC_ALL);
+
 		@set_error_handler("it_errorhandler", E_USER_ERROR | E_RECOVERABLE_ERROR | E_WARNING | E_USER_WARNING | E_NOTICE | E_USER_NOTICE);
 		ini_set('include_path', $GLOBALS['IT_SYNTAXCONVERTER_DIR'] . "/it_syntaxconverter:$it_path:$include_path");
 		$user_includes = explode(":", $include_path);