| -rw-r--r-- | auto_prepend.php | 14 | ||||
| -rw-r--r-- | it_html.class | 8 | ||||
| -rw-r--r-- | itjs.php | 2 | 
3 files changed, 19 insertions, 5 deletions
| diff --git a/auto_prepend.php b/auto_prepend.php index 7d13289..192c743 100644 --- a/auto_prepend.php +++ b/auto_prepend.php @@ -149,4 +149,18 @@ function db_version()  	return in_array("db4", dba_handlers()) ? "db4" : "db2";  } +/** + * Experimental PHP taint support, see ftp://ftp.porcupine.org/pub/php/ + */ +if (function_exists("taint")) +{ +	function it_untaint(&$value, $marks = TC_HTML) { untaint($value, $marks); return $value; } +	function it_taintcheck(&$value, $marks = TC_HTML) { if (istainted($value) & $marks) { untaint($value, $marks); it::error("it_taintcheck($value, $marks) failed"); } return $value; } +} +else +{ +	function it_untaint(&$value, $marks = 0) {  return $value; } +	function it_taintcheck(&$value, $marks = 0) { } +} +  ?> diff --git a/it_html.class b/it_html.class index a73bba6..08904a8 100644 --- a/it_html.class +++ b/it_html.class @@ -220,13 +220,13 @@ function _parse_args($args)  			foreach ($arg as $key => $value)  			{  				if (is_int($key)) -					$data .= $value; +					$data .= it_taintcheck($value);  				else  					$p[$key] = $value;  			}  		}  		else -			$data .= $arg; +			$data .= it_taintcheck($arg);  	}  	return array($data, $p); @@ -265,7 +265,7 @@ function _tag($name, $args)  		if (($value === null) || ($value === false))	# null or false: omit whole tag  			;  		else if (isset($value) && $value !== true)	# normal case: value -			$result .= " $key=\"" . (preg_match("/[<>&\"'\n\x80-\x9f]/", $value) ? str_replace("\n", "
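Review bot: The fallback `it_taintcheck()` in the `else` branch has an empty body and returns null, while `_parse_args` in it_html.class now appends its return value (`$data .= it_taintcheck($value);` and `$data .= it_taintcheck($arg);`), so on a PHP build without the taint extension the tag content would be dropped. The fallback should mirror the fallback `it_untaint()`: `function it_taintcheck(&$value, $marks = 0) { return $value; }`. Separately, the taint-aware `it_taintcheck()` calls `untaint()` before `it::error()` and then returns the value, so unless `it::error()` aborts (not visible here) a failed check is reported but the data is still emitted. A comment stating whether this report-only behaviour is intended would help, as the error message also interpolates the offending value.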
", Q($value)) : $value) . '"'; +			$result .= " $key=\"" . (preg_match("/[<>&\"'\n\x80-\x9f]/", $value) ? str_replace("\n", "
", Q($value)) : it_untaint($value)) . '"';  		else						# true: tag without value  			$result .= ($this->p['htmltype'] == 'html') ? " $key" : " $key=\"$key\"";  	} @@ -436,7 +436,7 @@ function u(/* ... */)  	list($base, $params) = it_html::_parse_args($args);  	if (!isset($base)) -		$base = $_SERVER['PHP_SELF']; +		it_untaint($base = $_SERVER['PHP_SELF']);  	$base = preg_replace('|\0|', '', $base);  	$base = preg_replace('|[^\w.+!*(),:?@&=/~$-]|e', 'urlencode("$0")', $base); @@ -73,7 +73,7 @@ if ($checksum != $_SERVER['HTTP_IF_NONE_MATCH'])  		$data .= sprintf("/*sln:% 8d*/", strlen($data) + 16);  	} -	echo $data; +	echo it_untaint($data);  }  else  	header("HTTP/1.0 304 Not Modified"); |
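Review bot: In `_tag`, `it_untaint($value)` clears the TC_HTML mark on the branch where the value was not passed through `Q()`, relying on the regex alone. That regex only establishes that the value has no HTML metacharacters inside a double-quoted attribute; it does not cover attributes whose content is itself interpreted, such as URLs or event handlers, and `$key` is emitted with no check at all. I would record the assumption at this line, e.g. `# untaint: no HTML metacharacters, safe only as a quoted attribute value`, and confirm that `Q()` returns untainted output so both branches agree. The body of `_tag` extends beyond this hunk.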
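Review bot: `it_untaint($base = $_SERVER['PHP_SELF']);` passes the result of an assignment expression to a by-reference parameter, which PHP reports as "Only variables should be passed by reference", and it is not certain the mark is cleared on `$base` itself rather than on a temporary. It also clears the mark on a client-influenced value before the two `preg_replace` lines that clean it. Assign first and untaint the variable: `{ $base = $_SERVER['PHP_SELF']; it_untaint($base); }`, with braces because the `if` has none. Better still, place the `it_untaint($base);` after the encoding step, deciding explicitly whether a caller-supplied base should be covered too. `u()` starts and ends outside this hunk.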
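Review bot: `echo it_untaint($data);` clears the TC_HTML mark on the whole response body unconditionally, so any tainted input that reached `$data` earlier in the script passes without a report. How `$data` is built is outside this hunk; if it comes only from static script files, a comment at this line such as `# $data comes from local files only, never request input` would make the blanket untaint reviewable. If request parameters can influence it, `it_taintcheck($data)` would be consistent with `_parse_args`, provided its non-taint fallback returns the value. The file header for this hunk is missing on the page; the diffstat suggests it belongs to itjs.php.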