From 0ea06fd2878d802b1e627ac3ec31b6a5b61d9f9d Mon Sep 17 00:00:00 2001
From: Derek Jones
Date: Tue, 5 Feb 2008 15:23:51 +0000
Subject: * Fixed a bug (#3396) where certain POST variables would cause a PHP warning. * Added $_SERVER, $_FILES, $_ENV, and $_SESSION to sanitization of globals.
---
 system/libraries/Input.php | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
(limited to 'system')
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 5832d2d80..1c5682eb7 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -72,16 +72,15 @@ class CI_Input {
 $protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA', 'system_folder', 'application_folder', 'BM', 'EXT', 'CFG', 'URI', 'RTR', 'OUT', 'IN');
- // Unset globals for securiy.
+ // Unset globals for security.
 // This is effectively the same as register_globals = off
- foreach (array($_GET, $_POST, $_COOKIE) as $global)
+ foreach (array($_GET, $_POST, $_COOKIE, $_SERVER, $_FILES, $_ENV, (isset($_SESSION) && is_array($_SESSION)) ? $_SESSION : array()) as $global)
 {
 if ( ! is_array($global))
 {
 if ( ! in_array($global, $protected))
 {
- global $$global;
- $$global = NULL;
+ unset($GLOBALS[$global]);
 }
 }
 else
@@ -90,8 +89,18 @@ class CI_Input {
 {
 if ( ! in_array($key, $protected))
 {
- global $$key;
- $$key = NULL;
+ unset($GLOBALS[$key]);
+ }
+
+ if (is_array($val))
+ {
+ foreach($val as $k => $v)
+ {
+ if ( ! in_array($k, $protected))
+ {
+ unset($GLOBALS[$k]);
+ }
+ }
 }
 }
 }
-- 
cgit v1.2.3-24-g4f1b
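Review bot: `$protected` names every superglobal this loop walks except `_COOKIE`, so a request key called `_COOKIE` passes the `in_array()` test and reaches `unset($GLOBALS[$key])` in the next hunk. Whether that removes the cookie array for the rest of the request probably depends on the PHP version, so it is simpler to close the gap by adding `'_COOKIE'` to the `$protected` array. Every element of the new `foreach` list is now guaranteed to be an array, so the `if ( ! is_array($global))` branch looks unreachable and could be removed. The enclosing method starts above this hunk and the loop body continues into the next one.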
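Review bot: The added inner loop unsets globals named after second-level keys (`$k`), but as far as I know register_globals only ever promoted top-level names, so these keys never had a matching global to clean up. What the loop does add is a second set of request-supplied names that can remove any global missing from `$protected`, and it still stops at one level of nesting. I would drop the `if (is_array($val))` block, or, if it fixes a real case, name that case in a comment above it and make the lookup strict: `if ( ! in_array($k, $protected, TRUE))`. The surrounding `foreach` opens above the hunk.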