From 23ef85fa74c07093a9f7de6879fabebc0aeed18f Mon Sep 17 00:00:00 2001
From: Meik Sievertsen <acydburn@phpbb.com>
Date: Thu, 12 Oct 2006 15:20:33 +0000
Subject: [PATCH] some test code, hopefully working for all occassions where we
 are using the functions...

git-svn-id: file:///svn/phpbb/trunk@6487 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/includes/functions.php | 15 ++++++++++++++-
 phpBB/includes/session.php   |  8 +++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 2666f013c5..4fbac96fe2 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -1478,7 +1478,7 @@ function generate_board_url($without_script_path = false)
 /**
 * Redirects the user to another page then exits the script nicely
 */
-function redirect($url)
+function redirect($url, $return = false)
 {
 	global $db, $cache, $config, $user;
 
@@ -1554,6 +1554,17 @@ function redirect($url)
 		}
 	}
 
+	// Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
+	if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false || strpos($url, generate_board_url()) !== 0)
+	{
+		trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
+	}
+
+	if ($return)
+	{
+		return $url;
+	}
+
 	// Redirect via an HTML form for PITA webservers
 	if (@preg_match('#Microsoft|WebSTAR|Xitami#', getenv('SERVER_SOFTWARE')))
 	{
@@ -1670,6 +1681,8 @@ function meta_refresh($time, $url)
 {
 	global $template;
 
+	$url = redirect($url, true);
+
 	$template->assign_vars(array(
 		'META' => '<meta http-equiv="refresh" content="' . $time . ';url=' . $url . '" />')
 	);
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 09a52feb1f..079d7b9f07 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -64,7 +64,8 @@ class session
 		$query_string = trim(implode('&', $args));
 
 		// basenamed page name (for example: index.php)
-		$page_name = htmlspecialchars(basename($script_name));
+		$page_name = basename($script_name);
+		$page_name = urlencode(htmlspecialchars($page_name));
 
 		// current directory within the phpBB root (for example: adm)
 		$root_dirs = explode('/', str_replace('\\', '/', phpbb_realpath($root_path)));
@@ -112,6 +113,11 @@ class session
 			'page'				=> $page
 		);
 
+		if (!file_exists($page_name))
+		{
+			trigger_error('You are on a page that does not exist!', E_USER_ERROR);
+		}
+
 		return $page_array;
 	}