From a765165cd1280c8f79d7ad99dbdf6dab05375dde Mon Sep 17 00:00:00 2001
From: Meik Sievertsen <acydburn@phpbb.com>
Date: Wed, 11 Oct 2006 07:02:29 +0000
Subject: [PATCH] do not use parse_str because it could lead to "unexpected"
 output which could lead to XSS

git-svn-id: file:///svn/phpbb/trunk@6476 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/includes/functions.php | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 3c6a80fc37..6092d8b0dc 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -1607,9 +1607,20 @@ function build_url($strip_vars = false)
 		}
 
 		$query = $_query = array();
-		parse_str(substr($redirect, strpos($redirect, '?') + 1), $query);
+
+		$args = substr($redirect, strpos($redirect, '?') + 1);
+		$args = ($args) ? explode('&', $args) : array();
 		$redirect = substr($redirect, 0, strpos($redirect, '?'));
 
+		foreach ($args as $argument)
+		{
+			$arguments = explode('=', $argument);
+			$key = $arguments[0];
+			unset($arguments[0]);
+
+			$query[$key] = implode('=', $arguments);
+		}
+
 		// Strip the vars off
 		foreach ($strip_vars as $strip)
 		{
@@ -1619,7 +1630,7 @@ function build_url($strip_vars = false)
 			}
 		}
 	
-		// 
+		// Glue the remaining parts together... already urlencoded
 		foreach ($query as $key => $value)
 		{
 			$_query[] = $key . '=' . $value;