makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 06:08:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

do not use parse_str because it could lead to "unexpected" output which could lead to XSS

Browse source 
git-svn-id: file:///svn/phpbb/trunk@6476 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Meik Sievertsen 2006-10-11 07:02:29 +00:00
parent e168cd2793
commit a765165cd1
1 changed files with 13 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
phpBB/includes/functions.php
View file

@ -1607,9 +1607,20 @@ function build_url($strip_vars = false)
}
$query = $_query = array();
parse_str(substr($redirect, strpos($redirect, '?') + 1), $query);
$args = substr($redirect, strpos($redirect, '?') + 1);
$args = ($args) ? explode('&', $args) : array();
$redirect = substr($redirect, 0, strpos($redirect, '?'));
foreach ($args as $argument)
{
$arguments = explode('=', $argument);
$key = $arguments[0];
unset($arguments[0]);
$query[$key] = implode('=', $arguments);
}
// Strip the vars off
foreach ($strip_vars as $strip)
{
@ -1619,7 +1630,7 @@ function build_url($strip_vars = false)
}
}
//
// Glue the remaining parts together... already urlencoded
foreach ($query as $key => $value)
{
$_query[] = $key . '=' . $value;