From 8e4524c0d81c11477d0f46985cc3f4844a85c61f Mon Sep 17 00:00:00 2001 From: Gerhard Killesreiter Date: Fri, 21 Apr 2006 06:39:00 +0000 Subject: #59378, unset disallowed globals in case register_globals is on, patch by chx --- includes/bootstrap.inc | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'includes/bootstrap.inc') diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 15d2ba52d..110d496c4 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -131,12 +131,25 @@ function conf_path() { return $conf; } +/** + * Unsets all disallowed global variables. See $allowed for what's allowed. + */ +function drupal_unset_globals() { + if (ini_get('register_globals')) { + $allowed = array('_ENV' => 1, '_GET' => 1, '_POST' => 1, '_COOKIE' => 1, '_FILES' => 1, '_SERVER' => 1, '_REQUEST' => 1, 'access_check' => 1); + foreach ($GLOBALS as $key => $value) { + if (!isset($allowed[$key])) { + unset($GLOBALS[$key]); + } + } + } +} + /** * Loads the configuration and sets the base URL correctly. */ function conf_init() { global $db_url, $db_prefix, $base_url, $base_path, $base_root, $conf; - $conf = array(); require_once './'. conf_path() .'/settings.php'; @@ -720,6 +733,7 @@ function _drupal_bootstrap($phase) { switch ($phase) { case DRUPAL_BOOTSTRAP_DATABASE: + drupal_unset_globals(); // Initialize the configuration conf_init(); // Initialize the default database. -- cgit v1.2.3
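Review bot: The `$allowed` array in `drupal_unset_globals()` has no `'GLOBALS'` entry, so on PHP versions where `$GLOBALS` holds a reference to itself the loop reaches that key and runs `unset($GLOBALS['GLOBALS'])`. Code that reads `$GLOBALS` later in the request may then misbehave; adding `'GLOBALS' => 1` to the list avoids this. The list also exempts `access_check`, presumably because an entry script assigns it before bootstrapping. If so, a request-supplied value of that name survives the cleanup on any entry script that does not assign it unconditionally. The docblock should name the script that owns `access_check` and state that requirement, since "See $allowed for what's allowed" does not explain why a non-superglobal is trusted.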
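Review bot: The new `drupal_unset_globals();` call in the `DRUPAL_BOOTSTRAP_DATABASE` case has no comment, and the existing `// Initialize the configuration` now reads as if it described both calls. The order matters: the cleanup must run before `conf_init()` includes settings.php, otherwise the values that file defines would be removed too, and it only protects code that executes after this point in the bootstrap. I would add `// Drop request-injected globals (register_globals) before any configuration is loaded.` directly above the call. The switch statement continues outside the hunk, so whether anything reads globals before this phase cannot be checked from here.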