authorDries Buytaert <dries@buytaert.net>2004-12-28 11:04:24 +0000
committerDries Buytaert <dries@buytaert.net>2004-12-28 11:04:24 +0000
commit0fb0a93965879025c03b4270ccb03ba608db8dff (patch)
tree7a275b024a75eb8c213e5f190100f0d5d27f6eb9
parentddbec122dc005b8a55d2d3d698bb3fbacd45ad33 (diff)
- Improved the input checking.
-rw-r--r--includes/common.inc12
1 files changed, 9 insertions, 3 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 4a029dcc3..7d0ac19fa 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -584,7 +584,7 @@ function valid_input_data($data) {
}
}
}
- else {
+ else if (isset($data)) {
// Detect dangerous input data.
// Decode all normal character entities.
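Review bot: With `else if (isset($data))`, a null `$data` now skips both the array branch and the dangerous-input branch, so the result for that case is decided entirely by whatever return follows the if/else chain, which is outside this hunk. For a security filter that outcome should be explicit in the code rather than implied. I would add a comment above the new branch such as `// Unset (NULL) values carry nothing to inspect; they fall through to the final return.` and confirm that the final return really does treat them as valid. The body of `valid_input_data()` starts and ends outside the hunk.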
@@ -1805,8 +1805,14 @@ else {
// Initialize all enabled modules.
module_init();
-if ($_REQUEST && !user_access('bypass input data check')) {
- if (!valid_input_data($_REQUEST)) {
+if (!user_access('bypass input data check')) {
+ // We can't use $_REQUEST because it consists of the contents of $_POST,
+ // $_GET and $_COOKIE: if any of the input arrays share a key, only one
+ // value will be verified.
+ if (!valid_input_data($_GET)
+ || !valid_input_data($_POST)
+ || !valid_input_data($_COOKIE)
+ || !valid_input_data($_FILES)) {
die('Terminated request because of suspicious input data.');
}
}
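Review bot: The new condition checks `$_GET`, `$_POST`, `$_COOKIE` and `$_FILES`, but the comment only explains why `$_REQUEST` was dropped and does not say what the check leaves out. Request-controlled values in `$_SERVER` (headers, the request URI) never pass through `valid_input_data()`, and for `$_FILES` only the client-supplied `name` and `type` entries are meaningful to inspect. I would extend the comment with a line such as `// Not covered: $_SERVER values and raw request bodies; these must still be escaped where they are output.` so that later callers do not treat this gate as complete input validation. The surrounding top-level code starts outside the hunk.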