Changeset 104833 in spip-zone


Timestamp:
Jun 12, 2017, 7:56:40 AM (3 years ago)
Author:
cedric@…
Message:

Port of http://core.spip.org/projects/spip/repository/revisions/23592 : Version 1.3.2 : Sanitize HTTP_X_FORWARDED_HOST when it is sent as a header

File:
1 edited

  • _core_/securite/ecran_securite.php

    r104721 r104833  
    66 */
    77
    8 define('_ECRAN_SECURITE', '1.3.1'); // 2017-05-31
     8define('_ECRAN_SECURITE', '1.3.2'); // 2017-06-12
    99
    1010/*
     
    295295        $_SERVER['HTTP_REFERER'] = strtr($_SERVER['HTTP_REFERER'], '<>"\'', '[]##');
    296296
     297
     298/*
     299 * Echappement HTTP_X_FORWARDED_HOST
     300 */
     301if (isset($_SERVER['HTTP_X_FORWARDED_HOST']))
     302        $_SERVER['HTTP_X_FORWARDED_HOST'] = strtr($_SERVER['HTTP_X_FORWARDED_HOST'], "<>?\"\{\}\$'` \r\n", '____________');
     303
     304
    297305/*
    298306 * Réinjection des clés en html dans l'admin r19561
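Review bot: the from-string of the new strtr() call at line 302 is longer than its to-string, and strtr() silently ignores the surplus characters of the longer string. In a PHP double-quoted string, \{ and \} are not escape sequences, so the backslashes are kept: the from-string is 14 characters (<, >, ?, ", \, {, \, }, $, ', backtick, space, CR, LF) while the to-string '____________' appears to be 12 underscores. The two characters that fall off the end of the mapping are the trailing \r and \n, which are exactly the ones that matter for header-injection defence, so a forwarded host containing CR/LF would pass through unchanged (the stray backslashes themselves are harmless, they just map to '_'). Suggest dropping the backslashes before the braces, e.g. "<>?\"{}\$'` \r\n" (12 characters, matching the 12 underscores), or switching to the array form of strtr() or to preg_replace() with a character class so the result no longer depends on the two literals being the same length, and covering it with a quick check that a value containing "\r\n" comes out without line breaks.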