SMF 1.0.7 29 March 2006
SMF 1.0.8 21 August 2006
================================================================================
August 2006
--------------------------------------------------------------------------------
! Some message table values weren't stored properly. (Post.php)
! Fixed unset not working properly in all cases due to a vulnerability in PHP. (QueryString.php, Profile.php, Post.php)
July 2006
--------------------------------------------------------------------------------
! Block page requests attempting to modify the $GLOBALS variable. (QueryString.php)
================================================================================
April 2006
--------------------------------------------------------------------------------
! Added checking to the topic, board, and action REQUEST parameters to ensure they are not arrays prior to processing (QueryString.php)
SMF 1.0.7 29 March 2006
$context['icon'] = preg_replace('~[\./\\\\*:"<>]~', '', $_REQUEST['icon']);
$context['icon'] = preg_replace('~[\./\\\\*\':"<>]~', '', $_REQUEST['icon']);
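Review bot: The icon filter on the new line is still a denylist: it strips a fixed list of characters from `$_REQUEST['icon']` and this release only adds the single quote, so any character not on the list still passes through. If icon names are plain identifiers (not visible here, to be confirmed), an allowlist is easier to reason about, e.g. `$context['icon'] = preg_replace('~[^a-zA-Z0-9_-]~', '', $_REQUEST['icon']);`. `preg_replace` also returns an array when handed one, so an `is_string($_REQUEST['icon'])` check before the filter would cover array-valued input too.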
$_POST['guestname'] = $row['posterName'];
$_POST['email'] = $row['posterEmail'];
$_POST['guestname'] = addslashes($row['posterName']);
$_POST['email'] = addslashes($row['posterEmail']);
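Review bot: The two `addslashes()` calls need a comment saying why database values are escaped on their way into `$_POST`, otherwise a later cleanup may remove them as redundant. Presumably the rest of the file treats `$_POST` as already escaped and interpolates it into queries (not visible in these lines), in which case something like `// $row comes raw from the database; re-escape it to match the escaped state of the rest of $_POST.` would record the reason. `addslashes()` is also not charset-aware, so if the forum can run on a multibyte connection charset, the database driver's own escaping function is the safer choice here.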
unset($_POST['options'][$k]);
unset($_POST['options'][$k], $_POST['options'][$k]);
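Review bot: Passing the same key twice to `unset()` reads like a copy-paste mistake, and nothing on the line says it is deliberate. The changelog ties it to an `unset()` flaw in PHP itself, so each of these calls should carry a comment such as `// Unset twice on purpose: works around the PHP unset() vulnerability, do not simplify.`. The same applies to the `$GLOBALS['HTTP_POST_VARS']` and `$GLOBALS['HTTP_POST_FILES']` lines that follow. Naming the affected PHP versions in that comment would let the workaround be removed once they are no longer supported.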
unset($GLOBALS['HTTP_POST_VARS']);
unset($GLOBALS['HTTP_POST_FILES']);
unset($GLOBALS['HTTP_POST_VARS'], $GLOBALS['HTTP_POST_VARS']);
unset($GLOBALS['HTTP_POST_FILES'], $GLOBALS['HTTP_POST_FILES']);
// These keys shouldn't be set...ever.
if (isset($_REQUEST['GLOBALS']) || isset($_COOKIE['GLOBALS']))
die('Invalid request variable.');
// Same goes for numeric keys.
foreach (array_merge(array_keys($_REQUEST), array_keys($_COOKIE), array_keys($_FILES)) as $key)
if (is_numeric($key))
die('Invalid request variable.');
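Review bot: The `GLOBALS` check looks at `$_REQUEST` and `$_COOKIE` but not `$_FILES`, while the numeric-key loop directly below it does include `array_keys($_FILES)`, so the two checks do not cover the same inputs. Adding `|| isset($_FILES['GLOBALS'])` to the first condition closes that gap. Both checks also rely on `$_REQUEST` containing the GET and POST data, which depends on the server's `variables_order` setting; testing `$_GET` and `$_POST` explicitly would not depend on configuration. The surrounding function is outside the lines shown, so whether uploads are screened elsewhere could not be confirmed.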
// If there's a slash in it, we've got a start value! (old, compatible links.)
// Make sure we start with a string
$_REQUEST['board'] = (string) $_REQUEST['board'];
// If there's a slash in it, we've got a start value! (old, compatible links.)
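Review bot: Casting with `(string)` does not reject an array, it turns it into the literal string `Array`, so an array-valued `board` parameter continues into the slash parsing below with a junk value instead of being refused. An explicit test states the intent better, e.g. `if (is_array($_REQUEST['board'])) die('Invalid request variable.');`, and the same holds for the `topic` cast and the two `action` casts further down. Only `action` is normalised in `$_GET` as well as `$_REQUEST`; if later code reads `$_GET['board']` or `$_GET['topic']` (not visible here), those would still hold the array. The enclosing blocks begin and end outside the lines shown.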
// Slash means old, beta style, formatting. That's okay though, the link should still work.
// Make sure we start with a string
$_REQUEST['topic'] = (string) $_REQUEST['topic'];
// Slash means old, beta style, formatting. That's okay though, the link should still work.
// Find the user's IP address. (but don't let it give you 'unknown'!)
// The action needs to be a string and not an array or anything else
if (isset($_REQUEST['action']))
$_REQUEST['action'] = (string) $_REQUEST['action'];
if (isset($_GET['action']))
$_GET['action'] = (string) $_GET['action'];
// Find the user's IP address. (but don't let it give you 'unknown'!)