Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1616)
+++ branches/2.8.x/CHANGELOG	(revision 1617)
@@ -11,6 +11,8 @@
 ! = Update/Change
 ===============================================================================
 
+22 Feb-2012 Build 1617 Werner v.d.Decken(DarkViper)
+# fixed function SanitizeHttpReferer() in consideration of subdirectories
 18 Feb-2012 Build 1616 Dietmar Woellbrink (Luisehahne)
 ! update INSTALL and UPGRADE instruction to 2.8.3 (Tks to Ruebenwurzel)
 18 Feb-2012 Build 1615 Dietmar Woellbrink (Luisehahne)
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1616)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1617)
@@ -51,5 +51,5 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.3');
-if(!defined('REVISION')) define('REVISION', '1616');
+if(!defined('REVISION')) define('REVISION', '1617');
 if(!defined('SP')) define('SP', '');
Index: branches/2.8.x/wb/framework/initialize.php
===================================================================
--- branches/2.8.x/wb/framework/initialize.php	(revision 1616)
+++ branches/2.8.x/wb/framework/initialize.php	(revision 1617)
@@ -21,27 +21,39 @@
 require_once(dirname(__FILE__).'/globalExceptionHandler.php');
 if(!defined('WB_PATH')) { throw new IllegalFileException(); }
 /* -------------------------------------------------------- */
-//set_include_path(get_include_path() . PATH_SEPARATOR . WB_PATH);
+/**
+ * sanitize $_SERVER['HTTP_REFERER']
+ * @param string $sWbUrl qualified startup URL of current application
+ */
+	function SanitizeHttpReferer($sWbUrl = WB_URL) {
+		$sTmpReferer = '';
+		if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != '') {
+			$aRefUrl = parse_url($_SERVER['HTTP_REFERER']);
+			if ($aRefUrl !== false) {
+				$aRefUrl['host'] = isset($aRefUrl['host']) ? $aRefUrl['host'] : '';
+				$aRefUrl['path'] = isset($aRefUrl['path']) ? $aRefUrl['path'] : '';
+				$aRefUrl['fragment'] = isset($aRefUrl['fragment']) ? '#'.$aRefUrl['fragment'] : '';
+				$aWbUrl = parse_url(WB_URL);
+				if ($aWbUrl !== false) {
+					$aWbUrl['host'] = isset($aWbUrl['host']) ? $aWbUrl['host'] : '';
+					$aWbUrl['path'] = isset($aWbUrl['path']) ? $aWbUrl['path'] : '';
+					if (strpos($aRefUrl['host'].$aRefUrl['path'],
+							   $aWbUrl['host'].$aWbUrl['path']) !== false) {
+						$aRefUrl['path'] = preg_replace('#^'.$aWbUrl['path'].'#i', '', $aRefUrl['path']);
+						$sTmpReferer = WB_URL.$aRefUrl['path'].$aRefUrl['fragment'];
+					}
+					unset($aWbUrl);
+				}
+				unset($aRefUrl);
+			}
+		}
+		$_SERVER['HTTP_REFERER'] = $sTmpReferer;
+	}
 
+
 if (file_exists(WB_PATH.'/framework/class.database.php')) {
-	$sTmpReferer = '';
-	if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != '') {
-	        $tmp0 = parse_url($_SERVER['HTTP_REFERER']);
-       if ($tmp0 !== false) {
-                $tmp0['host'] = isset($tmp0['host']) ? $tmp0['host'] : '';
-                $tmp0['path'] = isset($tmp0['path']) ? $tmp0['path'] : '';
-                $tmp0['fragment'] = isset($tmp0['fragment']) ? '#'.$tmp0['fragment'] : '';
-                $tmp1 = parse_url(WB_URL);
-                if ($tmp1 !== false) {
-                        $tmp1['host'] = isset($tmp1['host']) ? $tmp1['host'] : '';
-                        $tmp1['path'] = isset($tmp1['path']) ? $tmp1['path'] : '';
-                        if (strpos($tmp0['host'].$tmp0['path'], $tmp1['host'].$tmp1['path']) !== false) {
-                                $sTmpReferer = WB_URL.$tmp0['path'].$tmp0['fragment'];
-                        }
-                }
-        }
-	}
-	$_SERVER['HTTP_REFERER'] = $sTmpReferer;
+	// sanitize $_SERVER['HTTP_REFERER']
+	SanitizeHttpReferer(WB_URL);
 	date_default_timezone_set('UTC');
 	require_once(WB_PATH.'/framework/class.database.php');
 
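Review bot: The new `SanitizeHttpReferer($sWbUrl = WB_URL)` never reads its parameter: lines L46 and L53 use the `WB_URL` constant directly, so the documented argument (and the `WB_URL` passed at L84) has no effect and the function cannot be exercised against any other base URL; `$aWbUrl = parse_url($sWbUrl);` and `$sTmpReferer = $sWbUrl.$aRefUrl['path'].$aRefUrl['fragment'];` would make the body match its docblock. At L52 the application path is interpolated into a PCRE pattern unescaped, so any regex metacharacter or `#` in the configured path corrupts the pattern; use `preg_replace('#^'.preg_quote($aWbUrl['path'], '#').'#i', '', $aRefUrl['path'])`. The `strpos(...) !== false` test at L50-L51 accepts the application host/path appearing anywhere in the referer, not only as its prefix, so a referer such as `evil.example/<app-host>/<app-path>/...` (constructed example) still passes; comparing with `=== 0` would anchor the check, and requiring a `/` or end-of-string after the application path would keep sibling directories like `<app-path>2/` from being treated as part of the application. The host comparison is also case-sensitive while the path regex is not, which is worth a short comment or making both case-insensitive with `strcasecmp`/`stripos`.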
