Allow filtering of globals

diff --git a/docs/gnuworld/noreg/index.php b/docs/gnuworld/noreg/index.php
index 4f1b0bf29954d1be171884a1deffb4d7bb421f3b..6431359e4dd31443689c259633bc89a42e46f6f0 100755 (executable)
--- a/docs/gnuworld/noreg/index.php
+++ b/docs/gnuworld/noreg/index.php
@@ -1,8 +1,7 @@
 <?
-/* $Id: index.php,v 1.10 2004/07/25 03:31:52 nighty Exp $ */
-       $min_lvl=800;
        require("../../../php_includes/cmaster.inc");
        std_connect();
+       $min_lvl=800;
         $user_id = std_security_chk($auth);
         $admin = std_admin();
        $cTheme = get_theme_info();
@@ -136,5 +135,3 @@ For CService Admins use <b>ONLY</b>.
 ?>
 </body>
 </html>
-
-

diff --git a/php_includes/cmaster.inc.dist b/php_includes/cmaster.inc.dist
index c2a7029bb7402e100153f8c51bfe3b26ae8f58b8..1aed14c3975f5cc7e2f33b9eaba1f5cd0e139d2a 100644 (file)
--- a/php_includes/cmaster.inc.dist
+++ b/php_includes/cmaster.inc.dist
@@ -38,6 +38,9 @@ if (file_exists("../../vendor/autoload.php")) {
     die;
 }
 
+define("REGISTER_GLOBALS_BLACKLIST", array("min_lvl", "edit_lvl"));
+define("REGISTER_GLOBALS_COOKIE_WHITELIST", array("auth", "sauth", "totp", "csess", "rlogin", "sepoch", "cstheme"));
+
 // Ugly hack, but this code will never be fixed not to require register_globals which was
 // deprecated in PHP 5.4.
 function register_global_array( $sg ) {
@@ -54,9 +57,17 @@ function register_global_array( $sg ) {
   Global ${$superGlobals[$sg]};
 
   foreach( ${$superGlobals[$sg]} as $key => $val ) {
+    if (in_array(strtolower($key), REGISTER_GLOBALS_BLACKLIST)) {
+      continue;
+    }
     if ($superGlobals[$sg] == "_GET" || $superGlobals[$sg] == "_POST") {
       $val = pg_escape_string($val);
+    } elseif ($superGlobals[$sg] == "__COOKIE") {
+      if (!in_array(strtolower($key), REGISTER_GLOBALS_COOKIE_WHITELIST)) {
+        continue;
+      }
     }
+
     $GLOBALS[$key]  = $val;
   }
 }