Proposed fix for 0.7.3
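diff --git a/lib/class.wsdl.php b/lib/class.wsdl.php
index f435e54..d3f7034 100644
--- a/lib/class.wsdl.php
+++ b/lib/class.wsdl.php
@@ -743,9 +743,11 @@ class wsdl extends nusoap_base {
        global $HTTP_SERVER_VARS;\r
 \r
                if (isset($_SERVER)) {\r
-                       $PHP_SELF = $_SERVER['PHP_SELF'];\r
+                 // Avoid XSS injection in PHP_SELF\r
+                 $PHP_SELF = substr($_SERVER['PHP_SELF'], 0, (strlen($_SERVER['PHP_SELF']) - strlen($_SERVER['PATH_INFO'])));\r
                } elseif (isset($HTTP_SERVER_VARS)) {\r
-                       $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];\r
+                 // Avoid XSS injection in PHP_SELF\r
+                 $PHP_SELF = substr($HTTP_SERVER_VARS['PHP_SELF'], 0, (strlen($HTTP_SERVER_VARS['PHP_SELF']) - strlen($HTTP_SERVER_VARS['PATH_INFO'])));\r
                } else {\r
                        $this->setError("Neither _SERVER nor HTTP_SERVER_VARS is available");\r
                }\r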
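Review bot: The new `substr(...)` line reads `$_SERVER['PATH_INFO']` without checking it exists, and that key is only present when the request carried extra path info, so on an ordinary WSDL request this raises an undefined-index notice (and `strlen(null)` is deprecated from PHP 8.1); the `$HTTP_SERVER_VARS` branch has the same problem. The length subtraction also silently assumes PATH_INFO is exactly the trailing part of PHP_SELF, whereas `SCRIPT_NAME` already holds the script path without any client-supplied suffix, so `$PHP_SELF = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : $_SERVER['PHP_SELF'];` (and the `$HTTP_SERVER_VARS` equivalent) avoids both issues. Trimming the input is not a substitute for output escaping: wherever `$PHP_SELF` is later written out — the rest of this method lies outside the hunk, presumably emitting it into the generated WSDL or HTML — it should still go through `htmlspecialchars()`. The identical hunk in lib/nusoap.php needs the same treatment.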
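diff --git a/lib/nusoap.php b/lib/nusoap.php
index a6dd21d..2860730 100644
--- a/lib/nusoap.php
+++ b/lib/nusoap.php
@@ -5222,9 +5222,11 @@ class wsdl extends nusoap_base {
        global $HTTP_SERVER_VARS;\r
 \r
                if (isset($_SERVER)) {\r
-                       $PHP_SELF = $_SERVER['PHP_SELF'];\r
+                 // Avoid XSS injection in PHP_SELF\r
+                 $PHP_SELF = substr($_SERVER['PHP_SELF'], 0, (strlen($_SERVER['PHP_SELF']) - strlen($_SERVER['PATH_INFO'])));\r
                } elseif (isset($HTTP_SERVER_VARS)) {\r
-                       $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];\r
+                 // Avoid XSS injection in PHP_SELF\r
+                 $PHP_SELF = substr($HTTP_SERVER_VARS['PHP_SELF'], 0, (strlen($HTTP_SERVER_VARS['PHP_SELF']) - strlen($HTTP_SERVER_VARS['PATH_INFO'])));\r
                } else {\r
                        $this->setError("Neither _SERVER nor HTTP_SERVER_VARS is available");\r
                }\r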