// Policy switch for the register_globals guard further down in this file:
// when it is truthy, a request that tried to inject an ewiki variable is
// terminated with the "Forbidden" message. The visible code does not
// terminate the request when the value is falsy; the offending variable is
// still unset and logged.
define("EWIKI_DIE_FOR_SECURITY", 1);
7 This tries to fight against variables set from outside (for PHP
8 versions where register_globals is still activated). It only checks
9 for variables used by ewiki (whose names start with "$ewiki_").
10 Warnings are written into the system log, if someone tries to insert
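// Guard against request-supplied globals on PHP builds that still honour
// register_globals: every request parameter whose name starts with "ewiki"
// and that exists as a global is unset and reported.
//
// Kept in PHP 4 / 5.3 compatible syntax on purpose (array(), no short
// syntax): the directive only exists on those versions, so newer syntax
// would stop the guard from parsing exactly where it is needed.
//
// ini_get() can return the literal configured string ("On", "on") as well
// as "1", so a comparison with "1" alone can leave the guard switched off
// while the directive is active. A missing directive yields false, which
// normalises to "" and skips the guard.
//
// NOTE(review): isset($GLOBALS[...]) cannot tell an injected value from one
// that ewiki's own configuration assigned. This presumably has to run before
// any $ewiki_* configuration is set; confirm the include order.
// NOTE(review): only $_REQUEST is scanned. With register_globals on, upload
// fields can presumably create globals as well and would not be seen here;
// confirm whether $_FILES needs the same treatment.
if (in_array(strtolower(trim((string) ini_get("register_globals"))), array("1", "on", "yes", "true"), true)) {

    // Initialised here, after request variables were registered, so a
    // request parameter of the same name cannot preset the flag.
    $uu_security_leak = 0;

    define_syslog_variables();
    openlog("ewiki", LOG_PID, LOG_USER);

    foreach ($_REQUEST as $varname => $value) {

        if (isset($GLOBALS[$varname]) && (substr((string) $varname, 0, 5) === "ewiki")) {

            $uu_security_leak = 1;

            unset($GLOBALS[$varname]);

            // Parameters sent as "name[]=..." arrive as arrays, which
            // rawurlencode() cannot take; flatten them first. The value is
            // capped so one request cannot flood the three log destinations.
            $uu_shown = is_scalar($value) ? (string) $value : print_r($value, true);

            // Both the parameter name and its value are client-controlled.
            // Encoding both keeps line breaks and control characters out of
            // the log line; ordinary names are left unchanged by the encoding.
            $err_msg = "ewiki security alert: ".$_SERVER["REMOTE_ADDR"].":".$_SERVER["REMOTE_PORT"]
                ." tried to set the variable \$".rawurlencode((string) $varname)
                ." to '".rawurlencode(substr($uu_shown, 0, 512))."'. Please deactivate register_globals!";
            syslog(LOG_CRIT, $err_msg);
            error_log($err_msg, 0);

            // Message type 3 appends to the file verbatim and adds no line
            // terminator, so one is supplied here to keep entries separate.
            // NOTE(review): /tmp/ewiki.log is a fixed name in a directory that
            // is usually writable by every local user; a log location owned
            // by the web server account would be safer. Confirm with the
            // deployment.
            error_log($err_msg."\n", 3, "/tmp/ewiki.log");
        }
    }

    if ($uu_security_leak) {

        // Abort only when the site policy constant asks for it; otherwise
        // the request continues with the injected variables already removed.
        if (EWIKI_DIE_FOR_SECURITY) {
            die("<h1>Forbidden</h1>\nERROR #0257: For security reasons your request has been cancelled (and logged).");
        }
    }
}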