author Willi Eggeling <mail@wje-online.de> 2017-08-26 11:27:18 +0200
committer Willi Eggeling <mail@wje-online.de> 2017-08-26 11:27:18 +0200
commit 94c035ff717c4c836bb76109b013ffaa78f64ef1
tree f78c178d2e84253cecb8387a4c33514331939692
parent de901736a663934c1b67f09f1d586da665f0f036
removed doc and code references to magic quotes

- removed all references to magic quotes
- magic quotes are not supported on PHP >= 5.4 (https://secure.php.net/manual/en/security.magicquotes.php)
- Shaarli does not support PHP < 5.5
-rw-r--r-- doc/md/Security.md 3
-rw-r--r-- index.php 9
2 files changed, 0 insertions, 12 deletions
diff --git a/doc/md/Security.md b/doc/md/Security.md
index 36f629af..65db4225 100644
--- a/doc/md/Security.md
+++ b/doc/md/Security.md
@@ -1,9 +1,6 @@
1## Client browser 1## Client browser
2- Shaarli relies on `HTTP_REFERER` for some functions (like redirects and clicking on tags). If you have disabled or masqueraded `HTTP_REFERER` in your browser, some features of Shaarli may not work 2- Shaarli relies on `HTTP_REFERER` for some functions (like redirects and clicking on tags). If you have disabled or masqueraded `HTTP_REFERER` in your browser, some features of Shaarli may not work
3 3
4## PHP
5- `magic_quotes` is an horrible option of PHP which is often activated on servers. No serious developer should rely on this horror to secure their code against SQL injections. You should disable it (and Shaarli expects this option to be disabled). Nevertheless, I have added code to cope with `magic_quotes` on, so you should not be bothered even on crappy hosts.
6
7## Server and sessions 4## Server and sessions
8- Directories are protected using `.htaccess` files 5- Directories are protected using `.htaccess` files
9- Forms are protected against XSRF (Cross-site requests forgery): 6- Forms are protected against XSRF (Cross-site requests forgery):
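Review bot: Dropping the whole `## PHP` section (old lines 4-6) leaves Security.md with no statement about the PHP runtime, and the reason the `magic_quotes` advice is obsolete is recorded only in the commit message. Consider keeping the heading with a one-line note of the minimum supported PHP version, so a reader of the security page can tell that the old guidance no longer applies rather than that it was overlooked.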
diff --git a/index.php b/index.php
index 76526bd5..b1d0c994 100644
--- a/index.php
+++ b/index.php
@@ -133,15 +133,6 @@ date_default_timezone_set($conf->get('general.timezone', 'UTC'));
133 133
134ob_start(); // Output buffering for the page cache. 134ob_start(); // Output buffering for the page cache.
135 135
136// In case stupid admin has left magic_quotes enabled in php.ini:
137if (get_magic_quotes_gpc())
138{
139 function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }
140 $_POST = array_map('stripslashes_deep', $_POST);
141 $_GET = array_map('stripslashes_deep', $_GET);
142 $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
143}
144
145// Prevent caching on client side or proxy: (yes, it's ugly) 136// Prevent caching on client side or proxy: (yes, it's ugly)
146header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); 137header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
147header("Cache-Control: no-store, no-cache, must-revalidate"); 138header("Cache-Control: no-store, no-cache, must-revalidate");
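Review bot: The guard removed at old lines 136-143 was the only visible place where `$_POST`, `$_GET` and `$_COOKIE` were normalised, and nothing in the context around `ob_start()` shows a PHP version check, so the deletion is only safe if an earlier part of index.php refuses to run on a PHP version that still has magic quotes. Please confirm that such a check runs before line 133; otherwise a host with `magic_quotes_gpc` enabled would silently store slash-escaped input. Since `stripslashes_deep()` was defined inside the removed block, also confirm that nothing else in the tree calls it.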