Security fix to my last commit.

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index df3c81f0953b0506e67f791408cabff32e3e219f..81911f1f1f46765c05838c049fb8c42c87ff9b5d 100644 (file)
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -19,6 +19,11 @@ Legend:
 ! -> Note
 $ -> Affected files
 
+27-Feb-2009 Janusz Dobrowolski
+# Security fix to my last commit.
+$ /frontaccounting.php
+  /includes/lang/language.php
+
 25-Feb-2009 Joe Hunt
 ! Improved layout
 $ /inventory/prices.php

diff --git a/frontaccounting.php b/frontaccounting.php
index df1ff02cfdcdb15bd5ada726c72b18b3aa2534fd..7e2201882a74b9f954ca64cfa97c8f69c5df83c4 100644 (file)
--- a/frontaccounting.php
+++ b/frontaccounting.php
@@ -9,6 +9,8 @@
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
     See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
 ***********************************************************************/
+if (!isset($path_to_root) || isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
+       die("Restricted access");
        include_once($path_to_root . '/applications/application.php');
        include_once($path_to_root . '/applications/customers.php');
        include_once($path_to_root . '/applications/suppliers.php');

diff --git a/includes/lang/language.php b/includes/lang/language.php
index 059901cfc66cfee89278b72f929ea583d6973b3e..0727222cd09a6338c3ea56ec0c82977815a0bea3 100644 (file)
--- a/includes/lang/language.php
+++ b/includes/lang/language.php
@@ -9,6 +9,9 @@
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
     See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
 ***********************************************************************/
+// Prevent register_globals vulnerability
+if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
+       die("Restricted access");
 include_once($path_to_root . "/lang/installed_languages.inc");
 include_once($path_to_root . "/includes/lang/gettext.php");