[Mapbender-commits] r6632 - trunk/mapbender/http/frames
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Mon Jul 26 05:39:54 EDT 2010
Author: verenadiewald
Date: 2010-07-26 09:39:54 +0000 (Mon, 26 Jul 2010)
New Revision: 6632
Modified:
trunk/mapbender/http/frames/index.php
trunk/mapbender/http/frames/login.php
Log:
validate $_SERVER['QUERY_STRING'], remove name and password, send query_string to map.php for GET params
Modified: trunk/mapbender/http/frames/index.php
===================================================================
--- trunk/mapbender/http/frames/index.php 2010-07-26 09:35:41 UTC (rev 6631)
+++ trunk/mapbender/http/frames/index.php 2010-07-26 09:39:54 UTC (rev 6632)
@@ -95,10 +95,9 @@
}
$currentApplication = new gui($gui_id);
echo $currentApplication->toHtml();
+
$mapPhpParameters = htmlentities($urlParameters, ENT_QUOTES, CHARSET);
-$mapPhpParameters .= "&ZOOM=".$_REQUEST["ZOOM"];
-$mapPhpParameters .= "&CRS=".$_REQUEST["CRS"];
-$mapPhpParameters .= "&mb_myBBOX=".$_REQUEST["mb_myBBOX"];
+$mapPhpParameters .= "&".htmlentities($_SERVER["QUERY_STRING"]);
echo "<script type='text/javascript' src='../javascripts/map.php?".$mapPhpParameters."'></script>";
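Review bot: The added `htmlentities($_SERVER["QUERY_STRING"])` call uses the default flags, which do not encode single quotes in the PHP versions current at this revision, yet the result is written into the single-quoted `src='...'` attribute on the following line. The line above already passes `ENT_QUOTES, CHARSET`, and the new line should match it: `$mapPhpParameters .= "&".htmlentities($_SERVER["QUERY_STRING"], ENT_QUOTES, CHARSET);`. Appending the whole query string also forwards every request parameter to map.php instead of the three keys named before, so copying only an allow-list of expected keys would be tighter. The statements belong to code that starts outside the hunk.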
Modified: trunk/mapbender/http/frames/login.php
===================================================================
--- trunk/mapbender/http/frames/login.php 2010-07-26 09:35:41 UTC (rev 6631)
+++ trunk/mapbender/http/frames/login.php 2010-07-26 09:39:54 UTC (rev 6632)
@@ -191,13 +191,11 @@
else {
$myURL = "Location: http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])."/index.php?".strip_tags (SID)."&gui_id=".$arrayGUIs[0];
}
- # params for the initial call
- $myURL .= "&ZOOM=".$_REQUEST["ZOOM"];
- $myURL .= "&CRS=".$_REQUEST["CRS"];
+ # remove name and password from url, because url params are parsed later and written in javascript
+ $cleanUrl = preg_replace("/name=[^&]*&/","",$_SERVER["QUERY_STRING"]);
+ $cleanUrl = preg_replace("/password=[^&]*&/","",$cleanUrl);
- if(isset($_REQUEST["mb_myBBOX"])){
- $myURL .= "&mb_myBBOX=".$_REQUEST["mb_myBBOX"];
- }
+ $myURL .= "&".$cleanUrl;
session_write_close();
header ($myURL);
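Review bot: Both added `preg_replace` patterns require a trailing `&`, so a `name=` or `password=` parameter that comes last in the query string is not removed and the password is carried into the redirect URL. The patterns are also unanchored, so `name=` matches inside longer keys such as `username=` and leaves a corrupted parameter behind. Parsing the query instead of pattern-matching it covers both cases: `parse_str($_SERVER["QUERY_STRING"], $params);`, `unset($params["name"], $params["password"]);`, `$myURL .= "&".http_build_query($params);`. The enclosing if/else block starts outside the hunk, so the other parts of `$myURL` are not reviewed here.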