
BugTrack/345:ページ名に相対パス(../や/.など)を使用できないように
authorarino <arino>
Mon, 26 May 2003 13:55:37 +0000 (22:55 +0900)
committerarino <arino>
Mon, 26 May 2003 13:55:37 +0000 (22:55 +0900)
func.php

index 5ced5c5..2da015e 100644 (file)
--- a/func.php
+++ b/func.php
@@ -2,7 +2,7 @@
 /////////////////////////////////////////////////
 // PukiWiki - Yet another WikiWikiWeb clone.
 //
-// $Id: func.php,v 1.40 2003/05/17 11:08:26 arino Exp $
+// $Id: func.php,v 1.41 2003/05/26 13:55:37 arino Exp $
 //
 
 // Ê¸»úÎó¤¬InterWikiName¤«¤É¤¦¤«
@@ -17,7 +17,8 @@ function is_pagename($str)
 {
        global $BracketName,$WikiName;
        
-       $is_pagename = (!is_interwiki($str) and preg_match("/^(?!\.{0,}\/)$BracketName$(?<!\/$)/",$str));
+       $is_pagename = (!is_interwiki($str) and preg_match("/^(?!\/)$BracketName$(?<!\/$)/",$str)
+               and !preg_match('/(^|\/)\.{1,2}(\/|$)/',$str));
        
        if (defined('SOURCE_ENCODING'))
        {
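Review bot: The `$` anchor in the rewritten pattern on the `$is_pagename` line still matches before a trailing newline, so a name like `"Page\n"` can pass the `^…$` check (the added `.`/`..` component test does not reject it either); appending the `D` modifier, `preg_match("/^(?!\/)$BracketName$(?<!\/$)/D",$str)`, pins `$` to the real end of the string. Whether that matters depends on what `$BracketName` can match, and it is defined outside this hunk. The added rejection of `.` and `..` components itself looks right, since `\.{1,2}` must be bounded by `/` or by the ends of the string on both sides. The body of is_pagename continues past the hunk.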
@@ -164,7 +165,61 @@ function auto_template($page)
        }
        return $body;
 }
-
+// ¸¡º÷¸ì¤òŸ³«¤¹¤ë
+function get_search_words($words,$special=FALSE)
+{
+       $quote_func = create_function('$str',$special ?
+               'return preg_quote($str,"/");' :
+               'return preg_quote(htmlspecialchars($str),"/");'
+       );
+       
+       $retval = array();
+       // Perl¥á¥â - Àµ¤·¤¯¥Ñ¥¿¡¼¥ó¥Þ¥Ã¥Á¤µ¤»¤ë
+       // http://www.din.or.jp/~ohzaki/perl.htm#JP_Match
+       $eucpre = $eucpost = '';
+       if (SOURCE_ENCODING == 'EUC-JP')
+       {
+               $eucpre = '(?<!\x8F)';
+               // # JIS X 0208 ¤¬ 0ʸ»ú°Ê¾å³¤¤¤Æ # ASCII, SS2, SS3 ¤Þ¤¿¤Ï½ªÃ¼
+               $eucpost = '(?=(?:[\xA1-\xFE][\xA1-\xFE])*(?:[\x00-\x7F\x8E\x8F]|\z))';
+       }
+       if (!function_exists('mb_convert_case'))
+       {
+               foreach ($words as $word)
+               {
+                       $retval[$word] = $eucpre.$quote_func($word).$eucpost;
+               }
+               return $retval;
+       }       
+       foreach ($words as $word)
+       {
+               // ±Ñ¿ô»ú¤ÏȾ³Ñ,¥«¥¿¥«¥Ê¤ÏÁ´³Ñ,¤Ò¤é¤¬¤Ê¤Ï¥«¥¿¥«¥Ê¤Ë
+               $word_zk = mb_convert_kana($word,'aKCV');
+               $chars = array();
+               for ($pos = 0; $pos < mb_strlen($word_zk);$pos++)
+               {
+                       $char = mb_substr($word_zk,$pos,1);
+                       $arr = array($quote_func($char));
+                       if (strlen($char) == 1) // ±Ñ¿ô»ú
+                       {
+                               $_char = strtoupper($char); // Âçʸ»ú
+                               $arr[] = $quote_func($_char);
+                               $arr[] = $quote_func(mb_convert_kana($_char,"A")); // Á´³Ñ
+                               $_char = strtolower($char); // ¾®Ê¸»ú
+                               $arr[] = $quote_func($_char);
+                               $arr[] = $quote_func(mb_convert_kana($_char,"A")); // Á´³Ñ
+                       }
+                       else // ¥Þ¥ë¥Á¥Ð¥¤¥Èʸ»ú
+                       {
+                               $arr[] = $quote_func(mb_convert_kana($char,"c")); // ¤Ò¤é¤¬¤Ê
+                               $arr[] = $quote_func(mb_convert_kana($char,"k")); // È¾³Ñ¥«¥¿¥«¥Ê
+                       }
+                       $chars[] = '(?:'.join('|',array_unique($arr)).')';
+               }
+               $retval[$word] = $eucpre.join('',$chars).$eucpost;
+       }
+       return $retval;
+}
 // ¸¡º÷
 function do_search($word,$type='AND',$non_format=FALSE)
 {
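Review bot: The capability check `if (!function_exists('mb_convert_case'))` probes a function this block never calls, while the guarded path calls `mb_convert_kana`, `mb_strlen` and `mb_substr`; probing one of those instead, e.g. `if (!function_exists('mb_convert_kana'))`, makes the guard match the code it protects. In that fallback branch the word is emitted quoted but without case variants, and the later do_search hunk changes `preg_grep("/$key/i",$source)` to `preg_grep("/$key/",$source)`, so on installations without mbstring search would quietly become case-sensitive; the fallback could emit the upper- and lower-case forms as alternatives the way the mbstring branch does, or the caller could keep `/i` for that case. Separately, `create_function` compiles its string argument at runtime; both bodies here are literal constants, so a comment such as `// bodies must stay literal strings; never interpolate caller data here` would stop a future edit from turning `$special` into something that reaches the compiled code.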
@@ -175,7 +230,7 @@ function do_search($word,$type='AND',$non_format=FALSE)
        $retval = array();
 
        $b_type = ($type == 'AND'); // AND:TRUE OR:FALSE
-       $keys = preg_split('/\s+/',preg_quote($word,'/'),-1,PREG_SPLIT_NO_EMPTY);
+       $keys = get_search_words(preg_split('/\s+/',$word,-1,PREG_SPLIT_NO_EMPTY));
        
        $_pages = get_existpages();
        $pages = array();
@@ -197,7 +252,7 @@ function do_search($word,$type='AND',$non_format=FALSE)
                $b_match = FALSE;
                foreach ($keys as $key)
                {
-                       $tmp = preg_grep("/$key/i",$source);
+                       $tmp = preg_grep("/$key/",$source);
                        $b_match = (count($tmp) > 0);
                        if ($b_match xor $b_type)
                        {
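Review bot: `preg_grep("/$key/",$source)` returns FALSE rather than an array when PCRE fails on the pattern, and as far as I recall `count()` of a non-array value is 1 on the PHP versions of this era, so a failed grep on the next line would be recorded as a match; `$b_match = is_array($tmp) && count($tmp) > 0;` keeps the AND/OR logic honest. This is pre-existing behaviour, but the patterns now come from get_search_words, which builds a per-character alternation for every word, so a backtrack-limit failure is more plausible than with the old plain quoted string. The enclosing loop and the rest of do_search continue outside the hunk.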
@@ -540,17 +595,13 @@ http://ns1.php.gr.jp/pipermail/php-users/2003-January/012742.html
 [PHP-users 12736] null byte attack
 
 2003-05-16: magic quotes gpc¤ÎÉü¸µ½èÍý¤òÅý¹ç
+2003-05-21: Ï¢ÁÛÇÛÎó¤Î¥­¡¼¤Ïbinary safe
 */ 
 function sanitize($param)
 {
        if (is_array($param))
        {
-               $result = array();
-               foreach ($param as $key=>$value)
-               {
-                       $key = str_replace("\0",'',$key);
-                       $result[$key] = sanitize($value);
-               }
+               $result = array_map('sanitize',$param);
        }
        else
        {
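Review bot: `array_map('sanitize',$param)` passes array keys through untouched, so the `\0` stripping the removed loop applied to keys is gone; the header note says associative-array keys are binary safe, which holds for PHP's own array handling, but only as long as no consumer later uses a key as a filename or passes it to a function that treats strings as C strings (the null-byte issue the comment block above references). If keys are only ever used as array indexes this is fine; otherwise a comment such as `// keys are intentionally not filtered: they are never used to build paths` would record the assumption, or the key stripping could be kept by mapping keys and values separately and reassembling with `array_combine`. The scalar branch of sanitize starts at the `else` and continues outside the hunk.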