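/**
 * Route a WysiwygPro request: map the `wproroutelink` query parameter to a
 * PHP file below WPRO_DIR, include it, and terminate the script.
 *
 * The parameter is attacker-controlled, so the include target is constrained
 * in layers:
 *   1. refuse to route at all if IN_WPRO is already defined (prevents
 *      out-of-order execution of WysiwygPro scripts);
 *   2. strip every character except A-Z, a-z, 0-9, "_" and "-";
 *   3. turn "-" into "/" and append a fixed ".php" suffix;
 *   4. require wproFilesystem::folderNameOK() to accept the path and the
 *      file to exist below WPRO_DIR.
 * What remains reachable is any ".php" file under WPRO_DIR whose path is
 * made only of the characters kept in step 2.
 *
 * If $_GET is missing or empty while a query string is present (some
 * frameworks clear $_GET), it is rebuilt from $_SERVER['QUERY_STRING'] first.
 * Only plain `key=value` pairs whose key matches [a-z0-9_-]+ are restored;
 * values are URL-decoded, keys are not.
 *
 * Side effects: may populate $_GET; resets the globals $EDITOR, $DIALOG,
 * $WPRO_SESS and $wpro_inDialog to NULL; defines WPRO_IN_ROUTE and
 * WPRO_ALLOW_GLOBALS; calls exit after a successful include.
 *
 * @return void Returns normally only when no route was requested or the
 *              requested file was rejected / not found.
 */
function processRequests() {
	if (isset($_SERVER['QUERY_STRING']) && empty($_GET) && strlen($_SERVER['QUERY_STRING']) > 0) {
		// We might be in a framework such as CodeIgniter that deletes the $_GET vars:
		// re-create $_GET from the raw query string.
		$matches = array();
		preg_match_all('#(^|[\\?&])([a-z0-9\\-_]+)=([^&]*)#si', $_SERVER['QUERY_STRING'], $matches, PREG_SET_ORDER);

		// WysiwygPro strips slashes from $_GET when magic_quotes_gpc is on, so the
		// rebuilt values must carry the slashes PHP itself would have added.
		// Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() no longer
		// exists in PHP 8, where calling it unconditionally is a fatal error; only
		// consult it on versions where it can still return true.
		$magicQuotes = version_compare(PHP_VERSION, '5.4.0', '<') && get_magic_quotes_gpc();

		foreach ($matches as $pair) {
			$value = urldecode($pair[3]);
			$_GET[$pair[2]] = $magicQuotes ? addslashes($value) : $value;
		}
	}

	// Get the requested file. PHP turns `wproroutelink[]=x` into an array; the
	// string functions below would then build the bogus path "Array.php", so
	// anything that is not a string is treated as "no route requested".
	$req_path = (isset($_GET['wproroutelink']) && is_string($_GET['wproroutelink'])) ? $_GET['wproroutelink'] : '';
	if (empty($req_path)) {
		return;
	}

	$wpro_path = WPRO_DIR;

	// Cannot include if IN_WPRO is defined, for security purposes.
	// This prevents out-of-order execution attacks and makes this process no more
	// dangerous than someone browsing the WysiwygPro directory.
	if (defined('IN_WPRO')) {
		exit('WysiwygPro. Route request could not be performed. Please ensure that the WysiwygPro class (or any other WysiwygPro scripts) are included AFTER the call to wproRoute::processRequests().');
	}

	// Allow-list filter: all valid WPro route names consist of these characters
	// only. Dots, slashes, backslashes and NUL bytes are dropped here, so the
	// request itself cannot contribute "." or ".." path segments.
	$req_path = preg_replace("/[^A-Za-z0-9_\\-]/si", '', $req_path);

	// Create the relative path: "-" is the route separator, the suffix is fixed.
	$req_path = str_replace('-', '/', $req_path) . '.php';

	// Extra out-of-order execution protection, kept as defence in depth.
	// NOTE(review): after the filter above the only dot in $req_path is the
	// appended ".php", so none of these multi-dot suffixes can match as written.
	if (stristr($req_path, '.class.php') || stristr($req_path, '.inc.php') || stristr($req_path, '.tpl.php')) {
		exit;
	}

	// Initiate the global vars used by WPro so an included script never sees
	// values left behind by the parent application (or by register_globals).
	global $EDITOR, $DIALOG, $WPRO_SESS, $wpro_inDialog;
	$EDITOR = NULL;
	$DIALOG = NULL;
	$WPRO_SESS = NULL;
	$wpro_inDialog = NULL;

	if (!defined('WPRO_IN_ROUTE')) {
		define('WPRO_IN_ROUTE', true);
	}

	// Deleting globals might break the parent application, so routed scripts are
	// told to leave them alone; this relies on the parent application being
	// secure. It is acceptable because the only globals WPro uses were reset above.
	if (!defined('WPRO_ALLOW_GLOBALS')) {
		define('WPRO_ALLOW_GLOBALS', true);
	}

	// Final gate before the include: the path must pass folderNameOK()
	// (presumably a traversal / bad-name check; its implementation is not
	// visible here, confirm) and must be an existing regular file below WPRO_DIR.
	include_once $wpro_path . 'core/libs/wproFilesystem.class.php';
	$fs = new wproFilesystem();
	if ($fs->folderNameOK($req_path) && is_file($wpro_path . $req_path)) {
		include_once $wpro_path . $req_path;
		exit;
	}
}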