diff index.php @ 365:2e0a0d93b8c1

Sanitize secure pages scheme.
author Matti Hamalainen <ccr@tnsp.org>
date Tue, 03 Dec 2013 13:13:23 +0200
parents 734781881e47
children 8693052c66a9
--- a/index.php	Tue Dec 03 12:36:58 2013 +0200
+++ b/index.php	Tue Dec 03 13:13:23 2013 +0200
@@ -11,8 +11,8 @@
 cmLocaleInit();
 
 // Switch to https first, if needed
-if (!stCheckHTTPS() && isset($_SERVER["REQUEST_URI"]) &&
-  array_key_exists($_SERVER["REQUEST_URI"], $securePages))
+$isSecurePage = isset($_GET["page"]) && array_key_exists($_GET["page"], $securePages);
+if (!stCheckHTTPS() && $isSecurePage)
 {
   header("Location: https://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]);
   exit;
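Review bot: `$_GET["page"]` reaches `array_key_exists()` without a type check, so a request such as `?page[]=x` passes it an array; depending on the PHP version this raises a warning or a TypeError before the redirect decision is made. Guard it with `$isSecurePage = isset($_GET["page"]) && is_string($_GET["page"]) && array_key_exists($_GET["page"], $securePages);`. Separately, the `Location` header on the context line still uses `$_SERVER["SERVER_NAME"]`, which under some server configurations reflects the client-supplied Host header, and the commit drops the earlier `isset($_SERVER["REQUEST_URI"])` guard. A configured canonical host name would be a safer redirect target if the project has one. The `if` body's closing brace lies outside this hunk.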
@@ -20,13 +20,13 @@
 
 
 // Check for cache-controlled pages
-if (isset($_SERVER["REQUEST_URI"]) &&
-  array_key_exists($_SERVER["REQUEST_URI"], $securePages))
+$noCache = $isSecurePage && $securePages[$_GET["page"]];
+if ($noCache)
   stSetupCacheControl();
 
 // Start output
 cmPrintPageHeader($pageTitle,
-  "  <meta http-equiv=\"Pragma\" content=\"no-cache\" />\n".
+  ($noCache ? "  <meta http-equiv=\"Pragma\" content=\"no-cache\" />\n" : "").
   "  <meta name=\"viewport\" content=\"width=device-width\" />\n");
 
 // Initiate SQL database connection
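Review bot: The value stored under each `$securePages` key now decides whether caching is disabled, but nothing at the `$noCache` assignment says so, and a page listed with a falsy value is redirected to HTTPS yet left cacheable. A comment above the assignment, such as `// $securePages[page] is true when the page must not be cached; false means HTTPS-only`, would make that contract visible. `$securePages` is defined outside this hunk, so the wording should be confirmed against its definition. The unbraced `if ($noCache)` would also be easier to extend safely as `if ($noCache) { stSetupCacheControl(); }`.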