Improved register-globals handling

root 16 years ago
parent 72c9fa43d1
commit 15ffc7821a

@ -16,7 +16,7 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<?
$query = "select * from `orginfo` where `id`='".intval($_REQUEST[orgid])."'";
$query = "select * from `orginfo` where `id`='".intval($_REQUEST['orgid'])."'";
$row = mysql_fetch_assoc(mysql_query($query));
?>
<form method="post" action="account.php">
@ -26,13 +26,13 @@
</tr>
<tr>
<td class="DataTD"><?=_("Domain")?>:</td>
<td class="DataTD"><input type="text" name="domainname" value="<?=$_SESSION[_config][domain]?>"></td>
<td class="DataTD"><input type="text" name="domainname" value="<?=$_SESSION['_config']['domain']?>"></td>
</tr>
<tr>
<td class="DataTD" colspan="2"><input type="submit" name="process" value="<?=_("Add")?>"></td>
</tr>
</table>
<input type="hidden" name="oldid" value="<?=$id?>">
<input type="hidden" name="orgid" value="<?=intval($_REQUEST[orgid])?>">
<input type="hidden" name="orgid" value="<?=intval($_REQUEST['orgid'])?>">
</form>
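Review bot: The new `domainname` input still echoes `$_SESSION['_config']['domain']` into a double-quoted attribute without escaping, so a value containing `"` or `<` would break out of the attribute. The quoting fix is a good moment to wrap it as `<?=sanitizeHTML($_SESSION['_config']['domain'])?>`, using the helper the login template in this same commit already calls. Whether that session value can carry user-supplied text is not visible here, so treat this as a hardening point to confirm. The hidden `oldid` field prints `$id` the same way. Both `$_REQUEST['orgid']` reads also lack the `array_key_exists` guard the other file gains, so a request without `orgid` still raises an undefined-index notice before `intval()` turns it into 0.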

@ -15,7 +15,7 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<?=$_SERVER['SSL_CLIENT_M_SERIAL']?>
<? if($_SESSION['_config']['hostname'] == $_SESSION['_config']['securehostname']) { ?>
<p><?=_("Warning! You've attempted to log into the system with a client certificate, but the login failed due to the certificate being expired, revoked, disabled for certificate login, or simply not valid for this site. You can login using your Email/Pass Phrase to get a new certificate, by clicking on 'Normal Login' to the right of your screen.")?></p>
<? } else { ?>
@ -30,11 +30,11 @@ h1 {font-size:1.9em;text-align:center;}
</style>
<div class='box2'>
<div class='box'>
<form action='index.php' method='post'<? if($_REQUEST['noauto'] == 1) echo " autocomplete='off'"; ?>>
<? if($_REQUEST['noauto'] == 1) { ?><input type="hidden" name="noauto" value="1"><? } ?>
<form action='index.php' method='post'<? if(array_key_exists("noauto",$_REQUEST) && $_REQUEST['noauto'] == 1) echo " autocomplete='off'"; ?>>
<? if(array_key_exists("noauto",$_REQUEST) && $_REQUEST['noauto'] == 1) { ?><input type="hidden" name="noauto" value="1"><? } ?>
<h1><?=_("Login")?></h1>
<p class='smalltext'><?=_("Warning! This site requires cookies to be enabled to ensure your privacy and security. This site uses session cookies to store temporary values to prevent people from copying and pasting the session ID to someone else exposing their account, personal details and identity theft as a result.")?></p>
<label for="email"><?=_("Email Address")?>:</label><input type='text' name="email" value="<?=sanitizeHTML($_REQUEST['email'])?>" /><br />
<label for="email"><?=_("Email Address")?>:</label><input type='text' name="email" value="<?=sanitizeHTML(array_key_exists("email",$_REQUEST)?$_REQUEST['email']:"")?>" /><br />
<label for="pword"><?=_("Pass Phrase")?>:</label><input type='password' name='pword' /><br />
<input type='submit' name="process" value="<?=_("Login")?>" /><br /><br />
<a href='https://www.cacert.org/index.php?id=4'>Password Login</a> -
@ -46,7 +46,7 @@ h1 {font-size:1.9em;text-align:center;}
</div>
</div>
<? }
if($_SESSION['_config']['oldlocation']!="")
if(array_key_exists("oldlocation",$_SESSION['_config']) && $_SESSION['_config']['oldlocation']!="")
{
echo "<br/><center>If you want to use certificate login instead of username+password, please <a href='https://secure.cacert.org/".sanitizeHTML($_SESSION['_config']['oldlocation'])."'>click here</a></center>";
}
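Review bot: `<?=$_SERVER['SSL_CLIENT_M_SERIAL']?>` at the top of the template prints a server variable straight into the page with neither the `array_key_exists` guard this commit adds elsewhere nor `sanitizeHTML()`, and it looks like leftover debugging output rather than intended page content. On a request without a client certificate the key is presumably absent, which brings back the undefined-index notice the commit is removing. If the serial is meant to be shown, `<?=array_key_exists('SSL_CLIENT_M_SERIAL',$_SERVER)?sanitizeHTML($_SERVER['SSL_CLIENT_M_SERIAL']):''?>` keeps it consistent with the `email` field; otherwise drop the line. Whether this line is new in the commit cannot be told from the rendered hunk.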
