From 8cbeeb09da93c3e6515f532c4e42ca558538ef5d Mon Sep 17 00:00:00 2001
From: friendica
Date: Sat, 6 Sep 2014 03:11:07 -0700
Subject: extra_query_args() restricted to $_GET only. $_REQUEST was adding cookies and this is undesired and potentially a security issue.
---
include/text.php | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'include')
diff --git a/include/text.php b/include/text.php
index 4fe9f9cde..097b02bbc 100644
--- a/include/text.php
+++ b/include/text.php
@@ -2033,13 +2033,14 @@ function normalise_openid($s) {
 return trim(str_replace(array('http://','https://'),array('',''),$s),'/');
 }
-// used in ajax endless scroll request to find out all the args that the master page was viewing
-
+// used in ajax endless scroll request to find out all the args that the master page was viewing.
+// This was using $_REQUEST, but $_REQUEST also contains all your cookies. So we're restricting it
+// to $_GET. If this is used in a post handler, that decision may need to be considered.
 function extra_query_args() {
 $s = '';
- if(count($_REQUEST)) {
- foreach($_REQUEST as $k => $v) {
+ if(count($_GET)) {
+ foreach($_GET as $k => $v) {
 // these are request vars we don't want to duplicate
 if(! in_array($k, array('q','f','zid','page','PHPSESSID'))) {
 $s .= '&' . $k . '=' . $v;
--
cgit v1.2.3
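Review bot: The context line `$s .= '&' . $k . '=' . $v;` still appends each key and value without URL-encoding, so narrowing the source to `$_GET` removes the cookie leak but leaves the returned string open to parameter injection. PHP has already decoded `$_GET`, so a value containing `&`, `=` or `#` becomes extra arguments in the follow-up request, and a quote or angle bracket passes through unchanged to whatever page or script embeds the result (how callers embed it is not visible here). I would change that line to `$s .= '&' . urlencode($k) . '=' . urlencode($v);` and skip or flatten array values such as `?a[]=1`, which otherwise stringify as `Array`. The body of extra_query_args() continues past the end of the hunk, so the return path is not reviewed here.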