From 058f8a11687f979e597c6f32b1836535ba5b4b88 Mon Sep 17 00:00:00 2001
From: ahaber <haber@se-rwth.de>
Date: Tue, 29 Apr 2014 11:05:23 +0200
Subject: [PATCH 1/4] fixed XSS for non existing bib files

---
 bibtexbrowser.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index e4a1e95..edf2475 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
@@ -238,15 +238,15 @@ function _zetDB($bibtex_filenames) {
 
   // ---------------------------- HANDLING unexistent files
   foreach(explode(MULTIPLE_BIB_SEPARATOR, $bibtex_filenames) as $bib) {
-  
+    $saveBib = htmlEntities($bib, ENT_QUOTES);
     // get file extension to only allow .bib files
-    $ext = pathinfo($bib, PATHINFO_EXTENSION);
+    $ext = pathinfo($saveBib, PATHINFO_EXTENSION);
     // this is a security protection
-    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0)) {
+    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($saveBib) || strcasecmp($ext, 'bib') != 0)) {
 
      // to automate dectection of faulty links with tools such as webcheck
      header('HTTP/1.1 404 Not found');
-     die('<b>the bib file '.$bib.' does not exist !</b>');
+     die('<b>the bib file '.$saveBib.' does not exist !</b>');
     }
   } // end for each
 

From 0c7bbef30c2745a8d00691b68c751a5e04558862 Mon Sep 17 00:00:00 2001
From: ahaber <haber@se-rwth.de>
Date: Tue, 29 Apr 2014 11:17:12 +0200
Subject: [PATCH 2/4] comment + more reasonable variable name

---
 bibtexbrowser.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index edf2475..2dddb8c 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
@@ -238,15 +238,16 @@ function _zetDB($bibtex_filenames) {
 
   // ---------------------------- HANDLING unexistent files
   foreach(explode(MULTIPLE_BIB_SEPARATOR, $bibtex_filenames) as $bib) {
-    $saveBib = htmlEntities($bib, ENT_QUOTES);
+    // escape $bib to prevent XSS
+  	$escapedBib = htmlEntities($bib, ENT_QUOTES);
     // get file extension to only allow .bib files
-    $ext = pathinfo($saveBib, PATHINFO_EXTENSION);
+    $ext = pathinfo($escapedBib, PATHINFO_EXTENSION);
     // this is a security protection
-    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($saveBib) || strcasecmp($ext, 'bib') != 0)) {
+    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($escapedBib) || strcasecmp($ext, 'bib') != 0)) {
 
      // to automate dectection of faulty links with tools such as webcheck
      header('HTTP/1.1 404 Not found');
-     die('<b>the bib file '.$saveBib.' does not exist !</b>');
+     die('<b>the bib file '.$escapedBib.' does not exist !</b>');
     }
   } // end for each
 

From c932e59129e2d8b8fed7eec280ec26eacd3b7aac Mon Sep 17 00:00:00 2001
From: ahaber <haber@se-rwth.de>
Date: Tue, 29 Apr 2014 13:43:13 +0200
Subject: [PATCH 3/4] only escape html output to (theoretical) support special
 characters in file names

---
 bibtexbrowser.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index 2dddb8c..de82798 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
@@ -238,15 +238,14 @@ function _zetDB($bibtex_filenames) {
 
   // ---------------------------- HANDLING unexistent files
   foreach(explode(MULTIPLE_BIB_SEPARATOR, $bibtex_filenames) as $bib) {
-    // escape $bib to prevent XSS
-  	$escapedBib = htmlEntities($bib, ENT_QUOTES);
     // get file extension to only allow .bib files
-    $ext = pathinfo($escapedBib, PATHINFO_EXTENSION);
+    $ext = pathinfo($bib, PATHINFO_EXTENSION);
     // this is a security protection
-    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($escapedBib) || strcasecmp($ext, 'bib') != 0)) {
-
+    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0)) {
      // to automate dectection of faulty links with tools such as webcheck
      header('HTTP/1.1 404 Not found');
+    // escape $bib to prevent XSS
+  	$escapedBib = htmlEntities($bib, ENT_QUOTES);
      die('<b>the bib file '.$escapedBib.' does not exist !</b>');
     }
   } // end for each

From 48b78f5772d9aa7af8d4fb7a0b826b173e9e03e5 Mon Sep 17 00:00:00 2001
From: ahaber <haber@se-rwth.de>
Date: Mon, 5 May 2014 12:29:59 +0200
Subject: [PATCH 4/4] aligned with clean_xss_fix branch

---
 bibtexbrowser.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index de82798..fe4764f 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
@@ -242,11 +242,11 @@ function _zetDB($bibtex_filenames) {
     $ext = pathinfo($bib, PATHINFO_EXTENSION);
     // this is a security protection
     if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0)) {
-     // to automate dectection of faulty links with tools such as webcheck
-     header('HTTP/1.1 404 Not found');
-    // escape $bib to prevent XSS
-  	$escapedBib = htmlEntities($bib, ENT_QUOTES);
-     die('<b>the bib file '.$escapedBib.' does not exist !</b>');
+      // to automate dectection of faulty links with tools such as webcheck
+      header('HTTP/1.1 404 Not found');
+      // escape $bib to prevent XSS
+      $escapedBib = htmlEntities($bib, ENT_QUOTES);
+      die('<b>the bib file '.$escapedBib.' does not exist !</b>');
     }
   } // end for each