authormatt <matt@59fd770c-687e-43c8-a1e3-f5a4ff64c105>2009-03-25 09:57:03 +0300
committermatt <matt@59fd770c-687e-43c8-a1e3-f5a4ff64c105>2009-03-25 09:57:03 +0300
commiteb7b288c7a2acd11a9c2f8645f3e4a4692e7012b (patch)
tree2f8fe1db0d354134feb26cc423a9486bebfb69b4 /core
parent82e5ad5eb4d2dbcf2e8c5dd0b3aabf01f978cf92 (diff)
- in all piwik, we now don't read from _REQUEST as it includes _COOKIE. We instead read data from the union of _GET and _POST
- clarified how to test piwik for xss referer injection
Diffstat (limited to 'core')
-rw-r--r--core/API/Request.php7
-rw-r--r--core/Common.php4
-rw-r--r--core/FrontController.php1
-rw-r--r--core/Tracker.php2
-rw-r--r--core/Tracker/Generator.php4
-rw-r--r--core/ViewDataTable.php4
6 files changed, 11 insertions, 11 deletions
diff --git a/core/API/Request.php b/core/API/Request.php
index 79993992ac..60bef14822 100644
--- a/core/API/Request.php
+++ b/core/API/Request.php
@@ -47,12 +47,13 @@ class Piwik_API_Request
*
* @param string GET request that defines the API call (must at least contain a "method" parameter)
* Example: method=UserSettings.getWideScreen&idSite=1&date=yesterday&period=week&format=xml
- * If a request is not provided, then we use the $_REQUEST superglobal and fetch
+ * If a request is not provided, then we use the $_GET and $_POST superglobal and fetch
* the values directly from the HTTP GET query.
*/
function __construct($request = null)
{
- $requestArray = $_REQUEST;
+ $defaultRequest = $_GET + $_POST;
+ $requestArray = $defaultRequest;
if(!is_null($request))
{
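Review bot: `$defaultRequest = $_GET + $_POST;` gives the GET value precedence when the same key arrives in both, whereas `$_REQUEST` under PHP's default `request_order`/`variables_order` lets POST override GET, so this swaps the precedence for any parameter sent both ways; if POST-over-GET was relied on, `$_POST + $_GET` preserves it, and either way the chosen precedence should be stated where the union is built. The same union appears in core/Common.php (`$requestArrayToUse = $_GET + $_POST;`) and core/Tracker.php (`$this->request = $_GET + $_POST;`), and this note applies there too. The updated docblock still says the values are fetched "directly from the HTTP GET query" and uses the singular "superglobal"; suggested wording: ` * If a request is not provided, we use the union of the $_GET and $_POST superglobals ($_GET wins on duplicate keys); cookies are deliberately not read.` __construct continues past the end of this hunk.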
@@ -67,7 +68,7 @@ class Piwik_API_Request
Zend_Registry::get('access')->reloadAccess();
}
- $requestArray = array_merge($_REQUEST, $requestArray);
+ $requestArray = $requestArray + $defaultRequest;
}
foreach($requestArray as &$element)
diff --git a/core/Common.php b/core/Common.php
index 4d3b38815f..c3e167cffe 100644
--- a/core/Common.php
+++ b/core/Common.php
@@ -376,7 +376,7 @@ class Piwik_Common
}
/**
- * Returns a sanitized variable value from the $_REQUEST superglobal.
+ * Returns a sanitized variable value from the $_GET and $_POST superglobal.
* If the variable doesn't have a value or an empty value, returns the defaultValue if specified.
* If the variable doesn't have neither a value nor a default value provided, an exception is raised.
*
@@ -395,7 +395,7 @@ class Piwik_Common
{
if(is_null($requestArrayToUse))
{
- $requestArrayToUse = $_REQUEST;
+ $requestArrayToUse = $_GET + $_POST;
}
$varDefault = self::sanitizeInputValues( $varDefault );
diff --git a/core/FrontController.php b/core/FrontController.php
index 1c2948a0a1..aa2fc38a59 100644
--- a/core/FrontController.php
+++ b/core/FrontController.php
@@ -280,7 +280,6 @@ class Piwik_FrontController
for ($i=1; $i < $_SERVER['argc']; $i++)
{
parse_str($_SERVER['argv'][$i],$tmp);
- $_REQUEST = array_merge($_REQUEST, $tmp);
$_GET = array_merge($_GET, $tmp);
}
}
diff --git a/core/Tracker.php b/core/Tracker.php
index bad522f78b..2dfaa9ef3c 100644
--- a/core/Tracker.php
+++ b/core/Tracker.php
@@ -47,7 +47,7 @@ class Piwik_Tracker
public function __construct()
{
- $this->request = $_REQUEST;
+ $this->request = $_GET + $_POST;
}
public function main()
diff --git a/core/Tracker/Generator.php b/core/Tracker/Generator.php
index ea1178123f..c52b1d904f 100644
--- a/core/Tracker/Generator.php
+++ b/core/Tracker/Generator.php
@@ -112,7 +112,7 @@ class Piwik_Tracker_Generator
*/
public function __construct()
{
- $_COOKIE = $_GET = $_REQUEST = $_POST = array();
+ $_COOKIE = $_GET = $_POST = array();
// init GET and REQUEST to the empty array
$this->setFakeRequest();
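Review bot: The comment `// init GET and REQUEST to the empty array` is now stale: the line above it no longer touches `$_REQUEST`, and it also resets `$_COOKIE` and `$_POST`, which the comment omits. Suggested: `// reset GET, POST and COOKIE to the empty array (core no longer reads $_REQUEST)`. `$_REQUEST` itself is left holding whatever the SAPI populated, which is harmless only as long as nothing outside core still reads it — not verifiable from this hunk. __construct continues past the end of this hunk.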
@@ -582,7 +582,7 @@ class Piwik_Tracker_Generator
*/
protected function setFakeRequest()
{
- $_REQUEST = $_GET = $this->currentget;
+ $_GET = $this->currentget;
}
/**
diff --git a/core/ViewDataTable.php b/core/ViewDataTable.php
index bf4340c30d..c450cc80f5 100644
--- a/core/ViewDataTable.php
+++ b/core/ViewDataTable.php
@@ -566,9 +566,9 @@ abstract class Piwik_ViewDataTable
*/
protected function getDefaultOrCurrent( $nameVar )
{
- if(isset($_REQUEST[$nameVar]))
+ if(isset($_GET[$nameVar]))
{
- return htmlspecialchars($_REQUEST[$nameVar]);
+ return htmlspecialchars($_GET[$nameVar]);
}
$default = $this->getDefault($nameVar);
return $default;
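Review bot: `htmlspecialchars($_GET[$nameVar])` escapes only double quotes, so a value echoed inside a single-quoted HTML attribute is still not safe; `return htmlspecialchars($_GET[$nameVar], ENT_QUOTES, 'UTF-8');` closes that, and the explicit charset also makes the escaping independent of the default_charset ini setting. `$_GET[$nameVar]` can also be an array (`?name[]=x`), on which `htmlspecialchars` emits a warning and returns null (a TypeError on PHP 8) instead of a string, so an `is_string()` check alongside the `isset` is worth adding. Unlike the other files in this commit, this method reads `$_GET` alone rather than `$_GET + $_POST`; if that asymmetry is intended (view parameters are GET-only), a one-line comment saying so would stop the next reader from "fixing" it. The method's docblock opens before this hunk and its closing brace lies after it.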