
Revision 01f36513

Added by Assos Assos about 6 years ago

Weekly update of contrib modules


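--- a/drupal7/includes/request-sanitizer.inc
+++ b/drupal7/includes/request-sanitizer.inc
@@ -51,6 +51,38 @@
     }
   }
 
+  /**
+   * Removes the destination if it is dangerous.
+   *
+   * Note this can only be called after common.inc has been included.
+   *
+   * @return bool
+   *   TRUE if the destination has been removed from $_GET, FALSE if not.
+   */
+  public static function cleanDestination() {
+    $dangerous_keys = array();
+    $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
+
+    $parts = drupal_parse_url($_GET['destination']);
+    // If there is a query string, check its query parameters.
+    if (!empty($parts['query'])) {
+      $whitelist = variable_get('sanitize_input_whitelist', array());
+
+      self::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
+      if (!empty($dangerous_keys)) {
+        // The destination is removed rather than sanitized to mirror the
+        // handling of external destinations.
+        unset($_GET['destination']);
+        unset($_REQUEST['destination']);
+        if ($log_sanitized_keys) {
+          trigger_error(format_string('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: @keys', array('@keys' => implode(', ', $dangerous_keys))));
+        }
+        return TRUE;
+      }
+    }
+    return FALSE;
+  }
+
   /**
    * Strips dangerous keys from the provided input.
    *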
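Review bot: `cleanDestination()` reads `$_GET['destination']` on the `drupal_parse_url()` line without an `isset()` guard, so a call made when no destination parameter is present raises an undefined-index notice (a warning on PHP 8) and parses `null` instead of a URL. Unless every caller is known to check the key first, either guard it — `if (!isset($_GET['destination'])) { return FALSE; }` before the parse — or state the precondition in the docblock next to the common.inc note, e.g. `Callers must only invoke this when $_GET['destination'] is set.` The removal-rather-than-sanitize behaviour and the query-only inspection otherwise match what the comments document. The enclosing class begins outside the hunk.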
