Révision 01f36513
Ajouté par Assos Assos il y a environ 6 ans
| drupal7/includes/request-sanitizer.inc | ||
|---|---|---|
| 51 | 51 |
} |
| 52 | 52 |
} |
| 53 | 53 |
|
| 54 |
/** |
|
| 55 |
* Removes the destination if it is dangerous. |
|
| 56 |
* |
|
| 57 |
* Note this can only be called after common.inc has been included. |
|
| 58 |
* |
|
| 59 |
* @return bool |
|
| 60 |
* TRUE if the destination has been removed from $_GET, FALSE if not. |
|
| 61 |
*/ |
|
| 62 |
public static function cleanDestination() {
|
|
| 63 |
$dangerous_keys = array(); |
|
| 64 |
$log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
|
|
| 65 |
|
|
| 66 |
$parts = drupal_parse_url($_GET['destination']); |
|
| 67 |
// If there is a query string, check its query parameters. |
|
| 68 |
if (!empty($parts['query'])) {
|
|
| 69 |
$whitelist = variable_get('sanitize_input_whitelist', array());
|
|
| 70 |
|
|
| 71 |
self::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys); |
|
| 72 |
if (!empty($dangerous_keys)) {
|
|
| 73 |
// The destination is removed rather than sanitized to mirror the |
|
| 74 |
// handling of external destinations. |
|
| 75 |
unset($_GET['destination']); |
|
| 76 |
unset($_REQUEST['destination']); |
|
| 77 |
if ($log_sanitized_keys) {
|
|
| 78 |
trigger_error(format_string('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: @keys', array('@keys' => implode(', ', $dangerous_keys))));
|
|
| 79 |
} |
|
| 80 |
return TRUE; |
|
| 81 |
} |
|
| 82 |
} |
|
| 83 |
return FALSE; |
|
| 84 |
} |
|
| 85 |
|
|
| 54 | 86 |
/** |
| 55 | 87 |
* Strips dangerous keys from the provided input. |
| 56 | 88 |
* |
Formats disponibles : Unified diff
Weekly update of contrib modules