Révision 01f36513
Ajouté par Assos Assos il y a environ 6 ans
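--- a/drupal7/includes/request-sanitizer.inc
+++ b/drupal7/includes/request-sanitizer.inc
@@ -51,6 +51,38 @@
 }
 }
 
+/**
+* Removes the destination if it is dangerous.
+*
+* Note this can only be called after common.inc has been included.
+*
+* @return bool
+* TRUE if the destination has been removed from $_GET, FALSE if not.
+*/
+public static function cleanDestination() {
+$dangerous_keys = array();
+$log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
+
+$parts = drupal_parse_url($_GET['destination']);
+// If there is a query string, check its query parameters.
+if (!empty($parts['query'])) {
+$whitelist = variable_get('sanitize_input_whitelist', array());
+
+self::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
+if (!empty($dangerous_keys)) {
+// The destination is removed rather than sanitized to mirror the
+// handling of external destinations.
+unset($_GET['destination']);
+unset($_REQUEST['destination']);
+if ($log_sanitized_keys) {
+trigger_error(format_string('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: @keys', array('@keys' => implode(', ', $dangerous_keys))));
+}
+return TRUE;
+}
+}
+return FALSE;
+}
+
 /**
 * Strips dangerous keys from the provided input.
 *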
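Review bot: `cleanDestination()` reads `$_GET['destination']` on the `$parts = drupal_parse_url(...)` line without checking that the key is set and holds a string, so a missing key raises an undefined-index notice and a non-scalar value such as a `destination[]=...` query parameter is handed to `drupal_parse_url()`, which presumably operates on a string. The docblock implies a caller in common.inc; even if that caller already guards with isset(), this is a public static entry point and should be safe on its own, so I would open it with `if (!isset($_GET['destination']) || !is_string($_GET['destination'])) { return FALSE; }` — or, since a non-string destination cannot be a valid internal path, treat that case like a dangerous one and unset both superglobals before returning TRUE. The docblock should also state that keys listed in the `sanitize_input_whitelist` variable are exempt from the check, e.g. ` *   Keys present in the 'sanitize_input_whitelist' variable are never treated as dangerous.`, because an over-broad whitelist silently disables this protection. The enclosing class starts outside the hunk.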
Weekly update of contrib modules