Revision 240bc75b
Added by Assos Assos over 6 years ago
drupal7/includes/request-sanitizer.inc | ||
---|---|---|
1 |
<?php |
|
2 |
|
|
3 |
/** |
|
4 |
* @file |
|
5 |
* Contains code for sanitizing user input from the request. |
|
6 |
*/ |
|
7 |
|
|
8 |
/** |
|
9 |
* Sanitizes user input from the request. |
|
10 |
*/ |
|
11 |
class DrupalRequestSanitizer { |
|
12 |
|
|
13 |
/** |
|
14 |
* Tracks whether the request was already sanitized. |
|
15 |
*/ |
|
16 |
protected static $sanitized = FALSE; |
|
17 |
|
|
18 |
/** |
|
19 |
* Modifies the request to strip dangerous keys from user input. |
|
20 |
*/ |
|
21 |
public static function sanitize() { |
|
22 |
if (!self::$sanitized) { |
|
23 |
$whitelist = variable_get('sanitize_input_whitelist', array()); |
|
24 |
$log_sanitized_keys = variable_get('sanitize_input_logging', FALSE); |
|
25 |
|
|
26 |
// Process query string parameters. |
|
27 |
$get_sanitized_keys = array(); |
|
28 |
$_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys); |
|
29 |
if ($log_sanitized_keys && $get_sanitized_keys) { |
|
30 |
_drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $get_sanitized_keys))), E_USER_NOTICE); |
|
31 |
} |
|
32 |
|
|
33 |
// Process request body parameters. |
|
34 |
$post_sanitized_keys = array(); |
|
35 |
$_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys); |
|
36 |
if ($log_sanitized_keys && $post_sanitized_keys) { |
|
37 |
_drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE); |
|
38 |
} |
|
39 |
|
|
40 |
// Process cookie parameters. |
|
41 |
$cookie_sanitized_keys = array(); |
|
42 |
$_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys); |
|
43 |
if ($log_sanitized_keys && $cookie_sanitized_keys) { |
|
44 |
_drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE); |
|
45 |
} |
|
46 |
|
|
47 |
$request_sanitized_keys = array(); |
|
48 |
$_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys); |
|
49 |
|
|
50 |
self::$sanitized = TRUE; |
|
51 |
} |
|
52 |
} |
|
53 |
|
|
54 |
/** |
|
55 |
* Strips dangerous keys from the provided input. |
|
56 |
* |
|
57 |
* @param mixed $input |
|
58 |
* The input to sanitize. |
|
59 |
* @param string[] $whitelist |
|
60 |
* An array of keys to whitelist as safe. |
|
61 |
* @param string[] $sanitized_keys |
|
62 |
* An array of keys that have been removed. |
|
63 |
* |
|
64 |
* @return mixed |
|
65 |
* The sanitized input. |
|
66 |
*/ |
|
67 |
protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) { |
|
68 |
if (is_array($input)) { |
|
69 |
foreach ($input as $key => $value) { |
|
70 |
if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) { |
|
71 |
unset($input[$key]); |
|
72 |
$sanitized_keys[] = $key; |
|
73 |
} |
|
74 |
else { |
|
75 |
$input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys); |
|
76 |
} |
|
77 |
} |
|
78 |
} |
|
79 |
return $input; |
|
80 |
} |
|
81 |
|
|
82 |
} |
Also available in: Unified diff
Update to 7.58