Project

General

Profile

Revision 240bc75b

Added by Assos Assos over 6 years ago

Update to 7.58

View differences:

drupal7/includes/request-sanitizer.inc
1
<?php
2

  
3
/**
4
 * @file
5
 * Contains code for sanitizing user input from the request.
6
 */
7

  
8
/**
9
 * Sanitizes user input from the request.
10
 */
11
class DrupalRequestSanitizer {
12

  
13
  /**
14
   * Tracks whether the request was already sanitized.
15
   */
16
  protected static $sanitized = FALSE;
17

  
18
  /**
19
   * Modifies the request to strip dangerous keys from user input.
20
   */
21
  public static function sanitize() {
22
    if (!self::$sanitized) {
23
      $whitelist = variable_get('sanitize_input_whitelist', array());
24
      $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
25

  
26
      // Process query string parameters.
27
      $get_sanitized_keys = array();
28
      $_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys);
29
      if ($log_sanitized_keys && $get_sanitized_keys) {
30
        _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $get_sanitized_keys))), E_USER_NOTICE);
31
      }
32

  
33
      // Process request body parameters.
34
      $post_sanitized_keys = array();
35
      $_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys);
36
      if ($log_sanitized_keys && $post_sanitized_keys) {
37
        _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE);
38
      }
39

  
40
      // Process cookie parameters.
41
      $cookie_sanitized_keys = array();
42
      $_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys);
43
      if ($log_sanitized_keys && $cookie_sanitized_keys) {
44
        _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE);
45
      }
46

  
47
      $request_sanitized_keys = array();
48
      $_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys);
49

  
50
      self::$sanitized = TRUE;
51
    }
52
  }
53

  
54
  /**
55
   * Strips dangerous keys from the provided input.
56
   *
57
   * @param mixed $input
58
   *   The input to sanitize.
59
   * @param string[] $whitelist
60
   *   An array of keys to whitelist as safe.
61
   * @param string[] $sanitized_keys
62
   *   An array of keys that have been removed.
63
   *
64
   * @return mixed
65
   *   The sanitized input.
66
   */
67
  protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
68
    if (is_array($input)) {
69
      foreach ($input as $key => $value) {
70
        if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
71
          unset($input[$key]);
72
          $sanitized_keys[] = $key;
73
        }
74
        else {
75
          $input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys);
76
        }
77
      }
78
    }
79
    return $input;
80
  }
81

  
82
}

Also available in: Unified diff