bachir/popsu-d7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

updated core to 7.58

Browse Source
This commit is contained in:
Bachir Soussi Chiadmi
2018-04-24 14:08:28 +02:00
parent 2c2dd76ece
commit 870831757c
140 changed files with 664 additions and 396 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
includes/bootstrap.inc
View File

@@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.56');
define('VERSION', '7.58');
/**
* Core API compatibility.
@@ -2632,6 +2632,10 @@ function _drupal_bootstrap_configuration() {
timer_start('page');
// Initialize the configuration, including variables from settings.php.
drupal_settings_initialize();
// Sanitize unsafe keys from the request.
require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';
DrupalRequestSanitizer::sanitize();
}
/**

5
includes/common.inc
View File

@@ -2236,8 +2236,11 @@ function url($path = NULL, array $options = array()) {
'prefix' => ''
);
// Determine whether this is an external link, but ensure that the current
// path is always treated as internal by default (to prevent external link
// injection vulnerabilities).
if (!isset($options['external'])) {
$options['external'] = url_is_external($path);
$options['external'] = $path === $_GET['q'] ? FALSE : url_is_external($path);
}
// Preserve the original path before altering or aliasing.

82
includes/request-sanitizer.inc Normal file
View File

@@ -0,0 +1,82 @@
<?php
/**
* @file
* Contains code for sanitizing user input from the request.
*/
/**
* Sanitizes user input from the request.
*/
class DrupalRequestSanitizer {
/**
* Tracks whether the request was already sanitized.
*/
protected static $sanitized = FALSE;
/**
* Modifies the request to strip dangerous keys from user input.
*/
public static function sanitize() {
if (!self::$sanitized) {
$whitelist = variable_get('sanitize_input_whitelist', array());
$log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
// Process query string parameters.
$get_sanitized_keys = array();
$_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys);
if ($log_sanitized_keys && $get_sanitized_keys) {
_drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $get_sanitized_keys))), E_USER_NOTICE);
}
// Process request body parameters.
$post_sanitized_keys = array();
$_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys);
if ($log_sanitized_keys && $post_sanitized_keys) {
_drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE);
}
// Process cookie parameters.
$cookie_sanitized_keys = array();
$_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys);
if ($log_sanitized_keys && $cookie_sanitized_keys) {
_drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE);
}
$request_sanitized_keys = array();
$_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys);
self::$sanitized = TRUE;
}
}
/**
* Strips dangerous keys from the provided input.
*
* @param mixed $input
* The input to sanitize.
* @param string[] $whitelist
* An array of keys to whitelist as safe.
* @param string[] $sanitized_keys
* An array of keys that have been removed.
*
* @return mixed
* The sanitized input.
*/
protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
if (is_array($input)) {
foreach ($input as $key => $value) {
if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
unset($input[$key]);
$sanitized_keys[] = $key;
}
else {
$input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys);
}
}
}
return $input;
}
}