Home Explore Help
Sign In
bachir
/
edlp_d8
1
0
Fork 0
Files Issues 8 Pull Requests 0 Wiki
Tree: 6811f6e586
Branches Tags
edlp_d8
/
core
/
lib
/
Drupal
/
Core
/
Security
/
RequestSanitizer.php

RequestSanitizer.php 3.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 
  1. <?php
    2. 

  2. 

  3. namespace Drupal\Core\Security;
    4. 

  4. 

  5. use Symfony\Component\HttpFoundation\Request;
    6. 

  6. 

  7. /**
    8. 

  8.  * Sanitizes user input.
    9. 

  9.  */
    10. 

  10. class RequestSanitizer {
    11. 

  11. 

  12.   /**
    13. 

  13.    * Request attribute to mark the request as sanitized.
    14. 

  14.    */
    15. 

  15.   const SANITIZED = '_drupal_request_sanitized';
    16. 

  16. 

  17.   /**
    18. 

  18.    * The name of the setting that configures the whitelist.
    19. 

  19.    */
    20. 

  20.   const SANITIZE_WHITELIST = 'sanitize_input_whitelist';
    21. 

  21. 

  22.   /**
    23. 

  23.    * The name of the setting that determines if sanitized keys are logged.
    24. 

  24.    */
    25. 

  25.   const SANITIZE_LOG = 'sanitize_input_logging';
    26. 

  26. 

  27.   /**
    28. 

  28.    * Strips dangerous keys from user input.
    29. 

  29.    *
    30. 

  30.    * @param \Symfony\Component\HttpFoundation\Request $request
    31. 

  31.    *   The incoming request to sanitize.
    32. 

  32.    * @param string[] $whitelist
    33. 

  33.    *   An array of keys to whitelist as safe. See default.settings.php.
    34. 

  34.    * @param bool $log_sanitized_keys
    35. 

  35.    *   (optional) Set to TRUE to log an keys that are sanitized.
    36. 

  36.    *
    37. 

  37.    * @return \Symfony\Component\HttpFoundation\Request
    38. 

  38.    *   The sanitized request.
    39. 

  39.    */
    40. 

  40.   public static function sanitize(Request $request, $whitelist, $log_sanitized_keys = FALSE) {
    41. 

  41.     if (!$request->attributes->get(self::SANITIZED, FALSE)) {
    42. 

  42.       // Process query string parameters.
    43. 

  43.       $get_sanitized_keys = [];
    44. 

  44.       $request->query->replace(static::stripDangerousValues($request->query->all(), $whitelist, $get_sanitized_keys));
    45. 

  45.       if ($log_sanitized_keys && !empty($get_sanitized_keys)) {
    46. 

  46.         trigger_error(sprintf('Potentially unsafe keys removed from query string parameters (GET): %s', implode(', ', $get_sanitized_keys)));
    47. 

  47.       }
    48. 

  48. 

  49.       // Request body parameters.
    50. 

  50.       $post_sanitized_keys = [];
    51. 

  51.       $request->request->replace(static::stripDangerousValues($request->request->all(), $whitelist, $post_sanitized_keys));
    52. 

  52.       if ($log_sanitized_keys && !empty($post_sanitized_keys)) {
    53. 

  53.         trigger_error(sprintf('Potentially unsafe keys removed from request body parameters (POST): %s', implode(', ', $post_sanitized_keys)));
    54. 

  54.       }
    55. 

  55. 

  56.       // Cookie parameters.
    57. 

  57.       $cookie_sanitized_keys = [];
    58. 

  58.       $request->cookies->replace(static::stripDangerousValues($request->cookies->all(), $whitelist, $cookie_sanitized_keys));
    59. 

  59.       if ($log_sanitized_keys && !empty($cookie_sanitized_keys)) {
    60. 

  60.         trigger_error(sprintf('Potentially unsafe keys removed from cookie parameters: %s', implode(', ', $cookie_sanitized_keys)));
    61. 

  61.       }
    62. 

  62. 

  63.       if (!empty($get_sanitized_keys) || !empty($post_sanitized_keys) || !empty($cookie_sanitized_keys)) {
    64. 

  64.         $request->overrideGlobals();
    65. 

  65.       }
    66. 

  66.       $request->attributes->set(self::SANITIZED, TRUE);
    67. 

  67.     }
    68. 

  68.     return $request;
    69. 

  69.   }
    70. 

  70. 

  71.   /**
    72. 

  72.    * Strips dangerous keys from $input.
    73. 

  73.    *
    74. 

  74.    * @param mixed $input
    75. 

  75.    *   The input to sanitize.
    76. 

  76.    * @param string[] $whitelist
    77. 

  77.    *   An array of keys to whitelist as safe.
    78. 

  78.    * @param string[] $sanitized_keys
    79. 

  79.    *   An array of keys that have been removed.
    80. 

  80.    *
    81. 

  81.    * @return mixed
    82. 

  82.    *   The sanitized input.
    83. 

  83.    */
    84. 

  84.   protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
    85. 

  85.     if (is_array($input)) {
    86. 

  86.       foreach ($input as $key => $value) {
    87. 

  87.         if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
    88. 

  88.           unset($input[$key]);
    89. 

  89.           $sanitized_keys[] = $key;
    90. 

  90.         }
    91. 

  91.         else {
    92. 

  92.           $input[$key] = static::stripDangerousValues($input[$key], $whitelist, $sanitized_keys);
    93. 

  93.         }
    94. 

  94.       }
    95. 

  95.     }
    96. 

  96.     return $input;
    97. 

  97.   }
    98. 

  98. 

  99. }
    100.