123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114 |
- <?php
- class DrupalRequestSanitizer {
-
- protected static $sanitized = FALSE;
-
- public static function sanitize() {
- if (!self::$sanitized) {
- $whitelist = variable_get('sanitize_input_whitelist', array());
- $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
-
- $get_sanitized_keys = array();
- $_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys);
- if ($log_sanitized_keys && $get_sanitized_keys) {
- _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $get_sanitized_keys))), E_USER_NOTICE);
- }
-
- $post_sanitized_keys = array();
- $_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys);
- if ($log_sanitized_keys && $post_sanitized_keys) {
- _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE);
- }
-
- $cookie_sanitized_keys = array();
- $_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys);
- if ($log_sanitized_keys && $cookie_sanitized_keys) {
- _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE);
- }
- $request_sanitized_keys = array();
- $_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys);
- self::$sanitized = TRUE;
- }
- }
-
- public static function cleanDestination() {
- $dangerous_keys = array();
- $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
- $parts = drupal_parse_url($_GET['destination']);
-
- if (!empty($parts['query'])) {
- $whitelist = variable_get('sanitize_input_whitelist', array());
- self::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
- if (!empty($dangerous_keys)) {
-
-
- unset($_GET['destination']);
- unset($_REQUEST['destination']);
- if ($log_sanitized_keys) {
- trigger_error(format_string('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: @keys', array('@keys' => implode(', ', $dangerous_keys))));
- }
- return TRUE;
- }
- }
- return FALSE;
- }
-
- protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
- if (is_array($input)) {
- foreach ($input as $key => $value) {
- if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
- unset($input[$key]);
- $sanitized_keys[] = $key;
- }
- else {
- $input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys);
- }
- }
- }
- return $input;
- }
- }
|