Loading includes/bootstrap.inc +4 −0 Original line number Diff line number Diff line Loading @@ -2632,6 +2632,10 @@ function _drupal_bootstrap_configuration() { timer_start('page'); // Initialize the configuration, including variables from settings.php. drupal_settings_initialize(); // Sanitize unsafe keys from the request. require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc'; DrupalRequestSanitizer::sanitize(); } /** Loading includes/request-sanitizer.inc 0 → 100644 +82 −0 Original line number Diff line number Diff line <?php /** * @file * Contains code for sanitizing user input from the request. */ /** * Sanitizes user input from the request. */ class DrupalRequestSanitizer { /** * Tracks whether the request was already sanitized. */ protected static $sanitized = FALSE; /** * Modifies the request to strip dangerous keys from user input. */ public static function sanitize() { if (!self::$sanitized) { $whitelist = variable_get('sanitize_input_whitelist', array()); $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE); // Process query string parameters. $get_sanitized_keys = array(); $_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys); if ($log_sanitized_keys && $get_sanitized_keys) { _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $get_sanitized_keys))), E_USER_NOTICE); } // Process request body parameters. $post_sanitized_keys = array(); $_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys); if ($log_sanitized_keys && $post_sanitized_keys) { _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE); } // Process cookie parameters. $cookie_sanitized_keys = array(); $_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys); if ($log_sanitized_keys && $cookie_sanitized_keys) { _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE); } $request_sanitized_keys = array(); $_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys); self::$sanitized = TRUE; } } /** * Strips dangerous keys from the provided input. * * @param mixed $input * The input to sanitize. * @param string[] $whitelist * An array of keys to whitelist as safe. * @param string[] $sanitized_keys * An array of keys that have been removed. * * @return mixed * The sanitized input. */ protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) { if (is_array($input)) { foreach ($input as $key => $value) { if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) { unset($input[$key]); $sanitized_keys[] = $key; } else { $input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys); } } } return $input; } } Loading
includes/bootstrap.inc +4 −0 Original line number Diff line number Diff line Loading @@ -2632,6 +2632,10 @@ function _drupal_bootstrap_configuration() { timer_start('page'); // Initialize the configuration, including variables from settings.php. drupal_settings_initialize(); // Sanitize unsafe keys from the request. require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc'; DrupalRequestSanitizer::sanitize(); } /** Loading
includes/request-sanitizer.inc 0 → 100644 +82 −0 Original line number Diff line number Diff line <?php /** * @file * Contains code for sanitizing user input from the request. */ /** * Sanitizes user input from the request. */ class DrupalRequestSanitizer { /** * Tracks whether the request was already sanitized. */ protected static $sanitized = FALSE; /** * Modifies the request to strip dangerous keys from user input. */ public static function sanitize() { if (!self::$sanitized) { $whitelist = variable_get('sanitize_input_whitelist', array()); $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE); // Process query string parameters. $get_sanitized_keys = array(); $_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys); if ($log_sanitized_keys && $get_sanitized_keys) { _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $get_sanitized_keys))), E_USER_NOTICE); } // Process request body parameters. $post_sanitized_keys = array(); $_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys); if ($log_sanitized_keys && $post_sanitized_keys) { _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE); } // Process cookie parameters. $cookie_sanitized_keys = array(); $_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys); if ($log_sanitized_keys && $cookie_sanitized_keys) { _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE); } $request_sanitized_keys = array(); $_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys); self::$sanitized = TRUE; } } /** * Strips dangerous keys from the provided input. * * @param mixed $input * The input to sanitize. * @param string[] $whitelist * An array of keys to whitelist as safe. * @param string[] $sanitized_keys * An array of keys that have been removed. * * @return mixed * The sanitized input. */ protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) { if (is_array($input)) { foreach ($input as $key => $value) { if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) { unset($input[$key]); $sanitized_keys[] = $key; } else { $input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys); } } } return $input; } }
