Commit 3bb5f796 authored by webchick's avatar webchick

Issue #1998638 by damiankloip, dawehner, kim.pepper, cosmicdreams, alexpott,...

Issue #1998638 by damiankloip, dawehner, kim.pepper, cosmicdreams, alexpott, larowlan, Damien Tournoud: Replace almost all remaining superglobals ($_GET, $_POST, etc.) with Symfony Request object.
parent 67e93b23
...@@ -241,7 +241,7 @@ function ajax_render($commands = array()) { ...@@ -241,7 +241,7 @@ function ajax_render($commands = array()) {
// since the base page ought to have at least one JS file and one CSS file // since the base page ought to have at least one JS file and one CSS file
// loaded. It probably indicates an error, and rather than making the page // loaded. It probably indicates an error, and rather than making the page
// reload all of the files, instead we return no new files. // reload all of the files, instead we return no new files.
if (empty($_POST['ajax_page_state'][$type])) { if (!\Drupal::request()->request->get("ajax_page_state[$type]", NULL, TRUE)) {
$items[$type] = array(); $items[$type] = array();
} }
else { else {
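Review bot: The `"ajax_page_state[$type]"` lookup on the new line of the ajax_render hunk depends on ParameterBag::get()'s deep-path syntax (the third argument `TRUE`), which only works while `$type` contains no `[` or `]` and ties a core check to a bag feature that the controller version of the same test in this commit (AjaxController::ajaxRender) avoids by fetching the array once. For consistency and readability prefer `$ajax_page_state = \Drupal::request()->request->get('ajax_page_state');` before the loop and `if (empty($ajax_page_state[$type])) {` here, which also keeps the original empty() semantics when the posted value is not an array. The enclosing loop and function continue outside the hunk.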
...@@ -457,25 +457,28 @@ function config_get_config_directory($type = CONFIG_ACTIVE_DIRECTORY) { ...@@ -457,25 +457,28 @@ function config_get_config_directory($type = CONFIG_ACTIVE_DIRECTORY) {
* 'REMOTE_ADDR' key. * 'REMOTE_ADDR' key.
* *
* @param $variables * @param $variables
* (optional) An associative array of variables within $_SERVER that should * (optional) An associative array of variables within
* be replaced. If the special element 'url' is provided in this array, it * \Drupal::request()->server that should be replaced. If the special element
* will be used to populate some of the server defaults; it should be set to * 'url' is provided in this array, it will be used to populate some of the
* the URL of the current page request, excluding any $_GET request but * server defaults; it should be set to the URL of the current page request,
* including the script name (e.g., http://www.example.com/mysite/index.php). * excluding any GET request but including the script name
* (e.g., http://www.example.com/mysite/index.php).
* *
* @see conf_path() * @see conf_path()
* @see request_uri() * @see request_uri()
* @see \Symfony\Component\HttpFoundation\Request::getClientIP() * @see \Symfony\Component\HttpFoundation\Request::getClientIP()
*/ */
function drupal_override_server_variables($variables = array()) { function drupal_override_server_variables($variables = array()) {
$request = \Drupal::request();
$server_vars = $request->server->all();
// Allow the provided URL to override any existing values in $_SERVER. // Allow the provided URL to override any existing values in $_SERVER.
if (isset($variables['url'])) { if (isset($variables['url'])) {
$url = parse_url($variables['url']); $url = parse_url($variables['url']);
if (isset($url['host'])) { if (isset($url['host'])) {
$_SERVER['HTTP_HOST'] = $url['host']; $server_vars['HTTP_HOST'] = $url['host'];
} }
if (isset($url['path'])) { if (isset($url['path'])) {
$_SERVER['SCRIPT_NAME'] = $url['path']; $server_vars['SCRIPT_NAME'] = $url['path'];
} }
unset($variables['url']); unset($variables['url']);
} }
...@@ -492,7 +495,10 @@ function drupal_override_server_variables($variables = array()) { ...@@ -492,7 +495,10 @@ function drupal_override_server_variables($variables = array()) {
'HTTP_USER_AGENT' => NULL, 'HTTP_USER_AGENT' => NULL,
); );
// Replace elements of the $_SERVER array, as appropriate. // Replace elements of the $_SERVER array, as appropriate.
$_SERVER = $variables + $_SERVER + $defaults; $request->server->replace($variables + $server_vars + $defaults);
// @todo remove once conf_path() no longer uses $_SERVER.
$_SERVER = $request->server->all();
} }
/** /**
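Review bot: `$request->server->replace($variables + $server_vars + $defaults);` in drupal_override_server_variables rewrites the server bag, but Symfony's Request builds its headers bag from the server parameters once at construction, so `$request->headers` (and hence getHost() and friends) presumably still reflect the original HTTP_HOST after this call — worth confirming, since overriding the host is the stated purpose of the `url` element. The two comments `// Allow the provided URL to override any existing values in $_SERVER.` and `// Replace elements of the $_SERVER array, as appropriate.` now name the wrong target; suggest `// Allow the provided URL to override any existing values in the request's server bag.` and `// Replace the request's server parameters, as appropriate.`. Until the `@todo` write-back of `$_SERVER` is removed, the superglobal and the bag are only in sync at the moment this function returns, which is worth stating in the `@todo` itself.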
...@@ -411,7 +411,8 @@ function drupal_get_feeds($delimiter = "\n") { ...@@ -411,7 +411,8 @@ function drupal_get_feeds($delimiter = "\n") {
* Processes a URL query parameter array to remove unwanted elements. * Processes a URL query parameter array to remove unwanted elements.
* *
* @param $query * @param $query
* (optional) An array to be processed. Defaults to $_GET. * (optional) An array to be processed. Defaults to \Drupal::request()->query
* parameters.
* @param $exclude * @param $exclude
* (optional) A list of $query array keys to remove. Use "parent[child]" to * (optional) A list of $query array keys to remove. Use "parent[child]" to
* exclude nested items. * exclude nested items.
...@@ -490,7 +491,7 @@ function drupal_get_destination() { ...@@ -490,7 +491,7 @@ function drupal_get_destination() {
* The returned array contains a 'path' that may be passed separately to url(). * The returned array contains a 'path' that may be passed separately to url().
* For example: * For example:
* @code * @code
* $options = drupal_parse_url($_GET['destination']); * $options = drupal_parse_url(\Drupal::request()->query->get('destination'));
* $my_url = url($options['path'], $options); * $my_url = url($options['path'], $options);
* $my_link = l('Example link', $options['path'], $options); * $my_link = l('Example link', $options['path'], $options);
* @endcode * @endcode
...@@ -501,7 +502,7 @@ function drupal_get_destination() { ...@@ -501,7 +502,7 @@ function drupal_get_destination() {
* $options['query'] and the fragment into $options['fragment']. * $options['query'] and the fragment into $options['fragment'].
* *
* @param $url * @param $url
* The URL string to parse, f.e. $_GET['destination']. * The URL string to parse.
* *
* @return * @return
* An associative array containing the keys: * An associative array containing the keys:
...@@ -1886,6 +1887,7 @@ function drupal_html_id($id) { ...@@ -1886,6 +1887,7 @@ function drupal_html_id($id) {
// take into account IDs that are already in use on the base page. // take into account IDs that are already in use on the base page.
$seen_ids_init = &drupal_static(__FUNCTION__ . ':init'); $seen_ids_init = &drupal_static(__FUNCTION__ . ':init');
if (!isset($seen_ids_init)) { if (!isset($seen_ids_init)) {
$ajax_html_ids = \Drupal::request()->request->get('ajax_html_ids');
// Ideally, Drupal would provide an API to persist state information about // Ideally, Drupal would provide an API to persist state information about
// prior page requests in the database, and we'd be able to add this // prior page requests in the database, and we'd be able to add this
// function's $seen_ids static variable to that state information in order // function's $seen_ids static variable to that state information in order
...@@ -1895,7 +1897,7 @@ function drupal_html_id($id) { ...@@ -1895,7 +1897,7 @@ function drupal_html_id($id) {
// normally not recommended as it could open up security risks, but because // normally not recommended as it could open up security risks, but because
// the raw POST data is cast to a number before being returned by this // the raw POST data is cast to a number before being returned by this
// function, this usage is safe. // function, this usage is safe.
if (empty($_POST['ajax_html_ids'])) { if (empty($ajax_html_ids)) {
$seen_ids_init = array(); $seen_ids_init = array();
} }
else { else {
...@@ -1904,7 +1906,7 @@ function drupal_html_id($id) { ...@@ -1904,7 +1906,7 @@ function drupal_html_id($id) {
// requested id. $_POST['ajax_html_ids'] contains the ids as they were // requested id. $_POST['ajax_html_ids'] contains the ids as they were
// returned by this function, potentially with the appended counter, so // returned by this function, potentially with the appended counter, so
// we parse that to reconstruct the $seen_ids array. // we parse that to reconstruct the $seen_ids array.
$ajax_html_ids = explode(' ', $_POST['ajax_html_ids']); $ajax_html_ids = explode(' ', $ajax_html_ids);
foreach ($ajax_html_ids as $seen_id) { foreach ($ajax_html_ids as $seen_id) {
// We rely on '--' being used solely for separating a base id from the // We rely on '--' being used solely for separating a base id from the
// counter, which this function ensures when returning an id. // counter, which this function ensures when returning an id.
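Review bot: The comment `// requested id. $_POST['ajax_html_ids'] contains the ids as they were` in drupal_html_id still names the superglobal this hunk removes; suggest `// requested id. The posted 'ajax_html_ids' value contains the ids as they were`. Separately, `$ajax_html_ids = \Drupal::request()->request->get('ajax_html_ids');` returns whatever type the client posted, and a non-string value reaches `explode(' ', $ajax_html_ids)` unchecked; `$ajax_html_ids = \Drupal::request()->request->get('ajax_html_ids', '');` together with an `is_string()` guard in the `empty()` test would make the later parse safe. The old `$_POST` read had the same gap, so this is pre-existing rather than a regression; the function starts and ends outside the hunk.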
...@@ -495,7 +495,8 @@ function form_type_checkboxes_value($element, $input = FALSE) { ...@@ -495,7 +495,8 @@ function form_type_checkboxes_value($element, $input = FALSE) {
// NULL elements from the array before constructing the return value, to // NULL elements from the array before constructing the return value, to
// simulate the behavior of web browsers (which do not send unchecked // simulate the behavior of web browsers (which do not send unchecked
// checkboxes to the server at all). This will not affect non-programmatic // checkboxes to the server at all). This will not affect non-programmatic
// form submissions, since all values in $_POST are strings. // form submissions, since all values in \Drupal::request()->request are
// strings.
foreach ($input as $key => $value) { foreach ($input as $key => $value) {
if (!isset($value)) { if (!isset($value)) {
unset($input[$key]); unset($input[$key]);
...@@ -253,9 +253,19 @@ function install_state_defaults() { ...@@ -253,9 +253,19 @@ function install_state_defaults() {
* modified with information gleaned from the beginning of the page request. * modified with information gleaned from the beginning of the page request.
*/ */
function install_begin_request(&$install_state) { function install_begin_request(&$install_state) {
// A request object from the HTTPFoundation to tell us about the request.
$request = Request::createFromGlobals();
// Create a minimal container so that t() and $request will work. This
// container will be overriden but it's needed for the very early installation
// process when database tasks run.
$container = new ContainerBuilder();
$container->set('request', $request);
\Drupal::setContainer($container);
// Add any installation parameters passed in via the URL. // Add any installation parameters passed in via the URL.
if ($install_state['interactive']) { if ($install_state['interactive']) {
$install_state['parameters'] += $_GET; $install_state['parameters'] += $request->query->all();
} }
// Validate certain core settings that are used throughout the installation. // Validate certain core settings that are used throughout the installation.
...@@ -288,13 +298,10 @@ function install_begin_request(&$install_state) { ...@@ -288,13 +298,10 @@ function install_begin_request(&$install_state) {
// _drupal_load_test_overrides() sets the simpletest_conf_path in-memory // _drupal_load_test_overrides() sets the simpletest_conf_path in-memory
// setting in this case. // setting in this case.
if ($install_state['interactive'] && drupal_valid_test_ua() && !settings()->get('simpletest_conf_path')) { if ($install_state['interactive'] && drupal_valid_test_ua() && !settings()->get('simpletest_conf_path')) {
header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden'); header($request->server->get('SERVER_PROTOCOL') . ' 403 Forbidden');
exit; exit;
} }
// A request object from the HTTPFoundation to tell us about the request.
$request = Request::createFromGlobals();
// If we have a language selected and it is not yet saved in the system // If we have a language selected and it is not yet saved in the system
// (eg. pre-database data screens we are unable to persistently store // (eg. pre-database data screens we are unable to persistently store
// the default language), we should set language_default so the proper // the default language), we should set language_default so the proper
...@@ -324,10 +331,6 @@ function install_begin_request(&$install_state) { ...@@ -324,10 +331,6 @@ function install_begin_request(&$install_state) {
// Determine whether the configuration system is ready to operate. // Determine whether the configuration system is ready to operate.
$install_state['config_verified'] = install_verify_config_directory(CONFIG_ACTIVE_DIRECTORY) && install_verify_config_directory(CONFIG_STAGING_DIRECTORY); $install_state['config_verified'] = install_verify_config_directory(CONFIG_ACTIVE_DIRECTORY) && install_verify_config_directory(CONFIG_STAGING_DIRECTORY);
// Create a minimal container for t() to work.
// This container will be overriden but it needed for the very early
// installation process when database tasks run.
$container = new ContainerBuilder();
// Register the translation services. // Register the translation services.
install_register_translation_service($container); install_register_translation_service($container);
\Drupal::setContainer($container); \Drupal::setContainer($container);
...@@ -1355,7 +1358,7 @@ function install_select_profile(&$install_state) { ...@@ -1355,7 +1358,7 @@ function install_select_profile(&$install_state) {
* *
* A profile will be selected if: * A profile will be selected if:
* - Only one profile is available, * - Only one profile is available,
* - A profile was submitted through $_POST, * - A profile was submitted through \Drupal::request()->request,
* - Exactly one of the profiles is marked as "exclusive". * - Exactly one of the profiles is marked as "exclusive".
* If multiple profiles are marked as "exclusive" then no profile will be * If multiple profiles are marked as "exclusive" then no profile will be
* selected. * selected.
...@@ -1369,12 +1372,13 @@ function install_select_profile(&$install_state) { ...@@ -1369,12 +1372,13 @@ function install_select_profile(&$install_state) {
*/ */
function _install_select_profile($profiles) { function _install_select_profile($profiles) {
// Don't need to choose profile if only one available. // Don't need to choose profile if only one available.
$request_params = \Drupal::request()->request;
if (count($profiles) == 1) { if (count($profiles) == 1) {
$profile = array_pop($profiles); $profile = array_pop($profiles);
return $profile->name; return $profile->name;
} }
elseif (!empty($_POST['profile']) && isset($profiles[$_POST['profile']])) { elseif ($request_params->has('profile') && ($profile = $request_params->get('profile')) && isset($profiles[$profile])) {
return $profiles[$_POST['profile']]->name; return $profiles[$profile]->name;
} }
// Check for a profile marked as "exclusive" and ensure that only one // Check for a profile marked as "exclusive" and ensure that only one
// profile is marked as such. // profile is marked as such.
...@@ -1555,6 +1559,7 @@ function install_select_language(&$install_state) { ...@@ -1555,6 +1559,7 @@ function install_select_language(&$install_state) {
// Find all available translation files. // Find all available translation files.
$files = install_find_translations(); $files = install_find_translations();
$install_state['translations'] += $files; $install_state['translations'] += $files;
$request_params = \Drupal::request()->request;
// If a valid language code is set, continue with the next installation step. // If a valid language code is set, continue with the next installation step.
// When translations from the localization server are used, any language code // When translations from the localization server are used, any language code
...@@ -1562,9 +1567,9 @@ function install_select_language(&$install_state) { ...@@ -1562,9 +1567,9 @@ function install_select_language(&$install_state) {
// langauges available at http://localize.drupal.org. // langauges available at http://localize.drupal.org.
// When files from the translation directory are used, we only accept // When files from the translation directory are used, we only accept
// languages for which a file is available. // languages for which a file is available.
if (!empty($_POST['langcode'])) { if ($request_params->has('langcode')) {
$standard_languages = LanguageManager::getStandardLanguageList(); $standard_languages = LanguageManager::getStandardLanguageList();
$langcode = $_POST['langcode']; $langcode = $request_params->get('langcode');
if ($langcode == 'en' || isset($files[$langcode]) || isset($standard_languages[$langcode])) { if ($langcode == 'en' || isset($files[$langcode]) || isset($standard_languages[$langcode])) {
$install_state['parameters']['langcode'] = $langcode; $install_state['parameters']['langcode'] = $langcode;
return; return;
...@@ -2106,7 +2111,8 @@ function install_configure_form($form, &$form_state, &$install_state) { ...@@ -2106,7 +2111,8 @@ function install_configure_form($form, &$form_state, &$install_state) {
// especially out of place on the last page of the installer, where it would // especially out of place on the last page of the installer, where it would
// distract from the message that the Drupal installation has completed // distract from the message that the Drupal installation has completed
// successfully.) // successfully.)
if (empty($_POST) && (!drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_file, FILE_EXIST|FILE_READABLE|FILE_NOT_WRITABLE) || !drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_dir, FILE_NOT_WRITABLE, 'dir'))) { $post_params = \Drupal::request()->request->all();
if (empty($post_params) && (!drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_file, FILE_EXIST|FILE_READABLE|FILE_NOT_WRITABLE) || !drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_dir, FILE_NOT_WRITABLE, 'dir'))) {
drupal_set_message(t('All necessary changes to %dir and %file have been made, so you should remove write permissions to them now in order to avoid security risks. If you are unsure how to do so, consult the <a href="@handbook_url">online handbook</a>.', array('%dir' => $settings_dir, '%file' => $settings_file, '@handbook_url' => 'http://drupal.org/server-permissions')), 'warning'); drupal_set_message(t('All necessary changes to %dir and %file have been made, so you should remove write permissions to them now in order to avoid security risks. If you are unsure how to do so, consult the <a href="@handbook_url">online handbook</a>.', array('%dir' => $settings_dir, '%file' => $settings_file, '@handbook_url' => 'http://drupal.org/server-permissions')), 'warning');
} }
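Review bot: In _install_select_profile the new condition `$request_params->has('profile') && ($profile = $request_params->get('profile')) && isset($profiles[$profile])` makes `has()` redundant (get() returns NULL when the key is absent, and the truthiness test already covers that) and buries an assignment inside the `elseif`; the same has()-then-get() pairing appears in install_select_language at `if ($request_params->has('langcode')) {`, where it also changes the old `!empty()` semantics so an empty string now enters the branch. Clearer is `$profile = $request_params->get('profile');` next to the existing `$request_params` line and `elseif (is_string($profile) && $profile !== '' && isset($profiles[$profile])) {`, which also keeps a non-string posted value away from the array offset. _install_select_profile begins inside the hunk but its body continues past it.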
...@@ -100,7 +100,8 @@ ...@@ -100,7 +100,8 @@
* $langcode = language_from_url($languages); * $langcode = language_from_url($languages);
* *
* // If we are on an administrative path, override with the default language. * // If we are on an administrative path, override with the default language.
* if (isset($_GET['q']) && strtok($_GET['q'], '/') == 'admin') { * $query = \Drupal::request()->query;
* if ($query->has('q') && strtok($query->get('q'), '/') == 'admin') {
* return language_default()->id; * return language_default()->id;
* } * }
* return $langcode; * return $langcode;
...@@ -5,13 +5,6 @@ ...@@ -5,13 +5,6 @@
* API functions for processing and sending e-mail. * API functions for processing and sending e-mail.
*/ */
/**
* Auto-detect appropriate line endings for e-mails.
*
* $settings['mail_line_endings'] will override this setting.
*/
define('MAIL_LINE_ENDINGS', isset($_SERVER['WINDIR']) || strpos($_SERVER['SERVER_SOFTWARE'], 'Win32') !== FALSE ? "\r\n" : "\n");
/** /**
* Composes and optionally sends an e-mail message. * Composes and optionally sends an e-mail message.
* *
...@@ -431,7 +424,7 @@ function drupal_html_to_text($string, $allowed_tags = NULL) { ...@@ -431,7 +424,7 @@ function drupal_html_to_text($string, $allowed_tags = NULL) {
if (isset($casing)) { if (isset($casing)) {
$chunk = $casing($chunk); $chunk = $casing($chunk);
} }
$line_endings = settings()->get('mail_line_endings', MAIL_LINE_ENDINGS); $line_endings = settings()->get('mail_line_endings', PHP_EOL);
// Format it and apply the current indentation. // Format it and apply the current indentation.
$output .= drupal_wrap_mail($chunk, implode('', $indent)) . $line_endings; $output .= drupal_wrap_mail($chunk, implode('', $indent)) . $line_endings;
// Remove non-quotation markers from indentation. // Remove non-quotation markers from indentation.
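Review bot: Dropping `define('MAIL_LINE_ENDINGS', ...)` from mail.inc removes a public constant without a replacement; on PHP 5 and 7 a module that still references `MAIL_LINE_ENDINGS` does not fail at load time but gets the literal string `'MAIL_LINE_ENDINGS'` with a notice, so that text would end up inside mail bodies. If the constant is meant to go, keep a deprecated alias for one cycle, e.g. `define('MAIL_LINE_ENDINGS', PHP_EOL);` preceded by a `@deprecated Use PHP_EOL.` docblock. Note also that `PHP_EOL` reflects the platform PHP was built for, whereas the removed check looked at `WINDIR` and `SERVER_SOFTWARE` of the running server; on a real Windows host these agree, so the behavioural change is confined to the edge cases the old heuristic covered, and as `settings()->get('mail_line_endings', PHP_EOL)` shows the value is only a default.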
...@@ -16,13 +16,13 @@ ...@@ -16,13 +16,13 @@
* *
* @return * @return
* The number of the current requested page, within the pager represented by * The number of the current requested page, within the pager represented by
* $element. This is determined from the URL query parameter $_GET['page'], or * $element. This is determined from the URL query parameter
* 0 by default. Note that this number may differ from the actual page being * \Drupal::request()->query->get('page'), or 0 by default. Note that this
* displayed. For example, if a search for "example text" brings up three * number may differ from the actual page being displayed. For example, if a
* pages of results, but a users visits search/node/example+text?page=10, this * search for "example text" brings up three pages of results, but a users
* function will return 10, even though the default pager implementation * visits search/node/example+text?page=10, this function will return 10, even
* adjusts for this and still displays the third page of search results at * though the default pager implementation adjusts for this and still displays
* that URL. * the third page of search results at that URL.
* *
* @see pager_default_initialize() * @see pager_default_initialize()
*/ */
...@@ -109,10 +109,11 @@ function pager_find_page($element = 0) { ...@@ -109,10 +109,11 @@ function pager_find_page($element = 0) {
* *
* @return * @return
* The number of the current page, within the pager represented by $element. * The number of the current page, within the pager represented by $element.
* This is determined from the URL query parameter $_GET['page'], or 0 by * This is determined from the URL query parameter
* default. However, if a page that does not correspond to the actual range * \Drupal::request()->query->get('page), or 0 by default. However, if a page
* of the result set was requested, this function will return the closest * that does not correspond to the actual range of the result set was
* page actually within the result set. * requested, this function will return the closest page actually within the
* result set.
*/ */
function pager_default_initialize($total, $limit, $element = 0) { function pager_default_initialize($total, $limit, $element = 0) {
global $pager_page_array, $pager_total, $pager_total_items, $pager_limits; global $pager_page_array, $pager_total, $pager_total_items, $pager_limits;
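Review bot: The docblock line `\Drupal::request()->query->get('page), or 0 by default. However, if a page` in pager_default_initialize's return description has an unbalanced quote; it should read `\Drupal::request()->query->get('page'), or 0 by default. However, if a page`. The corresponding sentence in pager_find_page's docblock earlier in this section is correct.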
...@@ -83,7 +83,8 @@ function _drupal_session_read($sid) { ...@@ -83,7 +83,8 @@ function _drupal_session_read($sid) {
// Handle the case of first time visitors and clients that don't store // Handle the case of first time visitors and clients that don't store
// cookies (eg. web crawlers). // cookies (eg. web crawlers).
$insecure_session_name = substr(session_name(), 1); $insecure_session_name = substr(session_name(), 1);
if (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name])) { $cookies = \Drupal::request()->cookies;
if (!$cookies->has(session_name()) && !$cookies->has($insecure_session_name)) {
$user = new UserSession(); $user = new UserSession();
return ''; return '';
} }
...@@ -95,9 +96,9 @@ function _drupal_session_read($sid) { ...@@ -95,9 +96,9 @@ function _drupal_session_read($sid) {
if (\Drupal::request()->isSecure()) { if (\Drupal::request()->isSecure()) {
$values = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(':ssid' => $sid))->fetchAssoc(); $values = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(':ssid' => $sid))->fetchAssoc();
if (!$values) { if (!$values) {
if (isset($_COOKIE[$insecure_session_name])) { if ($cookies->has($insecure_session_name)) {
$values = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid AND s.uid = 0", array( $values = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid AND s.uid = 0", array(
':sid' => $_COOKIE[$insecure_session_name])) ':sid' => $cookies->get($insecure_session_name)))
->fetchAssoc(); ->fetchAssoc();
} }
} }
...@@ -188,13 +189,14 @@ function _drupal_session_write($sid, $value) { ...@@ -188,13 +189,14 @@ function _drupal_session_write($sid, $value) {
// On HTTPS connections, use the session ID as both 'sid' and 'ssid'. // On HTTPS connections, use the session ID as both 'sid' and 'ssid'.
if (\Drupal::request()->isSecure()) { if (\Drupal::request()->isSecure()) {
$key['ssid'] = $sid; $key['ssid'] = $sid;
$cookies = \Drupal::request()->cookies;
// The "secure pages" setting allows a site to simultaneously use both // The "secure pages" setting allows a site to simultaneously use both
// secure and insecure session cookies. If enabled and both cookies are // secure and insecure session cookies. If enabled and both cookies are
// presented then use both keys. // presented then use both keys.
if (settings()->get('mixed_mode_sessions', FALSE)) { if (settings()->get('mixed_mode_sessions', FALSE)) {
$insecure_session_name = substr(session_name(), 1); $insecure_session_name = substr(session_name(), 1);
if (isset($_COOKIE[$insecure_session_name])) { if ($cookies->has($insecure_session_name)) {
$key['sid'] = $_COOKIE[$insecure_session_name]; $key['sid'] = $cookies->get($insecure_session_name);
} }
} }
} }
...@@ -241,9 +243,8 @@ function drupal_session_initialize() { ...@@ -241,9 +243,8 @@ function drupal_session_initialize() {
session_set_save_handler('_drupal_session_open', '_drupal_session_close', '_drupal_session_read', '_drupal_session_write', '_drupal_session_destroy', '_drupal_session_garbage_collection'); session_set_save_handler('_drupal_session_open', '_drupal_session_close', '_drupal_session_read', '_drupal_session_write', '_drupal_session_destroy', '_drupal_session_garbage_collection');
$is_https = \Drupal::request()->isSecure(); $is_https = \Drupal::request()->isSecure();
// We use !empty() in the following check to ensure that blank session IDs $cookies = \Drupal::request()->cookies;
// are not valid. if (($cookies->has(session_name()) && ($session_name = $cookies->get(session_name()))) || ($is_https && settings()->get('mixed_mode_sessions', FALSE) && ($cookies->has(substr(session_name(), 1))) && ($session_name = $cookies->get(substr(session_name(), 1))))) {
if (!empty($_COOKIE[session_name()]) || ($is_https && settings()->get('mixed_mode_sessions', FALSE) && !empty($_COOKIE[substr(session_name(), 1)]))) {
// If a session cookie exists, initialize the session. Otherwise the // If a session cookie exists, initialize the session. Otherwise the
// session is only started on demand in drupal_session_commit(), making // session is only started on demand in drupal_session_commit(), making
// anonymous users not use a session cookie unless something is stored in // anonymous users not use a session cookie unless something is stored in
...@@ -267,7 +268,7 @@ function drupal_session_initialize() { ...@@ -267,7 +268,7 @@ function drupal_session_initialize() {
if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) { if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
$insecure_session_name = substr(session_name(), 1); $insecure_session_name = substr(session_name(), 1);
$session_id = Crypt::hashBase64(uniqid(mt_rand(), TRUE)); $session_id = Crypt::hashBase64(uniqid(mt_rand(), TRUE));
$_COOKIE[$insecure_session_name] = $session_id; $cookies->set($insecure_session_name, $session_id);
} }
} }
date_default_timezone_set(drupal_get_user_timezone()); date_default_timezone_set(drupal_get_user_timezone());
...@@ -323,7 +324,8 @@ function drupal_session_commit() { ...@@ -323,7 +324,8 @@ function drupal_session_commit() {
$insecure_session_name = substr(session_name(), 1); $insecure_session_name = substr(session_name(), 1);
$params = session_get_cookie_params(); $params = session_get_cookie_params();
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0; $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
setcookie($insecure_session_name, $_COOKIE[$insecure_session_name], $expire, $params['path'], $params['domain'], FALSE, $params['httponly']); $cookie_params = \Drupal::request()->cookies;
setcookie($insecure_session_name, $cookie_params->get($insecure_session_name), $expire, $params['path'], $params['domain'], FALSE, $params['httponly']);
} }
} }
// Write the session data. // Write the session data.
...@@ -356,11 +358,12 @@ function drupal_session_regenerate() { ...@@ -356,11 +358,12 @@ function drupal_session_regenerate() {
} }
$is_https = \Drupal::request()->isSecure(); $is_https = \Drupal::request()->isSecure();
$cookies = \Drupal::request()->cookies;
if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) { if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
$insecure_session_name = substr(session_name(), 1); $insecure_session_name = substr(session_name(), 1);
if (!isset($GLOBALS['lazy_session']) && isset($_COOKIE[$insecure_session_name])) { if (!isset($GLOBALS['lazy_session']) && $cookies->has($insecure_session_name)) {
$old_insecure_session_id = $_COOKIE[$insecure_session_name]; $old_insecure_session_id = $cookies->get($insecure_session_name);
} }
$params = session_get_cookie_params(); $params = session_get_cookie_params();
$session_id = Crypt::hashBase64(uniqid(mt_rand(), TRUE) . Crypt::randomBytes(55)); $session_id = Crypt::hashBase64(uniqid(mt_rand(), TRUE) . Crypt::randomBytes(55));
...@@ -369,7 +372,7 @@ function drupal_session_regenerate() { ...@@ -369,7 +372,7 @@ function drupal_session_regenerate() {
// it will expire when the browser is closed. // it will expire when the browser is closed.
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0; $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
setcookie($insecure_session_name, $session_id, $expire, $params['path'], $params['domain'], FALSE, $params['httponly']); setcookie($insecure_session_name, $session_id, $expire, $params['path'], $params['domain'], FALSE, $params['httponly']);
$_COOKIE[$insecure_session_name] = $session_id; $cookies->set($insecure_session_name, $session_id);
} }
if (drupal_session_started()) { if (drupal_session_started()) {
...@@ -461,13 +464,14 @@ function _drupal_session_destroy($sid) { ...@@ -461,13 +464,14 @@ function _drupal_session_destroy($sid) {
* Force the secure value of the cookie. * Force the secure value of the cookie.
*/ */
function _drupal_session_delete_cookie($name, $secure = NULL) { function _drupal_session_delete_cookie($name, $secure = NULL) {
if (isset($_COOKIE[$name]) || (!\Drupal::request()->isSecure() && $secure === TRUE)) { $cookies = \Drupal::request()->cookies;
if ($cookies->has($name) || (!\Drupal::request()->isSecure() && $secure === TRUE)) {
$params = session_get_cookie_params(); $params = session_get_cookie_params();
if ($secure !== NULL) { if ($secure !== NULL) {
$params['secure'] = $secure; $params['secure'] = $secure;
} }
setcookie($name, '', REQUEST_TIME - 3600, $params['path'], $params['domain'], $params['secure'], $params['httponly']); setcookie($name, '', REQUEST_TIME - 3600, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
unset($_COOKIE[$name]); $cookies->remove($name);
} }
} }
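Review bot: The rewritten condition in drupal_session_initialize drops the comment `// We use !empty() in the following check to ensure that blank session IDs are not valid.` even though the new code still relies on that rule — the truthiness of the assigned value, not `has()`, is what rejects a blank cookie — so the intent is now undocumented, the `has()` calls are redundant, and `$session_name` is a misnomer for what is a session ID (if nothing below the hunk consumes it, the variable can simply be dropped). A flatter form keeps the behaviour and restores the explanation; I have kept the `$session_name` name in case it is read further down the function, which continues outside the hunk.

```php
  $is_https = \Drupal::request()->isSecure();
  $cookies = \Drupal::request()->cookies;
  // A blank cookie value must not count as a valid session ID, so the checks
  // below test the value itself rather than only the cookie's presence.
  $session_name = $cookies->get(session_name());
  if (!$session_name && $is_https && settings()->get('mixed_mode_sessions', FALSE)) {
    $session_name = $cookies->get(substr(session_name(), 1));
  }
  if ($session_name) {
    // … unchanged: start the session when a cookie exists …
```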
...@@ -34,7 +34,8 @@ class Url { ...@@ -34,7 +34,8 @@ class Url {
* http_build_query() directly. * http_build_query() directly.
* *
* @param array $query * @param array $query
* The query parameter array to be processed, e.g. $_GET. * The query parameter array to be processed,
* e.g. \Drupal::request()->query->all().
* @param string $parent * @param string $parent
* Internal use only. Used to build the $query array key for nested items. * Internal use only. Used to build the $query array key for nested items.
* *
...@@ -118,13 +119,14 @@ public static function filterQueryParameters(array $query, array $exclude = arra ...@@ -118,13 +119,14 @@ public static function filterQueryParameters(array $query, array $exclude = arra
* The returned array contains a 'path' that may be passed separately to url(). * The returned array contains a 'path' that may be passed separately to url().
* For example: * For example:
* @code * @code
* $options = Url::parse($_GET['destination']); * $options = Url::parse(\Drupal::request()->query->get('destination'));
* $my_url = url($options['path'], $options); * $my_url = url($options['path'], $options);
* $my_link = l('Example link', $options['path'], $options); * $my_link = l('Example link', $options['path'], $options);
* @endcode * @endcode
* *
* @param string $url * @param string $url
* The URL string to parse, f.e. $_GET['destination']. * The URL string to parse, i.e.
* \Drupal::request()->query->get('destination').
* *
* @return * @return
* An associative array containing the keys: * An associative array containing the keys:
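Review bot: `* The URL string to parse, i.e.` in the Url::parse() docblock turns the old "f.e." (for example) into "i.e." (that is), which now reads as though the destination query parameter were the only valid input; suggest `* The URL string to parse, e.g.` followed by the existing `\Drupal::request()->query->get('destination').` line. The method signature and body lie outside the hunk.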
...@@ -95,10 +95,11 @@ protected function ajaxRender(Request $request) { ...@@ -95,10 +95,11 @@ protected function ajaxRender(Request $request) {
// diffing logic using array_diff_key(). // diffing logic using array_diff_key().
$ajax_page_state = $request->request->get('ajax_page_state'); $ajax_page_state = $request->request->get('ajax_page_state');
foreach (array('css', 'js') as $type) { foreach (array('css', 'js') as $type) {
// It is highly suspicious if $_POST['ajax_page_state'][$type] is empty, // It is highly suspicious if
// since the base page ought to have at least one JS file and one CSS file // $request->request->get("ajax_page_state[$type]") is empty, since the
// loaded. It probably indicates an error, and rather than making the page // base page ought to have at least one JS file and one CSS file loaded.
// reload all of the files, instead we return no new files. // It probably indicates an error, and rather than making the page reload
// all of the files, instead we return no new files.
if (empty($ajax_page_state[$type])) { if (empty($ajax_page_state[$type])) {
$items[$type] = array(); $items[$type] = array();
} }
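Review bot: The rewritten comment above the `if` describes a lookup the code does not perform — `$request->request->get("ajax_page_state[$type]")` — while the code reads `$ajax_page_state[$type]` from the array fetched once on the line above; passing a bracket-path key to `get()` is a different operation, so the comment should say `// It is highly suspicious if $ajax_page_state[$type] is empty, since the`. Because `ajax_page_state` comes from the POST body it can also arrive as a scalar rather than an array; as far as I can tell the `empty()` test tolerates that, but an explicit `$ajax_page_state = (array) $request->request->get('ajax_page_state');` would make the expected shape visible to the next reader. ajaxRender continues outside the hunk.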
...@@ -48,9 +48,10 @@ public function checkRedirectUrl(FilterResponseEvent $event) { ...@@ -48,9 +48,10 @@ public function checkRedirectUrl(FilterResponseEvent $event) {
$options = array(); $options = array();
$destination = $event->getRequest()->query->get('destination'); $destination = $event->getRequest()->query->get('destination');
// A destination in $_GET always overrides the current RedirectResponse. // A destination from \Drupal::request()->query always overrides the
// We do not allow absolute URLs to be passed via $_GET, as this can be an // current RedirectResponse. We do not allow absolute URLs to be passed
// attack vector, with the following exception: // via \Drupal::request()->query, as this can be an attack vector, with
// the following exception:
// - Absolute URLs that point to this site (i.e. same base URL and // - Absolute URLs that point to this site (i.e. same base URL and
// base path) are allowed. // base path) are allowed.
if ($destination && (!url_is_external($destination) || _external_url_is_local($destination))) { if ($destination && (!url_is_external($destination) || _external_url_is_local($destination))) {
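Review bot: The new condition still lets a non-string `destination` through: `query->get('destination')` returns whatever the query bag holds, so a request with `?destination[]=…` would, as far as I can tell, hand an array to `url_is_external()`, whose behaviour on an array is not visible here and may make the `!url_is_external()` branch true. A cheap guard keeps the check on the type the helpers expect: `if ($destination && is_string($destination) && (!url_is_external($destination) || _external_url_is_local($destination))) {`. The rewritten comment also refers to `\Drupal::request()->query` while the code correctly reads the event's request; `// A destination in the request's query string always overrides the` would match what the code does. checkRedirectUrl continues outside the hunk.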
...@@ -569,7 +569,7 @@ public function retrieveForm($form_id, &$form_state) { ...@@ -569,7 +569,7 @@ public function retrieveForm($form_id, &$form_state) {
public function processForm($form_id, &$form, &$form_state) { public function processForm($form_id, &$form, &$form_state) {
$form_state['values'] = array(); $form_state['values'] = array();
// With $_GET, these forms are always submitted if requested. // With GET, these forms are always submitted if requested.
if ($form_state['method'] == 'get' && !empty($form_state['always_process'])) { if ($form_state['method'] == 'get' && !empty($form_state['always_process'])) {
if (!isset($form_state['input']['form_build_id'])) { if (!isset($form_state['input']['form_build_id'])) {
$form_state['input']['form_build_id'] = $form['#build_id']; $form_state['input']['form_build_id'] = $form['#build_id'];
...@@ -1490,9 +1490,10 @@ protected function handleInputElement($form_id, &$element, &$form_state) { ...@@ -1490,9 +1490,10 @@ protected function handleInputElement($form_id, &$element, &$form_state) {
$name = array_shift($element['#parents']); $name = array_shift($element['#parents']);
$element['#name'] = $name; $element['#name'] = $name;
if ($element['#type'] == 'file') { if ($element['#type'] == 'file') {
// To make it easier to handle $_FILES in file.inc, we place all // To make it easier to handle files in file.inc, we place all
// file fields in the 'files' array. Also, we do not support // file fields in the 'files' array. Also, we do not support
// nested file names. // nested file names.
// @todo Remove this files prefix now?
$element['#name'] = 'files[' . $element['#name'] . ']'; $element['#name'] = 'files[' . $element['#name'] . ']';
} }
elseif (count($element['#parents'])) { elseif (count($element['#parents'])) {
...@@ -1608,7 +1609,8 @@ protected function handleInputElement($form_id, &$element, &$form_state) { ...@@ -1608,7 +1609,8 @@ protected function handleInputElement($form_id, &$element, &$form_state) {
if (!empty($element['#is_button'])) { if (!empty($element['#is_button'])) {
// All buttons in the form need to be tracked for // All buttons in the form need to be tracked for
// form_state_values_clean() and for the self::doBuildForm() code that // form_state_values_clean() and for the self::doBuildForm() code that
// handles a form submission containing no button information in $_POST. // handles a form submission containing no button information in
// \Drupal::request()->request.
$form_state['buttons'][] = $element; $form_state['buttons'][] = $element;
if ($this->buttonWasClicked($element, $form_state)) { if ($this->buttonWasClicked($element, $form_state)) {
$form_state['triggering_element'] = $element; $form_state['triggering_element'] = $element;
...@@ -1668,15 +1670,15 @@ protected function buttonWasClicked($element, &$form_state) { ...@@ -1668,15 +1670,15 @@ protected function buttonWasClicked($element, &$form_state) {
// buttons on a form share the same name (usually 'op'), and the specific // buttons on a form share the same name (usually 'op'), and the specific
// return value is used to determine which was clicked. This ONLY works as