Commit e116f8d3 authored by xjm's avatar xjm

SA-CORE-2018-004 by David_Rothstein, alexpott, larowlan, Heine, Pere Orga,...

SA-CORE-2018-004 by David_Rothstein, alexpott, larowlan, Heine, Pere Orga, tim.plunkett, mlhess, xjm, Jasu_M, drumm, cashwilliams, quicksketch, dawehner, pwolanin, samuel.mortenson

(cherry picked from commit bb6d3966)
parent d01bb4f6
...@@ -2,6 +2,8 @@ ...@@ -2,6 +2,8 @@
namespace Drupal\Core\Security; namespace Drupal\Core\Security;
use Drupal\Component\Utility\UrlHelper;
use Symfony\Component\HttpFoundation\ParameterBag;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
/** /**
...@@ -39,33 +41,89 @@ class RequestSanitizer { ...@@ -39,33 +41,89 @@ class RequestSanitizer {
*/ */
public static function sanitize(Request $request, $whitelist, $log_sanitized_keys = FALSE) { public static function sanitize(Request $request, $whitelist, $log_sanitized_keys = FALSE) {
if (!$request->attributes->get(self::SANITIZED, FALSE)) { if (!$request->attributes->get(self::SANITIZED, FALSE)) {
// Process query string parameters. $update_globals = FALSE;
$get_sanitized_keys = []; $bags = [
$request->query->replace(static::stripDangerousValues($request->query->all(), $whitelist, $get_sanitized_keys)); 'query' => 'Potentially unsafe keys removed from query string parameters (GET): %s',
if ($log_sanitized_keys && !empty($get_sanitized_keys)) { 'request' => 'Potentially unsafe keys removed from request body parameters (POST): %s',
trigger_error(sprintf('Potentially unsafe keys removed from query string parameters (GET): %s', implode(', ', $get_sanitized_keys))); 'cookies' => 'Potentially unsafe keys removed from cookie parameters: %s',
];
foreach ($bags as $bag => $message) {
if (static::processParameterBag($request->$bag, $whitelist, $log_sanitized_keys, $bag, $message)) {
$update_globals = TRUE;
}
} }
if ($update_globals) {
// Request body parameters. $request->overrideGlobals();
$post_sanitized_keys = [];
$request->request->replace(static::stripDangerousValues($request->request->all(), $whitelist, $post_sanitized_keys));
if ($log_sanitized_keys && !empty($post_sanitized_keys)) {
trigger_error(sprintf('Potentially unsafe keys removed from request body parameters (POST): %s', implode(', ', $post_sanitized_keys)));
} }
$request->attributes->set(self::SANITIZED, TRUE);
}
return $request;
}
// Cookie parameters. /**
$cookie_sanitized_keys = []; * Processes a request parameter bag.
$request->cookies->replace(static::stripDangerousValues($request->cookies->all(), $whitelist, $cookie_sanitized_keys)); *
if ($log_sanitized_keys && !empty($cookie_sanitized_keys)) { * @param \Symfony\Component\HttpFoundation\ParameterBag $bag
trigger_error(sprintf('Potentially unsafe keys removed from cookie parameters: %s', implode(', ', $cookie_sanitized_keys))); * The parameter bag to process.
* @param string[] $whitelist
* An array of keys to whitelist as safe.
* @param bool $log_sanitized_keys
* Set to TRUE to log keys that are sanitized.
* @param string $bag_name
* The request parameter bag name. Either 'query', 'request' or 'cookies'.
* @param string $message
* The message to log if the parameter bag contains keys that are removed.
* If the message contains %s that is replaced by a list of removed keys.
*
* @return bool
* TRUE if the parameter bag has been sanitized, FALSE if not.
*/
protected static function processParameterBag(ParameterBag $bag, $whitelist, $log_sanitized_keys, $bag_name, $message) {
$sanitized = FALSE;
$sanitized_keys = [];
$bag->replace(static::stripDangerousValues($bag->all(), $whitelist, $sanitized_keys));
if (!empty($sanitized_keys)) {
$sanitized = TRUE;
if ($log_sanitized_keys) {
trigger_error(sprintf($message, implode(', ', $sanitized_keys)));
} }
}
if (!empty($get_sanitized_keys) || !empty($post_sanitized_keys) || !empty($cookie_sanitized_keys)) { if ($bag->has('destination')) {
$request->overrideGlobals(); $destination_dangerous_keys = static::checkDestination($bag->get('destination'), $whitelist);
if (!empty($destination_dangerous_keys)) {
// The destination is removed rather than sanitized because the URL
// generator service is not available and this method is called very
// early in the bootstrap.
$bag->remove('destination');
$sanitized = TRUE;
if ($log_sanitized_keys) {
trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it contained the following keys: %s', $bag_name, implode(', ', $destination_dangerous_keys)));
}
} }
$request->attributes->set(self::SANITIZED, TRUE);
} }
return $request; return $sanitized;
}
/**
* Checks a destination string to see if it is dangerous.
*
* @param string $destination
* The destination string to check.
* @param array $whitelist
* An array of keys to whitelist as safe.
*
* @return array
* The dangerous keys found in the destination parameter.
*/
protected static function checkDestination($destination, array $whitelist) {
$dangerous_keys = [];
$parts = UrlHelper::parse($destination);
// If there is a query string, check its query parameters.
if (!empty($parts['query'])) {
static::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
}
return $dangerous_keys;
} }
/** /**
......
...@@ -8,6 +8,7 @@ ...@@ -8,6 +8,7 @@
use Drupal\Core\Ajax\AjaxResponse; use Drupal\Core\Ajax\AjaxResponse;
use Drupal\Core\Ajax\ReplaceCommand; use Drupal\Core\Ajax\ReplaceCommand;
use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Render\Element;
use Drupal\Core\Render\Element\FormElement; use Drupal\Core\Render\Element\FormElement;
use Drupal\Core\Site\Settings; use Drupal\Core\Site\Settings;
use Drupal\Core\Url; use Drupal\Core\Url;
...@@ -175,6 +176,9 @@ public static function uploadAjaxCallback(&$form, FormStateInterface &$form_stat ...@@ -175,6 +176,9 @@ public static function uploadAjaxCallback(&$form, FormStateInterface &$form_stat
$form_parents = explode('/', $request->query->get('element_parents')); $form_parents = explode('/', $request->query->get('element_parents'));
// Sanitize form parents before using them.
$form_parents = array_filter($form_parents, [Element::class, 'child']);
// Retrieve the element to be rendered. // Retrieve the element to be rendered.
$form = NestedArray::getValue($form, $form_parents); $form = NestedArray::getValue($form, $form_parents);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment