From aa710df2db2512f6065f91dcf8b5fc7d100edf41 Mon Sep 17 00:00:00 2001 From: Nathan Guse Date: Fri, 13 Sep 2013 09:52:02 -0500 Subject: [ticket/11832] Create phpbb_symfony_request to handle initiating symfony_request Now symfony_request is also a service (removed the function phpbb_create_symfony_request). Inject symfony request into filesystem Cleanup for the tests PHPBB3-11832 --- phpBB/phpbb/symfony_request.php | 46 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 phpBB/phpbb/symfony_request.php (limited to 'phpBB/phpbb/symfony_request.php') diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php new file mode 100644 index 0000000000..29ab8c000e --- /dev/null +++ b/phpBB/phpbb/symfony_request.php @@ -0,0 +1,46 @@ +set_var($value, $value, gettype($value), true); + }; + + $get_parameters = $phpbb_request->get_super_global(phpbb_request_interface::GET); + $post_parameters = $phpbb_request->get_super_global(phpbb_request_interface::POST); + $server_parameters = $phpbb_request->get_super_global(phpbb_request_interface::SERVER); + $files_parameters = $phpbb_request->get_super_global(phpbb_request_interface::FILES); + $cookie_parameters = $phpbb_request->get_super_global(phpbb_request_interface::COOKIE); + + array_walk_recursive($get_parameters, $sanitizer); + array_walk_recursive($post_parameters, $sanitizer); + + parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); + } +} -- cgit v1.2.1 From 9d8ac2b0ceb24dd14df61d083505941afb1b52c4 Mon Sep 17 00:00:00 2001 From: Nils Adermann Date: Tue, 17 Sep 2013 17:12:41 +0200 Subject: [ticket/11700] Fix unit tests after develop merge PHPBB3-11700 --- phpBB/phpbb/symfony_request.php | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) (limited to 'phpBB/phpbb/symfony_request.php') 
diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index 29ab8c000e..92784c213b 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -7,6 +7,8 @@ * */ +namespace phpbb; + use Symfony\Component\HttpFoundation\Request; /** 
@@ -17,26 +19,26 @@ if (!defined('IN_PHPBB')) exit; } -class phpbb_symfony_request extends Request +class symfony_request extends Request { /** * Constructor * - * @param phpbb_request_interface $phpbb_request + * @param phpbb\request\request_interface $phpbb_request */ - public function __construct(phpbb_request_interface $phpbb_request) + public function __construct(\phpbb\request\request_interface $phpbb_request) { // This function is meant to sanitize the global input arrays $sanitizer = function(&$value, $key) { - $type_cast_helper = new phpbb_request_type_cast_helper(); + $type_cast_helper = new \phpbb\request\type_cast_helper(); $type_cast_helper->set_var($value, $value, gettype($value), true); }; - $get_parameters = $phpbb_request->get_super_global(phpbb_request_interface::GET); - $post_parameters = $phpbb_request->get_super_global(phpbb_request_interface::POST); - $server_parameters = $phpbb_request->get_super_global(phpbb_request_interface::SERVER); - $files_parameters = $phpbb_request->get_super_global(phpbb_request_interface::FILES); - $cookie_parameters = $phpbb_request->get_super_global(phpbb_request_interface::COOKIE); + $get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET); + $post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST); + $server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER); + $files_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::FILES); + $cookie_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::COOKIE); array_walk_recursive($get_parameters, $sanitizer); array_walk_recursive($post_parameters, $sanitizer); -- cgit v1.2.1 From 7aa8f6461f1e85cf91931f56b95384e54fec07c2 Mon Sep 17 00:00:00 2001 
From: Andreas Fischer Date: Wed, 30 Oct 2013 13:05:28 +0100 Subject: [task/code-sniffer] Remove the IN_PHPBB check side-effect from class files. PHPBB3-11980 --- phpBB/phpbb/symfony_request.php | 8 -------- 1 file changed, 8 deletions(-) (limited to 'phpBB/phpbb/symfony_request.php') diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index 92784c213b..ebe862a565 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -11,14 +11,6 @@ namespace phpbb; use Symfony\Component\HttpFoundation\Request; -/** -* @ignore -*/ -if (!defined('IN_PHPBB')) -{ - exit; -} - class symfony_request extends Request { /** -- cgit v1.2.1 From a759704b39fc1c1353f865a633759b1369589b67 Mon Sep 17 00:00:00 2001 From: Yuriy Rusko Date: Tue, 27 May 2014 20:18:06 +0200 Subject: [ticket/12594] Remove @package tags and update file headers PHPBB3-12594 --- phpBB/phpbb/symfony_request.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'phpBB/phpbb/symfony_request.php') diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index ebe862a565..62e155aa23 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -1,9 +1,13 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ -- cgit v1.2.1 From bae172447602d876da733a5fbfb06f5f6f1b3d42 Mon Sep 17 00:00:00 2001 From: Tristan Darricau Date: Sun, 15 Jun 2014 15:29:56 +0200 Subject: [ticket/12715] Cleanup comments in \phpbb\symfony_request PHPBB3-12715 --- phpBB/phpbb/symfony_request.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb/symfony_request.php') diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index 62e155aa23..bf9ddec493 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php 
@@ -20,7 +20,7 @@ class symfony_request extends Request /** * Constructor * - * @param phpbb\request\request_interface $phpbb_request + * @param \phpbb\request\request_interface $phpbb_request */ public function __construct(\phpbb\request\request_interface $phpbb_request) { -- cgit v1.2.1 From 28ef238a5ccd41833de364ab14ff21a254a9beaf Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 1 Nov 2014 16:26:40 +0100 Subject: [ticket/security-164] Sanitize all global variables in symfony_request class SECURITY-164 --- phpBB/phpbb/symfony_request.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'phpBB/phpbb/symfony_request.php') diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index bf9ddec493..ad949a35f2 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -38,6 +38,9 @@ class symfony_request extends Request array_walk_recursive($get_parameters, $sanitizer); array_walk_recursive($post_parameters, $sanitizer); + array_walk_recursive($server_parameters, $sanitizer); + array_walk_recursive($files_parameters, $sanitizer); + array_walk_recursive($cookie_parameters, $sanitizer); parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); } -- cgit v1.2.1 From 13b59af1ffd0af652ba0ce3bc3f2594fc448fdb5 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 3 Nov 2014 17:14:18 +0100 Subject: [ticket/13280] Add additional sanitizer for ampersands in server superglobal PHPBB3-13280 --- phpBB/phpbb/symfony_request.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'phpBB/phpbb/symfony_request.php') diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index ad949a35f2..4d357a5c56 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php 
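Review bot: The added `array_walk_recursive($server_parameters, $sanitizer);` runs the same `set_var(..., true)` cast over every server value, and `$server_parameters` is then handed to `parent::__construct` on the line below as the array Symfony reads the request URI, query string and host from; if `set_var` HTML-encodes strings (its body is not in this hunk), `&` and `<` in those values reach Symfony's URL parsing in encoded form and change what it routes or reflects. Extending the walk to FILES and COOKIE closes a real gap, but SERVER is consumed by framework code rather than templates, so the line deserves a comment stating that the encoding is intentional for it, e.g. `// SERVER is escaped like user input; code needing the raw URI must read it through $phpbb_request`. If that is not intended, SERVER should stay on a cast-only path. The constructor's opening lines are outside this hunk.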
@@ -30,6 +30,11 @@ class symfony_request extends Request $type_cast_helper->set_var($value, $value, gettype($value), true); }; + // This function is meant for additional handling of server variables + $server_sanitizer = function(&$value, $key) { + $value = str_replace('&', '&', $value); + }; + $get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET); $post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST); $server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER); @@ -41,6 +46,7 @@ class symfony_request extends Request array_walk_recursive($server_parameters, $sanitizer); array_walk_recursive($files_parameters, $sanitizer); array_walk_recursive($cookie_parameters, $sanitizer); + array_walk_recursive($server_parameters, $server_sanitizer); parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); } -- cgit v1.2.1 From 3986470b3c77240310f51bb101cccf180b9e4c1e Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 4 Nov 2014 16:14:11 +0100 Subject: [ticket/13280] Seperate server sanitizer call and add comment PHPBB3-13280 --- phpBB/phpbb/symfony_request.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'phpBB/phpbb/symfony_request.php') diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index 4d357a5c56..23e5e6e29f 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -46,6 +46,8 @@ class symfony_request extends Request array_walk_recursive($server_parameters, $sanitizer); array_walk_recursive($files_parameters, $sanitizer); array_walk_recursive($cookie_parameters, $sanitizer); + + // Run additional sanitizer for server superglobal array_walk_recursive($server_parameters, $server_sanitizer); parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); -- cgit v1.2.1 
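Review bot: As printed, `$value = str_replace('&', '&', $value);` inside the new `$server_sanitizer` closure replaces a character with itself and so changes nothing; if the search string was an HTML-encoded ampersand that this rendering decoded, the comment above the closure should say what is being undone and why, e.g. `// Reverse the entity encoding $sanitizer applied, so URI/query values keep a literal '&' separator`. Independently of that, `str_replace` returns a string for any scalar subject, so every non-string leaf of the server array is turned into a string by this walk; guard the body with `if (is_string($value)) { ... }`. The second hunk also runs this closure after `$sanitizer` has already walked `$server_parameters`, so each value passes through two closures, and the same unguarded body is carried into the follow-up commit 'Only run sanitizer for server superglobal' further down.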
From 32881dbe31a945b6d2449a3f7e1bf7c5e73cd0a6 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 4 Nov 2014 16:54:45 +0100 Subject: [ticket/13280] Only run sanitizer for server superglobal and modify tests PHPBB3-13280 --- phpBB/phpbb/symfony_request.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'phpBB/phpbb/symfony_request.php') diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index 23e5e6e29f..02d22c480f 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -31,7 +31,8 @@ class symfony_request extends Request }; // This function is meant for additional handling of server variables - $server_sanitizer = function(&$value, $key) { + $server_sanitizer = function(&$value, $key) use ($sanitizer) { + $sanitizer($value, $key); $value = str_replace('&', '&', $value); }; @@ -43,11 +44,10 @@ class symfony_request extends Request array_walk_recursive($get_parameters, $sanitizer); array_walk_recursive($post_parameters, $sanitizer); - array_walk_recursive($server_parameters, $sanitizer); array_walk_recursive($files_parameters, $sanitizer); array_walk_recursive($cookie_parameters, $sanitizer); - // Run additional sanitizer for server superglobal + // Run special sanitizer for server superglobal array_walk_recursive($server_parameters, $server_sanitizer); parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); -- cgit v1.2.1 From 6d533d2f8630d5bed2bfdbfd09cc9c689fbad1b5 Mon Sep 17 00:00:00 2001 
From: Tristan Darricau Date: Wed, 12 Nov 2014 10:30:27 +0100 Subject: [ticket/13280] Revert "Merge pull request #3107 from marc1706/ticket/13280" This reverts commit a1b58d05d158ff7afd789c1b27821e17198f8d58, reversing changes made to 0e772afb9db640e54e84cfccaddcf74f3edbb3fb. PHPBB3-13280 --- phpBB/phpbb/symfony_request.php | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) (limited to 'phpBB/phpbb/symfony_request.php') diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index 02d22c480f..ad949a35f2 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -30,12 +30,6 @@ class symfony_request extends Request $type_cast_helper->set_var($value, $value, gettype($value), true); }; - // This function is meant for additional handling of server variables - $server_sanitizer = function(&$value, $key) use ($sanitizer) { - $sanitizer($value, $key); - $value = str_replace('&', '&', $value); - }; - $get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET); $post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST); $server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER); @@ -44,12 +38,10 @@ class symfony_request extends Request array_walk_recursive($get_parameters, $sanitizer); array_walk_recursive($post_parameters, $sanitizer); + array_walk_recursive($server_parameters, $sanitizer); array_walk_recursive($files_parameters, $sanitizer); array_walk_recursive($cookie_parameters, $sanitizer); - // Run special sanitizer for server superglobal - array_walk_recursive($server_parameters, $server_sanitizer); - parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); } } -- cgit v1.2.1 From 0dfe1d0d8b007ec7b7cae0715cfb2e5f4e33bad4 Mon Sep 17 00:00:00 2001 
From: Tristan Darricau Date: Wed, 12 Nov 2014 11:44:56 +0100 Subject: [ticket/13280] Output escaping for the symfony request object PHPBB3-13280 --- phpBB/phpbb/symfony_request.php | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) (limited to 'phpBB/phpbb/symfony_request.php') diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index ad949a35f2..2931cae3cc 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -15,6 +15,10 @@ namespace phpbb; use Symfony\Component\HttpFoundation\Request; +/** + * WARNING: The Symfony request does not escape the input and should be used very carefully + * prefer the phpbb request as possible + */ class symfony_request extends Request { /** 
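Review bot: The new class docblock says the request 'does not escape the input' and to 'prefer the phpbb request as possible', but it does not say which data is raw or what a caller must do, which is what someone reaching for this class needs to know. With the second hunk of this commit removing every `array_walk_recursive(..., $sanitizer)` call, all five arrays from `get_super_global` (GET, POST, COOKIE, FILES, SERVER) are passed to `parent::__construct` unchanged. Suggest replacing the two-line warning with a docblock that states this explicitly, tells readers that values obtained from this object must be escaped or type-checked at the point of use, and points them to `\phpbb\request\request_interface` for the sanitised values; 'as possible' should read 'where possible'. The constructor body this refers to is in the second hunk, below.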
@@ -24,24 +28,12 @@ class symfony_request extends Request */ public function __construct(\phpbb\request\request_interface $phpbb_request) { - // This function is meant to sanitize the global input arrays - $sanitizer = function(&$value, $key) { - $type_cast_helper = new \phpbb\request\type_cast_helper(); - $type_cast_helper->set_var($value, $value, gettype($value), true); - }; - $get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET); $post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST); $server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER); $files_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::FILES); $cookie_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::COOKIE); - array_walk_recursive($get_parameters, $sanitizer); - array_walk_recursive($post_parameters, $sanitizer); - array_walk_recursive($server_parameters, $sanitizer); - array_walk_recursive($files_parameters, $sanitizer); - array_walk_recursive($cookie_parameters, $sanitizer); - parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); } } -- cgit v1.2.1