authorMaat <maat-pub@mageia.biz>2020-05-08 21:52:11 +0200
committerMaat <maat-pub@mageia.biz>2020-05-08 21:52:11 +0200
commit8ea437e30605e0f66b5220bf904a61d7c1d11ddd (patch)
treee0db2bb4a012d5b06a633160b19f62f4868ecd28 /phpBB/phpbb/request
parent36bc1870f21fac04736a1049c1d5b8e127d729f4 (diff)
parent2fdd46b36431ae0f58bb2e78e42553168db9a0ff (diff)
Merge remote-tracking branch 'upstream/prep-release-3.2.9'
Diffstat (limited to 'phpBB/phpbb/request')
-rw-r--r--phpBB/phpbb/request/deactivated_super_global.php2
-rw-r--r--phpBB/phpbb/request/request.php86
-rw-r--r--phpBB/phpbb/request/request_interface.php22
-rw-r--r--phpBB/phpbb/request/type_cast_helper.php66
-rw-r--r--phpBB/phpbb/request/type_cast_helper_interface.php14
5 files changed, 74 insertions, 116 deletions
diff --git a/phpBB/phpbb/request/deactivated_super_global.php b/phpBB/phpbb/request/deactivated_super_global.php
index b6cad59be4..ab56240b14 100644
--- a/phpBB/phpbb/request/deactivated_super_global.php
+++ b/phpBB/phpbb/request/deactivated_super_global.php
@@ -56,7 +56,7 @@ class deactivated_super_global implements \ArrayAccess, \Countable, \IteratorAgg
$file = '';
$line = 0;
- $message = 'Illegal use of $' . $this->name . '. You must use the request class or request_var() to access input data. Found in %s on line %d. This error message was generated by deactivated_super_global.';
+ $message = 'Illegal use of $' . $this->name . '. You must use the request class to access input data. Found in %s on line %d. This error message was generated by deactivated_super_global.';
$backtrace = debug_backtrace();
if (isset($backtrace[1]))
diff --git a/phpBB/phpbb/request/request.php b/phpBB/phpbb/request/request.php
index 00ff9064cb..a0267d1370 100644
--- a/phpBB/phpbb/request/request.php
+++ b/phpBB/phpbb/request/request.php
@@ -150,8 +150,6 @@ class request implements \phpbb\request\request_interface
return;
}
- $this->type_cast_helper->add_magic_quotes($value);
-
// setting to null means unsetting
if ($value === null)
{
@@ -219,6 +217,51 @@ class request implements \phpbb\request\request_interface
}
/**
+ * {@inheritdoc}
+ */
+ public function raw_variable($var_name, $default, $super_global = \phpbb\request\request_interface::REQUEST)
+ {
+ $path = false;
+
+ // deep direct access to multi dimensional arrays
+ if (is_array($var_name))
+ {
+ $path = $var_name;
+ // make sure at least the variable name is specified
+ if (empty($path))
+ {
+ return (is_array($default)) ? array() : $default;
+ }
+ // the variable name is the first element on the path
+ $var_name = array_shift($path);
+ }
+
+ if (!isset($this->input[$super_global][$var_name]))
+ {
+ return (is_array($default)) ? array() : $default;
+ }
+ $var = $this->input[$super_global][$var_name];
+
+ if ($path)
+ {
+ // walk through the array structure and find the element we are looking for
+ foreach ($path as $key)
+ {
+ if (is_array($var) && isset($var[$key]))
+ {
+ $var = $var[$key];
+ }
+ else
+ {
+ return (is_array($default)) ? array() : $default;
+ }
+ }
+ }
+
+ return $var;
+ }
+
+ /**
* Shortcut method to retrieve SERVER variables.
*
* Also fall back to getenv(), some CGI setups may need it (probably not, but
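Review bot: raw_variable returns the superglobal value without any type check, so a request carrying `name[]=x` yields an array where the caller passed a string default, and the documented install-time database-password use would then feed an array into string operations. If the intent is to honour the "same type as the default" contract at least at the array/scalar boundary, a guard before the final return such as `if (is_array($var) !== is_array($default)) { return is_array($default) ? array() : $default; }` would do it; whether recursive_set_var already covers this case for variable() I cannot confirm from this hunk. Otherwise the caveat belongs in the method's documentation, since `{@inheritdoc}` currently pulls in a contract the code does not meet.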
@@ -363,41 +406,14 @@ class request implements \phpbb\request\request_interface
*/
protected function _variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST, $trim = true)
{
- $path = false;
-
- // deep direct access to multi dimensional arrays
- if (is_array($var_name))
- {
- $path = $var_name;
- // make sure at least the variable name is specified
- if (empty($path))
- {
- return (is_array($default)) ? array() : $default;
- }
- // the variable name is the first element on the path
- $var_name = array_shift($path);
- }
+ $var = $this->raw_variable($var_name, $default, $super_global);
- if (!isset($this->input[$super_global][$var_name]))
+ // Return prematurely if raw variable is empty array or the same as
+ // the default. Using strict comparison to ensure that one can't
+ // prevent proper type checking on any input variable
+ if ($var === array() || $var === $default)
{
- return (is_array($default)) ? array() : $default;
- }
- $var = $this->input[$super_global][$var_name];
-
- if ($path)
- {
- // walk through the array structure and find the element we are looking for
- foreach ($path as $key)
- {
- if (is_array($var) && isset($var[$key]))
- {
- $var = $var[$key];
- }
- else
- {
- return (is_array($default)) ? array() : $default;
- }
- }
+ return $var;
}
$this->type_cast_helper->recursive_set_var($var, $default, $multibyte, $trim);
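Review bot: The new early return `if ($var === array() || $var === $default)` hands back an empty array even when `$default` is a scalar, which skips recursive_set_var and breaks the "same type as the default" guarantee that callers of variable() rely on for type safety. Whether a real request can deliver an empty array through a superglobal I cannot tell from here, but an input store overwritten with an empty array would reach this path. Tightening the condition to `if ($var === $default || ($var === array() && is_array($default)))` keeps the shortcut for the array case and lets the scalar case fall through to type casting. _variable continues past the end of the hunk.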
diff --git a/phpBB/phpbb/request/request_interface.php b/phpBB/phpbb/request/request_interface.php
index 47b3b3a4ed..3bfa8bb424 100644
--- a/phpBB/phpbb/request/request_interface.php
+++ b/phpBB/phpbb/request/request_interface.php
@@ -65,6 +65,28 @@ interface request_interface
public function variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST);
/**
+ * Get a variable without trimming strings and without escaping.
+ * This method MUST NOT be used with queries.
+ * Same functionality as variable(), except does not run trim() on strings
+ * and does not escape input.
+ * This method should only be used when the raw input is needed without
+ * any escaping, i.e. for database password during the installation.
+ *
+ * @param string|array $var_name The form variable's name from which data shall be retrieved.
+ * If the value is an array this may be an array of indizes which will give
+ * direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
+ * then specifying array("var", 1) as the name will return "a".
+ * @param mixed $default A default value that is returned if the variable was not set.
+ * This function will always return a value of the same type as the default.
+ * @param \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE $super_global
+ * Specifies which super global should be used
+ *
+ * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
+ * the same as that of $default. If the variable is not set $default is returned.
+ */
+ public function raw_variable($var_name, $default, $super_global = \phpbb\request\request_interface::REQUEST);
+
+ /**
* Shortcut method to retrieve SERVER variables.
*
* @param string|array $var_name See \phpbb\request\request_interface::variable
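Review bot: The docblock added for raw_variable contradicts itself: it says the method neither trims nor escapes, yet the `@param $default` and `@return` lines still promise a value "run through set_var" of the same type as the default, which the implementation does not do — it returns whatever the superglobal holds. A reader who only checks the @return line may treat the result as a string. Suggest replacing the @return text with `@return mixed The raw value of $_REQUEST[$var_name] with no type casting, trimming or escaping applied; if the variable is not set, $default (or an empty array when $default is an array) is returned.` and dropping the "always return a value of the same type as the default" sentence from the @param $default description.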
diff --git a/phpBB/phpbb/request/type_cast_helper.php b/phpBB/phpbb/request/type_cast_helper.php
index bc654e6182..912494998d 100644
--- a/phpBB/phpbb/request/type_cast_helper.php
+++ b/phpBB/phpbb/request/type_cast_helper.php
@@ -18,69 +18,6 @@ namespace phpbb\request;
*/
class type_cast_helper implements \phpbb\request\type_cast_helper_interface
{
-
- /**
- * @var string Whether slashes need to be stripped from input
- */
- protected $strip;
-
- /**
- * Initialises the type cast helper class.
- * All it does is find out whether magic quotes are turned on.
- */
- public function __construct()
- {
- if (version_compare(PHP_VERSION, '5.4.0-dev', '>='))
- {
- $this->strip = false;
- }
- else
- {
- $this->strip = (@get_magic_quotes_gpc()) ? true : false;
- }
- }
-
- /**
- * Recursively applies addslashes to a variable.
- *
- * @param mixed &$var Variable passed by reference to which slashes will be added.
- */
- public function addslashes_recursively(&$var)
- {
- if (is_string($var))
- {
- $var = addslashes($var);
- }
- else if (is_array($var))
- {
- $var_copy = $var;
- $var = array();
- foreach ($var_copy as $key => $value)
- {
- if (is_string($key))
- {
- $key = addslashes($key);
- }
- $var[$key] = $value;
-
- $this->addslashes_recursively($var[$key]);
- }
- }
- }
-
- /**
- * Recursively applies addslashes to a variable if magic quotes are turned on.
- *
- * @param mixed &$var Variable passed by reference to which slashes will be added.
- */
- public function add_magic_quotes(&$var)
- {
- if ($this->strip)
- {
- $this->addslashes_recursively($var);
- }
- }
-
/**
* Set variable $result to a particular type.
*
@@ -129,8 +66,6 @@ class type_cast_helper implements \phpbb\request\type_cast_helper_interface
$result = preg_replace('/[\x80-\xFF]/', '?', $result);
}
}
-
- $result = ($this->strip) ? stripslashes($result) : $result;
}
}
@@ -172,7 +107,6 @@ class type_cast_helper implements \phpbb\request\type_cast_helper_interface
}
list($default_key, $default_value) = each($default);
- $value_type = gettype($default_value);
$key_type = gettype($default_key);
$_var = $var;
diff --git a/phpBB/phpbb/request/type_cast_helper_interface.php b/phpBB/phpbb/request/type_cast_helper_interface.php
index 2cb28d021f..9671573bf1 100644
--- a/phpBB/phpbb/request/type_cast_helper_interface.php
+++ b/phpBB/phpbb/request/type_cast_helper_interface.php
@@ -19,20 +19,6 @@ namespace phpbb\request;
interface type_cast_helper_interface
{
/**
- * Recursively applies addslashes to a variable.
- *
- * @param mixed &$var Variable passed by reference to which slashes will be added.
- */
- public function addslashes_recursively(&$var);
-
- /**
- * Recursively applies addslashes to a variable if magic quotes are turned on.
- *
- * @param mixed &$var Variable passed by reference to which slashes will be added.
- */
- public function add_magic_quotes(&$var);
-
- /**
* Set variable $result to a particular type.
*
* @param mixed &$result The variable to fill