diff options
| author | Nils Adermann <naderman@naderman.de> | 2014-11-16 16:50:15 +0100 |
|---|---|---|
| committer | Nils Adermann <naderman@naderman.de> | 2014-11-16 16:50:15 +0100 |
| commit | 4ffdb129388d72cdcc790f1c3713e3770d8aeca9 (patch) | |
| tree | 21782b0a29593cc789b8e206eb0624aaf3febdd0 /phpBB/phpbb/symfony_request.php | |
| parent | e27b69f42a4d23ceb2f19050366a3f7d91887c69 (diff) | |
| parent | 0dfe1d0d8b007ec7b7cae0715cfb2e5f4e33bad4 (diff) | |
| download | forums-4ffdb129388d72cdcc790f1c3713e3770d8aeca9.tar forums-4ffdb129388d72cdcc790f1c3713e3770d8aeca9.tar.gz forums-4ffdb129388d72cdcc790f1c3713e3770d8aeca9.tar.bz2 forums-4ffdb129388d72cdcc790f1c3713e3770d8aeca9.tar.xz forums-4ffdb129388d72cdcc790f1c3713e3770d8aeca9.zip | |
Merge remote-tracking branch 'github-nicofuma/ticket/13280' into develop-ascraeus
* github-nicofuma/ticket/13280:
[ticket/13280] Output escaping for the symfony request object
[ticket/13280] Add new tests
[ticket/13280] Make the tests failing
[ticket/13280] Revert "Merge pull request #3107 from marc1706/ticket/13280"
Diffstat (limited to 'phpBB/phpbb/symfony_request.php')
| -rw-r--r-- | phpBB/phpbb/symfony_request.php | 24 |
1 files changed, 4 insertions, 20 deletions
diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index 02d22c480f..2931cae3cc 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -15,6 +15,10 @@ namespace phpbb; use Symfony\Component\HttpFoundation\Request; +/** + * WARNING: The Symfony request does not escape the input and should be used very carefully + * prefer the phpbb request as possible + */ class symfony_request extends Request { /** @@ -24,32 +28,12 @@ class symfony_request extends Request */ public function __construct(\phpbb\request\request_interface $phpbb_request) { - // This function is meant to sanitize the global input arrays - $sanitizer = function(&$value, $key) { - $type_cast_helper = new \phpbb\request\type_cast_helper(); - $type_cast_helper->set_var($value, $value, gettype($value), true); - }; - - // This function is meant for additional handling of server variables - $server_sanitizer = function(&$value, $key) use ($sanitizer) { - $sanitizer($value, $key); - $value = str_replace('&', '&', $value); - }; - $get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET); $post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST); $server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER); $files_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::FILES); $cookie_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::COOKIE); - array_walk_recursive($get_parameters, $sanitizer); - array_walk_recursive($post_parameters, $sanitizer); - array_walk_recursive($files_parameters, $sanitizer); - array_walk_recursive($cookie_parameters, $sanitizer); - - // Run special sanitizer for server superglobal - array_walk_recursive($server_parameters, $server_sanitizer); - parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); } } |