From 0bf6966c5228d446c4f0d3862619db0f619c7369 Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Wed, 13 Jul 2011 19:20:16 +0200 Subject: [feature/request-class] Add server(), header() and is_ajax() to request Extend the request class with helpers for reading server vars (server()) and HTTP request headers (header()). Refactor the existing code base to make use of these helpers, make $_SERVER a deactivated super global. Also introduce an is_ajax() method, which checks the X-Requested-With header for the value 'XMLHttpRequest', which is sent by JavaScript libraries, such as jQuery. PHPBB3-9716 --- phpBB/includes/request/request.php | 61 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 58 insertions(+), 3 deletions(-) (limited to 'phpBB/includes/request/request.php') diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index 7d284a9bf7..f60d870773 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -32,7 +32,8 @@ class phpbb_request implements phpbb_request_interface phpbb_request_interface::POST => '_POST', phpbb_request_interface::GET => '_GET', phpbb_request_interface::REQUEST => '_REQUEST', - phpbb_request_interface::COOKIE => '_COOKIE' + phpbb_request_interface::COOKIE => '_COOKIE', + phpbb_request_interface::SERVER => '_SERVER', ); /** @@ -193,11 +194,12 @@ class phpbb_request implements phpbb_request_interface * Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks * @param phpbb_request_interface::POST|GET|REQUEST|COOKIE $super_global * Specifies which super global should be used + * @param bool $html_encode When true, html encoding will be applied * * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the * the same as that of $default. If the variable is not set $default is returned. */ - public function variable($var_name, $default, $multibyte = false, $super_global = phpbb_request_interface::REQUEST) + public function variable($var_name, $default, $multibyte = false, $super_global = phpbb_request_interface::REQUEST, $html_encode = true) { $path = false; @@ -236,11 +238,54 @@ class phpbb_request implements phpbb_request_interface } } - $this->type_cast_helper->recursive_set_var($var, $default, $multibyte); + $this->type_cast_helper->recursive_set_var($var, $default, $multibyte, $html_encode); return $var; } + /** + * Shortcut method to retrieve SERVER variables. + * + * Also fall back to getenv(), some CGI setups may need it (probably not, but + * whatever). + * + * @param string|array $var_name See phpbb_request_interface::variable + * @param mixed $Default See phpbb_request_interface::variable + * @param bool $html_encode See phpbb_request_interface::variable + * + * @return mixed The server variable value. + */ + public function server($var_name, $default = '', $html_encode = false) + { + $multibyte = true; + + if ($this->is_set($var_name, phpbb_request_interface::SERVER)) + { + return $this->variable($var_name, $default, $multibyte, phpbb_request_interface::SERVER); + } + else + { + $var = getenv($var_name); + $this->type_cast_helper->recursive_set_var($var, $default, $multibyte); + return $var; + } + } + + /** + * Shortcut method to retrieve the value of client HTTP headers. + * + * @param string|array $header_name The name of the header to retrieve. + * @param mixed $default See phpbb_request_interface::variable + * @param bool $html_encode See phpbb_request_interface::variable + * + * @return mixed The header value. + */ + public function header($header_name, $default = '', $html_encode = true) + { + $var_name = 'HTTP_'.str_replace('-', '_', strtoupper($header_name)); + return $this->server($var_name, $default, $html_encode); + } + /** * Checks whether a certain variable was sent via POST. * To make sure that a request was sent using POST you should call this function @@ -271,6 +316,16 @@ class phpbb_request implements phpbb_request_interface return isset($this->input[$super_global][$var]); } + /** + * Checks whether the current request is an AJAX request (XMLHttpRequest) + * + * @return bool True if the current request is an ajax request + */ + public function is_ajax() + { + return $this->header('X-Requested-With') == 'XMLHttpRequest'; + } + /** * Returns all variable names for a given super global * -- cgit v1.2.1 From 76aa24e6b7d4c17f2494782b11a6d13b22905f38 Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Sat, 16 Jul 2011 14:59:52 +0200 Subject: [feature/request-class] Minor spacing CS adjustments PHPBB3-9716 --- phpBB/includes/request/request.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/request/request.php') diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index f60d870773..13493387a8 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -282,7 +282,7 @@ class phpbb_request implements phpbb_request_interface */ public function header($header_name, $default = '', $html_encode = true) { - $var_name = 'HTTP_'.str_replace('-', '_', strtoupper($header_name)); + $var_name = 'HTTP_' . str_replace('-', '_', strtoupper($header_name)); return $this->server($var_name, $default, $html_encode); } -- cgit v1.2.1 From 24e9fb24d105b8e475dbaf66fd99be2839b86675 Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Sat, 6 Aug 2011 19:47:12 +0200 Subject: [feature/request-class] Make server() use the $html_encode parameter $request->server() should not auto html-escape values. header() however should. Also introduce some tests for this behaviour. Thanks to nn- for catching this. PHPBB3-9716 --- phpBB/includes/request/request.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'phpBB/includes/request/request.php') diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index 13493387a8..466397480b 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -261,12 +261,12 @@ class phpbb_request implements phpbb_request_interface if ($this->is_set($var_name, phpbb_request_interface::SERVER)) { - return $this->variable($var_name, $default, $multibyte, phpbb_request_interface::SERVER); + return $this->variable($var_name, $default, $multibyte, phpbb_request_interface::SERVER, $html_encode); } else { $var = getenv($var_name); - $this->type_cast_helper->recursive_set_var($var, $default, $multibyte); + $this->type_cast_helper->recursive_set_var($var, $default, $multibyte, $html_encode); return $var; } } -- cgit v1.2.1 From a48889fed83b007202e76ddf1ba5436eca310df0 Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Thu, 18 Aug 2011 22:21:50 +0200 Subject: [feature/request-class] Add is_secure method to request for HTTPS PHPBB3-9716 --- phpBB/includes/request/request.php | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'phpBB/includes/request/request.php') diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index 466397480b..8659ee8998 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -326,6 +326,16 @@ class phpbb_request implements phpbb_request_interface return $this->header('X-Requested-With') == 'XMLHttpRequest'; } + /** + * Checks if the current request is happening over HTTPS. + * + * @return bool True if the request is secure. + */ + public function is_secure() + { + return $this->server('HTTPS') == 'on'; + } + /** * Returns all variable names for a given super global * -- cgit v1.2.1 From fd08cd8dd013c0d1bf8e18611f798c6987d9de9c Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Thu, 18 Aug 2011 23:19:48 +0200 Subject: [feature/request-class] Remove $html_encode arg, force manual decoding PHPBB3-9716 --- phpBB/includes/request/request.php | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'phpBB/includes/request/request.php') diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index 8659ee8998..9386088a07 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -194,12 +194,11 @@ class phpbb_request implements phpbb_request_interface * Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks * @param phpbb_request_interface::POST|GET|REQUEST|COOKIE $super_global * Specifies which super global should be used - * @param bool $html_encode When true, html encoding will be applied * * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the * the same as that of $default. If the variable is not set $default is returned. */ - public function variable($var_name, $default, $multibyte = false, $super_global = phpbb_request_interface::REQUEST, $html_encode = true) + public function variable($var_name, $default, $multibyte = false, $super_global = phpbb_request_interface::REQUEST) { $path = false; @@ -238,7 +237,7 @@ class phpbb_request implements phpbb_request_interface } } - $this->type_cast_helper->recursive_set_var($var, $default, $multibyte, $html_encode); + $this->type_cast_helper->recursive_set_var($var, $default, $multibyte); return $var; } @@ -251,22 +250,21 @@ class phpbb_request implements phpbb_request_interface * * @param string|array $var_name See phpbb_request_interface::variable * @param mixed $Default See phpbb_request_interface::variable - * @param bool $html_encode See phpbb_request_interface::variable * * @return mixed The server variable value. */ - public function server($var_name, $default = '', $html_encode = false) + public function server($var_name, $default = '') { $multibyte = true; if ($this->is_set($var_name, phpbb_request_interface::SERVER)) { - return $this->variable($var_name, $default, $multibyte, phpbb_request_interface::SERVER, $html_encode); + return $this->variable($var_name, $default, $multibyte, phpbb_request_interface::SERVER); } else { $var = getenv($var_name); - $this->type_cast_helper->recursive_set_var($var, $default, $multibyte, $html_encode); + $this->type_cast_helper->recursive_set_var($var, $default, $multibyte); return $var; } } @@ -276,14 +274,13 @@ class phpbb_request implements phpbb_request_interface * * @param string|array $header_name The name of the header to retrieve. * @param mixed $default See phpbb_request_interface::variable - * @param bool $html_encode See phpbb_request_interface::variable * * @return mixed The header value. */ - public function header($header_name, $default = '', $html_encode = true) + public function header($header_name, $default = '') { $var_name = 'HTTP_' . str_replace('-', '_', strtoupper($header_name)); - return $this->server($var_name, $default, $html_encode); + return $this->server($var_name, $default); } /** -- cgit v1.2.1 From 7a04c9048c110f0bd21ea3e9e869e17b408d640e Mon Sep 17 00:00:00 2001 From: Unknown Date: Sat, 31 Dec 2011 13:32:52 +0000 Subject: [ticket/9916] Updating header license and removing Version $Id$ PHPBB3-9916 --- phpBB/includes/request/request.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/request/request.php') diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index 9386088a07..4e425dbd27 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -3,7 +3,7 @@ * * @package phpbb_request * @copyright (c) 2010 phpBB Group -* @license http://opensource.org/licenses/gpl-license.php GNU Public License +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 * */ -- cgit v1.2.1 From b3cd5a649be62f175de651a16ae02c5f709ca2f4 Mon Sep 17 00:00:00 2001 From: Nathaniel Guse Date: Mon, 3 Sep 2012 13:32:33 -0500 Subject: [ticket/8713] Do not trim login inputs Create a function to request variables which are not trimmed. All requests for passwords (except forum passwords) now use the untrimmed request function. PHPBB3-8713 --- phpBB/includes/request/request.php | 63 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) (limited to 'phpBB/includes/request/request.php') diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index 4e425dbd27..747ca09624 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -242,6 +242,69 @@ class phpbb_request implements phpbb_request_interface return $var; } + /** + * Get a variable, but without trimming strings + * Same functionality as variable(), except does not run trim() on strings + * All variables in GET or POST requests should be retrieved through this function to maximise security. + * + * @param string|array $var_name The form variable's name from which data shall be retrieved. + * If the value is an array this may be an array of indizes which will give + * direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a") + * then specifying array("var", 1) as the name will return "a". + * @param mixed $default A default value that is returned if the variable was not set. + * This function will always return a value of the same type as the default. + * @param bool $multibyte If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters + * Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks + * @param phpbb_request_interface::POST|GET|REQUEST|COOKIE $super_global + * Specifies which super global should be used + * + * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the + * the same as that of $default. If the variable is not set $default is returned. + */ + public function untrimed_variable($var_name, $default, $multibyte, $super_global = phpbb_request_interface::REQUEST) + { + $path = false; + + // deep direct access to multi dimensional arrays + if (is_array($var_name)) + { + $path = $var_name; + // make sure at least the variable name is specified + if (empty($path)) + { + return (is_array($default)) ? array() : $default; + } + // the variable name is the first element on the path + $var_name = array_shift($path); + } + + if (!isset($this->input[$super_global][$var_name])) + { + return (is_array($default)) ? array() : $default; + } + $var = $this->input[$super_global][$var_name]; + + if ($path) + { + // walk through the array structure and find the element we are looking for + foreach ($path as $key) + { + if (is_array($var) && isset($var[$key])) + { + $var = $var[$key]; + } + else + { + return (is_array($default)) ? array() : $default; + } + } + } + + $this->type_cast_helper->recursive_set_var($var, $default, $multibyte, false); + + return $var; + } + /** * Shortcut method to retrieve SERVER variables. * -- cgit v1.2.1 From b62c37c5799d4b9e018358c38a731d6664acadf1 Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Sat, 8 Sep 2012 14:09:12 +0200 Subject: [ticket/8713] DRY: variable() and untrimed_variable() into a protected method. PHPBB3-8713 --- phpBB/includes/request/request.php | 144 +++++++++++++++++-------------------- 1 file changed, 64 insertions(+), 80 deletions(-) (limited to 'phpBB/includes/request/request.php') diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index 747ca09624..c6b6610af5 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -200,46 +200,7 @@ class phpbb_request implements phpbb_request_interface */ public function variable($var_name, $default, $multibyte = false, $super_global = phpbb_request_interface::REQUEST) { - $path = false; - - // deep direct access to multi dimensional arrays - if (is_array($var_name)) - { - $path = $var_name; - // make sure at least the variable name is specified - if (empty($path)) - { - return (is_array($default)) ? array() : $default; - } - // the variable name is the first element on the path - $var_name = array_shift($path); - } - - if (!isset($this->input[$super_global][$var_name])) - { - return (is_array($default)) ? array() : $default; - } - $var = $this->input[$super_global][$var_name]; - - if ($path) - { - // walk through the array structure and find the element we are looking for - foreach ($path as $key) - { - if (is_array($var) && isset($var[$key])) - { - $var = $var[$key]; - } - else - { - return (is_array($default)) ? array() : $default; - } - } - } - - $this->type_cast_helper->recursive_set_var($var, $default, $multibyte); - - return $var; + return $this->_variable($var_name, $default, $multibyte, $super_global, true); } /** @@ -263,46 +224,7 @@ class phpbb_request implements phpbb_request_interface */ public function untrimed_variable($var_name, $default, $multibyte, $super_global = phpbb_request_interface::REQUEST) { - $path = false; - - // deep direct access to multi dimensional arrays - if (is_array($var_name)) - { - $path = $var_name; - // make sure at least the variable name is specified - if (empty($path)) - { - return (is_array($default)) ? array() : $default; - } - // the variable name is the first element on the path - $var_name = array_shift($path); - } - - if (!isset($this->input[$super_global][$var_name])) - { - return (is_array($default)) ? array() : $default; - } - $var = $this->input[$super_global][$var_name]; - - if ($path) - { - // walk through the array structure and find the element we are looking for - foreach ($path as $key) - { - if (is_array($var) && isset($var[$key])) - { - $var = $var[$key]; - } - else - { - return (is_array($default)) ? array() : $default; - } - } - } - - $this->type_cast_helper->recursive_set_var($var, $default, $multibyte, false); - - return $var; + return $this->_variable($var_name, $default, $multibyte, $super_global, false); } /** @@ -414,4 +336,66 @@ class phpbb_request implements phpbb_request_interface return array_keys($this->input[$super_global]); } + + /** + * Helper function used by variable() and untrimed_variable(). + * + * @param string|array $var_name The form variable's name from which data shall be retrieved. + * If the value is an array this may be an array of indizes which will give + * direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a") + * then specifying array("var", 1) as the name will return "a". + * @param mixed $default A default value that is returned if the variable was not set. + * This function will always return a value of the same type as the default. + * @param bool $multibyte If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters + * Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks + * @param phpbb_request_interface::POST|GET|REQUEST|COOKIE $super_global + * Specifies which super global should be used + * @param bool $trim Indicates whether trim() should be applied to string values. + * + * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the + * the same as that of $default. If the variable is not set $default is returned. + */ + protected function _variable($var_name, $default, $multibyte = false, $super_global = phpbb_request_interface::REQUEST, $trim = true) + { + $path = false; + + // deep direct access to multi dimensional arrays + if (is_array($var_name)) + { + $path = $var_name; + // make sure at least the variable name is specified + if (empty($path)) + { + return (is_array($default)) ? array() : $default; + } + // the variable name is the first element on the path + $var_name = array_shift($path); + } + + if (!isset($this->input[$super_global][$var_name])) + { + return (is_array($default)) ? array() : $default; + } + $var = $this->input[$super_global][$var_name]; + + if ($path) + { + // walk through the array structure and find the element we are looking for + foreach ($path as $key) + { + if (is_array($var) && isset($var[$key])) + { + $var = $var[$key]; + } + else + { + return (is_array($default)) ? array() : $default; + } + } + } + + $this->type_cast_helper->recursive_set_var($var, $default, $multibyte, $trim); + + return $var; + } } -- cgit v1.2.1 From f2607fc9e80c6f9ad7543b7be5ea6f294aa6c40a Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Sat, 8 Sep 2012 14:15:56 +0200 Subject: [ticket/8713] Rename untrimed_variable() to untrimmed_variable(). PHPBB3-8713 --- phpBB/includes/request/request.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'phpBB/includes/request/request.php') diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index c6b6610af5..aa62c3b610 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -222,7 +222,7 @@ class phpbb_request implements phpbb_request_interface * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the * the same as that of $default. If the variable is not set $default is returned. */ - public function untrimed_variable($var_name, $default, $multibyte, $super_global = phpbb_request_interface::REQUEST) + public function untrimmed_variable($var_name, $default, $multibyte, $super_global = phpbb_request_interface::REQUEST) { return $this->_variable($var_name, $default, $multibyte, $super_global, false); } @@ -338,7 +338,7 @@ class phpbb_request implements phpbb_request_interface } /** - * Helper function used by variable() and untrimed_variable(). + * Helper function used by variable() and untrimmed_variable(). * * @param string|array $var_name The form variable's name from which data shall be retrieved. * If the value is an array this may be an array of indizes which will give -- cgit v1.2.1 From 238fab3bb908013fb0d7c95278b0a2a3b7fa5bae Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Sun, 9 Sep 2012 21:41:29 +0200 Subject: [ticket/8713] Update untrimmed_variable() doc block. PHPBB3-8713 --- phpBB/includes/request/request.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'phpBB/includes/request/request.php') diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index aa62c3b610..a06fc0d85d 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -204,9 +204,9 @@ class phpbb_request implements phpbb_request_interface } /** - * Get a variable, but without trimming strings - * Same functionality as variable(), except does not run trim() on strings - * All variables in GET or POST requests should be retrieved through this function to maximise security. + * Get a variable, but without trimming strings. + * Same functionality as variable(), except does not run trim() on strings. + * This method should be used when handling passwords. * * @param string|array $var_name The form variable's name from which data shall be retrieved. * If the value is an array this may be an array of indizes which will give -- cgit v1.2.1