Skip to content

Commit

Permalink
RequestFactory: refactoring of removing magic quotes
Browse files Browse the repository at this point in the history
  • Loading branch information
dg committed Dec 27, 2014
1 parent ca5f760 commit 0bb4336
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 28 deletions.
6 changes: 4 additions & 2 deletions src/Http/Helpers.php
Original file line number Diff line number Diff line change
Expand Up @@ -83,11 +83,13 @@ public static function removeDuplicateCookies()
/**
* @internal
*/
public static function stripSlashes($arr)
public static function stripSlashes($arr, $onlyKeys = FALSE)
{
$res = array();
foreach ($arr as $k => $v) {
$res[stripslashes($k)] = is_array($v) ? self::stripSlashes($v) : stripslashes($v);
$res[stripslashes($k)] = is_array($v)
? self::stripSlashes($v, $onlyKeys)
: ($onlyKeys ? $v : stripslashes($v));
}
return $res;
}
Expand Down
33 changes: 12 additions & 21 deletions src/Http/RequestFactory.php
Original file line number Diff line number Diff line change
Expand Up @@ -100,38 +100,29 @@ public function createHttpRequest()
// GET, POST, COOKIE
$useFilter = (!in_array(ini_get('filter.default'), array('', 'unsafe_raw')) || ini_get('filter.default_flags'));

parse_str($url->getQuery(), $query);
$query = $url->getQueryParameters();
$post = $useFilter ? filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW) : (empty($_POST) ? array() : $_POST);
$cookies = $useFilter ? filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW) : (empty($_COOKIE) ? array() : $_COOKIE);

$gpc = (bool) get_magic_quotes_gpc();
if (get_magic_quotes_gpc()) {
$post = Helpers::stripslashes($post, $useFilter);
$cookies = Helpers::stripslashes($cookies, $useFilter);
}

// remove fucking quotes, control characters and check encoding
if ($gpc || !$this->binary) {
// remove invalid characters
if (!$this->binary) {
$list = array(& $query, & $post, & $cookies);
while (list($key, $val) = each($list)) {
foreach ($val as $k => $v) {
unset($list[$key][$k]);

if ($gpc) {
$k = stripslashes($k);
}

if (!$this->binary && is_string($k) && (!preg_match(self::CHARS, $k) || preg_last_error())) {
// invalid key -> ignore
if (is_string($k) && (!preg_match(self::CHARS, $k) || preg_last_error())) {
unset($list[$key][$k]);

} elseif (is_array($v)) {
$list[$key][$k] = $v;
$list[] = & $list[$key][$k];

} else {
if ($gpc && !$useFilter) {
$v = stripSlashes($v);
}
if (!$this->binary && (!preg_match(self::CHARS, $v) || preg_last_error())) {
$v = '';
}
$list[$key][$k] = $v;
} elseif (!preg_match(self::CHARS, $v) || preg_last_error()) {
$list[$key][$k] = '';
}
}
}
Expand All @@ -158,7 +149,7 @@ public function createHttpRequest()
continue;

} elseif (!is_array($v['name'])) {
if ($gpc) {
if (get_magic_quotes_gpc()) {
$v['name'] = stripSlashes($v['name']);
}
if (!$this->binary && (!preg_match(self::CHARS, $v['name']) || preg_last_error())) {
Expand Down
10 changes: 5 additions & 5 deletions tests/Http/Request.request.phpt
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ $_SERVER = array(
'QUERY_STRING' => 'x param=val.&pa%%72am=val2&param3=v%20a%26l%3Du%2Be)',
'REMOTE_ADDR' => '192.168.188.66',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/file.php?x param=val.&pa%%72am=val2&param3=v%20a%26l%3Du%2Be)',
'REQUEST_URI' => '/file.php?x param=val.&pa%%72am=val2&quotes\\"=\\"&param3=v%20a%26l%3Du%2Be)',
'SCRIPT_NAME' => '/file.php',
);

Expand All @@ -39,16 +39,16 @@ test(function() {
Assert::same( 'nette.org', $request->getUrl()->host );
Assert::same( 8080, $request->getUrl()->port );
Assert::same( '/file.php', $request->getUrl()->path );
Assert::same( 'x_param=val.&pa%25ram=val2&param3=v%20a%26l%3Du%2Be', $request->getUrl()->query );
Assert::same( 'x_param=val.&pa%25ram=val2&quotes%5C%22=%5C%22&param3=v%20a%26l%3Du%2Be', $request->getUrl()->query );
Assert::same( '', $request->getUrl()->fragment );
Assert::same( 'val.', $request->getQuery('x_param') );
Assert::same( 'val2', $request->getQuery('pa%ram') );
Assert::same( 'nette.org:8080', $request->getUrl()->authority );
Assert::same( 'https://nette.org:8080', $request->getUrl()->hostUrl );
Assert::same( 'https://nette.org:8080/', $request->getUrl()->baseUrl );
Assert::same( '/', $request->getUrl()->basePath );
Assert::same( 'file.php?x_param=val.&pa%25ram=val2&param3=v%20a%26l%3Du%2Be', $request->getUrl()->relativeUrl );
Assert::same( 'https://nette.org:8080/file.php?x_param=val.&pa%25ram=val2&param3=v%20a%26l%3Du%2Be', $request->getUrl()->absoluteUrl );
Assert::same( 'file.php?x_param=val.&pa%25ram=val2&quotes%5C%22=%5C%22&param3=v%20a%26l%3Du%2Be', $request->getUrl()->relativeUrl );
Assert::same( 'https://nette.org:8080/file.php?x_param=val.&pa%25ram=val2&quotes%5C%22=%5C%22&param3=v%20a%26l%3Du%2Be', $request->getUrl()->absoluteUrl );
Assert::same( '', $request->getUrl()->pathInfo );
});

Expand All @@ -65,7 +65,7 @@ test(function() {
Assert::same( 'nette.org', $request->getUrl()->host );
Assert::same( 8080, $request->getUrl()->port );
Assert::same( '/file.php', $request->getUrl()->path );
Assert::same( 'x_param=val.&pa%25ram=val2&param3=v%20a%26l%3Du%2Be%29', $request->getUrl()->query );
Assert::same( 'x_param=val.&pa%25ram=val2&quotes%5C%22=%5C%22&param3=v%20a%26l%3Du%2Be%29', $request->getUrl()->query );
Assert::same( '', $request->getUrl()->fragment );
Assert::same( 'val.', $request->getQuery('x_param') );
Assert::same( 'val2', $request->getQuery('pa%ram') );
Expand Down

0 comments on commit 0bb4336

Please sign in to comment.