hardening requests
@@ -1,6 +1,9 @@
|
|||||||
<?php
|
<?php
|
||||||
namespace Froxlor\UI;
|
namespace Froxlor\UI;
|
||||||
|
|
||||||
|
use Froxlor\PhpHelper;
|
||||||
|
use voku\helper\AntiXSS;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This file is part of the Froxlor project.
|
* This file is part of the Froxlor project.
|
||||||
* Copyright (c) 2010 the Froxlor Team (see authors).
|
* Copyright (c) 2010 the Froxlor Team (see authors).
|
||||||
@@ -13,11 +16,34 @@ namespace Froxlor\UI;
|
|||||||
* @author Froxlor team <team@froxlor.org> (2010-)
|
* @author Froxlor team <team@froxlor.org> (2010-)
|
||||||
* @author Maurice Preuß <hello@envoyr.com>
|
* @author Maurice Preuß <hello@envoyr.com>
|
||||||
* @license GPLv2 http://files.froxlor.org/misc/COPYING.txt
|
* @license GPLv2 http://files.froxlor.org/misc/COPYING.txt
|
||||||
* @package API
|
* @package Request
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
class Request
|
class Request
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
|
* Check for xss attempts and clean important globals and
|
||||||
|
* unsetting every variable registered in $_REQUEST and as variable itself
|
||||||
|
*/
|
||||||
|
public static function cleanAll()
|
||||||
|
{
|
||||||
|
foreach ($_REQUEST as $key => $value) {
|
||||||
|
if (isset($$key)) {
|
||||||
|
unset($$key);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
unset($value);
|
||||||
|
|
||||||
|
$antiXss = new AntiXSS();
|
||||||
|
|
||||||
|
// check $_GET
|
||||||
|
PhpHelper::cleanGlobal($_GET, $antiXss);
|
||||||
|
// check $_POST
|
||||||
|
PhpHelper::cleanGlobal($_POST, $antiXss);
|
||||||
|
// check $_COOKIE
|
||||||
|
PhpHelper::cleanGlobal($_COOKIE, $antiXss);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get key from current request.
|
* Get key from current request.
|
||||||
*
|
*
|
||||||
@@ -27,6 +53,8 @@ class Request
|
|||||||
*/
|
*/
|
||||||
public static function get($key, string $default = null)
|
public static function get($key, string $default = null)
|
||||||
{
|
{
|
||||||
|
self::cleanAll();
|
||||||
|
|
||||||
return $_GET[$key] ?? $_POST[$key] ?? $default;
|
return $_GET[$key] ?? $_POST[$key] ?? $default;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
19
lib/init.php
19
lib/init.php
@@ -67,27 +67,10 @@ UI::initTwig();
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Register Globals Security Fix
|
* Register Globals Security Fix
|
||||||
* - unsetting every variable registered in $_REQUEST and as variable itself
|
|
||||||
*/
|
*/
|
||||||
foreach ($_REQUEST as $key => $value) {
|
Request::cleanAll();
|
||||||
if (isset($$key)) {
|
|
||||||
unset($$key);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* check for xss attempts and clean important globals
|
|
||||||
*/
|
|
||||||
$antiXss = new AntiXSS();
|
|
||||||
// check $_GET
|
|
||||||
PhpHelper::cleanGlobal($_GET, $antiXss);
|
|
||||||
// check $_POST
|
|
||||||
PhpHelper::cleanGlobal($_POST, $antiXss);
|
|
||||||
// check $_COOKIE
|
|
||||||
PhpHelper::cleanGlobal($_COOKIE, $antiXss);
|
|
||||||
|
|
||||||
unset($_);
|
unset($_);
|
||||||
unset($value);
|
|
||||||
unset($key);
|
unset($key);
|
||||||
|
|
||||||
$filename = htmlentities(basename($_SERVER['SCRIPT_NAME']));
|
$filename = htmlentities(basename($_SERVER['SCRIPT_NAME']));
|
||||||
|
|||||||
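Review bot: The replacement line `Request::cleanAll();` is not equivalent to the removed loop, because the `isset($$key)` / `unset($$key)` it delegates to now execute inside a static method (in the Request.php section above, whose file header lies outside this view), where variable-variables resolve to the method's own local scope; the register-globals cleanup that previously ran at include scope in lib/init.php therefore no longer unsets anything visible to the caller. To keep the old effect the method should address the global symbol table explicitly, e.g. replace the `isset`/`unset` pair with `unset($GLOBALS[$key]);` (element-level unset on `$GLOBALS` remains permitted on PHP 8.1+). Since `Request::get()` now also invokes `cleanAll()` on every lookup, the AntiXSS pass over `$_GET`, `$_POST` and `$_COOKIE` is repeated per call; a `private static bool $cleaned = false;` guard that returns early after the first run would avoid that without changing the result, assuming `PhpHelper::cleanGlobal()` is idempotent. The retained `unset($key);` in init.php is now dead, as nothing in the new hunk assigns `$key`.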