1
0
mirror of https://github.com/phpbb/phpbb.git synced 2025-08-01 14:30:32 +02:00

[ticket/13280] Output escaping for the symfony request object

PHPBB3-13280
This commit is contained in:
Tristan Darricau
2014-11-12 11:44:56 +01:00
parent 526a97db7c
commit 0dfe1d0d8b
12 changed files with 116 additions and 56 deletions

View File

@@ -15,6 +15,10 @@ namespace phpbb;
use Symfony\Component\HttpFoundation\Request;
/**
* WARNING: The Symfony request does not escape the input and should be used very carefully
* prefer the phpbb request as possible
*/
class symfony_request extends Request
{
/**
@@ -24,24 +28,12 @@ class symfony_request extends Request
*/
public function __construct(\phpbb\request\request_interface $phpbb_request)
{
// This function is meant to sanitize the global input arrays
$sanitizer = function(&$value, $key) {
$type_cast_helper = new \phpbb\request\type_cast_helper();
$type_cast_helper->set_var($value, $value, gettype($value), true);
};
$get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET);
$post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST);
$server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER);
$files_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::FILES);
$cookie_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::COOKIE);
array_walk_recursive($get_parameters, $sanitizer);
array_walk_recursive($post_parameters, $sanitizer);
array_walk_recursive($server_parameters, $sanitizer);
array_walk_recursive($files_parameters, $sanitizer);
array_walk_recursive($cookie_parameters, $sanitizer);
parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters);
}
}