support/PhabricatorStartup.php
| Show First 20 Lines • Show All 410 Lines • ▼ Show 20 Lines | /* -( Validation )--------------------------------------------------------- */ | ||||
| * @task validation | * @task validation | ||||
| */ | */ | ||||
| private static function normalizeInput() { | private static function normalizeInput() { | ||||
| // Replace superglobals with unfiltered versions, disrespect php.ini (we | // Replace superglobals with unfiltered versions, disrespect php.ini (we | ||||
| // filter ourselves). | // filter ourselves). | ||||
| // NOTE: We don't filter INPUT_SERVER because we don't want to overwrite | // NOTE: We don't filter INPUT_SERVER because we don't want to overwrite | ||||
| // changes made in "preamble.php". | // changes made in "preamble.php". | ||||
| // NOTE: WE don't filter INPUT_POST because we may be constructing it | |||||
| // lazily if "enable_post_data_reading" is disabled. | |||||
| $filter = array( | $filter = array( | ||||
| INPUT_GET, | INPUT_GET, | ||||
| INPUT_POST, | |||||
| INPUT_ENV, | INPUT_ENV, | ||||
| INPUT_COOKIE, | INPUT_COOKIE, | ||||
| ); | ); | ||||
| foreach ($filter as $type) { | foreach ($filter as $type) { | ||||
| $filtered = filter_input_array($type, FILTER_UNSAFE_RAW); | $filtered = filter_input_array($type, FILTER_UNSAFE_RAW); | ||||
| if (!is_array($filtered)) { | if (!is_array($filtered)) { | ||||
| continue; | continue; | ||||
| } | } | ||||
| switch ($type) { | switch ($type) { | ||||
| case INPUT_GET: | case INPUT_GET: | ||||
| $_GET = array_merge($_GET, $filtered); | $_GET = array_merge($_GET, $filtered); | ||||
| break; | break; | ||||
| case INPUT_COOKIE: | case INPUT_COOKIE: | ||||
| $_COOKIE = array_merge($_COOKIE, $filtered); | $_COOKIE = array_merge($_COOKIE, $filtered); | ||||
| break; | break; | ||||
| case INPUT_POST: | |||||
| $_POST = array_merge($_POST, $filtered); | |||||
| break; | |||||
| case INPUT_ENV; | case INPUT_ENV; | ||||
| $env = array_merge($_ENV, $filtered); | $env = array_merge($_ENV, $filtered); | ||||
| $_ENV = self::filterEnvSuperglobal($env); | $_ENV = self::filterEnvSuperglobal($env); | ||||
| break; | break; | ||||
| } | } | ||||
| } | } | ||||
| // rebuild $_REQUEST, respecting order declared in ini files | self::rebuildRequest(); | ||||
| } | |||||
| /** | |||||
| * @task validation | |||||
| */ | |||||
| public static function rebuildRequest() { | |||||
| // Rebuild $_REQUEST, respecting order declared in ".ini" files. | |||||
| $order = ini_get('request_order'); | $order = ini_get('request_order'); | ||||
| if (!$order) { | if (!$order) { | ||||
| $order = ini_get('variables_order'); | $order = ini_get('variables_order'); | ||||
| } | } | ||||
| if (!$order) { | if (!$order) { | ||||
| // $_REQUEST will be empty, leave it alone | // $_REQUEST will be empty, so leave it alone. | ||||
| return; | return; | ||||
| } | } | ||||
| $_REQUEST = array(); | $_REQUEST = array(); | ||||
| for ($i = 0; $i < strlen($order); $i++) { | for ($ii = 0; $ii < strlen($order); $ii++) { | ||||
| switch ($order[$i]) { | switch ($order[$ii]) { | ||||
| case 'G': | case 'G': | ||||
| $_REQUEST = array_merge($_REQUEST, $_GET); | $_REQUEST = array_merge($_REQUEST, $_GET); | ||||
| break; | break; | ||||
| case 'P': | case 'P': | ||||
| $_REQUEST = array_merge($_REQUEST, $_POST); | $_REQUEST = array_merge($_REQUEST, $_POST); | ||||
| break; | break; | ||||
| case 'C': | case 'C': | ||||
| $_REQUEST = array_merge($_REQUEST, $_COOKIE); | $_REQUEST = array_merge($_REQUEST, $_COOKIE); | ||||
| break; | break; | ||||
| default: | default: | ||||
| // $_ENV and $_SERVER never go into $_REQUEST | // $_ENV and $_SERVER never go into $_REQUEST. | ||||
| break; | break; | ||||
| } | } | ||||
| } | } | ||||
| } | } | ||||
| /** | /** | ||||
| * Adjust `$_ENV` before execution. | * Adjust `$_ENV` before execution. | ||||
| ▲ Show 20 Lines • Show All 110 Lines • ▼ Show 20 Lines | /* -( Validation )--------------------------------------------------------- */ | ||||
| * @task validation | * @task validation | ||||
| */ | */ | ||||
| private static function detectPostMaxSizeTriggered() { | private static function detectPostMaxSizeTriggered() { | ||||
| // If this wasn't a POST, we're fine. | // If this wasn't a POST, we're fine. | ||||
| if ($_SERVER['REQUEST_METHOD'] != 'POST') { | if ($_SERVER['REQUEST_METHOD'] != 'POST') { | ||||
| return; | return; | ||||
| } | } | ||||
| // If "enable_post_data_reading" is off, we won't have $_POST and this | |||||
| // condition is effectively impossible. | |||||
| if (!ini_get('enable_post_data_reading')) { | |||||
| return; | |||||
| } | |||||
| // If there's POST data, clearly we're in good shape. | // If there's POST data, clearly we're in good shape. | ||||
| if ($_POST) { | if ($_POST) { | ||||
| return; | return; | ||||
| } | } | ||||
| // For HTML5 drag-and-drop file uploads, Safari submits the data as | // For HTML5 drag-and-drop file uploads, Safari submits the data as | ||||
| // "application/x-www-form-urlencoded". For most files this generates | // "application/x-www-form-urlencoded". For most files this generates | ||||
| // something in POST because most files decode to some nonempty (albeit | // something in POST because most files decode to some nonempty (albeit | ||||
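Review bot: With `enable_post_data_reading` left on (PHP's default), the new `$filter` array at the top of `normalizeInput()` no longer replaces `$_POST` with the `FILTER_UNSAFE_RAW` copy, so `$_POST` stays subject to whatever php.ini `filter.default` sanitization is configured while `$_GET`, `$_COOKIE` and `$_ENV` are swapped for raw values — the opposite of what the surrounding comment `disrespect php.ini (we filter ourselves)` promises, and a mismatch that matters because `rebuildRequest()` then merges both into `$_REQUEST`. The new comment only justifies dropping POST for the lazy-construction case, so consider keeping the filtering when PHP did read the body: `if (ini_get('enable_post_data_reading')) { $filter[] = INPUT_POST; }` together with the removed `case INPUT_POST: $_POST = array_merge($_POST, $filtered); break;` branch in the switch; whether the lazy path itself bypasses `filter.default` cannot be told from this section. Minor: the added comment reads `// NOTE: WE don't filter INPUT_POST`, which should be `// NOTE: We don't filter INPUT_POST`. The body of `detectPostMaxSizeTriggered()` continues past the end of this section, so the remaining checks after the new early return were not reviewed here.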