mirror of
https://github.com/PrivateBin/PrivateBin.git
synced 2026-04-25 22:46:44 -04:00
inputs sanitation & remove some obsolete version checks
using filter_vars instead of filter_input, because our unit tests depend on manipulating global arrays, which are not used by filter_input - we would have to mock the function in the unit testing, it therefore is cleaner to use the same code paths in testing as in production some inputs in I18n and TrafficLimiter remain unfiltered, since we already validate them by other means (IP lib and/or preg_match) our minimum PHP version is 7.3, so we can drop the two < 5.6 fallback checks
This commit is contained in:
El RIDO
+19
-20
@@ -82,13 +82,10 @@ class Request
|
||||
*/
|
||||
private function getPasteId()
|
||||
{
|
||||
// RegEx to check for valid paste ID (16 base64 chars)
|
||||
$pasteIdRegEx = '/^[a-f0-9]{16}$/';
|
||||
|
||||
foreach ($_GET as $key => $value) {
|
||||
// only return if value is empty and key matches RegEx
|
||||
if (($value === '') and preg_match($pasteIdRegEx, $key, $match)) {
|
||||
return $match[0];
|
||||
// only return if value is empty and key is 16 hex chars
|
||||
if (($value === '') && strlen($key) === 16 && ctype_xdigit($key)) {
|
||||
return $key;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -121,7 +118,13 @@ class Request
|
||||
}
|
||||
break;
|
||||
default:
|
||||
$this->_params = $_GET;
|
||||
$this->_params = filter_var_array($_GET, array(
|
||||
'deletetoken' => FILTER_SANITIZE_SPECIAL_CHARS,
|
||||
'jsonld' => FILTER_SANITIZE_SPECIAL_CHARS,
|
||||
'link' => FILTER_SANITIZE_URL,
|
||||
'pasteid' => FILTER_SANITIZE_SPECIAL_CHARS,
|
||||
'shortenviayourls' => FILTER_SANITIZE_SPECIAL_CHARS,
|
||||
), false);
|
||||
}
|
||||
if (
|
||||
!array_key_exists('pasteid', $this->_params) &&
|
||||
@@ -209,9 +212,8 @@ class Request
|
||||
*/
|
||||
public function getHost()
|
||||
{
|
||||
return array_key_exists('HTTP_HOST', $_SERVER) ?
|
||||
htmlspecialchars($_SERVER['HTTP_HOST']) :
|
||||
'localhost';
|
||||
$host = array_key_exists('HTTP_HOST', $_SERVER) ? filter_var($_SERVER['HTTP_HOST'], FILTER_SANITIZE_URL) : '';
|
||||
return empty($host) ? 'localhost' : $host;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -222,10 +224,8 @@ class Request
|
||||
*/
|
||||
public function getRequestUri()
|
||||
{
|
||||
return array_key_exists('REQUEST_URI', $_SERVER) ?
|
||||
htmlspecialchars(
|
||||
parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)
|
||||
) : '/';
|
||||
$uri = array_key_exists('REQUEST_URI', $_SERVER) ? filter_var($_SERVER['REQUEST_URI'], FILTER_SANITIZE_URL) : '';
|
||||
return empty($uri) ? '/' : $uri;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -275,10 +275,9 @@ class Request
|
||||
}
|
||||
|
||||
// advanced case: media type negotiation
|
||||
$mediaTypes = array();
|
||||
if ($hasAcceptHeader) {
|
||||
$mediaTypeRanges = explode(',', trim($acceptHeader));
|
||||
foreach ($mediaTypeRanges as $mediaTypeRange) {
|
||||
$mediaTypes = array();
|
||||
foreach (explode(',', trim($acceptHeader)) as $mediaTypeRange) {
|
||||
if (preg_match(
|
||||
'#(\*/\*|[a-z\-]+/[a-z\-+*]+(?:\s*;\s*[^q]\S*)*)(?:\s*;\s*q\s*=\s*(0(?:\.\d{0,3})|1(?:\.0{0,3})))?#',
|
||||
trim($mediaTypeRange), $match
|
||||
@@ -287,6 +286,9 @@ class Request
|
||||
$match[2] = '1.0';
|
||||
} else {
|
||||
$match[2] = (string) floatval($match[2]);
|
||||
if ($match[2] === '0.0') {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
if (!isset($mediaTypes[$match[2]])) {
|
||||
$mediaTypes[$match[2]] = array();
|
||||
@@ -296,9 +298,6 @@ class Request
|
||||
}
|
||||
krsort($mediaTypes);
|
||||
foreach ($mediaTypes as $acceptedQuality => $acceptedValues) {
|
||||
if ($acceptedQuality === '0.0') {
|
||||
continue;
|
||||
}
|
||||
foreach ($acceptedValues as $acceptedValue) {
|
||||
if (
|
||||
strpos($acceptedValue, self::MIME_HTML) === 0 ||
|
||||
|
||||
Reference in New Issue
Block a user