Created
October 22, 2018 11:29
-
-
Save 3mkay/83e5e20e3d229fbebb0e380b88af12b9 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit 26da01fc021a516a752f61d09dc03a508b75230f | |
Author: Lee Rowlands <lee.rowlands@previousnext.com.au> | |
Date: Tue Mar 27 20:06:03 2018 +1000 | |
SA-CORE-2018-002 by Jasu_M, samuel.mortenson, David_Rothstein, xjm, mlhess, larowlan, pwolanin, alexpott, dsnopek, Pere Orga, cashwilliams, dawehner, tim.plunkett, drumm | |
diff --git a/core/lib/Drupal/Core/DrupalKernel.php b/core/lib/Drupal/Core/DrupalKernel.php | |
index fc36f66..8b4d3da 100644 | |
--- a/core/lib/Drupal/Core/DrupalKernel.php | |
+++ b/core/lib/Drupal/Core/DrupalKernel.php | |
@@ -19,6 +19,7 @@ | |
use Drupal\Core\Http\TrustedHostsRequestFactory; | |
use Drupal\Core\Installer\InstallerRedirectTrait; | |
use Drupal\Core\Language\Language; | |
+use Drupal\Core\Security\RequestSanitizer; | |
use Drupal\Core\Site\Settings; | |
use Drupal\Core\Test\TestDatabase; | |
use Symfony\Cmf\Component\Routing\RouteObjectInterface; | |
@@ -541,6 +542,12 @@ public function loadLegacyIncludes() { | |
* {@inheritdoc} | |
*/ | |
public function preHandle(Request $request) { | |
+ // Sanitize the request. | |
+ $request = RequestSanitizer::sanitize( | |
+ $request, | |
+ (array) Settings::get(RequestSanitizer::SANITIZE_WHITELIST, []), | |
+ (bool) Settings::get(RequestSanitizer::SANITIZE_LOG, FALSE) | |
+ ); | |
$this->loadLegacyIncludes(); | |
diff --git a/core/lib/Drupal/Core/Security/RequestSanitizer.php b/core/lib/Drupal/Core/Security/RequestSanitizer.php | |
new file mode 100644 | |
index 0000000..8ba17b9 | |
--- /dev/null | |
+++ b/core/lib/Drupal/Core/Security/RequestSanitizer.php | |
@@ -0,0 +1,99 @@ | |
+<?php | |
+ | |
+namespace Drupal\Core\Security; | |
+ | |
+use Symfony\Component\HttpFoundation\Request; | |
+ | |
+/** | |
+ * Sanitizes user input. | |
+ */ | |
+class RequestSanitizer { | |
+ | |
+ /** | |
+ * Request attribute to mark the request as sanitized. | |
+ */ | |
+ const SANITIZED = '_drupal_request_sanitized'; | |
+ | |
+ /** | |
+ * The name of the setting that configures the whitelist. | |
+ */ | |
+ const SANITIZE_WHITELIST = 'sanitize_input_whitelist'; | |
+ | |
+ /** | |
+ * The name of the setting that determines if sanitized keys are logged. | |
+ */ | |
+ const SANITIZE_LOG = 'sanitize_input_logging'; | |
+ | |
+ /** | |
+ * Strips dangerous keys from user input. | |
+ * | |
+ * @param \Symfony\Component\HttpFoundation\Request $request | |
+ * The incoming request to sanitize. | |
+ * @param string[] $whitelist | |
+ * An array of keys to whitelist as safe. See default.settings.php. | |
+ * @param bool $log_sanitized_keys | |
+ * (optional) Set to TRUE to log an keys that are sanitized. | |
+ * | |
+ * @return \Symfony\Component\HttpFoundation\Request | |
+ * The sanitized request. | |
+ */ | |
+ public static function sanitize(Request $request, $whitelist, $log_sanitized_keys = FALSE) { | |
+ if (!$request->attributes->get(self::SANITIZED, FALSE)) { | |
+ // Process query string parameters. | |
+ $get_sanitized_keys = []; | |
+ $request->query->replace(static::stripDangerousValues($request->query->all(), $whitelist, $get_sanitized_keys)); | |
+ if ($log_sanitized_keys && !empty($get_sanitized_keys)) { | |
+ trigger_error(sprintf('Potentially unsafe keys removed from query string parameters (GET): %s', implode(', ', $get_sanitized_keys))); | |
+ } | |
+ | |
+ // Request body parameters. | |
+ $post_sanitized_keys = []; | |
+ $request->request->replace(static::stripDangerousValues($request->request->all(), $whitelist, $post_sanitized_keys)); | |
+ if ($log_sanitized_keys && !empty($post_sanitized_keys)) { | |
+ trigger_error(sprintf('Potentially unsafe keys removed from request body parameters (POST): %s', implode(', ', $post_sanitized_keys))); | |
+ } | |
+ | |
+ // Cookie parameters. | |
+ $cookie_sanitized_keys = []; | |
+ $request->cookies->replace(static::stripDangerousValues($request->cookies->all(), $whitelist, $cookie_sanitized_keys)); | |
+ if ($log_sanitized_keys && !empty($cookie_sanitized_keys)) { | |
+ trigger_error(sprintf('Potentially unsafe keys removed from cookie parameters: %s', implode(', ', $cookie_sanitized_keys))); | |
+ } | |
+ | |
+ if (!empty($get_sanitized_keys) || !empty($post_sanitized_keys) || !empty($cookie_sanitized_keys)) { | |
+ $request->overrideGlobals(); | |
+ } | |
+ $request->attributes->set(self::SANITIZED, TRUE); | |
+ } | |
+ return $request; | |
+ } | |
+ | |
+ /** | |
+ * Strips dangerous keys from $input. | |
+ * | |
+ * @param mixed $input | |
+ * The input to sanitize. | |
+ * @param string[] $whitelist | |
+ * An array of keys to whitelist as safe. | |
+ * @param string[] $sanitized_keys | |
+ * An array of keys that have been removed. | |
+ * | |
+ * @return mixed | |
+ * The sanitized input. | |
+ */ | |
+ protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) { | |
+ if (is_array($input)) { | |
+ foreach ($input as $key => $value) { | |
+ if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) { | |
+ unset($input[$key]); | |
+ $sanitized_keys[] = $key; | |
+ } | |
+ else { | |
+ $input[$key] = static::stripDangerousValues($input[$key], $whitelist, $sanitized_keys); | |
+ } | |
+ } | |
+ } | |
+ return $input; | |
+ } | |
+ | |
+} | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment