daggerhart/d5-drupalgeddon2.patch

## d5-drupalgeddon2.patch
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 2f18c58..93ffef6 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -912,6 +912,7 @@ function _drupal_bootstrap($phase) {
       drupal_unset_globals();
       // Initialize the configuration
       conf_init();
+      drupal_request_sanitizer_sanitize();
       break;

     case DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE:
@@ -1025,3 +1026,58 @@ function get_t() {
   }
   return $t;
 }
+
+/**
+ * Modifies the request to strip dangerous keys from user input.
+ */
+function drupal_request_sanitizer_sanitize() {
+  static $sanitized = FALSE;
+  if (!$sanitized) {
+    $whitelist = variable_get('sanitize_input_whitelist', array());
+
+    // Process query string parameters.
+    $get_sanitized_keys = array();
+    $_GET = drupal_request_sanitizer_strip_dangerous_values($_GET, $whitelist, $get_sanitized_keys);
+
+    // Process request body parameters.
+    $post_sanitized_keys = array();
+    $_POST = drupal_request_sanitizer_strip_dangerous_values($_POST, $whitelist, $post_sanitized_keys);
+
+    // Process cookie parameters.
+    $cookie_sanitized_keys = array();
+    $_COOKIE = drupal_request_sanitizer_strip_dangerous_values($_COOKIE, $whitelist, $cookie_sanitized_keys);
+
+    $request_sanitized_keys = array();
+    $_REQUEST = drupal_request_sanitizer_strip_dangerous_values($_REQUEST, $whitelist, $request_sanitized_keys);
+
+    $sanitized = TRUE;
+  }
+}
+
+/**
+ * Strips dangerous keys from the provided input.
+ *
+ * @param mixed $input
+ *   The input to sanitize.
+ * @param string[] $whitelist
+ *   An array of keys to whitelist as safe.
+ * @param string[] $sanitized_keys
+ *   An array of keys that have been removed.
+ *
+ * @return mixed
+ *   The sanitized input.
+ */
+function drupal_request_sanitizer_strip_dangerous_values($input, $whitelist, &$sanitized_keys) {
+  if (is_array($input)) {
+    foreach ($input as $key => $value) {
+      if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
+        unset($input[$key]);
+        $sanitized_keys[] = $key;
+      }
+      else {
+        $input[$key] = drupal_request_sanitizer_strip_dangerous_values($input[$key], $whitelist, $sanitized_keys);
+      }
+    }
+  }
+  return $input;
+}
	diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
	index 2f18c58..93ffef6 100644
	--- a/includes/bootstrap.inc
	+++ b/includes/bootstrap.inc
	@@ -912,6 +912,7 @@ function _drupal_bootstrap($phase) {
	drupal_unset_globals();
	// Initialize the configuration
	conf_init();
	+ drupal_request_sanitizer_sanitize();
	break;

	case DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE:
	@@ -1025,3 +1026,58 @@ function get_t() {
	}
	return $t;
	}
	+
	+/**
	+ * Modifies the request to strip dangerous keys from user input.
	+ */
	+function drupal_request_sanitizer_sanitize() {
	+ static $sanitized = FALSE;
	+ if (!$sanitized) {
	+ $whitelist = variable_get('sanitize_input_whitelist', array());
	+
	+ // Process query string parameters.
	+ $get_sanitized_keys = array();
	+ $_GET = drupal_request_sanitizer_strip_dangerous_values($_GET, $whitelist, $get_sanitized_keys);
	+
	+ // Process request body parameters.
	+ $post_sanitized_keys = array();
	+ $_POST = drupal_request_sanitizer_strip_dangerous_values($_POST, $whitelist, $post_sanitized_keys);
	+
	+ // Process cookie parameters.
	+ $cookie_sanitized_keys = array();
	+ $_COOKIE = drupal_request_sanitizer_strip_dangerous_values($_COOKIE, $whitelist, $cookie_sanitized_keys);
	+
	+ $request_sanitized_keys = array();
	+ $_REQUEST = drupal_request_sanitizer_strip_dangerous_values($_REQUEST, $whitelist, $request_sanitized_keys);
	+
	+ $sanitized = TRUE;
	+ }
	+}
	+
	+/**
	+ * Strips dangerous keys from the provided input.
	+ *
	+ * @param mixed $input
	+ * The input to sanitize.
	+ * @param string[] $whitelist
	+ * An array of keys to whitelist as safe.
	+ * @param string[] $sanitized_keys
	+ * An array of keys that have been removed.
	+ *
	+ * @return mixed
	+ * The sanitized input.
	+ */
	+function drupal_request_sanitizer_strip_dangerous_values($input, $whitelist, &$sanitized_keys) {
	+ if (is_array($input)) {
	+ foreach ($input as $key => $value) {
	+ if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
	+ unset($input[$key]);
	+ $sanitized_keys[] = $key;
	+ }
	+ else {
	+ $input[$key] = drupal_request_sanitizer_strip_dangerous_values($input[$key], $whitelist, $sanitized_keys);
	+ }
	+ }
	+ }
	+ return $input;
	+}