-
-
Save paragonie-scott/dca4690a504a1d860575041eb274eeef to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc | |
index 23179ca98d..bfbbb81876 100644 | |
--- a/includes/bootstrap.inc | |
+++ b/includes/bootstrap.inc | |
@@ -1142,6 +1142,7 @@ function _drupal_bootstrap($phase) { | |
timer_start('page'); | |
// Initialize the configuration | |
conf_init(); | |
+ _drupal_bootstrap_sanitize_request(); | |
break; | |
case DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE: | |
@@ -1603,3 +1604,57 @@ function filter_xss_bad_protocol($string, $decode = TRUE) { | |
} while ($before != $string); | |
return check_plain($string); | |
} | |
+ | |
+/** | |
+ * Sanitizes unsafe keys from the request. | |
+ */ | |
+function _drupal_bootstrap_sanitize_request() { | |
+ global $conf; | |
+ static $sanitized; | |
+ | |
+ if (!$sanitized) { | |
+ // Ensure the whitelist array exists. | |
+ if (!isset($conf['sanitize_input_whitelist']) || !is_array($conf['sanitize_input_whitelist'])) { | |
+ $conf['sanitize_input_whitelist'] = array(); | |
+ } | |
+ | |
+ $sanitized_keys = _drupal_bootstrap_sanitize_input($_GET, $conf['sanitize_input_whitelist']); | |
+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_POST, $conf['sanitize_input_whitelist'])); | |
+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_REQUEST, $conf['sanitize_input_whitelist'])); | |
+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_COOKIE, $conf['sanitize_input_whitelist'])); | |
+ $sanitized_keys = array_unique($sanitized_keys); | |
+ | |
+ if (count($sanitized_keys) && !empty($conf['sanitize_input_logging'])) { | |
+ trigger_error(check_plain(sprintf('Potentially unsafe keys removed from request parameters: %s', implode(', ', $sanitized_keys)), E_USER_WARNING)); | |
+ } | |
+ | |
+ $sanitized = TRUE; | |
+ } | |
+} | |
+ | |
+/** | |
+ * Sanitizes unsafe keys from user input. | |
+ * | |
+ * @param mixed $input | |
+ * Input to sanitize. | |
+ * @param array $whitelist | |
+ * Whitelist of values. | |
+ * @return array | |
+ */ | |
+function _drupal_bootstrap_sanitize_input(&$input, $whitelist = array()) { | |
+ $sanitized_keys = array(); | |
+ | |
+ if (is_array($input)) { | |
+ foreach ($input as $key => $value) { | |
+ if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) { | |
+ unset($input[$key]); | |
+ $sanitized_keys[] = $key; | |
+ } | |
+ elseif (is_array($input[$key])) { | |
+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($input[$key], $whitelist)); | |
+ } | |
+ } | |
+ } | |
+ | |
+ return $sanitized_keys; | |
+} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment