paragonie-scott/drupal-6.x-2018-002.patch Secret

## drupal-6.x-2018-002.patch
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 23179ca98d..bfbbb81876 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -1142,6 +1142,7 @@ function _drupal_bootstrap($phase) {
       timer_start('page');
       // Initialize the configuration
       conf_init();
+      _drupal_bootstrap_sanitize_request();
       break;

     case DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE:
@@ -1603,3 +1604,57 @@ function filter_xss_bad_protocol($string, $decode = TRUE) {
   } while ($before != $string);
   return check_plain($string);
 }
+
+/**
+ * Sanitizes unsafe keys from the request.
+ */
+function _drupal_bootstrap_sanitize_request() {
+  global $conf;
+  static $sanitized;
+
+  if (!$sanitized) {
+    // Ensure the whitelist array exists.
+    if (!isset($conf['sanitize_input_whitelist']) || !is_array($conf['sanitize_input_whitelist'])) {
+      $conf['sanitize_input_whitelist'] = array();
+    }
+
+    $sanitized_keys = _drupal_bootstrap_sanitize_input($_GET, $conf['sanitize_input_whitelist']);
+    $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_POST, $conf['sanitize_input_whitelist']));
+    $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_REQUEST, $conf['sanitize_input_whitelist']));
+    $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_COOKIE, $conf['sanitize_input_whitelist']));
+    $sanitized_keys = array_unique($sanitized_keys);
+
+    if (count($sanitized_keys) && !empty($conf['sanitize_input_logging'])) {
+      trigger_error(check_plain(sprintf('Potentially unsafe keys removed from request parameters: %s', implode(', ', $sanitized_keys)), E_USER_WARNING));
+    }
+
+    $sanitized = TRUE;
+  }
+}
+
+/**
+ * Sanitizes unsafe keys from user input.
+ *
+ * @param mixed $input
+ *   Input to sanitize.
+ * @param array $whitelist
+ *   Whitelist of values.
+ * @return array
+ */
+function _drupal_bootstrap_sanitize_input(&$input, $whitelist = array()) {
+  $sanitized_keys = array();
+
+  if (is_array($input)) {
+    foreach ($input as $key => $value) {
+      if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
+        unset($input[$key]);
+        $sanitized_keys[] = $key;
+      }
+      elseif (is_array($input[$key])) {
+        $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($input[$key], $whitelist));
+      }
+    }
+  }
+
+  return $sanitized_keys;
+}
	diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
	index 23179ca98d..bfbbb81876 100644
	--- a/includes/bootstrap.inc
	+++ b/includes/bootstrap.inc
	@@ -1142,6 +1142,7 @@ function _drupal_bootstrap($phase) {
	timer_start('page');
	// Initialize the configuration
	conf_init();
	+ _drupal_bootstrap_sanitize_request();
	break;

	case DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE:
	@@ -1603,3 +1604,57 @@ function filter_xss_bad_protocol($string, $decode = TRUE) {
	} while ($before != $string);
	return check_plain($string);
	}
	+
	+/**
	+ * Sanitizes unsafe keys from the request.
	+ */
	+function _drupal_bootstrap_sanitize_request() {
	+ global $conf;
	+ static $sanitized;
	+
	+ if (!$sanitized) {
	+ // Ensure the whitelist array exists.
	+ if (!isset($conf['sanitize_input_whitelist']) \|\| !is_array($conf['sanitize_input_whitelist'])) {
	+ $conf['sanitize_input_whitelist'] = array();
	+ }
	+
	+ $sanitized_keys = _drupal_bootstrap_sanitize_input($_GET, $conf['sanitize_input_whitelist']);
	+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_POST, $conf['sanitize_input_whitelist']));
	+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_REQUEST, $conf['sanitize_input_whitelist']));
	+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_COOKIE, $conf['sanitize_input_whitelist']));
	+ $sanitized_keys = array_unique($sanitized_keys);
	+
	+ if (count($sanitized_keys) && !empty($conf['sanitize_input_logging'])) {
	+ trigger_error(check_plain(sprintf('Potentially unsafe keys removed from request parameters: %s', implode(', ', $sanitized_keys)), E_USER_WARNING));
	+ }
	+
	+ $sanitized = TRUE;
	+ }
	+}
	+
	+/**
	+ * Sanitizes unsafe keys from user input.
	+ *
	+ * @param mixed $input
	+ * Input to sanitize.
	+ * @param array $whitelist
	+ * Whitelist of values.
	+ * @return array
	+ */
	+function _drupal_bootstrap_sanitize_input(&$input, $whitelist = array()) {
	+ $sanitized_keys = array();
	+
	+ if (is_array($input)) {
	+ foreach ($input as $key => $value) {
	+ if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
	+ unset($input[$key]);
	+ $sanitized_keys[] = $key;
	+ }
	+ elseif (is_array($input[$key])) {
	+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($input[$key], $whitelist));
	+ }
	+ }
	+ }
	+
	+ return $sanitized_keys;
	+}