Skip to content

Instantly share code, notes, and snippets.

@paragonie-scott
Created March 28, 2018 20:23
Show Gist options
  • Save paragonie-scott/dca4690a504a1d860575041eb274eeef to your computer and use it in GitHub Desktop.
Save paragonie-scott/dca4690a504a1d860575041eb274eeef to your computer and use it in GitHub Desktop.
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 23179ca98d..bfbbb81876 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -1142,6 +1142,7 @@ function _drupal_bootstrap($phase) {
timer_start('page');
// Initialize the configuration
conf_init();
+ _drupal_bootstrap_sanitize_request();
break;
case DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE:
@@ -1603,3 +1604,57 @@ function filter_xss_bad_protocol($string, $decode = TRUE) {
} while ($before != $string);
return check_plain($string);
}
+
+/**
+ * Sanitizes unsafe keys from the request.
+ */
+function _drupal_bootstrap_sanitize_request() {
+ global $conf;
+ static $sanitized;
+
+ if (!$sanitized) {
+ // Ensure the whitelist array exists.
+ if (!isset($conf['sanitize_input_whitelist']) || !is_array($conf['sanitize_input_whitelist'])) {
+ $conf['sanitize_input_whitelist'] = array();
+ }
+
+ $sanitized_keys = _drupal_bootstrap_sanitize_input($_GET, $conf['sanitize_input_whitelist']);
+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_POST, $conf['sanitize_input_whitelist']));
+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_REQUEST, $conf['sanitize_input_whitelist']));
+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_COOKIE, $conf['sanitize_input_whitelist']));
+ $sanitized_keys = array_unique($sanitized_keys);
+
+ if (count($sanitized_keys) && !empty($conf['sanitize_input_logging'])) {
+ trigger_error(check_plain(sprintf('Potentially unsafe keys removed from request parameters: %s', implode(', ', $sanitized_keys)), E_USER_WARNING));
+ }
+
+ $sanitized = TRUE;
+ }
+}
+
+/**
+ * Sanitizes unsafe keys from user input.
+ *
+ * @param mixed $input
+ * Input to sanitize.
+ * @param array $whitelist
+ * Whitelist of values.
+ * @return array
+ */
+function _drupal_bootstrap_sanitize_input(&$input, $whitelist = array()) {
+ $sanitized_keys = array();
+
+ if (is_array($input)) {
+ foreach ($input as $key => $value) {
+ if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
+ unset($input[$key]);
+ $sanitized_keys[] = $key;
+ }
+ elseif (is_array($input[$key])) {
+ $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($input[$key], $whitelist));
+ }
+ }
+ }
+
+ return $sanitized_keys;
+}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment