

Pass raw QUERY_STRING to parser

Summary:
Fixes issue where double-encoding of $_SERVER occurs when php.ini forces all input to be sanitized

Ex:
filter.default = full_special_chars
filter.default_flags = 36

Fix line length

Test Plan: Encountered issue on clean install when registering new user (phusr not defined for email verification). php.ini on that server contains above filter settings. nginx/php-fpm with recommended settings for that server block from setup guide.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D6672

authored by

Eric Stern and committed by
epriestley
44a883f9 61f0671e

+60 -4
+60 -4
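--- a/support/PhabricatorStartup.php
+++ b/support/PhabricatorStartup.php
@@ -92,6 +92,8 @@
     self::setupPHP();
     self::verifyPHP();
 
+    self::normalizeInput();
+
     self::verifyRewriteRules();
 
     self::detectPostMaxSizeTriggered();
@@ -227,16 +229,70 @@
 
 
   /**
-   * @task valiation
+   * @task validation
    */
   private static function setupPHP() {
     error_reporting(E_ALL | E_STRICT);
     ini_set('memory_limit', -1);
   }
 
+  /**
+   * @task validation
+   */
+  private static function normalizeInput() {
+    // Replace superglobals with unfiltered versions, disrespect php.ini (we
+    // filter ourselves)
+    $_GET = filter_input_array(INPUT_GET, FILTER_UNSAFE_RAW);
+    $_POST = filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW);
+    $_SERVER = filter_input_array(INPUT_SERVER, FILTER_UNSAFE_RAW);
+    $_COOKIE = filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW);
+    $_ENV = filter_input_array(INPUT_ENV, FILTER_UNSAFE_RAW);
+    if (!is_array($_GET)) {
+      $_GET = array();
+    }
+    if (!is_array($_POST)) {
+      $_POST = array();
+    }
+    if (!is_array($_SERVER)) {
+      $_SERVER = array();
+    }
+    if (!is_array($_COOKIE)) {
+      $_COOKIE = array();
+    }
+    if (!is_array($_ENV)) {
+      $_ENV = array();
+    }
+
+    // rebuild $_REQUEST, respecting order declared in ini files
+    $order = ini_get('request_order');
+    if (!$order) {
+      $order = ini_get('variables_order');
+    }
+    if (!$order) {
+      // $_REQUEST will be empty, leave it alone
+      return;
+    }
+    $_REQUEST = array();
+    for ($i = 0; $i < strlen($order); $i++) {
+      switch ($order[$i]) {
+        case 'G':
+          $_REQUEST = array_merge($_REQUEST, $_GET);
+          break;
+        case 'P':
+          $_REQUEST = array_merge($_REQUEST, $_POST);
+          break;
+        case 'C':
+          $_REQUEST = array_merge($_REQUEST, $_COOKIE);
+          break;
+        default:
+          // $_ENV and $_SERVER never go into $_REQUEST
+          break;
+      }
+    }
+  }
 
   /**
-   * @task valiation
+   * @task validation
    */
   private static function verifyPHP() {
     $required_version = '5.2.3';
@@ -274,7 +330,7 @@
 
 
   /**
-   * @task valiation
+   * @task validation
    */
   private static function verifyRewriteRules() {
     if (isset($_REQUEST['__path__']) && strlen($_REQUEST['__path__'])) {
@@ -304,7 +360,7 @@
 
 
   /**
-   * @task valiation
+   * @task validation
    */
   private static function validateGlobal($key) {
     static $globals = array(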
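Review bot: The `$_SERVER = array()` fallback in normalizeInput silently wipes the server environment whenever `filter_input_array(INPUT_SERVER, ...)` returns null, and under some SAPIs (FPM/FastCGI has been reported, worth confirming on the deployment this targets) null is the normal result rather than an error; the same applies to the `$_ENV` branch. Anything later in the request that reads `REMOTE_ADDR`, `HTTPS` or `HTTP_HOST` from `$_SERVER` for access or origin decisions would then see an empty value instead of a failure, which is the wrong direction to fail. Keeping the existing superglobal when the filtered copy is unavailable is safer: `$server = filter_input_array(INPUT_SERVER, FILTER_UNSAFE_RAW); if (is_array($server)) { $_SERVER = $server; }`, and likewise for `$_ENV`. Separately, `array_merge` renumbers integer keys, so the rebuilt `$_REQUEST` differs from PHP's native one for numeric parameter names; `$_REQUEST = $_GET + $_REQUEST`-style union per step, with the later source applied first, would preserve keys while keeping the declared precedence.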