revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-20 04:20:55 +01:00
Code Issues Releases Wiki Activity

Pass raw QUERY_STRING to parser

Browse source 
Summary:
Fixes issue where double-encoding of $_SERVER occurs when php.ini forces all input to be sanitized

Ex:
filter.default = full_special_chars
filter.default_flags = 36

Fix line length

Test Plan: Encountered issue on clean install when registring new user (phusr not defined for email verification). php.ini on that server contains above filter settings. nginx/php-fpm with recommended settings for that server block from setup guide.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D6672
This commit is contained in:
Eric Stern 2013-08-04 18:07:35 -07:00 committed by epriestley
parent 61f0671e87
commit 44a883f941
1 changed files with 60 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
support/PhabricatorStartup.php
View file

@ -92,6 +92,8 @@ final class PhabricatorStartup {
self::setupPHP(); self::setupPHP();
self::verifyPHP(); self::verifyPHP();
self::normalizeInput();
self::verifyRewriteRules(); self::verifyRewriteRules();
self::detectPostMaxSizeTriggered(); self::detectPostMaxSizeTriggered();
@ -227,16 +229,70 @@ final class PhabricatorStartup {
/** /**
* @task valiation * @task validation
*/ */
private static function setupPHP() { private static function setupPHP() {
error_reporting(E_ALL | E_STRICT); error_reporting(E_ALL | E_STRICT);
ini_set('memory_limit', -1); ini_set('memory_limit', -1);
} }
/**
* @task validation
*/
private static function normalizeInput() {
// Replace superglobals with unfiltered versions, disrespect php.ini (we
// filter ourselves)
$_GET = filter_input_array(INPUT_GET, FILTER_UNSAFE_RAW);
$_POST = filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW);
$_SERVER = filter_input_array(INPUT_SERVER, FILTER_UNSAFE_RAW);
$_COOKIE = filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW);
$_ENV = filter_input_array(INPUT_ENV, FILTER_UNSAFE_RAW);
if (!is_array($_GET)) {
$_GET = array();
}
if (!is_array($_POST)) {
$_POST = array();
}
if (!is_array($_SERVER)) {
$_SERVER = array();
}
if (!is_array($_COOKIE)) {
$_COOKIE = array();
}
if (!is_array($_ENV)) {
$_ENV = array();
}
// rebuild $_REQUEST, respecting order declared in ini files
$order = ini_get('request_order');
if (!$order) {
$order = ini_get('variables_order');
}
if (!$order) {
// $_REQUEST will be empty, leave it alone
return;
}
$_REQUEST = array();
for ($i = 0; $i < strlen($order); $i++) {
switch ($order[$i]) {
case 'G':
$_REQUEST = array_merge($_REQUEST, $_GET);
break;
case 'P':
$_REQUEST = array_merge($_REQUEST, $_POST);
break;
case 'C':
$_REQUEST = array_merge($_REQUEST, $_COOKIE);
break;
default:
// $_ENV and $_SERVER never go into $_REQUEST
break;
}
}
}
/** /**
* @task valiation * @task validation
*/ */
private static function verifyPHP() { private static function verifyPHP() {
$required_version = '5.2.3'; $required_version = '5.2.3';
@ -274,7 +330,7 @@ final class PhabricatorStartup {
/** /**
* @task valiation * @task validation
*/ */
private static function verifyRewriteRules() { private static function verifyRewriteRules() {
if (isset($_REQUEST['__path__']) && strlen($_REQUEST['__path__'])) { if (isset($_REQUEST['__path__']) && strlen($_REQUEST['__path__'])) {
@ -304,7 +360,7 @@ final class PhabricatorStartup {
/** /**
* @task valiation * @task validation
*/ */
private static function validateGlobal($key) { private static function validateGlobal($key) {
static $globals = array( static $globals = array(