From b20a0eed13cfaa4c52800426c8f23f416dd766f1 Mon Sep 17 00:00:00 2001 From: Eric Stern Date: Mon, 5 Aug 2013 11:45:21 -0700 Subject: [PATCH] Filter only possibly-tainted keys from superglobals Summary: Ensures that weird behavior from filter_input_array does not remove keys from superglobals. Should fix T3677. Test Plan: Checked that $_SERVER contained same number of keys before and after filtering, and that those affected by the original bug continue to be filtered correctly. Reviewers: epriestley, btrahan Reviewed By: epriestley CC: zorfling, aran, Korvin, wez Maniphest Tasks: T3677 Differential Revision: https://secure.phabricator.com/D6680
---
 support/PhabricatorStartup.php | 43 +++++++++++++++++++--------------- 1 file changed, 24 insertions(+), 19 deletions(-)
diff --git a/support/PhabricatorStartup.php b/support/PhabricatorStartup.php
index 45674a701f..d02d565ab2 100644
--- a/support/PhabricatorStartup.php
+++ b/support/PhabricatorStartup.php
@@ -242,25 +242,30 @@ final class PhabricatorStartup {
 private static function normalizeInput() {
 // Replace superglobals with unfiltered versions, disrespect php.ini (we
 // filter ourselves)
- $_GET = filter_input_array(INPUT_GET, FILTER_UNSAFE_RAW);
- $_POST = filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW);
- $_SERVER = filter_input_array(INPUT_SERVER, FILTER_UNSAFE_RAW);
- $_COOKIE = filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW);
- $_ENV = filter_input_array(INPUT_ENV, FILTER_UNSAFE_RAW);
- if (!is_array($_GET)) {
- $_GET = array();
- }
- if (!is_array($_POST)) {
- $_POST = array();
- }
- if (!is_array($_SERVER)) {
- $_SERVER = array();
- }
- if (!is_array($_COOKIE)) {
- $_COOKIE = array();
- }
- if (!is_array($_ENV)) {
- $_ENV = array();
+ $filter = array(INPUT_GET, INPUT_POST,
+ INPUT_SERVER, INPUT_ENV, INPUT_COOKIE);
+ foreach ($filter as $type) {
+ $filtered = filter_input_array($type, FILTER_UNSAFE_RAW);
+ if (!is_array($filtered)) {
+ continue;
+ }
+ switch ($type) {
+ case INPUT_SERVER:
+ $_SERVER = array_merge($_SERVER, $filtered);
+ break;
+ case INPUT_GET:
+ $_GET = array_merge($_GET, $filtered);
+ break;
+ case INPUT_COOKIE:
+ $_COOKIE = array_merge($_COOKIE, $filtered);
+ break;
+ case INPUT_POST:
+ $_POST = array_merge($_POST, $filtered);
+ break;
+ case INPUT_ENV;
+ $_ENV = array_merge($_ENV, $filtered);
+ break;
+ }
 }
 // rebuild $_REQUEST, respecting order declared in ini files
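Review bot: `array_merge()` in the five `case` arms renumbers and appends integer keys instead of overwriting them, so a parameter or cookie whose name is numeric (PHP stores it under an int key) keeps its php.ini-filtered value while the raw value lands under a new index. A key-preserving overwrite avoids this, e.g. `$_GET = $filtered + $_GET;`, with the same form for `$_SERVER`, `$_COOKIE`, `$_POST` and `$_ENV`. Separately, `case INPUT_ENV;` ends in a semicolon where the other arms use a colon; PHP accepts it, but `case INPUT_ENV:` is consistent. When `filter_input_array()` does not return an array, the loop now leaves the ini-filtered superglobal untouched instead of emptying it, which looks intentional for T3677 but deserves a one-line comment next to the `continue`. normalizeInput() continues past the end of this hunk.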