hardening requests

This commit is contained in:
envoyr 2022-02-20 18:30:57 +01:00
parent e057314795
commit 1e4da4850e
No known key found for this signature in database
GPG Key ID: 5A16F49AF96F462F
2 changed files with 30 additions and 19 deletions


@ -1,6 +1,9 @@
<?php
namespace Froxlor\UI;
use Froxlor\PhpHelper;
use voku\helper\AntiXSS;
/**
* This file is part of the Froxlor project.
* Copyright (c) 2010 the Froxlor Team (see authors).
@ -13,11 +16,34 @@ namespace Froxlor\UI;
* @author Froxlor team <team@froxlor.org> (2010-)
* @author Maurice Preuß <hello@envoyr.com>
* @license GPLv2 http://files.froxlor.org/misc/COPYING.txt
* @package API
* @package Request
*
*/
class Request
{
/**
* Check for xss attempts and clean important globals and
* unsetting every variable registered in $_REQUEST and as variable itself
*/
public static function cleanAll()
{
foreach ($_REQUEST as $key => $value) {
if (isset($$key)) {
unset($$key);
}
}
unset($value);
$antiXss = new AntiXSS();
// check $_GET
PhpHelper::cleanGlobal($_GET, $antiXss);
// check $_POST
PhpHelper::cleanGlobal($_POST, $antiXss);
// check $_COOKIE
PhpHelper::cleanGlobal($_COOKIE, $antiXss);
}
/**
* Get key from current request.
*
@ -27,6 +53,8 @@ class Request
*/
public static function get($key, string $default = null)
{
self::cleanAll();
return $_GET[$key] ?? $_POST[$key] ?? $default;
}
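Review bot: The `foreach ($_REQUEST …) { unset($$key); }` loop at the top of `cleanAll()` becomes a no-op now that it lives inside a static method: `$$key` there resolves against the method's own locals, and variable variables cannot reach superglobals from function scope, so nothing request-registered is ever unset, unlike the old global-scope loop it replaces in the init file. Since register_globals was removed in PHP 5.4, the cleaner change is to drop the loop and the `unset($value)` after it and have the docblock say only that the method runs AntiXSS over `$_GET`, `$_POST` and `$_COOKIE`. Because `get()` now calls `cleanAll()` on every lookup, the full AntiXSS pass over all three superglobals is repeated for each parameter read; a one-shot guard such as `static $cleaned = false; if ($cleaned) { return; } $cleaned = true;` at the start of `cleanAll()` bounds that cost and makes the init-time call and the lazy call equivalent.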


@ -67,27 +67,10 @@ UI::initTwig();
/**
* Register Globals Security Fix
* - unsetting every variable registered in $_REQUEST and as variable itself
*/
foreach ($_REQUEST as $key => $value) {
if (isset($$key)) {
unset($$key);
}
}
/**
* check for xss attempts and clean important globals
*/
$antiXss = new AntiXSS();
// check $_GET
PhpHelper::cleanGlobal($_GET, $antiXss);
// check $_POST
PhpHelper::cleanGlobal($_POST, $antiXss);
// check $_COOKIE
PhpHelper::cleanGlobal($_COOKIE, $antiXss);
Request::cleanAll();
unset($_);
unset($value);
unset($key);
$filename = htmlentities(basename($_SERVER['SCRIPT_NAME']));
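Review bot: The docblock kept at the top of this hunk still promises the register_globals cleanup ("unsetting every variable registered in $_REQUEST and as variable itself"), but the replacement `Request::cleanAll()` runs that loop inside a static method, where `$$key` only touches the method's locals, so at this global-scope call site the described unsetting no longer happens. Likewise `unset($value); unset($key);` after the call are leftovers from the removed foreach and now refer to variables this file never assigns. Either keep the global-scope loop here if that behaviour is still wanted, or reduce the comment to `/** check for xss attempts and clean $_GET, $_POST and $_COOKIE */` and drop the two stale unsets. This assumes a `use Froxlor\UI\Request;` import exists above the hunk; it is not visible in this section.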