
   1  <?php
   2  
   3  /*
   4   * Textpattern Content Management System
   5   * http://textpattern.com
   6   *
   7   * Copyright (C) 2016 The Textpattern Development Team
   8   *
   9   * This file is part of Textpattern.
  10   *
  11   * Textpattern is free software; you can redistribute it and/or
  12   * modify it under the terms of the GNU General Public License
  13   * as published by the Free Software Foundation, version 2.
  14   *
  15   * Textpattern is distributed in the hope that it will be useful,
  16   * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  18   * GNU General Public License for more details.
  19   *
  20   * You should have received a copy of the GNU General Public License
  21   * along with Textpattern. If not, see <http://www.gnu.org/licenses/>.
  22   */
  23  
  24  /**
  25   * Basic security filter options.
  26   *
  27   * <code>
  28   * Txp::get('\Textpattern\Security\Filter')->registerGlobals()->setMaxRequestUriLength(255);
  29   * </code>
  30   *
  31   * @since   4.6.0
  32   * @package Security.
  33   */
  34  
  35  namespace Textpattern\Security;
  36  
  37  use \Txp;
  38  
  39  class Filter
  40  {
  41      /**
  42       * An array of protected superglobals.
  43       *
  44       * @var array
  45       */
  46  
  47      private $protectedGlobals = array(
  48          '_SESSION',
  49          '_ENV',
  50          '_GET',
  51          '_POST',
  52          '_COOKIE',
  53          '_FILES',
  54          '_SERVER',
  55          '_REQUEST',
  56          'GLOBALS',
  57      );
  58  
  59      /**
  60       * Protection from those who'd bomb the site by GET.
  61       *
  62       * @throws \Textpattern\Security\Exception
  63       * @return \Textpattern\Security\Filter
  64       */
  65  
  66      public function setMaxRequestUriLength($length)
  67      {
  68          $uri = Txp::get('\Textpattern\Server\Config')->getVariable('REQUEST_URI');
  69  
  70          if (strlen($uri) > $length) {
  71              throw new Exception('Requested URL length exceeds application limit.');
  72          }
  73  
  74          return $this;
  75      }
  76  
  77      /**
  78       * Wipes automatically registered superglobals.
  79       *
  80       * Protects the server from global registering and overwriting attempts.
  81       *
  82       * @throws \Textpattern\Security\Exception
  83       * @return \Textpattern\Security\Filter
  84       */
  85  
  86      public function registerGlobals()
  87      {
  88          if (Txp::get('\Textpattern\Server\Config')->getRegisterGlobals()) {
  89              if (array_key_exists('GLOBALS', $_REQUEST) || array_key_exists('GLOBALS', $_FILES)) {
  90                  throw new Exception('GLOBALS overwrite attempt detected. Please consider turning register_globals off.');
  91              }
  92  
  93              $variables = array_merge(
  94                  isset($_SESSION) ? (array)$_SESSION : array(),
  95                  (array)$_ENV,
  96                  (array)$_GET,
  97                  (array)$_POST,
  98                  (array)$_COOKIE,
  99                  (array)$_FILES,
 100                  (array)$_SERVER
 101              );
 102  
 103              foreach ($variables as $variable => $value) {
 104                  if (!in_array($variable, $this->protectedGlobals, true)) {
 105                      unset($GLOBALS[$variable]);
 106                  }
 107              }
 108          }
 109  
 110          return $this;
 111      }
 112  }
