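. */

/**
 * Basic security filter options.
 *
 * Usage:
 *
 * Txp::get('\Textpattern\Security\Filter')->registerGlobals()->setMaxRequestUriLength(255);
 *
 * Both methods return the filter instance so calls can be chained; each
 * throws \Textpattern\Security\Exception when the request fails its check.
 *
 * @since   4.6.0
 * @package Security
 */

namespace Textpattern\Security;

use \Txp;

class Filter
{
    /**
     * Names that registerGlobals() must never unset from $GLOBALS.
     *
     * These are the superglobal containers themselves. A request variable
     * carrying one of these names is skipped by the wipe loop, so an
     * attacker cannot make the filter remove the real $_GET/$_POST/...
     * arrays out from under the application.
     *
     * @var array
     */
    private $protectedGlobals = array(
        '_SESSION',
        '_ENV',
        '_GET',
        '_POST',
        '_COOKIE',
        '_FILES',
        '_SERVER',
        '_REQUEST',
        'GLOBALS',
    );

    /**
     * Rejects requests whose URI exceeds the given byte length.
     *
     * Protection from those who'd bomb the site by GET. The limit is
     * compared against the raw byte length of REQUEST_URI (strlen(), not a
     * multibyte-aware character count), which is the right measure for a
     * size cap.
     *
     * @param  int $length Maximum permitted REQUEST_URI length in bytes
     * @throws \Textpattern\Security\Exception When the URI is longer than $length
     * @return \Textpattern\Security\Filter
     */
    public function setMaxRequestUriLength($length)
    {
        // REQUEST_URI may be absent (e.g. when run from the CLI); cast so that
        // strlen() never receives null, which is deprecated as of PHP 8.1.
        $uri = (string) Txp::get('\Textpattern\Server\Config')->getVariable('REQUEST_URI');

        if (strlen($uri) > (int) $length) {
            throw new Exception('Requested URL length exceeds application limit.');
        }

        return $this;
    }

    /**
     * Wipes automatically registered superglobals.
     *
     * Protects the server from global registering and overwriting attempts
     * when the (legacy) register_globals ini setting is enabled. Does nothing
     * when it is off.
     *
     * The overwrite check looks for a 'GLOBALS' key in $_REQUEST and $_FILES,
     * and additionally in $_GET, $_POST and $_COOKIE directly: the contents
     * of $_REQUEST depend on the request_order ini setting, so a 'GLOBALS'
     * key in a container omitted from $_REQUEST would otherwise slip past.
     *
     * @throws \Textpattern\Security\Exception On a GLOBALS overwrite attempt
     * @return \Textpattern\Security\Filter
     */
    public function registerGlobals()
    {
        if (!Txp::get('\Textpattern\Server\Config')->getRegisterGlobals()) {
            return $this;
        }

        // Attacker-controlled containers to inspect for a GLOBALS overwrite.
        $inputs = array(
            (array) $_REQUEST,
            (array) $_FILES,
            (array) $_GET,
            (array) $_POST,
            (array) $_COOKIE,
        );

        foreach ($inputs as $input) {
            if (array_key_exists('GLOBALS', $input)) {
                throw new Exception('GLOBALS overwrite attempt detected. Please consider turning register_globals off.');
            }
        }

        // Every name PHP may have registered as a global from these sources.
        $names = array_keys(array_merge(
            isset($_SESSION) ? (array) $_SESSION : array(),
            (array) $_ENV,
            (array) $_GET,
            (array) $_POST,
            (array) $_COOKIE,
            (array) $_FILES,
            (array) $_SERVER
        ));

        foreach ($names as $name) {
            // Never unset the superglobal containers themselves.
            if (!in_array($name, $this->protectedGlobals, true)) {
                unset($GLOBALS[$name]);
            }
        }

        return $this;
    }
}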