view core/lib/Drupal/Core/Logger/LogMessageParser.php @ 13:5fb285c0d0e3

Update Drupal core to 8.4.7 via Composer. Security update; I *think* we've been lucky to get away with this so far, as we don't support self-registration which seems to be used by the so-called "drupalgeddon 2" attack that 8.4.5 was vulnerable to.
author Chris Cannam
date Mon, 23 Apr 2018 09:33:26 +0100
parents 4c8ae668cc8c
children 129ea1e6d783
line wrap: on
line source
<?php

namespace Drupal\Core\Logger;

/**
 * Parses log messages and their placeholders.
 */
class LogMessageParser implements LogMessageParserInterface {

  /**
   * {@inheritdoc}
   */
  public function parseMessagePlaceholders(&$message, array &$context) {
    $variables = [];
    $has_psr3 = FALSE;
    if (($start = strpos($message, '{')) !== FALSE && strpos($message, '}') > $start) {
      $has_psr3 = TRUE;
      // Transform PSR3 style messages containing placeholders to
      // \Drupal\Component\Utility\SafeMarkup::format() style.
      $message = preg_replace('/\{(.*)\}/U', '@$1', $message);
    }
    foreach ($context as $key => $variable) {
      // PSR3 style placeholders.
      if ($has_psr3) {
        // Keys are not prefixed with anything according to PSR3 specs.
        // If the message is "User {username} created" the variable key will be
        // just "username".
        if (strpos($message, '@' . $key) !== FALSE) {
          $key = '@' . $key;
        }
      }
      if (!empty($key) && ($key[0] === '@' || $key[0] === '%' || $key[0] === '!')) {
        // The key is now in \Drupal\Component\Utility\SafeMarkup::format() style.
        $variables[$key] = $variable;
      }
    }

    return $variables;
  }

}