Chris@13: attributes->get(self::SANITIZED, FALSE)) { Chris@15: $update_globals = FALSE; Chris@15: $bags = [ Chris@15: 'query' => 'Potentially unsafe keys removed from query string parameters (GET): %s', Chris@15: 'request' => 'Potentially unsafe keys removed from request body parameters (POST): %s', Chris@15: 'cookies' => 'Potentially unsafe keys removed from cookie parameters: %s', Chris@15: ]; Chris@15: foreach ($bags as $bag => $message) { Chris@15: if (static::processParameterBag($request->$bag, $whitelist, $log_sanitized_keys, $bag, $message)) { Chris@15: $update_globals = TRUE; Chris@15: } Chris@13: } Chris@15: if ($update_globals) { Chris@13: $request->overrideGlobals(); Chris@13: } Chris@13: $request->attributes->set(self::SANITIZED, TRUE); Chris@13: } Chris@13: return $request; Chris@13: } Chris@13: Chris@13: /** Chris@15: * Processes a request parameter bag. Chris@15: * Chris@15: * @param \Symfony\Component\HttpFoundation\ParameterBag $bag Chris@15: * The parameter bag to process. Chris@15: * @param string[] $whitelist Chris@15: * An array of keys to whitelist as safe. Chris@15: * @param bool $log_sanitized_keys Chris@15: * Set to TRUE to log keys that are sanitized. Chris@15: * @param string $bag_name Chris@15: * The request parameter bag name. Either 'query', 'request' or 'cookies'. Chris@15: * @param string $message Chris@15: * The message to log if the parameter bag contains keys that are removed. Chris@15: * If the message contains %s that is replaced by a list of removed keys. Chris@15: * Chris@15: * @return bool Chris@15: * TRUE if the parameter bag has been sanitized, FALSE if not. Chris@15: */ Chris@15: protected static function processParameterBag(ParameterBag $bag, $whitelist, $log_sanitized_keys, $bag_name, $message) { Chris@15: $sanitized = FALSE; Chris@15: $sanitized_keys = []; Chris@15: $bag->replace(static::stripDangerousValues($bag->all(), $whitelist, $sanitized_keys)); Chris@15: if (!empty($sanitized_keys)) { Chris@15: $sanitized = TRUE; Chris@15: if ($log_sanitized_keys) { Chris@15: trigger_error(sprintf($message, implode(', ', $sanitized_keys))); Chris@15: } Chris@15: } Chris@15: Chris@15: if ($bag->has('destination')) { Chris@17: $destination = $bag->get('destination'); Chris@17: $destination_dangerous_keys = static::checkDestination($destination, $whitelist); Chris@15: if (!empty($destination_dangerous_keys)) { Chris@15: // The destination is removed rather than sanitized because the URL Chris@15: // generator service is not available and this method is called very Chris@15: // early in the bootstrap. Chris@15: $bag->remove('destination'); Chris@15: $sanitized = TRUE; Chris@15: if ($log_sanitized_keys) { Chris@15: trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it contained the following keys: %s', $bag_name, implode(', ', $destination_dangerous_keys))); Chris@15: } Chris@15: } Chris@17: // Sanitize the destination parameter (which is often used for redirects) Chris@17: // to prevent open redirect attacks leading to other domains. Chris@17: if (UrlHelper::isExternal($destination)) { Chris@17: // The destination is removed because it is an external URL. Chris@17: $bag->remove('destination'); Chris@17: $sanitized = TRUE; Chris@17: if ($log_sanitized_keys) { Chris@17: trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it points to an external URL.', $bag_name)); Chris@17: } Chris@17: } Chris@15: } Chris@15: return $sanitized; Chris@15: } Chris@15: Chris@15: /** Chris@15: * Checks a destination string to see if it is dangerous. Chris@15: * Chris@15: * @param string $destination Chris@15: * The destination string to check. Chris@15: * @param array $whitelist Chris@15: * An array of keys to whitelist as safe. Chris@15: * Chris@15: * @return array Chris@15: * The dangerous keys found in the destination parameter. Chris@15: */ Chris@15: protected static function checkDestination($destination, array $whitelist) { Chris@15: $dangerous_keys = []; Chris@15: $parts = UrlHelper::parse($destination); Chris@15: // If there is a query string, check its query parameters. Chris@15: if (!empty($parts['query'])) { Chris@15: static::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys); Chris@15: } Chris@15: return $dangerous_keys; Chris@15: } Chris@15: Chris@15: /** Chris@13: * Strips dangerous keys from $input. Chris@13: * Chris@13: * @param mixed $input Chris@13: * The input to sanitize. Chris@13: * @param string[] $whitelist Chris@13: * An array of keys to whitelist as safe. Chris@13: * @param string[] $sanitized_keys Chris@13: * An array of keys that have been removed. Chris@13: * Chris@13: * @return mixed Chris@13: * The sanitized input. Chris@13: */ Chris@13: protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) { Chris@13: if (is_array($input)) { Chris@13: foreach ($input as $key => $value) { Chris@13: if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) { Chris@13: unset($input[$key]); Chris@13: $sanitized_keys[] = $key; Chris@13: } Chris@13: else { Chris@13: $input[$key] = static::stripDangerousValues($input[$key], $whitelist, $sanitized_keys); Chris@13: } Chris@13: } Chris@13: } Chris@13: return $input; Chris@13: } Chris@13: Chris@13: }