1 bootstrap.inc _backdrop_bootstrap_sanitize_request()

Sanitizes unsafe input from the PHP request super-globals.

File

core/includes/bootstrap.inc, line 3310
Functions that need to be loaded on every Backdrop request.

Code

function _backdrop_bootstrap_sanitize_request() {
  // Remove dangerous keys from input data.
  $allowlist = settings_get('sanitize_input_allowlist', array());
  if (empty($allowlist)) {
    // @todo Remove forbidden backwards compatibility word in Backdrop 2.x.
    // cspell:disable-next-line
    $allowlist = settings_get('sanitize_input_whitelist', array());
  }
  $log_sanitized_keys = settings_get('sanitize_input_logging');

  // Process query string parameters.
  $sanitized_keys = _backdrop_bootstrap_sanitize_input($_GET, $allowlist);
  if ($sanitized_keys && $log_sanitized_keys) {
    trigger_error(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $sanitized_keys))), E_USER_WARNING);
  }
  // Process request body parameters.
  $sanitized_keys = _backdrop_bootstrap_sanitize_input($_POST, $allowlist);
  if ($sanitized_keys && $log_sanitized_keys) {
    trigger_error(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $sanitized_keys))), E_USER_WARNING);
  }
  // Process cookie parameters.
  $sanitized_keys = _backdrop_bootstrap_sanitize_input($_COOKIE, $allowlist);
  if ($sanitized_keys && $log_sanitized_keys) {
    trigger_error(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $sanitized_keys))), E_USER_WARNING);
  }
  // Process request global. No need to log; already logged in $_GET and $_POST.
  _backdrop_bootstrap_sanitize_input($_REQUEST, $allowlist);

  // Sanitize the destination parameter (which is often used for redirects) to
  // prevent open redirect attacks leading to other domains. Sanitize both
  // $_GET['destination'] and $_REQUEST['destination'] to protect code that
  // relies on either, but do not sanitize $_POST to avoid interfering with
  // unrelated form submissions. The sanitization happens here because
  // url_is_external() requires settings.php variables to be available.
  if (isset($_GET['destination']) || isset($_REQUEST['destination'])) {
    require_once BACKDROP_ROOT . '/core/includes/common.inc';
    // If the destination is an external URL, remove it.
    if (isset($_GET['destination']) && url_is_external($_GET['destination'])) {
      $sanitized_keys = array('External URL in GET: ' . $_GET['destination']);
    }
    // If there's still something in $_REQUEST['destination'] that didn't come
    // from $_GET, check it too.
    if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && url_is_external($_REQUEST['destination'])) {
      $sanitized_keys = array('External URL in REQUEST: ' . $_REQUEST['destination']);
    }

    // If there is a query string, check its query parameters.
    if (isset($_GET['destination'])) {
      $destination_parts = backdrop_parse_url($_GET['destination']);
    }

    if (!empty($destination_parts['query'])) {
      $sanitized_keys = _backdrop_bootstrap_sanitize_input($destination_parts['query'], $allowlist);
    }

    if ($sanitized_keys) {
      unset($_GET['destination']);
      unset($_REQUEST['destination']);
      if ($log_sanitized_keys) {
        trigger_error(format_string('Potentially unsafe values removed from the destination query parameter: @keys', array('@keys' => implode(', ', $sanitized_keys))), E_USER_WARNING);
      }
    }
  }
}