[UTIL] Sanitise instead of validate in common_copy_args()

And remove common_validate_utf8() which is now unused.
Alexei Sorokin 2020-09-15 14:53:35 +03:00
parent fde929b151
commit 2ef944d5c4
2 changed files with 14 additions and 34 deletions


@ -1234,27 +1234,6 @@ function common_shorten_links($text, $always = false, User $user=null)
} }
} }
/**
* Very basic stripping of invalid UTF-8 input text.
*
* @param string $str
* @return mixed string or null if invalid input
*
* @todo ideally we should drop bad chars, and maybe do some of the checks
* from common_xml_safe_str. But we can't strip newlines, etc.
* @todo Unicode normalization might also be useful, but not needed now.
*/
function common_validate_utf8($str)
{
// preg_replace will return NULL on invalid UTF-8 input.
//
// Note: empty regex //u also caused NULL return on some
// production machines, but none of our test machines.
//
// This should be replaced with a more reliable check.
return preg_replace('/\x00/u', '', $str);
}
/** /**
* Make sure an arbitrary string is safe for output in XML as a single line. * Make sure an arbitrary string is safe for output in XML as a single line.
* *
@ -2200,26 +2179,25 @@ function common_config_append($main, $sub, $value)
/** /**
* Pull arguments from a GET/POST/REQUEST array with first-level input checks: * Pull arguments from a GET/POST/REQUEST array with first-level input checks:
* strips "magic quotes" slashes if necessary, and kills invalid UTF-8 strings. * strips "magic quotes" slashes if necessary,
* and replaces invalid in UTF-8 sequences with question marks.
* *
* @param array $from * @param array $from
* @return array * @return array
*/ */
function common_copy_args($from) function common_copy_args(array $from): array
{ {
$to = [];
$strip = get_magic_quotes_gpc(); $strip = get_magic_quotes_gpc();
foreach ($from as $k => $v) { return array_map(function ($v) use ($strip) {
if (is_array($v)) { if (is_array($v)) {
$to[$k] = common_copy_args($v); return common_copy_args($v);
} else { } else {
if ($strip) { if ($strip) {
$v = stripslashes($v); $v = stripslashes($v);
} }
$to[$k] = strval(common_validate_utf8($v)); return mb_scrub($v);
} }
} }, $from);
return $to;
} }
/** /**
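Review bot: NUL bytes now survive common_copy_args(): the removed common_validate_utf8() ran `preg_replace('/\x00/u', '', $str)`, which stripped `\x00` as well as rejecting invalid UTF-8, whereas `mb_scrub($v)` treats U+0000 as a valid code point and leaves it in place. If any consumer of these request arguments relied on that stripping (not visible on this page), keep it in the new return line, e.g. `return str_replace("\0", '', mb_scrub($v, 'UTF-8'));`. Naming the encoding also makes the result independent of `mb_internal_encoding()`, which this hunk does not show being set to UTF-8, so the docblock's promise about UTF-8 sequences holds regardless of configuration.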


@ -305,14 +305,16 @@ function main()
// If the site is private, and they're not on one of the "public" // If the site is private, and they're not on one of the "public"
// parts of the site, redirect to login // parts of the site, redirect to login
if (!$user && common_config('site', 'private') if (
is_null($user)
&& common_config('site', 'private')
&& !isLoginAction($action) && !isLoginAction($action)
&& !preg_match('/rss$/', $action) && !preg_match('/rss$/', $action)
&& $action != 'robotstxt' && $action !== 'robotstxt'
&& !preg_match('/^Api/', $action)) { && !preg_match('/^Api/', $action)
) {
// set returnto // set returnto
$rargs =& common_copy_args($args); $rargs = common_copy_args($args);
unset($rargs['action']); unset($rargs['action']);
if (common_config('site', 'fancy')) { if (common_config('site', 'fancy')) {
unset($rargs['p']); unset($rargs['p']);