diff --git a/rector.php b/rector.php
index c814a7402c4d..4d06cad5598f 100644
--- a/rector.php
+++ b/rector.php
@@ -38,6 +38,7 @@
 use Rector\PHPUnit\CodeQuality\Rector\Class_\RemoveDataProviderParamKeysRector;
 use Rector\PHPUnit\CodeQuality\Rector\Class_\YieldDataProviderRector;
 use Rector\Privatization\Rector\Property\PrivatizeFinalClassPropertyRector;
+use Rector\Renaming\Rector\ConstFetch\RenameConstantRector;
 use Rector\Strict\Rector\Empty_\DisallowedEmptyRuleFixerRector;
 use Rector\Strict\Rector\If_\BooleanInIfConditionRuleFixerRector;
 use Rector\TypeDeclaration\Rector\ArrowFunction\AddArrowFunctionReturnTypeRector;
@@ -205,4 +206,7 @@
 // keep '\\' prefix string on string '\Foo\Bar'
 StringClassNameToClassConstantRector::SHOULD_KEEP_PRE_SLASH => true,
 ])
+->withConfiguredRule(RenameConstantRector::class, [
+'FILTER_DEFAULT' => 'FILTER_UNSAFE_RAW',
+])
 ->withCodeQualityLevel(34);
diff --git a/system/HTTP/IncomingRequest.php b/system/HTTP/IncomingRequest.php
index 72b1ce0ca5df..260f7457fadc 100644
--- a/system/HTTP/IncomingRequest.php
+++ b/system/HTTP/IncomingRequest.php
@@ -572,10 +572,10 @@ public function getJsonVar($index = null, bool $assoc = false, ?int $filter = nu
 return null;
 }
-$filter ??= FILTER_DEFAULT;
+$filter ??= FILTER_UNSAFE_RAW;
 $flags = is_array($flags) ? $flags : (is_numeric($flags) ? (int) $flags : 0);
-if ($filter !== FILTER_DEFAULT
+if ($filter !== FILTER_UNSAFE_RAW
 || (
 (is_numeric($flags) && $flags !== 0)
 || is_array($flags) && $flags !== []
@@ -656,12 +656,12 @@ public function getRawInputVar($index = null, ?int $filter = null, $flags = null
 [$output, $data] = [$data, null];
 }
-$filter ??= FILTER_DEFAULT;
+$filter ??= FILTER_UNSAFE_RAW;
 $flags = is_array($flags) ? $flags : (is_numeric($flags) ? (int) $flags : 0);
 if (is_array($output)
 && (
-$filter !== FILTER_DEFAULT
+$filter !== FILTER_UNSAFE_RAW
 || (
 (is_numeric($flags) && $flags !== 0)
 || is_array($flags) && $flags !== []
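Review bot: The new `withConfiguredRule(RenameConstantRector::class, …)` entry carries no comment saying why the rename is wanted, whereas the neighbouring option in the same hunk is documented (`// keep '\\' prefix string on string '\Foo\Bar'`). Because `FILTER_DEFAULT` is an alias of `FILTER_UNSAFE_RAW` (same constant value), a reader may otherwise assume the rule changes runtime behaviour. A one-line comment above the rule would settle it: `// FILTER_DEFAULT is an alias of FILTER_UNSAFE_RAW; use the explicit name so the absence of sanitization is visible at each call site`. Presumably the rule also rewrites any `FILTER_DEFAULT` fetch in test files under rector's configured paths, so a test meant to pin the legacy alias would need to be excluded from it.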
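Review bot: The `$filter !== FILTER_UNSAFE_RAW` comparison is what decides whether any filtering is applied, and nothing on the new side says that the default is a pass-through; a reader may also wonder whether callers still passing the legacy `FILTER_DEFAULT` take a different branch (they do not, the two constants are identical). Suggest a comment on the defaulting line: `// No filter means pass-through: FILTER_UNSAFE_RAW (alias FILTER_DEFAULT) applies no sanitization, so filter_var() is skipped unless flags are set.` getJsonVar's body continues outside the hunk, so the filtering call this condition guards is not visible here.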
diff --git a/system/HTTP/RequestTrait.php b/system/HTTP/RequestTrait.php
index 3c3da161a3be..e0efd46324a1 100644
--- a/system/HTTP/RequestTrait.php
+++ b/system/HTTP/RequestTrait.php
@@ -260,7 +260,7 @@ public function fetchGlobal(string $name, $index = null, ?int $filter = null, $f
 }
 // Null filters cause null values to return.
-$filter ??= FILTER_DEFAULT;
+$filter ??= FILTER_UNSAFE_RAW;
 $flags = is_array($flags) ? $flags : (is_numeric($flags) ? (int) $flags : 0);
 // Return all values when $index is null
@@ -312,7 +312,7 @@ public function fetchGlobal(string $name, $index = null, ?int $filter = null, $f
 if (is_array($value)
 && (
-$filter !== FILTER_DEFAULT
+$filter !== FILTER_UNSAFE_RAW
 || (
 (is_numeric($flags) && $flags !== 0)
 || is_array($flags) && $flags !== []
diff --git a/system/Helpers/cookie_helper.php b/system/Helpers/cookie_helper.php
index fb1c1f366fed..e3b10a1b60f6 100644
--- a/system/Helpers/cookie_helper.php
+++ b/system/Helpers/cookie_helper.php
@@ -88,7 +88,7 @@ function get_cookie($index, bool $xssClean = false, ?string $prefix = '')
 }
 $request = service('request');
-$filter = $xssClean ? FILTER_SANITIZE_FULL_SPECIAL_CHARS : FILTER_DEFAULT;
+$filter = $xssClean ? FILTER_SANITIZE_FULL_SPECIAL_CHARS : FILTER_UNSAFE_RAW;
 return $request->getCookie($prefix . $index, $filter);
 }
diff --git a/tests/system/HTTP/IncomingRequestTest.php b/tests/system/HTTP/IncomingRequestTest.php
index 1240d0885b23..eb6aa04d3a6a 100644
--- a/tests/system/HTTP/IncomingRequestTest.php
+++ b/tests/system/HTTP/IncomingRequestTest.php
@@ -607,6 +607,13 @@ public static function provideCanGrabGetRawInputVar(): iterable
 null,
 null,
 ],
+[
+'username=admin001&role=administrator&usepass=0',
+'username',
+'admin001',
+null,
+FILTER_UNSAFE_RAW,
+],
 [
 'username=admin001&role=administrator&usepass=0',
 ['role', 'usepass'],
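Review bot: The context comment `// Null filters cause null values to return.` directly above the changed line no longer describes it: the line replaces a null `$filter` with `FILTER_UNSAFE_RAW`, so nothing null is returned from this path. Since the line is being touched anyway, rewording the comment avoids misleading the next maintainer, e.g. `// Default a null filter to FILTER_UNSAFE_RAW (alias FILTER_DEFAULT): values pass through unsanitized.` fetchGlobal starts before and ends after this hunk.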
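Review bot: After the rename the non-`$xssClean` branch of get_cookie reads as what it is — the cookie value is handed back unsanitized — but neither the assignment nor, as far as this hunk shows, the function's documentation says so, and the `FILTER_SANITIZE_FULL_SPECIAL_CHARS` alternative only HTML-encodes, which is not a substitute for escaping in the context where the value is actually used (attribute, URL, JS). Suggest a comment above the assignment: `// Default: raw cookie value. $xssClean only HTML-encodes; escape for the real output context regardless.` get_cookie's signature appears only in the hunk header; the start of its body is outside the hunk.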
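Review bot: The added dataset cannot distinguish the pass-through filter from a sanitizing one: `admin001` contains no character that any of the sanitize filters would alter, so the row asserts the same thing as the `null, null` row above it and would pass even if `FILTER_UNSAFE_RAW` were silently ignored. If the body is parsed as a URL-encoded form, a value such as `username=admin%3C001` with expected `admin<001` would actually pin raw behaviour, since `FILTER_SANITIZE_FULL_SPECIAL_CHARS` would turn `<` into `&#60;`. The consuming test's parameter order is outside the hunk; if its columns are `(body, index, expected, filter, flags)`, then `FILTER_UNSAFE_RAW` in the fifth column is being passed as `$flags` rather than `$filter` — worth confirming against the test method.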