HttpRequest: drops non-UTF8 strings, but control characters only removes

dg · dg · commit 9ad00c819e43 · 2015-02-20T01:15:22.000+01:00
diff --git a/src/Http/RequestFactory.php b/src/Http/RequestFactory.php
@@ -19,7 +19,7 @@
 class RequestFactory extends Nette\Object
 {
 	/** @internal */
-	const CHARS = '#^[\x09\x0A\x0D\x20-\x7E\xA0-\x{10FFFF}]*+\z#u';
+	const CHARS = '\x09\x0A\x0D\x20-\x7E\xA0-\x{10FFFF}';
 
 	/** @var array */
 	public $urlFilters = array(
@@ -137,6 +137,7 @@ public function createHttpRequest()
 		$gpc = (bool) get_magic_quotes_gpc();
 
 		// remove fucking quotes, control characters and check encoding
+		$reChars = '#^[' . self::CHARS . ']*+\z#u';
 		if ($gpc || !$this->binary) {
 			$list = array(& $query, & $post, & $cookies);
 			while (list($key, $val) = each($list)) {
@@ -147,7 +148,7 @@ public function createHttpRequest()
 						$k = stripslashes($k);
 					}
 
-					if (!$this->binary && is_string($k) && (!preg_match(self::CHARS, $k) || preg_last_error())) {
+					if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) || preg_last_error())) {
 						// invalid key -> ignore
 
 					} elseif (is_array($v)) {
@@ -158,8 +159,8 @@ public function createHttpRequest()
 						if ($gpc && !$useFilter) {
 							$v = stripSlashes($v);
 						}
-						if (!$this->binary && (!preg_match(self::CHARS, $v) || preg_last_error())) {
-							$v = '';
+						if (!$this->binary) {
+							$v = (string) preg_replace('#[^' . self::CHARS . ']+#u', '', $v);
 						}
 						$list[$key][$k] = $v;
 					}
@@ -174,7 +175,7 @@ public function createHttpRequest()
 		$list = array();
 		if (!empty($_FILES)) {
 			foreach ($_FILES as $k => $v) {
-				if (!$this->binary && is_string($k) && (!preg_match(self::CHARS, $k) || preg_last_error())) {
+				if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) || preg_last_error())) {
 					continue;
 				}
 				$v['@'] = & $files[$k];
@@ -190,7 +191,7 @@ public function createHttpRequest()
 				if ($gpc) {
 					$v['name'] = stripSlashes($v['name']);
 				}
-				if (!$this->binary && (!preg_match(self::CHARS, $v['name']) || preg_last_error())) {
+				if (!$this->binary && (!preg_match($reChars, $v['name']) || preg_last_error())) {
 					$v['name'] = '';
 				}
 				if ($v['error'] !== UPLOAD_ERR_NO_FILE) {
@@ -200,7 +201,7 @@ public function createHttpRequest()
 			}
 
 			foreach ($v['name'] as $k => $foo) {
-				if (!$this->binary && is_string($k) && (!preg_match(self::CHARS, $k) || preg_last_error())) {
+				if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) || preg_last_error())) {
 					continue;
 				}
 				$list[] = array(
diff --git a/tests/Http/Request.invalidEncoding.phpt b/tests/Http/Request.invalidEncoding.phpt
@@ -13,7 +13,7 @@ require __DIR__ . '/../bootstrap.php';
 
 // Setup environment
 define('INVALID', "\xC4\x76\xC5\xBE");
-define('CONTROL_CHARACTERS', "A\x00B\x80C");
+define('CONTROL_CHARACTERS', "A\x01B\x02C");
 
 $_GET = array(
 	'invalid' => INVALID,
@@ -61,27 +61,6 @@ $_FILES = array(
 		'error' => 0,
 		'size' => 209,
 	),
-	'file2' => array(
-		'name' => array(
-			2 => INVALID,
-		),
-
-		'type' => array(
-			2 => INVALID,
-		),
-
-		'tmp_name' => array(
-			2 => 'C:\\PHP\\temp\\php1D5C.tmp',
-		),
-
-		'error' => array(
-			2 => 0,
-		),
-
-		'size' => array(
-			2 => 3013,
-		),
-	),
 );
 
 test(function() { // unfiltered data
@@ -118,19 +97,19 @@ test(function() { // filtered data
 	$request = $factory->createHttpRequest();
 
 	Assert::same( '', $request->getQuery('invalid') );
-	Assert::same( '', $request->getQuery('control') );
+	Assert::same( 'ABC', $request->getQuery('control') );
 	Assert::null( $request->getQuery(INVALID) );
 	Assert::null( $request->getQuery(CONTROL_CHARACTERS) );
 	Assert::false( isset($request->query['array'][INVALID]) );
 
 	Assert::same( '', $request->getPost('invalid') );
-	Assert::same( '', $request->getPost('control') );
+	Assert::same( 'ABC', $request->getPost('control') );
 	Assert::null( $request->getPost(INVALID) );
 	Assert::null( $request->getPost(CONTROL_CHARACTERS) );
 	Assert::false( isset($request->post['array'][INVALID]) );
 
 	Assert::same( '', $request->getCookie('invalid') );
-	Assert::same( '', $request->getCookie('control') );
+	Assert::same( 'ABC', $request->getCookie('control') );
 	Assert::null( $request->getCookie(INVALID) );
 	Assert::null( $request->getCookie(CONTROL_CHARACTERS) );
 	Assert::false( isset($request->cookies['array'][INVALID]) );
@@ -139,6 +118,4 @@ test(function() { // filtered data
 	Assert::null( $request->getFile(CONTROL_CHARACTERS) );
 	Assert::type( 'Nette\Http\FileUpload', $request->files['file1'] );
 	Assert::same( '', $request->files['file1']->name );
-	Assert::type( 'Nette\Http\FileUpload', $request->files['file2'][2] );
-	Assert::same( '', $request->files['file2'][2]->name );
 });

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@`
`19`	`19`	`class RequestFactory extends Nette\Object`
`20`	`20`	`{`
`21`	`21`	`/** @internal */`
`22`		`- const CHARS = '#^[\x09\x0A\x0D\x20-\x7E\xA0-\x{10FFFF}]*+\z#u';`
	`22`	`+ const CHARS = '\x09\x0A\x0D\x20-\x7E\xA0-\x{10FFFF}';`
`23`	`23`
`24`	`24`	`/** @var array */`
`25`	`25`	`public $urlFilters = array(`
`@@ -137,6 +137,7 @@ public function createHttpRequest()`
`137`	`137`	`$gpc = (bool) get_magic_quotes_gpc();`
`138`	`138`
`139`	`139`	`// remove fucking quotes, control characters and check encoding`
	`140`	`+ $reChars = '#^[' . self::CHARS . ']*+\z#u';`
`140`	`141`	`if ($gpc \|\| !$this->binary) {`
`141`	`142`	`$list = array(& $query, & $post, & $cookies);`
`142`	`143`	`while (list($key, $val) = each($list)) {`
`@@ -147,7 +148,7 @@ public function createHttpRequest()`
`147`	`148`	`$k = stripslashes($k);`
`148`	`149`	`}`
`149`	`150`
`150`		`- if (!$this->binary && is_string($k) && (!preg_match(self::CHARS, $k) \|\| preg_last_error())) {`
	`151`	`+ if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error())) {`
`151`	`152`	`// invalid key -> ignore`
`152`	`153`
`153`	`154`	`} elseif (is_array($v)) {`
`@@ -158,8 +159,8 @@ public function createHttpRequest()`
`158`	`159`	`if ($gpc && !$useFilter) {`
`159`	`160`	`$v = stripSlashes($v);`
`160`	`161`	`}`
`161`		`- if (!$this->binary && (!preg_match(self::CHARS, $v) \|\| preg_last_error())) {`
`162`		`- $v = '';`
	`162`	`+ if (!$this->binary) {`
	`163`	`+ $v = (string) preg_replace('#[^' . self::CHARS . ']+#u', '', $v);`
`163`	`164`	`}`
`164`	`165`	`$list[$key][$k] = $v;`
`165`	`166`	`}`
`@@ -174,7 +175,7 @@ public function createHttpRequest()`
`174`	`175`	`$list = array();`
`175`	`176`	`if (!empty($_FILES)) {`
`176`	`177`	`foreach ($_FILES as $k => $v) {`
`177`		`- if (!$this->binary && is_string($k) && (!preg_match(self::CHARS, $k) \|\| preg_last_error())) {`
	`178`	`+ if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error())) {`
`178`	`179`	`continue;`
`179`	`180`	`}`
`180`	`181`	`$v['@'] = & $files[$k];`
`@@ -190,7 +191,7 @@ public function createHttpRequest()`
`190`	`191`	`if ($gpc) {`
`191`	`192`	`$v['name'] = stripSlashes($v['name']);`
`192`	`193`	`}`
`193`		`- if (!$this->binary && (!preg_match(self::CHARS, $v['name']) \|\| preg_last_error())) {`
	`194`	`+ if (!$this->binary && (!preg_match($reChars, $v['name']) \|\| preg_last_error())) {`
`194`	`195`	`$v['name'] = '';`
`195`	`196`	`}`
`196`	`197`	`if ($v['error'] !== UPLOAD_ERR_NO_FILE) {`
`@@ -200,7 +201,7 @@ public function createHttpRequest()`
`200`	`201`	`}`
`201`	`202`
`202`	`203`	`foreach ($v['name'] as $k => $foo) {`
`203`		`- if (!$this->binary && is_string($k) && (!preg_match(self::CHARS, $k) \|\| preg_last_error())) {`
	`204`	`+ if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error())) {`
`204`	`205`	`continue;`
`205`	`206`	`}`
`206`	`207`	`$list[] = array(`