|
PntHttpRequest |
PntRequestHandler |
PntSite |
PntStringConverter |
|
__construct |
getCookie |
getCpPattern |
getFunkyRequestData |
getRequestData |
getRequestParam |
getServerValue |
initHttpData |
logValidationWarning |
noMagicQuotesGpc |
pregValidate |
sanitizeGpc |
sanitizePhpAuth |
sanitizeServerValue |
validateCookieName |
validateForNullChar |
validateGpc |
validateGpcValue |
validateMinMaxValue |
validateParamName |
validatePhpAuth |
validateServerValue |
validateServerVarName |
validateServerVars |
validateSessionId |
|
<?php
/* Copyright (c) MetaClass, 2012-2017
Distributed and licensed under under the terms of the GNU Affero General Public License
version 3, or (at your option) any later version.
This program is distributed WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the License, http://www.gnu.org/licenses/agpl.txt */
Gen::includeClass('PntValidationException', 'pnt/secu');
/** Http request validator. Logs validation warnings for bad input. Returns only valid input.
* Unlike ValueValidator, who expects the characters to be encoded in ValueValidator::getInternalCharset,
* this validator expects characters to be encoded as in the http request.
* StringConverter may convert from the request encoding to the internal encoding
* (but by default it does no conversion of character encoding)
* In this default implementation:
* - keys are validated to hold only alphanumeric character, dasches and underscores
* - Http header values are validated to hold visible ASCII characters. Some are validated to a
* specific character whitelist or preg pattern
* - PHP_AUTH_USER and 'PHP_AUTH_PW characters are expected to be valid (like with ISO-8859-1) #
* - requestData and cookies: all characters are expected to be valid (like with ISO-8859-1) #
* - other server variable are not validated. They are expected to come from http server settings
* or other reliable sources.
* # To be overridden on subclass HttpValidator to validate/sanitize input using other character set(s)
* like UTF-8, as this implementarion will NOT adapt automatically to a change in StringConverter::getLabelCharset
* May be overridden to do (more) sanitization.
*
* Unlike the OWASP ESAPI SafeRequest class this class does not do canonalization and
* does not explcitly use mbstrings functions. Its behavior with multi byte strings has not been tested
* and may be different depending on ini settings for mbstring.func_overload and mbstring.encoding_translation
*
* This class does not delegate to ValueValidator because ValueValidator must work with the
* character set it defines in ::getInternalCharset and return user error messages,
* while most of the validations here are specific to ASCII and the error messages are for logging
* to be evaluated later by the application administrator.
* @package pnt/web
*/
class PntHttpRequest {
public $serverVarValidationFatal; //value set overrides constructor parameter
public $gpcValidationFatal; //value set overrides constructor parameter
public $pcre_backtrack_limit = 100000; //default limit
//language dependent strings, may be overridden on HttpValidator
public $tooShort = 'too short';
public $tooLong = 'too long';
public $tooLow = 'too low';
public $tooHigh = 'too high';
public $invalid = 'invalid';
public $serverVarValidationFailed = 'Server variable validation failed for';
public $gpcValidationFailed = 'Gpc validation failed for';
/** result of ::validateServerVars kept as a context for ::validateGpc */
public $serverVars;
public $cookies;
public $get;
public $post;
/************************************************************************************
* preg and char patterns @copyright 2007-2010 The OWASP Foundation as part of the
* OWASP Enterprise Security API (ESAPI) (SafeRequest class)
* @author jah <jah@jahboite.co.uk>
* @license http://www.opensource.org/licenses/bsd-license.php New BSD license
* @version SVN: espi4php-1.0a
* @link http://www.owasp.org/index.php/ESAPI
* LICENSE: These patterns are subject to the New BSD license. You should read
* and accept the LICENSE before you use, modify, and/or redistribute this software.
*/
//pattern delimiters and D added by MetaClass
public $serverPatterns = array(
'REQUEST_METHOD' => '~^(GET|HEAD|POST|TRACE|OPTIONS|PUT|DELETE)$~D' //PUT|DELETE added by MetaClass for restful web services
, 'AUTH_TYPE' => '~^([dD][iI][gG][eE][sS][tT]|[bB][aA][sS][iI][cC])$~D'
, 'REMOTE_HOST' => '~^((?:(?:[0-9a-zA-Z][0-9a-zA-Z\-]{0,61}[0-9a-zA-Z])\.)*[a-zA-Z]{2,4}|[0-9a-zA-Z][0-9a-zA-Z\-]{0,61}[0-9a-zA-Z])$~D'
);
//REMOTE_ADDR, SERVER_ADDR
public $ipV4Pattern = '~^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$~D';
//generic preg character class pieces, backslashes for escaping added by MetaClass
public $httpCookieNamePat = '\\-_'; // \\- added by MetaClass because errors are too frequent and do not seem malicious
public $headerNameCp = '\\-_'; //actually $_SERVER has no names with -
public $headerValueCp = '!"#$%&\'()*+,\\-./\\\\;:<=>?@[\\]\\^_`{|}\\~ '; //"\t" added in constructor //basically all visible ASCII characters and tab
//generic preg character class pieces, backslashes for escaping added by MetaClass
public $serverCps = array(
'QUERY_STRING' => ' &()*+,\\-./;:=?_%!'
//% added by metaclass so that url encoded octets can get through
//! added by metaclass because js encodeURIComponent does not encode it
// , 'HTTP_HOST' => '\\-._' //strange, there is a specific pattern too, to look up in saferequest
, 'REMOTE_USER' => '!#$%&\'*+\\-.\\^_`|\\~'
, 'SCRIPT_NAME' => '!$%&\'()*+\\-,./:=@_\\~' //and REQUEST_URI with '?' added
);
public $filePathCp = ' !#$%&\'()+,-./=@[\\]\\^_`{}\\~\\\\'; //PATH_TRANSLATED
//modified by MetaClass to require eventual sign to be at the start
public $integerPattern = '/^(\\+|\\-)?[0-9]+$/'; //CONTENT_LENGTH
public $minLengths = array(
'REQUEST_METHOD' => 3
, 'SCRIPT_NAME' => 1
);
public $maxLengths = array(
'AUTH_TYPE' => 6
, 'CONTENT_TYPE' => 4096
, 'PATH_INFO' => 4096
, 'PATH_TRANSLATED' => 4096
, 'QUERY_STRING' => 4096
, 'REMOTE_HOST' => 255
, 'REMOTE_USER' => 255
, 'REQUEST_METHOD' => 7
, 'SERVER_NAME' => 255
, 'REMOTE_ADDR' => 15
, 'SERVER_ADDR' => 15
, 'SERVER_PROTOCOL' => 8
);
public $maxValues = array(
'CONTENT_LENGTH' => 2147483647 //PHP_INT_MAX on 32 bits
, 'SERVER_PORT' => 65535
);
/***************************************************************************
* the rest of this file is copyright (c) MetaClass, 2012 */
public $sessionIdCp = ',\-'; //to be overridden if non-standard session ids are used
public $logger;
public $gpcCharset;
public $nullChar;
public $validServerVars;
public $error;
|
Copyright (c) MetaClass, 2003-
This code is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This code is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
Click here for a copy of the license or see http://www.gnu.org/licenses/ .
|
|