Verzeichnisstruktur phpBB-3.2.0
- Veröffentlicht
- 06.01.2017
So funktioniert es
|
|
Auf das letzte Element klicken. Dies geht jeweils ein Schritt zurück |
Auf das Icon klicken, dies öffnet das Verzeichnis. Nochmal klicken schließt das Verzeichnis. |
|
|
(Beispiel Datei-Icons)
|
Auf das Icon klicken um den Quellcode anzuzeigen |
request.php
001 <?php
002 /**
003 *
004 * This file is part of the phpBB Forum Software package.
005 *
006 * @copyright (c) phpBB Limited <https://www.phpbb.com>
007 * @license GNU General Public License, version 2 (GPL-2.0)
008 *
009 * For full copyright and license information, please see
010 * the docs/CREDITS.txt file.
011 *
012 */
013
014 namespace phpbb\request;
015
016 /**
017 * All application input is accessed through this class.
018 *
019 * It provides a method to disable access to input data through super globals.
020 * This should force MOD authors to read about data validation.
021 */
022 class request implements \phpbb\request\request_interface
023 {
024 /**
025 * @var array The names of super global variables that this class should protect if super globals are disabled.
026 */
027 protected $super_globals = array(
028 \phpbb\request\request_interface::POST => '_POST',
029 \phpbb\request\request_interface::GET => '_GET',
030 \phpbb\request\request_interface::REQUEST => '_REQUEST',
031 \phpbb\request\request_interface::COOKIE => '_COOKIE',
032 \phpbb\request\request_interface::SERVER => '_SERVER',
033 \phpbb\request\request_interface::FILES => '_FILES',
034 );
035
036 /**
037 * @var array Stores original contents of $_REQUEST array.
038 */
039 protected $original_request = null;
040
041 /**
042 * @var
043 */
044 protected $super_globals_disabled = false;
045
046 /**
047 * @var array An associative array that has the value of super global constants as keys and holds their data as values.
048 */
049 protected $input;
050
051 /**
052 * @var \phpbb\request\type_cast_helper_interface An instance of a type cast helper providing convenience methods for type conversions.
053 */
054 protected $type_cast_helper;
055
056 /**
057 * Initialises the request class, that means it stores all input data in {@link $input input}
058 * and then calls {@link \phpbb\request\deactivated_super_global \phpbb\request\deactivated_super_global}
059 */
060 public function __construct(\phpbb\request\type_cast_helper_interface $type_cast_helper = null, $disable_super_globals = true)
061 {
062 if ($type_cast_helper)
063 {
064 $this->type_cast_helper = $type_cast_helper;
065 }
066 else
067 {
068 $this->type_cast_helper = new \phpbb\request\type_cast_helper();
069 }
070
071 foreach ($this->super_globals as $const => $super_global)
072 {
073 $this->input[$const] = isset($GLOBALS[$super_global]) ? $GLOBALS[$super_global] : array();
074 }
075
076 // simulate request_order = GP
077 $this->original_request = $this->input[\phpbb\request\request_interface::REQUEST];
078 $this->input[\phpbb\request\request_interface::REQUEST] = $this->input[\phpbb\request\request_interface::POST] + $this->input[\phpbb\request\request_interface::GET];
079
080 if ($disable_super_globals)
081 {
082 $this->disable_super_globals();
083 }
084 }
085
086 /**
087 * Getter for $super_globals_disabled
088 *
089 * @return bool Whether super globals are disabled or not.
090 */
091 public function super_globals_disabled()
092 {
093 return $this->super_globals_disabled;
094 }
095
096 /**
097 * Disables access of super globals specified in $super_globals.
098 * This is achieved by overwriting the super globals with instances of {@link \phpbb\request\deactivated_super_global \phpbb\request\deactivated_super_global}
099 */
100 public function disable_super_globals()
101 {
102 if (!$this->super_globals_disabled)
103 {
104 foreach ($this->super_globals as $const => $super_global)
105 {
106 unset($GLOBALS[$super_global]);
107 $GLOBALS[$super_global] = new \phpbb\request\deactivated_super_global($this, $super_global, $const);
108 }
109
110 $this->super_globals_disabled = true;
111 }
112 }
113
114 /**
115 * Enables access of super globals specified in $super_globals if they were disabled by {@link disable_super_globals disable_super_globals}.
116 * This is achieved by making the super globals point to the data stored within this class in {@link $input input}.
117 */
118 public function enable_super_globals()
119 {
120 if ($this->super_globals_disabled)
121 {
122 foreach ($this->super_globals as $const => $super_global)
123 {
124 $GLOBALS[$super_global] = $this->input[$const];
125 }
126
127 $GLOBALS['_REQUEST'] = $this->original_request;
128
129 $this->super_globals_disabled = false;
130 }
131 }
132
133 /**
134 * This function allows overwriting or setting a value in one of the super global arrays.
135 *
136 * Changes which are performed on the super globals directly will not have any effect on the results of
137 * other methods this class provides. Using this function should be avoided if possible! It will
138 * consume twice the the amount of memory of the value
139 *
140 * @param string $var_name The name of the variable that shall be overwritten
141 * @param mixed $value The value which the variable shall contain.
142 * If this is null the variable will be unset.
143 * @param \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE $super_global
144 * Specifies which super global shall be changed
145 */
146 public function overwrite($var_name, $value, $super_global = \phpbb\request\request_interface::REQUEST)
147 {
148 if (!isset($this->super_globals[$super_global]))
149 {
150 return;
151 }
152
153 $this->type_cast_helper->add_magic_quotes($value);
154
155 // setting to null means unsetting
156 if ($value === null)
157 {
158 unset($this->input[$super_global][$var_name]);
159 if (!$this->super_globals_disabled())
160 {
161 unset($GLOBALS[$this->super_globals[$super_global]][$var_name]);
162 }
163 }
164 else
165 {
166 $this->input[$super_global][$var_name] = $value;
167 if (!$this->super_globals_disabled())
168 {
169 $GLOBALS[$this->super_globals[$super_global]][$var_name] = $value;
170 }
171 }
172
173 if (!$this->super_globals_disabled())
174 {
175 unset($GLOBALS[$this->super_globals[$super_global]][$var_name]);
176 $GLOBALS[$this->super_globals[$super_global]][$var_name] = $value;
177 }
178 }
179
180 /**
181 * Central type safe input handling function.
182 * All variables in GET or POST requests should be retrieved through this function to maximise security.
183 *
184 * @param string|array $var_name The form variable's name from which data shall be retrieved.
185 * If the value is an array this may be an array of indizes which will give
186 * direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
187 * then specifying array("var", 1) as the name will return "a".
188 * @param mixed $default A default value that is returned if the variable was not set.
189 * This function will always return a value of the same type as the default.
190 * @param bool $multibyte If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters
191 * Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
192 * @param \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE $super_global
193 * Specifies which super global should be used
194 *
195 * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
196 * the same as that of $default. If the variable is not set $default is returned.
197 */
198 public function variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST)
199 {
200 return $this->_variable($var_name, $default, $multibyte, $super_global, true);
201 }
202
203 /**
204 * Get a variable, but without trimming strings.
205 * Same functionality as variable(), except does not run trim() on strings.
206 * This method should be used when handling passwords.
207 *
208 * @param string|array $var_name The form variable's name from which data shall be retrieved.
209 * If the value is an array this may be an array of indizes which will give
210 * direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
211 * then specifying array("var", 1) as the name will return "a".
212 * @param mixed $default A default value that is returned if the variable was not set.
213 * This function will always return a value of the same type as the default.
214 * @param bool $multibyte If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters
215 * Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
216 * @param \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE $super_global
217 * Specifies which super global should be used
218 *
219 * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
220 * the same as that of $default. If the variable is not set $default is returned.
221 */
222 public function untrimmed_variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST)
223 {
224 return $this->_variable($var_name, $default, $multibyte, $super_global, false);
225 }
226
227 /**
228 * {@inheritdoc}
229 */
230 public function raw_variable($var_name, $default, $super_global = \phpbb\request\request_interface::REQUEST)
231 {
232 $path = false;
233
234 // deep direct access to multi dimensional arrays
235 if (is_array($var_name))
236 {
237 $path = $var_name;
238 // make sure at least the variable name is specified
239 if (empty($path))
240 {
241 return (is_array($default)) ? array() : $default;
242 }
243 // the variable name is the first element on the path
244 $var_name = array_shift($path);
245 }
246
247 if (!isset($this->input[$super_global][$var_name]))
248 {
249 return (is_array($default)) ? array() : $default;
250 }
251 $var = $this->input[$super_global][$var_name];
252
253 if ($path)
254 {
255 // walk through the array structure and find the element we are looking for
256 foreach ($path as $key)
257 {
258 if (is_array($var) && isset($var[$key]))
259 {
260 $var = $var[$key];
261 }
262 else
263 {
264 return (is_array($default)) ? array() : $default;
265 }
266 }
267 }
268
269 return $var;
270 }
271
272 /**
273 * Shortcut method to retrieve SERVER variables.
274 *
275 * Also fall back to getenv(), some CGI setups may need it (probably not, but
276 * whatever).
277 *
278 * @param string|array $var_name See \phpbb\request\request_interface::variable
279 * @param mixed $Default See \phpbb\request\request_interface::variable
280 *
281 * @return mixed The server variable value.
282 */
283 public function server($var_name, $default = '')
284 {
285 $multibyte = true;
286
287 if ($this->is_set($var_name, \phpbb\request\request_interface::SERVER))
288 {
289 return $this->variable($var_name, $default, $multibyte, \phpbb\request\request_interface::SERVER);
290 }
291 else
292 {
293 $var = getenv($var_name);
294 $this->type_cast_helper->recursive_set_var($var, $default, $multibyte);
295 return $var;
296 }
297 }
298
299 /**
300 * Shortcut method to retrieve the value of client HTTP headers.
301 *
302 * @param string|array $header_name The name of the header to retrieve.
303 * @param mixed $default See \phpbb\request\request_interface::variable
304 *
305 * @return mixed The header value.
306 */
307 public function header($header_name, $default = '')
308 {
309 $var_name = 'HTTP_' . str_replace('-', '_', strtoupper($header_name));
310 return $this->server($var_name, $default);
311 }
312
313 /**
314 * Shortcut method to retrieve $_FILES variables
315 *
316 * @param string $form_name The name of the file input form element
317 *
318 * @return array The uploaded file's information or an empty array if the
319 * variable does not exist in _FILES.
320 */
321 public function file($form_name)
322 {
323 return $this->variable($form_name, array('name' => 'none'), true, \phpbb\request\request_interface::FILES);
324 }
325
326 /**
327 * Checks whether a certain variable was sent via POST.
328 * To make sure that a request was sent using POST you should call this function
329 * on at least one variable.
330 *
331 * @param string $name The name of the form variable which should have a
332 * _p suffix to indicate the check in the code that creates the form too.
333 *
334 * @return bool True if the variable was set in a POST request, false otherwise.
335 */
336 public function is_set_post($name)
337 {
338 return $this->is_set($name, \phpbb\request\request_interface::POST);
339 }
340
341 /**
342 * Checks whether a certain variable is set in one of the super global
343 * arrays.
344 *
345 * @param string $var Name of the variable
346 * @param \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE $super_global
347 * Specifies the super global which shall be checked
348 *
349 * @return bool True if the variable was sent as input
350 */
351 public function is_set($var, $super_global = \phpbb\request\request_interface::REQUEST)
352 {
353 return isset($this->input[$super_global][$var]);
354 }
355
356 /**
357 * Checks whether the current request is an AJAX request (XMLHttpRequest)
358 *
359 * @return bool True if the current request is an ajax request
360 */
361 public function is_ajax()
362 {
363 return $this->header('X-Requested-With') == 'XMLHttpRequest';
364 }
365
366 /**
367 * Checks if the current request is happening over HTTPS.
368 *
369 * @return bool True if the request is secure.
370 */
371 public function is_secure()
372 {
373 $https = $this->server('HTTPS');
374 $https = $this->server('HTTP_X_FORWARDED_PROTO') === 'https' ? 'on' : $https;
375 return !empty($https) && $https !== 'off';
376 }
377
378 /**
379 * Returns all variable names for a given super global
380 *
381 * @param \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE $super_global
382 * The super global from which names shall be taken
383 *
384 * @return array All variable names that are set for the super global.
385 * Pay attention when using these, they are unsanitised!
386 */
387 public function variable_names($super_global = \phpbb\request\request_interface::REQUEST)
388 {
389 if (!isset($this->input[$super_global]))
390 {
391 return array();
392 }
393
394 return array_keys($this->input[$super_global]);
395 }
396
397 /**
398 * Helper function used by variable() and untrimmed_variable().
399 *
400 * @param string|array $var_name The form variable's name from which data shall be retrieved.
401 * If the value is an array this may be an array of indizes which will give
402 * direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
403 * then specifying array("var", 1) as the name will return "a".
404 * @param mixed $default A default value that is returned if the variable was not set.
405 * This function will always return a value of the same type as the default.
406 * @param bool $multibyte If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters
407 * Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
408 * @param \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE $super_global
409 * Specifies which super global should be used
410 * @param bool $trim Indicates whether trim() should be applied to string values.
411 *
412 * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
413 * the same as that of $default. If the variable is not set $default is returned.
414 */
415 protected function _variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST, $trim = true)
416 {
417 $var = $this->raw_variable($var_name, $default, $super_global);
418
419 // Return prematurely if raw variable is empty array or the same as
420 // the default. Using strict comparison to ensure that one can't
421 // prevent proper type checking on any input variable
422 if ($var === array() || $var === $default)
423 {
424 return $var;
425 }
426
427 $this->type_cast_helper->recursive_set_var($var, $default, $multibyte, $trim);
428
429 return $var;
430 }
431
432 /**
433 * {@inheritdoc}
434 */
435 public function get_super_global($super_global = \phpbb\request\request_interface::REQUEST)
436 {
437 return $this->input[$super_global];
438 }
439
440 /**
441 * {@inheritdoc}
442 */
443 public function escape($var, $multibyte)
444 {
445 if (is_array($var))
446 {
447 $result = array();
448 foreach ($var as $key => $value)
449 {
450 $this->type_cast_helper->set_var($key, $key, gettype($key), $multibyte);
451 $result[$key] = $this->escape($value, $multibyte);
452 }
453 $var = $result;
454 }
455 else
456 {
457 $this->type_cast_helper->set_var($var, $var, 'string', $multibyte);
458 }
459
460 return $var;
461 }
462 }
463