Page MenuHomestyx hydra
Files F233020

No OneTemporary
Actions

View Options

diff --git a/src/aphront/AphrontRequest.php b/src/aphront/AphrontRequest.php
index 282ed13774..aba20d6747 100644
--- a/src/aphront/AphrontRequest.php
+++ b/src/aphront/AphrontRequest.php
@@ -1,337 +1,392 @@
<?php
/**
*
* @task data Accessing Request Data
*
* @group aphront
*/
final class AphrontRequest {
// NOTE: These magic request-type parameters are automatically included in
// certain requests (e.g., by phabricator_render_form(), JX.Request,
// JX.Workflow, and ConduitClient) and help us figure out what sort of
// response the client expects.
const TYPE_AJAX = '__ajax__';
const TYPE_FORM = '__form__';
const TYPE_CONDUIT = '__conduit__';
const TYPE_WORKFLOW = '__wflow__';
+ const TYPE_CONTINUE = '__continue__';
private $host;
private $path;
private $requestData;
private $user;
private $applicationConfiguration;
final public function __construct($host, $path) {
$this->host = $host;
$this->path = $path;
}
final public function setApplicationConfiguration(
$application_configuration) {
$this->applicationConfiguration = $application_configuration;
return $this;
}
final public function getApplicationConfiguration() {
return $this->applicationConfiguration;
}
final public function setPath($path) {
$this->path = $path;
return $this;
}
final public function getPath() {
return $this->path;
}
final public function getHost() {
// The "Host" header may include a port number, or may be a malicious
// header in the form "realdomain.com:ignored@evil.com". Invoke the full
// parser to extract the real domain correctly. See here for coverage of
// a similar issue in Django:
//
// https://www.djangoproject.com/weblog/2012/oct/17/security/
$uri = new PhutilURI('http://'.$this->host);
return $uri->getDomain();
}
/* -( Accessing Request Data )--------------------------------------------- */
/**
* @task data
*/
final public function setRequestData(array $request_data) {
$this->requestData = $request_data;
return $this;
}
/**
* @task data
*/
final public function getRequestData() {
return $this->requestData;
}
/**
* @task data
*/
final public function getInt($name, $default = null) {
if (isset($this->requestData[$name])) {
return (int)$this->requestData[$name];
} else {
return $default;
}
}
/**
* @task data
*/
final public function getBool($name, $default = null) {
if (isset($this->requestData[$name])) {
if ($this->requestData[$name] === 'true') {
return true;
} else if ($this->requestData[$name] === 'false') {
return false;
} else {
return (bool)$this->requestData[$name];
}
} else {
return $default;
}
}
/**
* @task data
*/
final public function getStr($name, $default = null) {
if (isset($this->requestData[$name])) {
$str = (string)$this->requestData[$name];
// Normalize newline craziness.
$str = str_replace(
array("\r\n", "\r"),
array("\n", "\n"),
$str);
return $str;
} else {
return $default;
}
}
/**
* @task data
*/
final public function getArr($name, $default = array()) {
if (isset($this->requestData[$name]) &&
is_array($this->requestData[$name])) {
return $this->requestData[$name];
} else {
return $default;
}
}
/**
* @task data
*/
final public function getStrList($name, $default = array()) {
if (!isset($this->requestData[$name])) {
return $default;
}
$list = $this->getStr($name);
$list = preg_split('/[\s,]+/', $list, $limit = -1, PREG_SPLIT_NO_EMPTY);
return $list;
}
/**
* @task data
*/
final public function getExists($name) {
return array_key_exists($name, $this->requestData);
}
final public function getFileExists($name) {
return isset($_FILES[$name]) &&
(idx($_FILES[$name], 'error') !== UPLOAD_ERR_NO_FILE);
}
final public function isHTTPPost() {
return ($_SERVER['REQUEST_METHOD'] == 'POST');
}
final public function isAjax() {
return $this->getExists(self::TYPE_AJAX);
}
final public function isJavelinWorkflow() {
return $this->getExists(self::TYPE_WORKFLOW);
}
final public function isConduit() {
return $this->getExists(self::TYPE_CONDUIT);
}
public static function getCSRFTokenName() {
return '__csrf__';
}
public static function getCSRFHeaderName() {
return 'X-Phabricator-Csrf';
}
final public function validateCSRF() {
$token_name = self::getCSRFTokenName();
$token = $this->getStr($token_name);
// No token in the request, check the HTTP header which is added for Ajax
// requests.
if (empty($token)) {
// PHP mangles HTTP headers by uppercasing them and replacing hyphens with
// underscores, then prepending 'HTTP_'.
$php_index = self::getCSRFHeaderName();
$php_index = strtoupper($php_index);
$php_index = str_replace('-', '_', $php_index);
$php_index = 'HTTP_'.$php_index;
$token = idx($_SERVER, $php_index);
}
$valid = $this->getUser()->validateCSRFToken($token);
if (!$valid) {
// Add some diagnostic details so we can figure out if some CSRF issues
// are JS problems or people accessing Ajax URIs directly with their
// browsers.
if ($token) {
$token_info = "with an invalid CSRF token";
} else {
$token_info = "without a CSRF token";
}
if ($this->isAjax()) {
$more_info = "(This was an Ajax request, {$token_info}.)";
} else {
$more_info = "(This was a web request, {$token_info}.)";
}
// This should only be able to happen if you load a form, pull your
// internet for 6 hours, and then reconnect and immediately submit,
// but give the user some indication of what happened since the workflow
// is incredibly confusing otherwise.
throw new AphrontCSRFException(
"The form you just submitted did not include a valid CSRF token. ".
"This token is a technical security measure which prevents a ".
"certain type of login hijacking attack. However, the token can ".
"become invalid if you leave a page open for more than six hours ".
"without a connection to the internet. To fix this problem: reload ".
"the page, and then resubmit it. All data inserted to the form will ".
"be lost in some browsers so copy them somewhere before reloading.\n\n".
$more_info);
}
return true;
}
final public function isFormPost() {
$post = $this->getExists(self::TYPE_FORM) &&
$this->isHTTPPost();
if (!$post) {
return false;
}
return $this->validateCSRF();
}
final public function getCookie($name, $default = null) {
return idx($_COOKIE, $name, $default);
}
final public function clearCookie($name) {
$this->setCookie($name, '', time() - (60 * 60 * 24 * 30));
}
final public function setCookie($name, $value, $expire = null) {
// Ensure cookies are only set on the configured domain.
$base_uri = PhabricatorEnv::getEnvConfig('phabricator.base-uri');
$base_uri = new PhutilURI($base_uri);
$base_domain = $base_uri->getDomain();
$base_protocol = $base_uri->getProtocol();
$host = $this->getHost();
if ($base_domain != $host) {
throw new Exception(
"This install of Phabricator is configured as '{$base_domain}' but ".
"you are accessing it via '{$host}'. Access Phabricator via ".
"the primary configured domain.");
}
if ($expire === null) {
$expire = time() + (60 * 60 * 24 * 365 * 5);
}
$is_secure = ($base_protocol == 'https');
setcookie(
$name,
$value,
$expire,
$path = '/',
$base_domain,
$is_secure,
$http_only = true);
return $this;
}
final public function setUser($user) {
$this->user = $user;
return $this;
}
final public function getUser() {
return $this->user;
}
final public function getRequestURI() {
$get = $_GET;
unset($get['__path__']);
$path = phutil_escape_uri($this->getPath());
return id(new PhutilURI($path))->setQueryParams($get);
}
final public function isDialogFormPost() {
return $this->isFormPost() && $this->getStr('__dialog__');
}
final public function getRemoteAddr() {
return $_SERVER['REMOTE_ADDR'];
}
public function isHTTPS() {
if (empty($_SERVER['HTTPS'])) {
return false;
}
if (!strcasecmp($_SERVER["HTTPS"], "off")) {
return false;
}
return true;
}
+ public function isContinueRequest() {
+ return $this->isFormPost() && $this->getStr('__continue__');
+ }
+
+ /**
+ * Get application request parameters in a flattened form suitable for
+ * inclusion in an HTTP request, excluding parameters with special meanings.
+ * This is primarily useful if you want to ask the user for more input and
+ * then resubmit their request.
+ *
+ * @return dict<string, string> Original request parameters.
+ */
+ public function getPassthroughRequestParameters() {
+ $data = self::flattenData($this->getRequestData());
+
+ // Remove magic parameters like __dialog__ and __ajax__.
+ foreach ($data as $key => $value) {
+ if (strncmp($key, '__', 2)) {
+ unset($data[$key]);
+ }
+ }
+
+ return $data;
+ }
+
+
+ /**
+ * Flatten an array of key-value pairs (possibly including arrays as values)
+ * into a list of key-value pairs suitable for submitting via HTTP request
+ * (with arrays flattened).
+ *
+ * @param dict<string, wild> Data to flatten.
+ * @return dict<string, string> Flat data suitable for inclusion in an HTTP
+ * request.
+ */
+ public static function flattenData(array $data) {
+ $result = array();
+ foreach ($data as $key => $value) {
+ if (is_array($value)) {
+ foreach (self::flattenData($value) as $fkey => $fvalue) {
+ $fkey = '['.preg_replace('/(?=\[)|$/', ']', $fkey, $limit = 1);
+ $result[$key.$fkey] = $fvalue;
+ }
+ } else {
+ $result[$key] = (string)$value;
+ }
+ }
+
+ ksort($result);
+
+ return $result;
+ }
+
+
}
diff --git a/src/aphront/__tests__/AphrontRequestTestCase.php b/src/aphront/__tests__/AphrontRequestTestCase.php
index 7001ba94d8..95bc224c11 100644
--- a/src/aphront/__tests__/AphrontRequestTestCase.php
+++ b/src/aphront/__tests__/AphrontRequestTestCase.php
@@ -1,82 +1,134 @@
<?php
final class AphrontRequestTestCase extends PhabricatorTestCase {
public function testRequestDataAccess() {
$r = new AphrontRequest('example.com', '/');
$r->setRequestData(
array(
'str_empty' => '',
'str' => 'derp',
'str_true' => 'true',
'str_false' => 'false',
'zero' => '0',
'one' => '1',
'arr_empty' => array(),
'arr_num' => array(1, 2, 3),
'comma' => ',',
'comma_1' => 'a, b',
'comma_2' => ' ,a ,, b ,,,, ,, ',
'comma_3' => '0',
'comma_4' => 'a, a, b, a',
'comma_5' => "a\nb, c\n\nd\n\n\n,\n",
));
$this->assertEqual(1, $r->getInt('one'));
$this->assertEqual(0, $r->getInt('zero'));
$this->assertEqual(null, $r->getInt('does-not-exist'));
$this->assertEqual(0, $r->getInt('str_empty'));
$this->assertEqual(true, $r->getBool('one'));
$this->assertEqual(false, $r->getBool('zero'));
$this->assertEqual(true, $r->getBool('str_true'));
$this->assertEqual(false, $r->getBool('str_false'));
$this->assertEqual(true, $r->getBool('str'));
$this->assertEqual(null, $r->getBool('does-not-exist'));
$this->assertEqual(false, $r->getBool('str_empty'));
$this->assertEqual('derp', $r->getStr('str'));
$this->assertEqual('', $r->getStr('str_empty'));
$this->assertEqual(null, $r->getStr('does-not-exist'));
$this->assertEqual(array(), $r->getArr('arr_empty'));
$this->assertEqual(array(1, 2, 3), $r->getArr('arr_num'));
$this->assertEqual(null, $r->getArr('str_empty', null));
$this->assertEqual(null, $r->getArr('str_true', null));
$this->assertEqual(null, $r->getArr('does-not-exist', null));
$this->assertEqual(array(), $r->getArr('does-not-exist'));
$this->assertEqual(array(), $r->getStrList('comma'));
$this->assertEqual(array('a', 'b'), $r->getStrList('comma_1'));
$this->assertEqual(array('a', 'b'), $r->getStrList('comma_2'));
$this->assertEqual(array('0'), $r->getStrList('comma_3'));
$this->assertEqual(array('a', 'a', 'b', 'a'), $r->getStrList('comma_4'));
$this->assertEqual(array('a', 'b', 'c', 'd'), $r->getStrList('comma_5'));
$this->assertEqual(array(), $r->getStrList('does-not-exist'));
$this->assertEqual(null, $r->getStrList('does-not-exist', null));
$this->assertEqual(true, $r->getExists('str'));
$this->assertEqual(false, $r->getExists('does-not-exist'));
}
public function testHostAttacks() {
static $tests = array(
'domain.com' => 'domain.com',
'domain.com:80' => 'domain.com',
'evil.com:evil.com@real.com' => 'real.com',
'evil.com:evil.com@real.com:80' => 'real.com',
);
foreach ($tests as $input => $expect) {
$r = new AphrontRequest($input, '/');
$this->assertEqual(
$expect,
$r->getHost(),
'Host: '.$input);
}
}
+ public function testFlattenRequestData() {
+ $test_cases = array(
+ array(
+ 'a' => 'a',
+ 'b' => '1',
+ 'c' => '',
+ ),
+ array(
+ 'a' => 'a',
+ 'b' => '1',
+ 'c' => '',
+ ),
+
+ array(
+ 'x' => array(
+ 0 => 'a',
+ 1 => 'b',
+ 2 => 'c',
+ ),
+ ),
+ array(
+ 'x[0]' => 'a',
+ 'x[1]' => 'b',
+ 'x[2]' => 'c',
+ ),
+
+ array(
+ 'x' => array(
+ 'y' => array(
+ 'z' => array(
+ 40 => 'A',
+ 50 => 'B',
+ 'C' => 60,
+ ),
+ ),
+ ),
+ ),
+ array(
+ 'x[y][z][40]' => 'A',
+ 'x[y][z][50]' => 'B',
+ 'x[y][z][C]' => '60',
+ ),
+ );
+
+ for ($ii = 0; $ii < count($test_cases); $ii += 2) {
+ $input = $test_cases[$ii];
+ $expect = $test_cases[$ii + 1];
+
+ $this->assertEqual($expect, AphrontRequest::flattenData($input));
+ }
+ }
+
}

File Metadata

Mime Type
text/x-diff
Expires
Sun, Jul 27, 7:46 PM (1 w, 10 h ago)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
186111
Default Alt Text
(14 KB)

Event Timeline

styx copyright 2020 sirocyl / ellie (kymkdd) / ncommander / styx contributors
Use of other names and brands is not intended to reflect a claim of, or right to, use the name or brand.
styx is an operating system using the Linux kernel and components, and "styx Linux" as a phrase does not reflect the inclusion of the Linux brand or trademark in the styx project.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Terms and Conditions (TODO: fix this!)