Remove invalid characters from REQUEST_URI

2026-05-09 20:12:14 +09:00 · 2018-07-31 19:08:02 +09:00 · 2018-07-31 19:08:02 +09:00 · 109203d12b
commit 109203d12b
parent b62a1322c9
3 changed files with 11 additions and 3 deletions
--- a/common/framework/url.php
+++ b/common/framework/url.php
@ -18,7 +18,8 @@ class URL
 	 */
 	public static function getCurrentURL(array $changes = array())
 	{
-		$url = self::getCurrentDomainURL(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/');
+		$request_uri = preg_replace('/[<>"]/', '', isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/');
 		$url = self::getCurrentDomainURL($request_uri);
 		if (count($changes))
 		{
 			return self::modifyURL($url, $changes);
--- a/common/legacy.php
+++ b/common/legacy.php
@ -917,7 +917,7 @@ function getScriptPath()
 */
 function getRequestUriByServerEnviroment()
 {
-	return escape($_SERVER['REQUEST_URI']);
+	return preg_replace('/[<>"]/', '', $_SERVER['REQUEST_URI']);
 }
 /**
--- a/tests/unit/framework/URLTest.php
+++ b/tests/unit/framework/URLTest.php
@ -22,6 +22,13 @@ class URLTest extends \Codeception\TestCase\Test
 		// Adding and removing parameters at the same time
 		$this->assertEquals('https://www.rhymix.org/rhymix/index.php?xe=sucks&l=ko', Rhymix\Framework\URL::getCurrentURL(array('l' => 'ko', 'foo' => null)));
 		// Removing invalid characters in the current URL
 		$_SERVER['REQUEST_URI'] = '/rhymix/?foo="bar"';
 		$this->assertEquals('https://www.rhymix.org/rhymix/?foo=bar', Rhymix\Framework\URL::getCurrentURL());
 		$_SERVER['REQUEST_URI'] = '/rhymix/?foo=<bar&baz=rhymix>';
 		$this->assertEquals('https://www.rhymix.org/rhymix/?foo=bar&baz=rhymix', Rhymix\Framework\URL::getCurrentURL());
 		$this->assertEquals('https://www.rhymix.org/rhymix/?baz=rhymix&l=ko', Rhymix\Framework\URL::getCurrentURL(array('l' => 'ko', 'foo' => null)));
 		$_SERVER['REQUEST_URI'] = $old_request_uri;
 	}