Use new Security and URL classes in other places
This commit is contained in:
parent
28da8948d7
commit
b962409652
3 changed files with 18 additions and 66 deletions
@ -394,11 +394,11 @@ class Context
|
|||
}
|
||||
if (strpos($current_url, 'xn--') !== false)
|
||||
{
|
||||
$current_url = self::decodeIdna($current_url);
|
||||
$current_url = Rhymix\Framework\URL::decodeIdna($current_url);
|
||||
}
|
||||
if (strpos($request_uri, 'xn--') !== false)
|
||||
{
|
||||
$request_uri = self::decodeIdna($request_uri);
|
||||
$request_uri = Rhymix\Framework\URL::decodeIdna($request_uri);
|
||||
}
|
||||
self::set('current_url', $current_url);
|
||||
self::set('request_uri', $request_uri);
|
||||
|
|
@ -1073,15 +1073,7 @@ class Context
|
|||
*/
|
||||
public static function encodeIdna($domain)
|
||||
{
|
||||
if(function_exists('idn_to_ascii'))
|
||||
{
|
||||
return idn_to_ascii($domain);
|
||||
}
|
||||
else
|
||||
{
|
||||
$encoder = new TrueBV\Punycode();
|
||||
return $encoder->encode($domain);
|
||||
}
|
||||
return Rhymix\Framework\URL::encodeIdna($domain);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -1092,15 +1084,7 @@ class Context
|
|||
*/
|
||||
public static function decodeIdna($domain)
|
||||
{
|
||||
if(function_exists('idn_to_utf8'))
|
||||
{
|
||||
return idn_to_utf8($domain);
|
||||
}
|
||||
else
|
||||
{
|
||||
$decoder = new TrueBV\Punycode();
|
||||
return $decoder->decode($domain);
|
||||
}
|
||||
return Rhymix\Framework\URL::decodeIdna($domain);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -1283,11 +1267,15 @@ class Context
|
|||
}
|
||||
|
||||
$xml = $GLOBALS['HTTP_RAW_POST_DATA'];
|
||||
if(Security::detectingXEE($xml))
|
||||
if(!Rhymix\Framework\Security::checkXEE($xml))
|
||||
{
|
||||
header("HTTP/1.0 400 Bad Request");
|
||||
exit;
|
||||
}
|
||||
if(function_exists('libxml_disable_entity_loader'))
|
||||
{
|
||||
libxml_disable_entity_loader(true);
|
||||
}
|
||||
|
||||
$oXml = new XmlParser();
|
||||
$xml_obj = $oXml->parse($xml);
|
||||
|
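Review bot: The new `if(!Rhymix\Framework\Security::checkXEE($xml))` guard replaces `Security::detectingXEE($xml)`, but the old method returned FALSE for an empty `$xml` (visible in the removed body of Security.class.php further down), so an empty POST body used to fall through to the parser; whether `checkXEE` passes or rejects an empty string is not visible here, so confirm the intended response for an empty body rather than inherit whichever one the framework class chose. The removed implementation also required the root element to be one of `<methodCall`, `<methodResponse` or `<fault`; if `checkXEE` is a generic entity-declaration check, that XML-RPC root-tag restriction is gone at this call site (and in the `detectingXEE` wrapper) and should be re-added here or recorded as intentionally dropped. The unchanged `$GLOBALS['HTTP_RAW_POST_DATA']` line above the guard is removed in PHP 7, so a follow-up to `file_get_contents('php://input')` is worth considering, though that is outside this commit's change. The enclosing method starts and ends outside the hunk.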
|
|
|||
|
|
@ -15,14 +15,14 @@ class Security
|
|||
* Action target variable. If this value is null, the method will use Context variables
|
||||
* @var mixed
|
||||
*/
|
||||
var $_targetVar = NULL;
|
||||
public $_targetVar = NULL;
|
||||
|
||||
/**
|
||||
* @constructor
|
||||
* @param mixed $var Target context
|
||||
* @return void
|
||||
*/
|
||||
function __construct($var = NULL)
|
||||
public function __construct($var = NULL)
|
||||
{
|
||||
$this->_targetVar = $var;
|
||||
}
|
||||
|
|
@ -34,7 +34,7 @@ class Security
|
|||
* separate the owner(object or array) and the item(property or element) using a dot(.)
|
||||
* @return mixed
|
||||
*/
|
||||
function encodeHTML(/* , $varName1, $varName2, ... */)
|
||||
public function encodeHTML(/* , $varName1, $varName2, ... */)
|
||||
{
|
||||
$varNames = func_get_args();
|
||||
if(count($varNames) < 0)
|
||||
|
|
@ -109,7 +109,7 @@ class Security
|
|||
* @param array $name
|
||||
* @return mixed
|
||||
*/
|
||||
function _encodeHTML($var, $name = array())
|
||||
protected function _encodeHTML($var, $name = array())
|
||||
{
|
||||
if(is_string($var))
|
||||
{
|
||||
|
|
@ -183,46 +183,9 @@ class Security
|
|||
* @param string $xml
|
||||
* @return bool
|
||||
*/
|
||||
static function detectingXEE($xml)
|
||||
public static function detectingXEE($xml)
|
||||
{
|
||||
if(!$xml) return FALSE;
|
||||
|
||||
if(strpos($xml, '<!ENTITY') !== FALSE)
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
// Strip XML declaration.
|
||||
$header = preg_replace('/<\?xml.*?\?'.'>/s', '', substr($xml, 0, 100), 1);
|
||||
$xml = trim(substr_replace($xml, $header, 0, 100));
|
||||
if($xml == '')
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
// Strip DTD.
|
||||
$header = preg_replace('/^<!DOCTYPE[^>]*+>/i', '', substr($xml, 0, 200), 1);
|
||||
$xml = trim(substr_replace($xml, $header, 0, 200));
|
||||
if($xml == '')
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
// Confirm the XML now starts with a valid root tag. A root tag can end in [> \t\r\n]
|
||||
$root_tag = substr($xml, 0, strcspn(substr($xml, 0, 20), "> \t\r\n"));
|
||||
|
||||
// Reject a second DTD.
|
||||
if(strtoupper($root_tag) == '<!DOCTYPE')
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
if(!in_array($root_tag, array('<methodCall', '<methodResponse', '<fault')))
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
return !Rhymix\Framework\Security::checkXEE($xml);
|
||||
}
|
||||
}
|
||||
/* End of file : Security.class.php */
|
||||
|
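Review bot: `detectingXEE()` is now a one-line inversion of `Rhymix\Framework\Security::checkXEE()`, but its docblock (`@param string $xml`, `@return bool`) still reads as if this were the full implementation and does not tell callers to migrate or that the two methods have opposite polarity; add `* @deprecated Use Rhymix\Framework\Security::checkXEE() instead (it returns true when the XML is acceptable; this method returns true when the input should be rejected).` above the signature. The `var $_targetVar` to `public $_targetVar` change keeps a leading underscore on a now explicitly public property, a small naming inconsistency worth cleaning up if the property is meant to be public API. The class's opening and the surrounding methods' docblocks start outside the visible hunks.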
|
|
|||
|
|
@ -407,9 +407,10 @@ function getFullSiteUrl()
|
|||
*
|
||||
* @return string
|
||||
*/
|
||||
function getCurrentPageUrl()
|
||||
function getCurrentPageUrl($escape = true)
|
||||
{
|
||||
return escape((RX_SSL ? 'https://' : 'http://') . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
|
||||
$url = Rhymix\Framework\URL::getCurrentURL();
|
||||
return $escape ? escape($url) : $url;
|
||||
}
|
||||
|
||||
/**
|
||||
|
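Review bot: `getCurrentPageUrl($escape = true)` gains a parameter but the docblock above it still documents only `@return string`; add `* @param bool $escape Set to false to receive the raw URL; the caller is then responsible for escaping it for its output context.` When `$escape` is false the function returns `Rhymix\Framework\URL::getCurrentURL()` unmodified, which in the removed body was built from `$_SERVER['HTTP_HOST']` and `$_SERVER['REQUEST_URI']`, i.e. request-controlled input, and presumably still is, so the raw variant must not be echoed into HTML, attribute or JavaScript contexts without a context-appropriate encoding. Since `escape()` covers the HTML context only, the docblock should say that callers embedding the result elsewhere need their own encoding even with the default. The docblock opens outside the hunk.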