Changeset 686 for trunk/lib


Timestamp:
May 26, 2019 1:59:55 AM (5 years ago)
Author:
anonymous
Message:

Add getHiddenSession() method. Use strstr() instead of strtok() for getting queryless URI.

Location:
trunk/lib
Files:
2 edited

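--- a/trunk/lib/App.inc.php
+++ b/trunk/lib/App.inc.php
@@ -486,5 +486,5 @@
 
         // To get a safe hostname, remove port and invalid hostname characters.
-        $safe_http_host = preg_replace('/[^a-z\d.:-]/', '', strtok(getenv('HTTP_HOST'), ':'));
+        $safe_http_host = preg_replace('/[^a-z\d.:-]/', '', strtok(getenv('HTTP_HOST'), ':')); // FIXME: strtok shouldn't be used if there is a chance HTTP_HOST may be empty except for the port, e.g., `:80` will return `80`
         // If strtok() matched a ':' in the previous line, the rest of the string contains the port number (or FALSE)
         $safe_http_port = preg_replace('/[^0-9]/', '', strtok(''));
@@ -1118,7 +1118,7 @@
         }
 
-        // If the URL is empty, use REQUEST_URI without the QUERY_STRING.
+        // If the URL is empty, use REQUEST_URI stripped of its query string.
         if ('' == $url) {
-            $url = str_replace([getenv('QUERY_STRING'), '?'], '', getenv('REQUEST_URI'));
+            $url = (strstr(getenv('REQUEST_URI'), '?', true) ?: getenv('REQUEST_URI')); // strstr() returns false if '?' is not found, so use a shorthand ternary operator.
         }
 
@@ -1208,16 +1208,14 @@
     }
 
-    /**
-     * Prints a hidden form element with the PHPSESSID when cookies are not used, as well
-     * as hidden form elements for GET_VARS that might be in use.
-     *
-     * @param  mixed  $carry_args        Additional url arguments to carry in the query,
-     *                                   or FALSE to prevent carrying queries. Can be any of the following formats:
-     *                                      array('key1', key2', key3')  <-- to save these keys if in the form data.
-     *                                      array('key1'=>'value', key2'='value')  <-- to set keys to default values if not present in form data.
-     *                                      false  <-- To not carry any queries. If URL already has queries those will be retained.
-     * @param   bool    $include_csrf_token     Set to true to include the csrf_token in the form. Only use this for forms with action="post" to prevent the token from being revealed in the URL.
-     */
-    public function printHiddenSession($carry_args=null, $include_csrf_token=false)
+    /*
+    * Returns a string containing <input type="hidden" > for session, carried queries, and CSRF token.
+    *
+    * @access   public
+    * @param    (see printHiddenSession)
+    * @return   string
+    * @author   Quinn Comendant <quinn@strangecode.com>
+    * @since    25 May 2019 15:01:40
+    */
+    public function getHiddenSession($carry_args=null, $include_csrf_token=false)
     {
         if (!$this->running) {
@@ -1225,4 +1223,6 @@
             return false;
         }
+
+        $out = '';
 
         // Get any provided query arguments to include in the final hidden form data.
@@ -1260,9 +1260,9 @@
                     foreach ($val as $subval) {
                         if ('' != $key && '' != $subval) {
-                            printf('<input type="hidden" name="%s[]" value="%s" />', $key, $subval);
+                            $out .= sprintf('<input type="hidden" name="%s[]" value="%s" />', $key, $subval);
                         }
                     }
                 } else if ('' != $key && '' != $val) {
-                    printf('<input type="hidden" name="%s" value="%s" />', $key, $val);
+                    $out .= sprintf('<input type="hidden" name="%s" value="%s" />', $key, $val);
                 }
             }
@@ -1280,5 +1280,5 @@
         && $this->getParam('session_use_trans_sid')
         ) {
-            printf('<input type="hidden" name="%s" value="%s" />', session_name(), session_id());
+            $out .= sprintf('<input type="hidden" name="%s" value="%s" />', session_name(), session_id());
         }
 
@@ -1286,6 +1286,24 @@
         // This token can be validated upon form submission with $app->verifyCSRFToken() or $app->requireValidCSRFToken()
         if ($this->getParam('csrf_token_enabled') && $include_csrf_token) {
-            printf('<input type="hidden" name="%s" value="%s" />', $this->getParam('csrf_token_name'), $this->getCSRFToken());
-        }
+            $out .= sprintf('<input type="hidden" name="%s" value="%s" />', $this->getParam('csrf_token_name'), $this->getCSRFToken());
+        }
+
+        return $out;
+    }
+
+    /**
+     * Prints a hidden form element with the PHPSESSID when cookies are not used, as well
+     * as hidden form elements for GET_VARS that might be in use.
+     *
+     * @param  mixed  $carry_args        Additional url arguments to carry in the query,
+     *                                   or FALSE to prevent carrying queries. Can be any of the following formats:
+     *                                      array('key1', key2', key3')  <-- to save these keys if in the form data.
+     *                                      array('key1'=>'value', key2'='value')  <-- to set keys to default values if not present in form data.
+     *                                      false  <-- To not carry any queries. If URL already has queries those will be retained.
+     * @param   bool    $include_csrf_token     Set to true to include the csrf_token in the form. Only use this for forms with action="post" to prevent the token from being revealed in the URL.
+     */
+    public function printHiddenSession($carry_args=null, $include_csrf_token=false)
+    {
+        echo $this->getHiddenSession($carry_args, $include_csrf_token);
     }
 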
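Review bot: The `$out .= sprintf('<input type="hidden" name="%s" value="%s" />', $key, $val);` line in getHiddenSession (and the `$subval` variant just above it) places `$key` and `$val` into an HTML attribute with no escaping, and the docblock says these are carried over from form data, so a carried value containing `"` or `>` ends the attribute and lands in the page as live markup. Unless the lines hidden between the hunks (where `$carry_args` is read) already escape them, wrap each interpolated value as `htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and do the same for `$key` and `$subval`. Separately, the new docblock declares `@return string` but the early exit at line 1223 still returns `false`; `return '';` would keep the contract honest, and opening the comment with `/**` instead of `/*` lets doc tools pick it up at all. The body of getHiddenSession between the hunks is outside this view.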
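--- a/trunk/lib/Navigation.inc.php
+++ b/trunk/lib/Navigation.inc.php
@@ -440,6 +440,6 @@
         }
 
-        $actual_uri = $include_query ? $_SERVER['REQUEST_URI'] : strtok($_SERVER['REQUEST_URI'], '?');
-        $test_uri = $include_query ? $test_uri : strtok($test_uri, '?');
+        $actual_uri = $include_query ? $_SERVER['REQUEST_URI'] : (strstr(getenv('REQUEST_URI'), '?', true) ?: getenv('REQUEST_URI')); // strstr() returns false if '?' is not found, so use a shorthand ternary operator.
+        $test_uri = $include_query ? $test_uri : (strstr($test_uri, '?', true) ?: $test_uri); // strstr() returns false if '?' is not found, so use a shorthand ternary operator.
         if (mb_strtolower($test_uri) == mb_strtolower($actual_uri)) {
             // $app->logMsg(sprintf('Current page (%s) == test URI (%s)', $actual_uri, $test_uri), LOG_DEBUG, __FILE__, __LINE__);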
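Review bot: The new `$actual_uri` line reads the request URI from two different sources, `$_SERVER['REQUEST_URI']` when `$include_query` is set and `getenv('REQUEST_URI')` when it is not, so the two branches can disagree on SAPIs where getenv() does not mirror `$_SERVER` (in a CLI run, for instance, getenv() returns false and the comparison silently matches an empty string). Use one source in both branches: `$actual_uri = $include_query ? $_SERVER['REQUEST_URI'] : (strstr($_SERVER['REQUEST_URI'], '?', true) ?: $_SERVER['REQUEST_URI']);`. Note also that `?:` falls back to the full URI, query included, whenever the part before `?` is `''` or `'0'`; that is harmless here only because a REQUEST_URI starts with `/`, and a short comment saying so would keep the next reader from "fixing" it. The enclosing function starts and ends outside the hunk.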