- Timestamp:
- May 26, 2019 1:59:55 AM (5 years ago)
- Location:
- trunk/lib
- Files:
-
- 2 edited
trunk/lib/App.inc.php
r685 r686 486 486 487 487 // To get a safe hostname, remove port and invalid hostname characters. 488 $safe_http_host = preg_replace('/[^a-z\d.:-]/', '', strtok(getenv('HTTP_HOST'), ':')); 488 $safe_http_host = preg_replace('/[^a-z\d.:-]/', '', strtok(getenv('HTTP_HOST'), ':')); // FIXME: strtok shouldn't be used if there is a chance HTTP_HOST may be empty except for the port, e.g., `:80` will return `80` 489 489 // If strtok() matched a ':' in the previous line, the rest of the string contains the port number (or FALSE) 490 490 $safe_http_port = preg_replace('/[^0-9]/', '', strtok('')); … … 1118 1118 } 1119 1119 1120 // If the URL is empty, use REQUEST_URI without the QUERY_STRING.1120 // If the URL is empty, use REQUEST_URI stripped of its query string. 1121 1121 if ('' == $url) { 1122 $url = str_replace([getenv('QUERY_STRING'), '?'], '', getenv('REQUEST_URI'));1122 $url = (strstr(getenv('REQUEST_URI'), '?', true) ?: getenv('REQUEST_URI')); // strstr() returns false if '?' is not found, so use a shorthand ternary operator. 1123 1123 } 1124 1124 … … 1208 1208 } 1209 1209 1210 /** 1211 * Prints a hidden form element with the PHPSESSID when cookies are not used, as well 1212 * as hidden form elements for GET_VARS that might be in use. 1213 * 1214 * @param mixed $carry_args Additional url arguments to carry in the query, 1215 * or FALSE to prevent carrying queries. Can be any of the following formats: 1216 * array('key1', key2', key3') <-- to save these keys if in the form data. 1217 * array('key1'=>'value', key2'='value') <-- to set keys to default values if not present in form data. 1218 * false <-- To not carry any queries. If URL already has queries those will be retained. 1219 * @param bool $include_csrf_token Set to true to include the csrf_token in the form. Only use this for forms with action="post" to prevent the token from being revealed in the URL. 
1220 */ 1221 public function printHiddenSession($carry_args=null, $include_csrf_token=false) 1210 /* 1211 * Returns a string containing <input type="hidden" > for session, carried queries, and CSRF token. 1212 * 1213 * @access public 1214 * @param (see printHiddenSession) 1215 * @return string 1216 * @author Quinn Comendant <quinn@strangecode.com> 1217 * @since 25 May 2019 15:01:40 1218 */ 1219 public function getHiddenSession($carry_args=null, $include_csrf_token=false) 1222 1220 { 1223 1221 if (!$this->running) { … … 1225 1223 return false; 1226 1224 } 1225 1226 $out = ''; 1227 1227 1228 1228 // Get any provided query arguments to include in the final hidden form data. … … 1260 1260 foreach ($val as $subval) { 1261 1261 if ('' != $key && '' != $subval) { 1262 printf('<input type="hidden" name="%s[]" value="%s" />', $key, $subval);1262 $out .= sprintf('<input type="hidden" name="%s[]" value="%s" />', $key, $subval); 1263 1263 } 1264 1264 } 1265 1265 } else if ('' != $key && '' != $val) { 1266 printf('<input type="hidden" name="%s" value="%s" />', $key, $val);1266 $out .= sprintf('<input type="hidden" name="%s" value="%s" />', $key, $val); 1267 1267 } 1268 1268 } … … 1280 1280 && $this->getParam('session_use_trans_sid') 1281 1281 ) { 1282 printf('<input type="hidden" name="%s" value="%s" />', session_name(), session_id());1282 $out .= sprintf('<input type="hidden" name="%s" value="%s" />', session_name(), session_id()); 1283 1283 } 1284 1284 … … 1286 1286 // This token can be validated upon form submission with $app->verifyCSRFToken() or $app->requireValidCSRFToken() 1287 1287 if ($this->getParam('csrf_token_enabled') && $include_csrf_token) { 1288 printf('<input type="hidden" name="%s" value="%s" />', $this->getParam('csrf_token_name'), $this->getCSRFToken()); 1289 } 1288 $out .= sprintf('<input type="hidden" name="%s" value="%s" />', $this->getParam('csrf_token_name'), $this->getCSRFToken()); 1289 } 1290 1291 return $out; 1292 } 1293 1294 /** 1295 * Prints a 
hidden form element with the PHPSESSID when cookies are not used, as well 1296 * as hidden form elements for GET_VARS that might be in use. 1297 * 1298 * @param mixed $carry_args Additional url arguments to carry in the query, 1299 * or FALSE to prevent carrying queries. Can be any of the following formats: 1300 * array('key1', key2', key3') <-- to save these keys if in the form data. 1301 * array('key1'=>'value', key2'='value') <-- to set keys to default values if not present in form data. 1302 * false <-- To not carry any queries. If URL already has queries those will be retained. 1303 * @param bool $include_csrf_token Set to true to include the csrf_token in the form. Only use this for forms with action="post" to prevent the token from being revealed in the URL. 1304 */ 1305 public function printHiddenSession($carry_args=null, $include_csrf_token=false) 1306 { 1307 echo $this->getHiddenSession($carry_args, $include_csrf_token); 1290 1308 } 1291 1309 -
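Review bot: The carried query values are written straight into `value="%s"` in the foreach at lines 1262 and 1266 of getHiddenSession without HTML-attribute escaping; the docblock says these keys are taken from the form data when present, so unless the elided lines between 1228 and 1259 already escape them, a request parameter containing `"` closes the attribute and injects markup into every page that renders the form. Since the method now returns a string instead of printing, this is the natural place to escape once: `$out .= sprintf('<input type="hidden" name="%s[]" value="%s" />', htmlspecialchars($key, ENT_QUOTES, 'UTF-8'), htmlspecialchars($subval, ENT_QUOTES, 'UTF-8'));` and the same for the scalar branch on line 1266. Separately, the early exit at line 1224 still does `return false;` while the new docblock promises `@return string`; `return '';` keeps callers that concatenate the result from receiving a bool. The body of getHiddenSession between lines 1228 and 1259 is elided on this page, so whether an escaping helper is already applied upstream could not be confirmed.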
trunk/lib/Navigation.inc.php
r682 r686 440 440 } 441 441 442 $actual_uri = $include_query ? $_SERVER['REQUEST_URI'] : strtok($_SERVER['REQUEST_URI'], '?');443 $test_uri = $include_query ? $test_uri : strtok($test_uri, '?');442 $actual_uri = $include_query ? $_SERVER['REQUEST_URI'] : (strstr(getenv('REQUEST_URI'), '?', true) ?: getenv('REQUEST_URI')); // strstr() returns false if '?' is not found, so use a shorthand ternary operator. 443 $test_uri = $include_query ? $test_uri : (strstr($test_uri, '?', true) ?: $test_uri); // strstr() returns false if '?' is not found, so use a shorthand ternary operator. 444 444 if (mb_strtolower($test_uri) == mb_strtolower($actual_uri)) { 445 445 // $app->logMsg(sprintf('Current page (%s) == test URI (%s)', $actual_uri, $test_uri), LOG_DEBUG, __FILE__, __LINE__);
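Review bot: Line 442 now reads the request URI from two different sources, `$_SERVER['REQUEST_URI']` when `$include_query` is set and `getenv('REQUEST_URI')` otherwise, so the two branches can disagree; in a SAPI that does not export request variables to the environment, getenv() returns false, strstr() then returns false too, and the comparison on line 444 degrades to matching the test URI against an empty string. Read the value once and derive both forms from it: `$request_uri = $_SERVER['REQUEST_URI'];` followed by `$actual_uri = $include_query ? $request_uri : (strstr($request_uri, '?', true) ?: $request_uri);`. Note also that the `?:` fallback keeps the whole URI when `?` is the first character, because strstr() returns `''` there, and that the unchanged comparison on line 444 uses `==`, which compares numeric-looking strings numerically; `===` is the safer choice for path matching. The enclosing function begins before this hunk.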