Commit 80608319 authored by Enis Nuredini's avatar Enis Nuredini

Merge branch 'F13242SanitizeForAllStores' into 'develop'

Fixes #13242 - Sanitize available for all stores. New default settings.

See merge request !369
parents fca18b4b fcc7cf5b
......@@ -141,7 +141,7 @@ Sanitize class
{{name:store:**sanitize**:escape:default:message}}
Values in STORE_CLIENT *C* (Client=Browser) and STORE_FORM *F* (Form, HTTP 'post') are checked against a
sanitize class. Values from other stores are *not* checked against any sanitize class, even if a sanitize class is specified.
sanitize class. Values from other stores are *not* checked against any sanitize class, unless a sanitize class is specified.
* Variables get by default the sanitize class defined in the corresponding `FormElement`. If not defined,
the default class is ``digit``.
......
......@@ -78,38 +78,6 @@ const SQL_FORM_ELEMENT_NATIVE_TG_COUNT = "SELECT `fe`.*, IFNULL(`feTg`.`maxLengt
const NAME_TG_COPIES = '_tgCopies'; // Number of templatesGroup copies to create on the fly. Also used in SQL_FORM_ELEMENT_NATIVE_TG_COUNT.
const FE_TG_INDEX = '_tgIndex'; // Index of the current copy of a templateGroup FE.
// SANITIZE Classifier
const SANITIZE_ALLOW_AUTO = "auto"; // Default for FormElements
const SANITIZE_ALLOW_ALNUMX = "alnumx";
const SANITIZE_ALLOW_DIGIT = "digit";
const SANITIZE_ALLOW_NUMERICAL = "numerical";
const SANITIZE_ALLOW_EMAIL = "email";
const SANITIZE_ALLOW_PATTERN = "pattern";
const SANITIZE_ALLOW_ALLBUT = "allbut";
const SANITIZE_ALLOW_ALL = "all";
const SANITIZE_DEFAULT = SANITIZE_ALLOW_DIGIT; // for {{variable}} expressions without checkType
const SANITIZE_EXCEPTION = 'exception';
const SANITIZE_EMPTY_STRING = 'empty string';
const SANITIZE_VIOLATE = '!!';
const SANITIZE_ALLOW_ALNUMX_MESSAGE = 'Allowed characters: 0...9, [latin character], @-_.m;: /()';
const SANITIZE_ALLOW_DIGIT_MESSAGE = 'Allowed characters: 0...9';
const SANITIZE_ALLOW_NUMERICAL_MESSAGE = 'Allowed characters: 0...9 and .+-';
const SANITIZE_ALLOW_EMAIL_MESSAGE = 'Requested format: string@domain.tld';
const SANITIZE_ALLOW_ALLBUT_MESSAGE = 'Forbidden characters: ^[]{}%\#';
const SANITIZE_TYPE_MESSAGE_VIOLATE_EMPTY = 'e';
const SANITIZE_TYPE_MESSAGE_VIOLATE_ZERO = '0';
const SANITIZE_TYPE_MESSAGE_VIOLATE_CLASS = 'c';
const PATTERN_ALNUMX = '^[@\-_\.,;: \/\(\)a-zA-Z0-9ÀÈÌÒÙàèìòùÁÉÍÓÚÝáéíóúýÂÊÎÔÛâêîôûÃÑÕãñõÄËÏÖÜŸäëïöüÿçß]*$';
const PATTERN_DIGIT = '^[\d]*$';
const PATTERN_NUMERICAL = '^[\d.+-]*$';
const PATTERN_EMAIL = '^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})?$';
const PATTERN_ALLBUT = '^[^\[\]{}%\\\\#]*$';
const PATTERN_ALL = '.*';
// Index wrap setup table
......@@ -412,6 +380,59 @@ const STORE_ZERO = "0"; // value: 0, might helpfull if variable is empty but use
const STORE_USE_DEFAULT = "FSRVD";
// SANITIZE Classifier
const SANITIZE_ALLOW_AUTO = "auto"; // Default for FormElements
const SANITIZE_ALLOW_ALNUMX = "alnumx";
const SANITIZE_ALLOW_DIGIT = "digit";
const SANITIZE_ALLOW_NUMERICAL = "numerical";
const SANITIZE_ALLOW_EMAIL = "email";
const SANITIZE_ALLOW_PATTERN = "pattern";
const SANITIZE_ALLOW_ALLBUT = "allbut";
const SANITIZE_ALLOW_ALL = "all";
const SANITIZE_DEFAULT = SANITIZE_ALLOW_DIGIT; // for {{variable}} expressions without checkType
const SANITIZE_DEFAULT_OF_STORE = [
STORE_FORM => SANITIZE_ALLOW_DIGIT,
STORE_SIP => SANITIZE_ALLOW_ALL,
STORE_RECORD => SANITIZE_ALLOW_ALL,
STORE_BEFORE => SANITIZE_ALLOW_ALL,
STORE_PARENT_RECORD => SANITIZE_ALLOW_ALL,
STORE_TABLE_DEFAULT => SANITIZE_ALLOW_ALL,
STORE_TABLE_COLUMN_TYPES => SANITIZE_ALLOW_ALL,
STORE_CLIENT => SANITIZE_ALLOW_DIGIT,
STORE_TYPO3 => SANITIZE_ALLOW_ALL,
STORE_VAR => SANITIZE_ALLOW_ALL,
STORE_ZERO => SANITIZE_ALLOW_ALL,
STORE_EMPTY => SANITIZE_ALLOW_ALL,
STORE_SYSTEM => SANITIZE_ALLOW_ALL,
STORE_EXTRA => SANITIZE_ALLOW_ALL,
STORE_USER => SANITIZE_ALLOW_ALL,
STORE_LDAP => SANITIZE_ALLOW_ALL,
STORE_ADDITIONAL_FORM_ELEMENTS => SANITIZE_ALLOW_ALL,
];
const SANITIZE_EXCEPTION = 'exception';
const SANITIZE_EMPTY_STRING = 'empty string';
const SANITIZE_VIOLATE = '!!';
const SANITIZE_ALLOW_ALNUMX_MESSAGE = 'Allowed characters: 0...9, [latin character], @-_.m;: /()';
const SANITIZE_ALLOW_DIGIT_MESSAGE = 'Allowed characters: 0...9';
const SANITIZE_ALLOW_NUMERICAL_MESSAGE = 'Allowed characters: 0...9 and .+-';
const SANITIZE_ALLOW_EMAIL_MESSAGE = 'Requested format: string@domain.tld';
const SANITIZE_ALLOW_ALLBUT_MESSAGE = 'Forbidden characters: ^[]{}%\#';
const SANITIZE_TYPE_MESSAGE_VIOLATE_EMPTY = 'e';
const SANITIZE_TYPE_MESSAGE_VIOLATE_ZERO = '0';
const SANITIZE_TYPE_MESSAGE_VIOLATE_CLASS = 'c';
const PATTERN_ALNUMX = '^[@\-_\.,;: \/\(\)a-zA-Z0-9ÀÈÌÒÙàèìòùÁÉÍÓÚÝáéíóúýÂÊÎÔÛâêîôûÃÑÕãñõÄËÏÖÜŸäëïöüÿçß]*$';
const PATTERN_DIGIT = '^[\d]*$';
const PATTERN_NUMERICAL = '^[\d.+-]*$';
const PATTERN_EMAIL = '^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})?$';
const PATTERN_ALLBUT = '^[^\[\]{}%\\\\#]*$';
const PATTERN_ALL = '.*';
//
// Store: Definitions / Members
//
......
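Review bot: SANITIZE_DEFAULT_OF_STORE (the entries from STORE_FORM through STORE_ADDITIONAL_FORM_ELEMENTS) carries no comment saying what the map means or how it relates to the SANITIZE_DEFAULT kept right above it, and its per-store choice is the security-relevant decision of this commit: only STORE_FORM and STORE_CLIENT, the two stores fed directly by the browser, default to digit, while every other store defaults to all, so a `{{var:R}}` or `{{var:V}}` without an explicit class stays unchecked even though Store now marks those stores as sanitizable. I would add above the array: `// Sanitize class used for {{var:STORE}} when neither the expression nor the FormElement names one. F and C carry browser-supplied input and default to digit; every other store defaults to all, i.e. unchecked unless a class is given explicitly.` Since Store.php indexes this map by store name without a fallback, a second line `// Every STORE_* constant must have an entry here.` would save a later undefined-index notice when a store is added. If SANITIZE_DEFAULT is no longer referenced anywhere after this change, its comment should say it is the fallback for unknown stores, or it should be dropped.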
......@@ -149,20 +149,20 @@ class Store {
self::$sanitizeStore = [
STORE_FORM => true,
STORE_SIP => false,
STORE_RECORD => false,
STORE_SIP => true,
STORE_RECORD => true,
STORE_BEFORE => false,
STORE_PARENT_RECORD => false,
STORE_TABLE_DEFAULT => false,
STORE_TABLE_COLUMN_TYPES => false,
STORE_CLIENT => true,
STORE_TYPO3 => false,
STORE_VAR => false,
STORE_VAR => true,
STORE_ZERO => false,
STORE_EMPTY => false,
STORE_SYSTEM => false,
STORE_EXTRA => false,
STORE_USER => false,
STORE_USER => true,
STORE_LDAP => false,
STORE_ADDITIONAL_FORM_ELEMENTS => false,
];
......@@ -175,6 +175,14 @@ class Store {
self::fillStoreSip();
}
/**
* @param $storeName
* @return bool - true if store accepts sanitize class
*/
public function getSanitizeStore($storeName){
return self::$sanitizeStore[$storeName];
}
/**
* Returns a pointer to this Class.
*
......@@ -530,10 +538,6 @@ class Store {
$useStores = STORE_USE_DEFAULT;
}
// no sanitizeClass specified: take predefined (if exist) or default.
if ($sanitizeClass === '' || $sanitizeClass === null) {
$sanitizeClass = isset(self::$sanitizeClass[$key]) ? self::$sanitizeClass[$key] : SANITIZE_DEFAULT;
}
$len = strlen(SIP_PREFIX_BASE64);
......@@ -567,6 +571,12 @@ class Store {
}
}
// no sanitizeClass specified: take predefined (if exist) or default.
if ($sanitizeClass === '' || $sanitizeClass === null) {
$sanitizeDefault = SANITIZE_DEFAULT_OF_STORE[$store];
$sanitizeClass = isset(self::$sanitizeClass[$key]) ? self::$sanitizeClass[$key] : $sanitizeDefault;
}
$rawVal = isset(self::$raw[$store][$finalKey]) ? self::$raw[$store][$finalKey] : null;
if (self::$sanitizeStore[$store] && $sanitizeClass != '') {
if ($sanitizeClass == SANITIZE_ALLOW_PATTERN) {
......
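Review bot: The new default lookup `$sanitizeDefault = SANITIZE_DEFAULT_OF_STORE[$store];` indexes the map with no guard, so a store name that is not a key yields an undefined-index notice and a null default where the removed code fell back to SANITIZE_DEFAULT; the existing test suite already calls getStore('unknownstore'), so unknown names do appear to reach this class. I would write it in the same isset style as the line directly below it: `$sanitizeDefault = isset(SANITIZE_DEFAULT_OF_STORE[$store]) ? SANITIZE_DEFAULT_OF_STORE[$store] : SANITIZE_DEFAULT;`. The added getSanitizeStore() has the same unguarded index and no parameter or return type; if the codebase targets PHP 7 or later, `public function getSanitizeStore(string $storeName): bool` returning `isset(self::$sanitizeStore[$storeName]) ? self::$sanitizeStore[$storeName] : false` makes both the contract and the missing-store case explicit, and its docblock should state that the flag is consulted before any sanitize class is applied. The enclosing method of the last two hunks starts and ends outside what is shown here.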
......@@ -468,4 +468,25 @@ class StoreTest extends TestCase {
$this->assertEquals(array(), $this->store->getStore('unknownstore'));
}
/**
* @throws \CodeException
* @throws \UserFormException
*/
public function testSanitizeNonDefault() {
foreach ([STORE_FORM, STORE_RECORD, STORE_SIP, STORE_BEFORE, STORE_PARENT_RECORD,
STORE_TABLE_DEFAULT, STORE_TABLE_COLUMN_TYPES, STORE_CLIENT, STORE_TYPO3,
STORE_VAR, STORE_SYSTEM, STORE_USER, STORE_LDAP] as $storeName) {
$this->store->setVar('color', 'green', $storeName);
if ($this->store->getSanitizeStore($storeName)) {
$this->assertEquals('!!digit!!', $this->store->getVar('color', $storeName, SANITIZE_ALLOW_DIGIT), "Retrieve 'color' from STORE $storeName");
}
}
# var is not in R but in C. No sanatize given: C should complain
$this->store->setVar('color1', 'green', STORE_CLIENT);
$this->assertEquals('!!digit!!', $this->store->getVar('color1', 'RC'), "Retrieve 'color' from STORE_FORM");
}
}
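Review bot: The loop in testSanitizeNonDefault asserts only when getSanitizeStore() returns true, so for every store still flagged false it sets a value and checks nothing; an `else` branch with `$this->assertEquals('green', $this->store->getVar('color', $storeName, SANITIZE_ALLOW_DIGIT), "Retrieve 'color' unchecked from STORE $storeName");` would pin the other half of the new default table (the value should come back unchanged there, if I read the `self::$sanitizeStore[$store] &&` guard in Store correctly), and a store silently becoming unchecked would then fail the test. The message on the final assertion, "Retrieve 'color' from STORE_FORM", names the wrong variable and store: that call reads 'color1' from 'RC'. The store list also omits STORE_ZERO, STORE_EMPTY, STORE_EXTRA and STORE_ADDITIONAL_FORM_ELEMENTS, all present in the new map; if they are skipped on purpose, a one-line comment saying why would help the next reader.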