Commit cb4a7b3b authored by Carsten  Rose's avatar Carsten Rose

Config.php: cleanup of checking GET variables.

parent 7746e789
......@@ -384,6 +384,11 @@ const SYSTEM_SECURITY_ATTACK_DELAY = 'SECURITY_ATTACK_DELAY'; // Detected attack
const SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT = 5; // Detected attack causes x seconds delay
const SYSTEM_SECURITY_SHOW_MESSAGE = 'SECURITY_SHOW_MESSAGE'; // Detected attack shows an error message
const SYSTEM_SECURITY_GET_MAX_LENGTH = 'SECURITY_GET_MAX_LENGTH'; // Trim every character (before conversion) to SECURITY_GET_MAX_LENGTH chars;
const SYSTEM_SECURITY_GET_MAX_LENGTH_DEFAULT = 50; // Default max length for get variables
const SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH = 255; // Default max length for get variables
const GET_EXTRA_LENGTH_TOKEN = '_';
const SYSTEM_GFX_EXTRA_BUTTON_INFO_INLINE = 'GFX_EXTRA_BUTTON_INFO_INLINE';
const SYSTEM_GFX_EXTRA_BUTTON_INFO_BELOW = 'GFX_EXTRA_BUTTON_INFO_BELOW';
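Review bot: The comment on `SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH` is a copy of the one on the line above and describes the wrong constant; it is not a default but the hard ceiling that a `_<n>` key suffix may request before the request is treated as an attack. Suggest `const SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH = 255; // Hard upper bound for a per-variable length requested via the GET_EXTRA_LENGTH_TOKEN suffix; larger requests are treated as an attack`. The trailing `;` inside the `SYSTEM_SECURITY_GET_MAX_LENGTH` comment also reads like a stray token and could be dropped.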
......@@ -415,7 +420,6 @@ const SYSTEM_DB_UPDATE_AUTO = 'auto';
const DOCUMENTATION_QFQ = 'DOCUMENTATION_QFQ';
const DOCUMENTATION_QFQ_URL = 'https://docs.typo3.org/typo3cms/drafts/github/T3DocumentationStarter/Public-Info-053/Manual.html';
const GET_EXTRA_LENGTH_TOKEN = '_';
// Not stored in config.qfq.ini, but used in STORE_SYSTEM
// Information for: Log / Debug / Exception
......@@ -72,13 +72,21 @@ class Config {
foreach ($_GET as $key => $value) {
// Check if the variable is something like 'my_name_100' - if the part after the last '_' is numerical, this means a valid, non standard length.
$arr = explode(GET_EXTRA_LENGTH_TOKEN, $key);
$cnt = count($arr);
if ($cnt > 1 && is_numeric($arr[$cnt - 1])) {
if (strlen($value) > $arr[$cnt - 1]) {
$maxLength = $arr[$cnt - 1];
if ($maxLength > SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH) {
$attack = true;
break;
}
} elseif (strlen($value) > $maxLength) {
} else {
$maxLength = $config[SYSTEM_SECURITY_GET_MAX_LENGTH]; // might change again.
}
if (strlen($value) > $maxLength) {
$attack = true;
break;
}
}
}
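Review bot: `$maxLength = $arr[$cnt - 1];` takes the override straight from the request key as a string, and `is_numeric()` admits signs, decimals and exponent notation, so a key such as `name_-1` yields a negative cap (every value flagged) and `name_1e2` is accepted as 100; tightening the guard to digits and casting, `if ($cnt > 1 && ctype_digit($arr[$cnt - 1])) {` and `$maxLength = (int) $arr[$cnt - 1];`, pins the override to what the comment above describes. The new `strlen($value)` check also assumes a scalar, but `$_GET` values can be arrays (`name[]=...`), on which `strlen()` is a TypeError on PHP 8 and a warning yielding null on 7.x that then compares as 0 and bypasses the cap; a guard like `if (is_array($value) || strlen($value) > $maxLength)` keeps the check fail-closed. The comment `// might change again.` would be clearer as `// reset to the configured default; a previous key may have overridden it`. The enclosing method starts and ends outside the hunk, and whether `$config[SYSTEM_SECURITY_GET_MAX_LENGTH]` is already populated when this loop runs cannot be confirmed from the visible lines.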
......@@ -158,7 +166,7 @@ class Config {
Support::setIfNotSet($config, SYSTEM_SECURITY_VARS_HONEYPOT, 'email,username,password');
Support::setIfNotSet($config, SYSTEM_SECURITY_ATTACK_DELAY, SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT);
Support::setIfNotSet($config, SYSTEM_SECURITY_SHOW_MESSAGE, '0');
Support::setIfNotSet($config, SYSTEM_SECURITY_GET_MAX_LENGTH, '50');
Support::setIfNotSet($config, SYSTEM_SECURITY_GET_MAX_LENGTH, SYSTEM_SECURITY_GET_MAX_LENGTH_DEFAULT);
Support::setIfNotSet($config, SYSTEM_ESCAPE_TYPE_DEFAULT, TOKEN_ESCAPE_SINGLE_TICK);
Support::setIfNotSet($config, SYSTEM_GFX_EXTRA_BUTTON_INFO_INLINE, '<span class="glyphicon glyphicon-info-sign" aria-hidden="true"></span>');
Support::setIfNotSet($config, SYSTEM_GFX_EXTRA_BUTTON_INFO_BELOW, '<span class="glyphicon glyphicon-info-sign text-info" aria-hidden="true"></span>');