typo3 / qfq

Commit cb4a7b3b, authored Jun 30, 2017 by Carsten Rose

Config.php: cleanup of checking GET variables.

parent 7746e789

Changes: 2 files
extension/qfq/qfq/Constants.php
@@ -384,6 +384,11 @@ const SYSTEM_SECURITY_ATTACK_DELAY = 'SECURITY_ATTACK_DELAY'; // Detected attack
const
SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT
=
5
;
// Detected attack causes x seconds delay
const
SYSTEM_SECURITY_SHOW_MESSAGE
=
'SECURITY_SHOW_MESSAGE'
;
// Detected attack shows an error message
const
SYSTEM_SECURITY_GET_MAX_LENGTH
=
'SECURITY_GET_MAX_LENGTH'
;
// Trim every character (before conversion) to SECURITY_GET_MAX_LENGTH chars;
const
SYSTEM_SECURITY_GET_MAX_LENGTH_DEFAULT
=
50
;
// Default max length for get variables
const
SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH
=
255
;
// Default max length for get variables
const
GET_EXTRA_LENGTH_TOKEN
=
'_'
;
const
SYSTEM_GFX_EXTRA_BUTTON_INFO_INLINE
=
'GFX_EXTRA_BUTTON_INFO_INLINE'
;
const
SYSTEM_GFX_EXTRA_BUTTON_INFO_BELOW
=
'GFX_EXTRA_BUTTON_INFO_BELOW'
;
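Review bot: the comment on SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH repeats the one on SYSTEM_SECURITY_GET_MAX_LENGTH_DEFAULT ("Default max length for get variables"), but 255 is not a default: it is the hard ceiling that a per-parameter length suffix may not exceed, and the only limit the requester cannot raise. Say so in the comment, e.g. `// Absolute upper bound for any GET variable, even with an explicit '_<length>' suffix`. GET_EXTRA_LENGTH_TOKEN is added here without any comment; a one-liner naming it as the separator that Config.php splits the key on ('my_name_100') would save the next reader a lookup.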
@@ -415,7 +420,6 @@ const SYSTEM_DB_UPDATE_AUTO = 'auto';
const
DOCUMENTATION_QFQ
=
'DOCUMENTATION_QFQ'
;
const
DOCUMENTATION_QFQ_URL
=
'https://docs.typo3.org/typo3cms/drafts/github/T3DocumentationStarter/Public-Info-053/Manual.html'
;
const
GET_EXTRA_LENGTH_TOKEN
=
'_'
;
// Not stored in config.qfq.ini, but used in STORE_SYSTEM
// Information for: Log / Debug / Exception
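Review bot: the GET_EXTRA_LENGTH_TOKEN = '_' declaration at this position is the one the previous hunk re-adds next to the SYSTEM_SECURITY_* constants, so this hunk should be the removal of the old copy (the header's 7 -> 6 line count matches that); double-check that exactly one declaration survives in Constants.php, since PHP complains about a constant being declared twice. Keeping the length-check constants together is the right move; the "Not stored in config.qfq.ini" comment below still applies only to the constants that follow it.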
extension/qfq/qfq/store/Config.php
@@ -72,13 +72,21 @@ class Config {
foreach
(
$_GET
as
$key
=>
$value
)
{
// Check if the variable is something like 'my_name_100' - if the part after the last '_' is numerical, this means a valid, non standard length.
$arr
=
explode
(
GET_EXTRA_LENGTH_TOKEN
,
$key
);
$cnt
=
count
(
$arr
);
if
(
$cnt
>
1
&&
is_numeric
(
$arr
[
$cnt
-
1
]))
{
if
(
strlen
(
$value
)
>
$arr
[
$cnt
-
1
])
{
$maxLength
=
$arr
[
$cnt
-
1
];
if
(
$maxLength
>
SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH
)
{
$attack
=
true
;
break
;
}
}
elseif
(
strlen
(
$value
)
>
$maxLength
)
{
}
else
{
$maxLength
=
$config
[
SYSTEM_SECURITY_GET_MAX_LENGTH
];
// might change again.
}
if
(
strlen
(
$value
)
>
$maxLength
)
{
$attack
=
true
;
break
;
}
}
}
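Review bot: the is_numeric() test on the key suffix in `if ($cnt > 1 && is_numeric($arr[$cnt - 1]))` accepts more than a plain length: '1e2', '5.5', ' 7' and '-3' all pass, and a zero or negative suffix then makes `strlen($value) > $maxLength` true for every value, so the request is flagged as an attack for the wrong reason. Use `ctype_digit($arr[$cnt - 1])` and cast to (int) so that $maxLength is always a positive integer. The comment on the first line should also state the consequence of the design: because the suffix is part of the key the requester sends, the effective ceiling for any parameter name is SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH (255), and SYSTEM_SECURITY_GET_MAX_LENGTH only applies to keys without a suffix; if some parameters must stay at the configured default, that needs a server-side list rather than the key name. The old `elseif (strlen($value) > $maxLength) { }` branch read $maxLength before anything assigned it and did nothing; the new else branch fixes that, but "// might change again." should say what is expected to change it, or be dropped. Finally, strlen() counts bytes, so a multibyte value is cut shorter than the stated character limit; say "bytes" in the comment or use mb_strlen() if characters are meant.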
@@ -158,7 +166,7 @@ class Config {
Support
::
setIfNotSet
(
$config
,
SYSTEM_SECURITY_VARS_HONEYPOT
,
'email,username,password'
);
Support
::
setIfNotSet
(
$config
,
SYSTEM_SECURITY_ATTACK_DELAY
,
SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT
);
Support
::
setIfNotSet
(
$config
,
SYSTEM_SECURITY_SHOW_MESSAGE
,
'0'
);
Support
::
setIfNotSet
(
$config
,
SYSTEM_SECURITY_GET_MAX_LENGTH
,
'50'
);
Support
::
setIfNotSet
(
$config
,
SYSTEM_SECURITY_GET_MAX_LENGTH
,
SYSTEM_SECURITY_GET_MAX_LENGTH_DEFAULT
);
Support
::
setIfNotSet
(
$config
,
SYSTEM_ESCAPE_TYPE_DEFAULT
,
TOKEN_ESCAPE_SINGLE_TICK
);
Support
::
setIfNotSet
(
$config
,
SYSTEM_GFX_EXTRA_BUTTON_INFO_INLINE
,
'<span class="glyphicon glyphicon-info-sign" aria-hidden="true"></span>'
);
Support
::
setIfNotSet
(
$config
,
SYSTEM_GFX_EXTRA_BUTTON_INFO_BELOW
,
'<span class="glyphicon glyphicon-info-sign text-info" aria-hidden="true"></span>'
);
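Review bot: replacing the literal '50' with SYSTEM_SECURITY_GET_MAX_LENGTH_DEFAULT changes the fallback from the string '50' to the int 50, while a value set in config.qfq.ini arrives as a string. The `strlen($value) > $maxLength` comparison in Config.php copes with either, but a non-numeric ini value compares as 0 under PHP 7 and would reject every non-empty GET value. Validate the configured value as a positive integer when it is read (ctype_digit, or (int) with a > 0 check) and apply the same to SYSTEM_SECURITY_ATTACK_DELAY, which gets a numeric default in the same block.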