Commit cb4a7b3b authored by Carsten  Rose's avatar Carsten Rose

Config.php: cleanup of checking GET variables.

parent 7746e789
...@@ -384,6 +384,11 @@ const SYSTEM_SECURITY_ATTACK_DELAY = 'SECURITY_ATTACK_DELAY'; // Detected attack ...@@ -384,6 +384,11 @@ const SYSTEM_SECURITY_ATTACK_DELAY = 'SECURITY_ATTACK_DELAY'; // Detected attack
const SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT = 5; // Detected attack causes x seconds delay const SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT = 5; // Detected attack causes x seconds delay
const SYSTEM_SECURITY_SHOW_MESSAGE = 'SECURITY_SHOW_MESSAGE'; // Detected attack shows an error message const SYSTEM_SECURITY_SHOW_MESSAGE = 'SECURITY_SHOW_MESSAGE'; // Detected attack shows an error message
const SYSTEM_SECURITY_GET_MAX_LENGTH = 'SECURITY_GET_MAX_LENGTH'; // Trim every character (before conversion) to SECURITY_GET_MAX_LENGTH chars; const SYSTEM_SECURITY_GET_MAX_LENGTH = 'SECURITY_GET_MAX_LENGTH'; // Trim every character (before conversion) to SECURITY_GET_MAX_LENGTH chars;
const SYSTEM_SECURITY_GET_MAX_LENGTH_DEFAULT = 50; // Default max length for get variables
const SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH = 255; // Default max length for get variables
const GET_EXTRA_LENGTH_TOKEN = '_';
const SYSTEM_GFX_EXTRA_BUTTON_INFO_INLINE = 'GFX_EXTRA_BUTTON_INFO_INLINE'; const SYSTEM_GFX_EXTRA_BUTTON_INFO_INLINE = 'GFX_EXTRA_BUTTON_INFO_INLINE';
const SYSTEM_GFX_EXTRA_BUTTON_INFO_BELOW = 'GFX_EXTRA_BUTTON_INFO_BELOW'; const SYSTEM_GFX_EXTRA_BUTTON_INFO_BELOW = 'GFX_EXTRA_BUTTON_INFO_BELOW';
...@@ -415,7 +420,6 @@ const SYSTEM_DB_UPDATE_AUTO = 'auto'; ...@@ -415,7 +420,6 @@ const SYSTEM_DB_UPDATE_AUTO = 'auto';
const DOCUMENTATION_QFQ = 'DOCUMENTATION_QFQ'; const DOCUMENTATION_QFQ = 'DOCUMENTATION_QFQ';
const DOCUMENTATION_QFQ_URL = 'https://docs.typo3.org/typo3cms/drafts/github/T3DocumentationStarter/Public-Info-053/Manual.html'; const DOCUMENTATION_QFQ_URL = 'https://docs.typo3.org/typo3cms/drafts/github/T3DocumentationStarter/Public-Info-053/Manual.html';
const GET_EXTRA_LENGTH_TOKEN = '_';
// Not stored in config.qfq.ini, but used in STORE_SYSTEM // Not stored in config.qfq.ini, but used in STORE_SYSTEM
// Information for: Log / Debug / Exception // Information for: Log / Debug / Exception
......
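Review bot: The comment on the new `SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH` constant is copied from the line above and misdescribes the value: 255 is not a default, it is the hard cap applied to the per-variable length a request may claim through a numeric key suffix. Suggest `const SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH = 255; // Hard upper bound for a per-variable length requested via a '_<n>' key suffix; anything larger is treated as an attack`. `GET_EXTRA_LENGTH_TOKEN` is moved next to these constants without a comment; a line such as `const GET_EXTRA_LENGTH_TOKEN = '_'; // Separator before the optional numeric length suffix in a GET variable name, e.g. 'my_name_100'` would tie the three together. The first hunk shows fewer lines than its header counts, so part of it is not visible here.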
...@@ -72,13 +72,21 @@ class Config { ...@@ -72,13 +72,21 @@ class Config {
foreach ($_GET as $key => $value) { foreach ($_GET as $key => $value) {
// Check if the variable is something like 'my_name_100' - if the part after the last '_' is numerical, this means a valid, non standard length. // Check if the variable is something like 'my_name_100' - if the part after the last '_' is numerical, this means a valid, non standard length.
$arr = explode(GET_EXTRA_LENGTH_TOKEN, $key); $arr = explode(GET_EXTRA_LENGTH_TOKEN, $key);
$cnt = count($arr); $cnt = count($arr);
if ($cnt > 1 && is_numeric($arr[$cnt - 1])) { if ($cnt > 1 && is_numeric($arr[$cnt - 1])) {
if (strlen($value) > $arr[$cnt - 1]) { $maxLength = $arr[$cnt - 1];
if ($maxLength > SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH) {
$attack = true; $attack = true;
break;
} }
} elseif (strlen($value) > $maxLength) { } else {
$maxLength = $config[SYSTEM_SECURITY_GET_MAX_LENGTH]; // might change again.
}
if (strlen($value) > $maxLength) {
$attack = true; $attack = true;
break;
} }
} }
} }
...@@ -158,7 +166,7 @@ class Config { ...@@ -158,7 +166,7 @@ class Config {
Support::setIfNotSet($config, SYSTEM_SECURITY_VARS_HONEYPOT, 'email,username,password'); Support::setIfNotSet($config, SYSTEM_SECURITY_VARS_HONEYPOT, 'email,username,password');
Support::setIfNotSet($config, SYSTEM_SECURITY_ATTACK_DELAY, SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT); Support::setIfNotSet($config, SYSTEM_SECURITY_ATTACK_DELAY, SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT);
Support::setIfNotSet($config, SYSTEM_SECURITY_SHOW_MESSAGE, '0'); Support::setIfNotSet($config, SYSTEM_SECURITY_SHOW_MESSAGE, '0');
Support::setIfNotSet($config, SYSTEM_SECURITY_GET_MAX_LENGTH, '50'); Support::setIfNotSet($config, SYSTEM_SECURITY_GET_MAX_LENGTH, SYSTEM_SECURITY_GET_MAX_LENGTH_DEFAULT);
Support::setIfNotSet($config, SYSTEM_ESCAPE_TYPE_DEFAULT, TOKEN_ESCAPE_SINGLE_TICK); Support::setIfNotSet($config, SYSTEM_ESCAPE_TYPE_DEFAULT, TOKEN_ESCAPE_SINGLE_TICK);
Support::setIfNotSet($config, SYSTEM_GFX_EXTRA_BUTTON_INFO_INLINE, '<span class="glyphicon glyphicon-info-sign" aria-hidden="true"></span>'); Support::setIfNotSet($config, SYSTEM_GFX_EXTRA_BUTTON_INFO_INLINE, '<span class="glyphicon glyphicon-info-sign" aria-hidden="true"></span>');
Support::setIfNotSet($config, SYSTEM_GFX_EXTRA_BUTTON_INFO_BELOW, '<span class="glyphicon glyphicon-info-sign text-info" aria-hidden="true"></span>'); Support::setIfNotSet($config, SYSTEM_GFX_EXTRA_BUTTON_INFO_BELOW, '<span class="glyphicon glyphicon-info-sign text-info" aria-hidden="true"></span>');
......
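Review bot: The new length check `if (strlen($value) > $maxLength)` assumes every `$_GET` value is a string, but a query such as `?name[]=x` puts an array into `$_GET`, and `strlen()` on an array yields null with a warning on PHP 7 (so the value passes the check unchecked) or throws a TypeError on PHP 8; the commit should decide explicitly how array values are treated, e.g. guard with `if (!is_scalar($value)) {` and either reject the entry or check each element, rather than leaving it to `strlen()`. The suffix taken from the key is used as the raw string that `is_numeric()` accepted, which also admits forms like `1e2` or leading whitespace; `ctype_digit($arr[$cnt - 1])` plus an `(int)` cast would pin the intended `my_name_100` form and make `$maxLength > SYSTEM_SECURITY_ABSOLUTE_GET_MAX_LENGTH` an integer comparison. The trailing comment `// might change again.` on the `$config[SYSTEM_SECURITY_GET_MAX_LENGTH]` fallback does not say what might change; `// no explicit length in the key: use the configured default` states the intent. The enclosing function starts before this hunk, and the hunk header counts two more new lines than are visible here.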