mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Correctly process request parameters other than GET or POST, dont use globals in the class but inject it

This commit is contained in:
Bernhard Posselt 2014-04-12 15:02:19 +02:00
parent 266325eac4
commit e7fa2790f3
2 changed files with 39 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
lib/private/appframework/http/request.php
View File

@ -60,7 +60,10 @@ class Request implements \ArrayAccess, \Countable, IRequest {
* @param string|false 'requesttoken' the requesttoken or false when not available * @param string|false 'requesttoken' the requesttoken or false when not available
* @see http://www.php.net/manual/en/reserved.variables.php * @see http://www.php.net/manual/en/reserved.variables.php
*/ */
public function __construct(array $vars=array()) { public function __construct(array $vars=array(), $stream='php://input') {
$this->inputStream = $stream;
$this->items['params'] = array();
foreach($this->allowedKeys as $name) { foreach($this->allowedKeys as $name) {
$this->items[$name] = isset($vars[$name]) $this->items[$name] = isset($vars[$name])
@ -68,25 +71,29 @@ class Request implements \ArrayAccess, \Countable, IRequest {
: array(); : array();
} }
if (defined('PHPUNIT_RUN') && PHPUNIT_RUN // 'application/json' must be decoded manually.
&& in_array('fakeinput', stream_get_wrappers())) { if (strpos($this->getHeader('Content-Type'), 'application/json') !== false) {
$this->inputStream = 'fakeinput://data'; $params = json_decode(file_get_contents($this->inputStream), true);
} else { if(count($params) > 0) {
$this->inputStream = 'php://input'; $this->items['params'] = $params;
} }
// Handle application/x-www-form-urlencoded for methods other than GET
// Only 'application/x-www-form-urlencoded' requests are automatically // or post correctly
// transformed by PHP, 'application/json' must be decoded manually. } elseif($vars['method'] !== 'GET'
if ($this->method === 'POST' && $vars['method'] !== 'POST'
&& strpos($this->getHeader('Content-Type'), 'application/json') !== false && strpos($this->getHeader('Content-Type'), 'application/x-www-form-urlencoded') !== false) {
) {
$this->items['params'] = $this->items['post'] = json_decode(file_get_contents($this->inputStream), true); parse_str(file_get_contents($this->inputStream), $params);
} if(is_array($params)) {
$this->items['params'] = $params;
}
}
$this->items['parameters'] = array_merge( $this->items['parameters'] = array_merge(
$this->items['get'], $this->items['get'],
$this->items['post'], $this->items['post'],
$this->items['urlParams'] $this->items['urlParams'],
$this->items['params']
); );
} }
@ -313,47 +320,22 @@ class Request implements \ArrayAccess, \Countable, IRequest {
* @throws \LogicException * @throws \LogicException
*/ */
protected function getContent() { protected function getContent() {
if ($this->content === false && $this->method === 'PUT') {
throw new \LogicException(
'"put" can only be accessed once if not '
. 'application/x-www-form-urlencoded or application/json.'
);
}
// If the content can't be parsed into an array then return a stream resource. // If the content can't be parsed into an array then return a stream resource.
if ($this->method === 'PUT' if ($this->method === 'PUT'
&& strpos($this->getHeader('Content-Type'), 'application/x-www-form-urlencoded') === false && strpos($this->getHeader('Content-Type'), 'application/x-www-form-urlencoded') === false
&& strpos($this->getHeader('Content-Type'), 'application/json') === false && strpos($this->getHeader('Content-Type'), 'application/json') === false
) { ) {
if ($this->content === false) {
throw new \LogicException(
'"put" can only be accessed once if not '
. 'application/x-www-form-urlencoded or application/json.'
);
}
$this->content = false; $this->content = false;
return fopen($this->inputStream, 'rb'); return fopen($this->inputStream, 'rb');
} else {
return $this->parameters;
} }
if (is_null($this->content)) {
$this->content = file_get_contents($this->inputStream);
/*
* Normal jquery ajax requests are sent as application/x-www-form-urlencoded
* and in $_GET and $_POST PHP transformes the data into an array.
* The first condition mimics this.
* The second condition allows for sending raw application/json data while
* still getting the result as an array.
*
*/
if (strpos($this->getHeader('Content-Type'), 'application/x-www-form-urlencoded') !== false) {
parse_str($this->content, $content);
if(is_array($content)) {
$this->content = $content;
}
} elseif (strpos($this->getHeader('Content-Type'), 'application/json') !== false) {
$content = json_decode($this->content, true);
if(is_array($content)) {
$this->content = $content;
}
}
}
return $this->content;
} }
/** /**

9
lib/private/server.php
View File

@ -35,6 +35,13 @@ class Server extends SimpleContainer implements IServerContainer {
$requesttoken = false; $requesttoken = false;
} }
if (defined('PHPUNIT_RUN') && PHPUNIT_RUN
&& in_array('fakeinput', stream_get_wrappers())) {
$stream = 'fakeinput://data';
} else {
$stream = 'php://input';
}
return new Request( return new Request(
array( array(
'get' => $_GET, 'get' => $_GET,
@ -48,7 +55,7 @@ class Server extends SimpleContainer implements IServerContainer {
: null, : null,
'urlParams' => $urlParams, 'urlParams' => $urlParams,
'requesttoken' => $requesttoken, 'requesttoken' => $requesttoken,
) ), $stream
); );
}); });
$this->registerService('PreviewManager', function($c) { $this->registerService('PreviewManager', function($c) {