Commit dd7d0b13 authored by Alain Vagner's avatar Alain Vagner

bug fix (stripped query string from path) and securing path, GET, POST

parent 08561641
......@@ -90,7 +90,6 @@ class RESTHttpRequest {
$this->login = '';
$this->password = '';
}
// TODO sécuriser path, GET et si possible POST (quand input n'est pas du xml)
if ($pPathInfo != null) {
$this->path = $pPathInfo;
} else {
......@@ -99,7 +98,34 @@ class RESTHttpRequest {
} else {
$this->path = '';
}
}
}
// delete query string
if (strpos($this->path, '?')) {
$tmp = explode('?',$this->path);
$this->path = $tmp[0];
}
// secure path
$unsecure_path = explode('/', $this->path);
$secure_path = array();
foreach ($unsecure_path as $i) {
$secure_path[] = trim(stripslashes(htmlentities($i)));
}
$this->path = implode('/', $secure_path);
// secure GET, POST
foreach ($_GET as $k => $v) {
unset($_GET[$k]);
$k = trim(stripslashes(htmlentities($k)));
$v = trim(stripslashes(htmlentities($v)));
$_GET[$k] = $v;
}
foreach ($_POST as $k => $v) {
unset($_POST[$k]);
$k = trim(stripslashes(htmlentities($k)));
$v = trim(stripslashes(htmlentities($v)));
$_POST[$k] = $v;
}
}
/**
......
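Review bot: The new `if (strpos($this->path, '?'))` check in the second hunk does not strip the query string when `?` is the first character of the path, because `strpos` returns 0 there and 0 is falsy; it should read `if (strpos($this->path, '?') !== false) {`. The `$_GET` and `$_POST` loops pass `$v` directly to `htmlentities()`, so an array-valued parameter (e.g. `a[]=1`) is not encoded element by element: PHP 8 throws a TypeError, while older versions emit a warning and the value ends up as an empty string. The loops need an `is_array($v)` branch that recurses or rejects the request. Entity-encoding at input time also only covers HTML output: `..` path segments pass through the path loop unchanged, and the values remain unsafe for SQL, shell or filesystem use, so I would add a comment such as `// HTML-encoding only; callers must still validate path segments and use parameterized queries`. The enclosing method begins above the visible hunks, so how `$this->path` is used afterwards cannot be checked from here.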