RequestFactory: refactoring of removing magic quotes

Author: dg

src/Http/Helpers.php

@@ -83,11 +83,13 @@ public static function removeDuplicateCookies()
 	/**
 	 * @internal
 	 */
-	public static function stripSlashes($arr)
+	public static function stripSlashes($arr, $onlyKeys = FALSE)
 	{
 		$res = array();
 		foreach ($arr as $k => $v) {
-			$res[stripslashes($k)] = is_array($v) ? self::stripSlashes($v) : stripslashes($v);
+			$res[stripslashes($k)] = is_array($v)
+				? self::stripSlashes($v, $onlyKeys)
+				: ($onlyKeys ? $v : stripslashes($v));
 		}
 		return $res;
 	}

src/Http/RequestFactory.php

@@ -100,38 +100,29 @@ public function createHttpRequest()
 		// GET, POST, COOKIE
 		$useFilter = (!in_array(ini_get('filter.default'), array('', 'unsafe_raw')) || ini_get('filter.default_flags'));
 
-		parse_str($url->getQuery(), $query);
+		$query = $url->getQueryParameters();
 		$post = $useFilter ? filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW) : (empty($_POST) ? array() : $_POST);
 		$cookies = $useFilter ? filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW) : (empty($_COOKIE) ? array() : $_COOKIE);
 
-		$gpc = (bool) get_magic_quotes_gpc();
+		if (get_magic_quotes_gpc()) {
+			$post = Helpers::stripslashes($post, $useFilter);
+			$cookies = Helpers::stripslashes($cookies, $useFilter);
+		}
 
-		// remove fucking quotes, control characters and check encoding
-		if ($gpc || !$this->binary) {
+		// remove invalid characters
+		if (!$this->binary) {
 			$list = array(& $query, & $post, & $cookies);
 			while (list($key, $val) = each($list)) {
 				foreach ($val as $k => $v) {
-					unset($list[$key][$k]);
-
-					if ($gpc) {
-						$k = stripslashes($k);
-					}
-
-					if (!$this->binary && is_string($k) && (!preg_match(self::CHARS, $k) || preg_last_error())) {
-						// invalid key -> ignore
+					if (is_string($k) && (!preg_match(self::CHARS, $k) || preg_last_error())) {
+						unset($list[$key][$k]);
 
 					} elseif (is_array($v)) {
 						$list[$key][$k] = $v;
 						$list[] = & $list[$key][$k];
 
-					} else {
-						if ($gpc && !$useFilter) {
-							$v = stripSlashes($v);
-						}
-						if (!$this->binary && (!preg_match(self::CHARS, $v) || preg_last_error())) {
-							$v = '';
-						}
-						$list[$key][$k] = $v;
+					} elseif (!preg_match(self::CHARS, $v) || preg_last_error()) {
+						$list[$key][$k] = '';
 					}
 				}
 			}
@@ -158,7 +149,7 @@ public function createHttpRequest()
 				continue;
 
 			} elseif (!is_array($v['name'])) {
-				if ($gpc) {
+				if (get_magic_quotes_gpc()) {
 					$v['name'] = stripSlashes($v['name']);
 				}
 				if (!$this->binary && (!preg_match(self::CHARS, $v['name']) || preg_last_error())) {

tests/Http/Request.request.phpt

@@ -18,7 +18,7 @@ $_SERVER = array(
 	'QUERY_STRING' => 'x param=val.&pa%%72am=val2&param3=v%20a%26l%3Du%2Be)',
 	'REMOTE_ADDR' => '192.168.188.66',
 	'REQUEST_METHOD' => 'GET',
-	'REQUEST_URI' => '/file.php?x param=val.&pa%%72am=val2&param3=v%20a%26l%3Du%2Be)',
+	'REQUEST_URI' => '/file.php?x param=val.&pa%%72am=val2&quotes\\"=\\"&param3=v%20a%26l%3Du%2Be)',
 	'SCRIPT_NAME' => '/file.php',
 );
 
@@ -39,16 +39,16 @@ test(function() {
 	Assert::same( 'nette.org',  $request->getUrl()->host );
 	Assert::same( 8080,  $request->getUrl()->port );
 	Assert::same( '/file.php',  $request->getUrl()->path );
-	Assert::same( 'x_param=val.&pa%25ram=val2&param3=v%20a%26l%3Du%2Be',  $request->getUrl()->query );
+	Assert::same( 'x_param=val.&pa%25ram=val2&quotes%5C%22=%5C%22&param3=v%20a%26l%3Du%2Be',  $request->getUrl()->query );
 	Assert::same( '',  $request->getUrl()->fragment );
 	Assert::same( 'val.',  $request->getQuery('x_param') );
 	Assert::same( 'val2',  $request->getQuery('pa%ram') );
 	Assert::same( 'nette.org:8080',  $request->getUrl()->authority );
 	Assert::same( 'https://nette.org:8080',  $request->getUrl()->hostUrl );
 	Assert::same( 'https://nette.org:8080/',  $request->getUrl()->baseUrl );
 	Assert::same( '/',  $request->getUrl()->basePath );
-	Assert::same( 'file.php?x_param=val.&pa%25ram=val2&param3=v%20a%26l%3Du%2Be',  $request->getUrl()->relativeUrl );
-	Assert::same( 'https://nette.org:8080/file.php?x_param=val.&pa%25ram=val2&param3=v%20a%26l%3Du%2Be',  $request->getUrl()->absoluteUrl );
+	Assert::same( 'file.php?x_param=val.&pa%25ram=val2&quotes%5C%22=%5C%22&param3=v%20a%26l%3Du%2Be',  $request->getUrl()->relativeUrl );
+	Assert::same( 'https://nette.org:8080/file.php?x_param=val.&pa%25ram=val2&quotes%5C%22=%5C%22&param3=v%20a%26l%3Du%2Be',  $request->getUrl()->absoluteUrl );
 	Assert::same( '',  $request->getUrl()->pathInfo );
 });
 
@@ -65,7 +65,7 @@ test(function() {
 	Assert::same( 'nette.org',  $request->getUrl()->host );
 	Assert::same( 8080,  $request->getUrl()->port );
 	Assert::same( '/file.php',  $request->getUrl()->path );
-	Assert::same( 'x_param=val.&pa%25ram=val2&param3=v%20a%26l%3Du%2Be%29',  $request->getUrl()->query );
+	Assert::same( 'x_param=val.&pa%25ram=val2&quotes%5C%22=%5C%22&param3=v%20a%26l%3Du%2Be%29',  $request->getUrl()->query );
 	Assert::same( '',  $request->getUrl()->fragment );
 	Assert::same( 'val.',  $request->getQuery('x_param') );
 	Assert::same( 'val2',  $request->getQuery('pa%ram') );