diff --git a/src/Http/RequestFactory.php b/src/Http/RequestFactory.php
index 9be953bd..732c8b0c 100644
--- a/src/Http/RequestFactory.php
+++ b/src/Http/RequestFactory.php
@@ -81,8 +81,12 @@ public function createHttpRequest(): Request
}
// path & query
+ $reChars = '#^[' . self::CHARS . ']*+\z#u';
$requestUrl = $_SERVER['REQUEST_URI'] ?? '/';
$requestUrl = preg_replace('#^\w++://[^/]++#', '', $requestUrl);
+ if (!$this->binary && (!preg_match($reChars, rawurldecode($requestUrl)) || preg_last_error())) {
+ // TODO: invalid request
+ }
$requestUrl = Strings::replace($requestUrl, $this->urlFilters['url']);
$tmp = explode('?', $requestUrl, 2);
$path = Url::unescape($tmp[0], '%/?#');
@@ -100,34 +104,20 @@ public function createHttpRequest(): Request
}
$url->setScriptPath($path);
- // GET, POST, COOKIE
+ // POST, COOKIE
$useFilter = (!in_array(ini_get('filter.default'), ['', 'unsafe_raw'], true) || ini_get('filter.default_flags'));
-
- $query = $url->getQueryParameters();
$post = $useFilter ? filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW) : (empty($_POST) ? [] : $_POST);
$cookies = $useFilter ? filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW) : (empty($_COOKIE) ? [] : $_COOKIE);
// remove invalid characters
- $reChars = '#^[' . self::CHARS . ']*+\z#u';
if (!$this->binary) {
- $list = [&$query, &$post, &$cookies];
- foreach ($list as $key => &$val) {
- foreach ($val as $k => $v) {
- if (is_string($k) && (!preg_match($reChars, $k) || preg_last_error())) {
- unset($list[$key][$k]);
-
- } elseif (is_array($v)) {
- $list[$key][$k] = $v;
- $list[] = &$list[$key][$k];
-
- } else {
- $list[$key][$k] = (string) preg_replace('#[^' . self::CHARS . ']+#u', '', $v);
- }
- }
+ if (!preg_match($reChars, rawurldecode(http_build_query($post))) || preg_last_error()) {
+ $post = [];
+ }
+ if (!preg_match($reChars, rawurldecode(http_build_query($cookies))) || preg_last_error()) {
+ $cookies = [];
}
- unset($list, $key, $val, $k, $v);
}
- $url->setQuery($query);
// FILES and create FileUpload objects