Add validator class for HTTP parameters
fisharebest committed Oct 1, 2021
1 parent 6d966f6 commit 8d9c2b6
Showing 13 changed files with 223 additions and 47 deletions.
3 changes: 2 additions & 1 deletion app/Http/RequestHandlers/AddChildToFamilyAction.php
Expand Up @@ -23,6 +23,7 @@
use Fisharebest\Webtrees\Registry;
use Fisharebest\Webtrees\Services\GedcomEditService;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
Expand Down Expand Up @@ -78,7 +79,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
$family->createFact('1 CHIL @' . $child->xref() . '@', false);

$base_url = $request->getAttribute('base_url');
$url = str_starts_with($params['url'], $base_url) ? $params['url'] : $child->url();
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? $child->url();

return redirect($url);
}
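Review bot: The behaviour of `localUrl($base_url)` on the new line 28 cannot be checked from this page — the Validator class is among the 13 changed files but its hunk is not shown — so it is worth confirming that it does more than the `str_starts_with` prefix test it replaces. A bare prefix match accepts any absolute URL whose text merely begins with `$base_url` (a different host that continues the string when `base_url` has no trailing slash), so the redirect could still leave the site; comparing the parsed scheme, host and port and requiring a path boundary after the base path is the check a reviewer would expect. The same one-line replacement appears in AddChildToIndividualAction, AddParentToIndividualAction, AddSpouseToFamilyAction, AddSpouseToIndividualAction, AddUnlinkedAction, EditFactAction and EditRawFactAction, and the enclosing `handle()` starts outside the hunk in each of them.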
3 changes: 2 additions & 1 deletion app/Http/RequestHandlers/AddChildToIndividualAction.php
Expand Up @@ -23,6 +23,7 @@
use Fisharebest\Webtrees\Registry;
use Fisharebest\Webtrees\Services\GedcomEditService;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
Expand Down Expand Up @@ -86,7 +87,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
$child->createFact('1 FAMC @' . $family->xref() . '@', false);

$base_url = $request->getAttribute('base_url');
$url = str_starts_with($params['url'], $base_url) ? $params['url'] : $child->url();
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? $child->url();

return redirect($url);
}
3 changes: 2 additions & 1 deletion app/Http/RequestHandlers/AddParentToIndividualAction.php
Expand Up @@ -23,6 +23,7 @@
use Fisharebest\Webtrees\Registry;
use Fisharebest\Webtrees\Services\GedcomEditService;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
Expand Down Expand Up @@ -86,7 +87,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
$parent->createFact('1 FAMS @' . $family->xref() . '@', false);

$base_url = $request->getAttribute('base_url');
$url = str_starts_with($params['url'], $base_url) ? $params['url'] : $parent->url();
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? $parent->url();

return redirect($url);
}
3 changes: 2 additions & 1 deletion app/Http/RequestHandlers/AddSpouseToFamilyAction.php
Expand Up @@ -23,6 +23,7 @@
use Fisharebest\Webtrees\Registry;
use Fisharebest\Webtrees\Services\GedcomEditService;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
Expand Down Expand Up @@ -95,7 +96,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
$family->createFact('1 ' . $link . ' @' . $spouse->xref() . '@', false);

$base_url = $request->getAttribute('base_url');
$url = str_starts_with($params['url'], $base_url) ? $params['url'] : $spouse->url();
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? $spouse->url();

return redirect($url);
}
3 changes: 2 additions & 1 deletion app/Http/RequestHandlers/AddSpouseToIndividualAction.php
Expand Up @@ -23,6 +23,7 @@
use Fisharebest\Webtrees\Registry;
use Fisharebest\Webtrees\Services\GedcomEditService;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
Expand Down Expand Up @@ -89,7 +90,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
$spouse->createFact('1 FAMS @' . $family->xref() . '@', false);

$base_url = $request->getAttribute('base_url');
$url = str_starts_with($params['url'], $base_url) ? $params['url'] : $spouse->url();
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? $spouse->url();

return redirect($url);
}
3 changes: 2 additions & 1 deletion app/Http/RequestHandlers/AddUnlinkedAction.php
Expand Up @@ -21,6 +21,7 @@

use Fisharebest\Webtrees\Services\GedcomEditService;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
Expand Down Expand Up @@ -66,7 +67,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
$individual = $tree->createIndividual("0 @@ INDI\n" . $gedcom);

$base_url = $request->getAttribute('base_url');
$url = str_starts_with($params['url'], $base_url) ? $params['url'] : $individual->url();
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? $individual->url();

return redirect($url);
}
17 changes: 8 additions & 9 deletions app/Http/RequestHandlers/ContactAction.php
Expand Up @@ -30,6 +30,7 @@
use Fisharebest\Webtrees\Services\MessageService;
use Fisharebest\Webtrees\Services\UserService;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
Expand Down Expand Up @@ -87,13 +88,13 @@ public function handle(ServerRequestInterface $request): ResponseInterface
$tree = $request->getAttribute('tree');
assert($tree instanceof Tree);

$params = (array) $request->getParsedBody();
$body = $params['body'];
$from_email = $params['from_email'];
$from_name = $params['from_name'];
$subject = $params['subject'];
$to = $params['to'];
$url = $params['url'];
$base_url = $request->getAttribute('base_url');
$body = Validator::parsedBody($request)->string('body') ?? '';
$from_email = Validator::parsedBody($request)->string('from_email') ?? '';
$from_name = Validator::parsedBody($request)->string('from_name') ?? '';
$subject = Validator::parsedBody($request)->string('subject') ?? '';
$to = Validator::parsedBody($request)->string('to') ?? '';
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? '';
$ip = $request->getAttribute('client-ip');
$to_user = $this->user_service->findByUserName($to);

Expand All @@ -117,8 +118,6 @@ public function handle(ServerRequestInterface $request): ResponseInterface
$errors = true;
}

$base_url = $request->getAttribute('base_url');

if (preg_match('/(?!' . preg_quote($base_url, '/') . ')(((?:ftp|http|https):\/\/)[a-zA-Z0-9.-]+)/', $subject . $body, $match)) {
FlashMessages::addMessage(I18N::translate('You are not allowed to send messages that contain external links.') . ' ' . /* I18N: e.g. ‘You should delete the “https://” from “https://www.example.com” and try again.’ */
I18N::translate('You should delete the “%1$s” from “%2$s” and try again.', $match[2], $match[1]), 'danger');
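Review bot: Lines 149–154 call `Validator::parsedBody($request)` six times for the same request; reading it once into a local, `$validator = Validator::parsedBody($request);` followed by `$body = $validator->string('body') ?? '';` and so on, keeps the block readable and avoids presumably constructing a new validator per field (LoginAction and MessageAction in this commit repeat the same pattern). Separately, every field now defaults to `''` where the old `$params['body']` lookups produced null for a missing key, so `findByUserName($to)` on line 156 is now reached with an empty string when `to` is absent; the later checks that set `$errors = true` presumably treat `''` as missing, but that part of `handle()` lies outside the hunk and is worth confirming.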
3 changes: 2 additions & 1 deletion app/Http/RequestHandlers/EditFactAction.php
Expand Up @@ -26,6 +26,7 @@
use Fisharebest\Webtrees\Services\GedcomEditService;
use Fisharebest\Webtrees\Services\ModuleService;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
Expand Down Expand Up @@ -115,7 +116,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
}

$base_url = $request->getAttribute('base_url');
$url = str_starts_with($params['url'], $base_url) ? $params['url'] : $record->url();
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? $record->url();

return redirect($url);
}
3 changes: 2 additions & 1 deletion app/Http/RequestHandlers/EditRawFactAction.php
Expand Up @@ -22,6 +22,7 @@
use Fisharebest\Webtrees\Auth;
use Fisharebest\Webtrees\Registry;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
Expand Down Expand Up @@ -73,7 +74,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
}

$base_url = $request->getAttribute('base_url');
$url = str_starts_with($params['url'], $base_url) ? $params['url'] : $record->url();
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? $record->url();

return redirect($url);
}
13 changes: 4 additions & 9 deletions app/Http/RequestHandlers/EmptyClipboard.php
Expand Up @@ -19,16 +19,12 @@

namespace Fisharebest\Webtrees\Http\RequestHandlers;

use Fisharebest\Webtrees\Auth;
use Fisharebest\Webtrees\Registry;
use Fisharebest\Webtrees\Services\ClipboardService;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;

use function assert;
use function is_string;
use function redirect;

/**
Expand Down Expand Up @@ -57,12 +53,11 @@ public function __construct(ClipboardService $clipboard_service)
*/
public function handle(ServerRequestInterface $request): ResponseInterface
{
$params = (array) $request->getParsedBody();

$this->clipboard_service->emptyClipboard();

$base_url = $request->getAttribute('base_url');
$url = str_starts_with($params['url'], $base_url) ? $params['url'] : $request->getHeaderLine('Referer');
$base_url = $request->getAttribute('base_url');
$default_url = $request->getHeaderLine('Referer');
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? $default_url;

return redirect($url);
}
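Review bot: The fallback on lines 236–237 redirects to the unvalidated `Referer` header whenever `url` fails the `localUrl($base_url)` check, so a client-supplied header bypasses exactly the local-URL restriction this commit introduces for `url`. That was already the behaviour before the change, but the other handlers touched here fall back to a fixed route (`route(HomePage::class)` in LoginAction, `route(TreePage::class, ...)` in MessageAction); doing the same, or applying the same local-URL check to the Referer value before using it, would make every redirect target in the commit go through the validator. The dropped `Auth`, `Registry`, `Tree`, `assert` and `is_string` imports appear unused in the remaining code, which looks fine.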
17 changes: 7 additions & 10 deletions app/Http/RequestHandlers/LoginAction.php
Expand Up @@ -30,6 +30,7 @@
use Fisharebest\Webtrees\Services\UserService;
use Fisharebest\Webtrees\Session;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
Expand Down Expand Up @@ -66,13 +67,12 @@ public function __construct(UpgradeService $upgrade_service, UserService $user_s
*/
public function handle(ServerRequestInterface $request): ResponseInterface
{
$tree = $request->getAttribute('tree');

$params = (array) $request->getParsedBody();

$username = $params['username'];
$password = $params['password'];
$url = $params['url'];
$tree = $request->getAttribute('tree');
$base_url = $request->getAttribute('base_url');
$default_url = route(HomePage::class);
$username = Validator::parsedBody($request)->string('username') ?? '';
$password = Validator::parsedBody($request)->string('password') ?? '';
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? $default_url;

try {
$this->doLogin($username, $password);
Expand All @@ -82,9 +82,6 @@ public function handle(ServerRequestInterface $request): ResponseInterface
}

// Redirect to the target URL
$base_url = $request->getAttribute('base_url');
$url = str_starts_with($url, $base_url) ? $url : route(HomePage::class);

return redirect($url);
} catch (Exception $ex) {
// Failed to log in.
22 changes: 11 additions & 11 deletions app/Http/RequestHandlers/MessageAction.php
Expand Up @@ -27,6 +27,7 @@
use Fisharebest\Webtrees\Services\MessageService;
use Fisharebest\Webtrees\Services\UserService;
use Fisharebest\Webtrees\Tree;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
Expand Down Expand Up @@ -69,14 +70,16 @@ public function handle(ServerRequestInterface $request): ResponseInterface
$tree = $request->getAttribute('tree');
assert($tree instanceof Tree);

$user = $request->getAttribute('user');
$params = (array) $request->getParsedBody();
$body = $params['body'];
$subject = $params['subject'];
$to = $params['to'];
$url = $params['url'];
$to_user = $this->user_service->findByUserName($to);
$ip = $request->getAttribute('client-ip');
$user = $request->getAttribute('user');
$params = (array) $request->getParsedBody();
$body = $params['body'];
$subject = $params['subject'];
$to = $params['to'];
$to_user = $this->user_service->findByUserName($to);
$ip = $request->getAttribute('client-ip');
$base_url = $request->getAttribute('base_url');
$default_url = route(TreePage::class, ['tree' => $tree->name()]);
$url = Validator::parsedBody($request)->localUrl($base_url)->string('url') ?? $default_url;

if ($to_user === null || $to_user->getPreference(UserInterface::PREF_CONTACT_METHOD) === 'none') {
throw new HttpAccessDeniedException('Invalid contact user id');
Expand All @@ -95,9 +98,6 @@ public function handle(ServerRequestInterface $request): ResponseInterface
if ($this->message_service->deliverMessage($user, $to_user, $subject, $body, $url, $ip)) {
FlashMessages::addMessage(I18N::translate('The message was successfully sent to %s.', e($to_user->realName())), 'success');

$base_url = $request->getAttribute('base_url');
$url = str_starts_with($url, $base_url) ? $url : route(TreePage::class, ['tree' => $tree->name()]);

return redirect($url);
}
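Review bot: Lines 304–307 still read `body`, `subject` and `to` straight from `(array) $request->getParsedBody()`, while the same handler now takes `url` through `Validator` and ContactAction in this commit migrated all of its fields; a missing key here still emits an "Undefined array key" warning under PHP 8 and passes null to `findByUserName()` on line 308. Using the new class for these too keeps the handler consistent: `$body = Validator::parsedBody($request)->string('body') ?? '';`, `$subject = Validator::parsedBody($request)->string('subject') ?? '';`, `$to = Validator::parsedBody($request)->string('to') ?? '';`, after which the `$params` assignment on line 304 is unused and can be removed. The enclosing `handle()` continues past the hunk on both sides.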

