author | matt <matt@59fd770c-687e-43c8-a1e3-f5a4ff64c105> | 2009-03-25 09:57:03 +0300 |
---|---|---|
committer | matt <matt@59fd770c-687e-43c8-a1e3-f5a4ff64c105> | 2009-03-25 09:57:03 +0300 |
commit | eb7b288c7a2acd11a9c2f8645f3e4a4692e7012b (patch) | |
tree | 2f8fe1db0d354134feb26cc423a9486bebfb69b4 /core | |
parent | 82e5ad5eb4d2dbcf2e8c5dd0b3aabf01f978cf92 (diff) |
- Throughout Piwik we no longer read from $_REQUEST, since it also contains $_COOKIE; we instead read the union of $_GET and $_POST.
- clarified how to test piwik for xss referer injection
Diffstat (limited to 'core')
-rw-r--r-- | core/API/Request.php | 7 | ||||
-rw-r--r-- | core/Common.php | 4 | ||||
-rw-r--r-- | core/FrontController.php | 1 | ||||
-rw-r--r-- | core/Tracker.php | 2 | ||||
-rw-r--r-- | core/Tracker/Generator.php | 4 | ||||
-rw-r--r-- | core/ViewDataTable.php | 4 |
6 files changed, 11 insertions, 11 deletions
diff --git a/core/API/Request.php b/core/API/Request.php
index 79993992ac..60bef14822 100644
--- a/core/API/Request.php
+++ b/core/API/Request.php
@@ -47,12 +47,13 @@ class Piwik_API_Request
 *
 * @param string GET request that defines the API call (must at least contain a "method" parameter)
 * Example: method=UserSettings.getWideScreen&idSite=1&date=yesterday&period=week&format=xml
- * If a request is not provided, then we use the $_REQUEST superglobal and fetch
+ * If a request is not provided, then we use the $_GET and $_POST superglobal and fetch
 * the values directly from the HTTP GET query.
 */
 function __construct($request = null)
 {
- $requestArray = $_REQUEST;
+ $defaultRequest = $_GET + $_POST;
+ $requestArray = $defaultRequest;
 if(!is_null($request))
 {
@@ -67,7 +68,7 @@ class Piwik_API_Request
 Zend_Registry::get('access')->reloadAccess();
 }
- $requestArray = array_merge($_REQUEST, $requestArray);
+ $requestArray = $requestArray + $defaultRequest;
 }
 foreach($requestArray as &$element)
diff --git a/core/Common.php b/core/Common.php
index 4d3b38815f..c3e167cffe 100644
--- a/core/Common.php
+++ b/core/Common.php
@@ -376,7 +376,7 @@ class Piwik_Common
 }
 /**
- * Returns a sanitized variable value from the $_REQUEST superglobal.
+ * Returns a sanitized variable value from the $_GET and $_POST superglobal.
 * If the variable doesn't have a value or an empty value, returns the defaultValue if specified.
 * If the variable doesn't have neither a value nor a default value provided, an exception is raised.
 *
@@ -395,7 +395,7 @@ class Piwik_Common
 {
 if(is_null($requestArrayToUse))
 {
- $requestArrayToUse = $_REQUEST;
+ $requestArrayToUse = $_GET + $_POST;
 }
 $varDefault = self::sanitizeInputValues( $varDefault );
diff --git a/core/FrontController.php b/core/FrontController.php
index 1c2948a0a1..aa2fc38a59 100644
--- a/core/FrontController.php
+++ b/core/FrontController.php
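Review bot: `$defaultRequest = $_GET + $_POST;` gives $_GET precedence on duplicate keys, which inverts what $_REQUEST delivered under the usual `request_order`/`variables_order` settings, where $_POST overrides $_GET; the same silent precedence change appears in Common.php getRequestVar and Tracker.php __construct. Whichever order is intended should be stated where the value is built, e.g. replace the added docblock line with `* If a request is not provided, we use $_GET merged with $_POST (on duplicate keys the $_GET value wins)`, which also fixes the singular "superglobal" for two arrays. The second hunk's `$requestArray + $defaultRequest` keeps the explicit request winning over the defaults, matching the old array_merge for string keys, though numeric keys are now kept rather than renumbered. __construct's body continues outside the hunk.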
@@ -280,7 +280,6 @@ class Piwik_FrontController
 for ($i=1; $i < $_SERVER['argc']; $i++)
 {
 parse_str($_SERVER['argv'][$i],$tmp);
- $_REQUEST = array_merge($_REQUEST, $tmp);
 $_GET = array_merge($_GET, $tmp);
 }
 }
diff --git a/core/Tracker.php b/core/Tracker.php
index bad522f78b..2dfaa9ef3c 100644
--- a/core/Tracker.php
+++ b/core/Tracker.php
@@ -47,7 +47,7 @@ class Piwik_Tracker
 public function __construct()
 {
- $this->request = $_REQUEST;
+ $this->request = $_GET + $_POST;
 }
 public function main()
diff --git a/core/Tracker/Generator.php b/core/Tracker/Generator.php
index ea1178123f..c52b1d904f 100644
--- a/core/Tracker/Generator.php
+++ b/core/Tracker/Generator.php
@@ -112,7 +112,7 @@ class Piwik_Tracker_Generator
 */
 public function __construct()
 {
- $_COOKIE = $_GET = $_REQUEST = $_POST = array();
+ $_COOKIE = $_GET = $_POST = array();
 // init GET and REQUEST to the empty array
 $this->setFakeRequest();
@@ -582,7 +582,7 @@ class Piwik_Tracker_Generator
 */
 protected function setFakeRequest()
 {
- $_REQUEST = $_GET = $this->currentget;
+ $_GET = $this->currentget;
 }
 /**
diff --git a/core/ViewDataTable.php b/core/ViewDataTable.php
index bf4340c30d..c450cc80f5 100644
--- a/core/ViewDataTable.php
+++ b/core/ViewDataTable.php
@@ -566,9 +566,9 @@ abstract class Piwik_ViewDataTable
 */
 protected function getDefaultOrCurrent( $nameVar )
 {
- if(isset($_REQUEST[$nameVar]))
+ if(isset($_GET[$nameVar]))
 {
- return htmlspecialchars($_REQUEST[$nameVar]);
+ return htmlspecialchars($_GET[$nameVar]);
 }
 $default = $this->getDefault($nameVar);
 return $default;
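Review bot: The context comment `// init GET and REQUEST to the empty array` right after the changed assignment in Piwik_Tracker_Generator::__construct is now stale, since the new line resets $_COOKIE, $_GET and $_POST and no longer touches $_REQUEST; change it to `// init COOKIE, GET and POST to the empty array`. Both this constructor and setFakeRequest now leave $_REQUEST as the real request, so anything still reading it during generation would not see the fake one — consistent with the commit's stated goal, but worth a sentence in that comment. __construct's body continues outside the hunk.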
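Review bot: getDefaultOrCurrent now consults only $_GET, while every other site in this commit (Request.php, Common.php, Tracker.php) replaces $_REQUEST with `$_GET + $_POST`; a parameter sent in the POST body was previously found through $_REQUEST and is now ignored here. If GET-only is intentional for view parameters, say so in a comment; otherwise use the same union, e.g. `$request = $_GET + $_POST; if(isset($request[$nameVar]))` and `return htmlspecialchars($request[$nameVar]);`. Routing the value through Piwik_Common::getRequestVar would also apply the shared sanitization instead of a bare htmlspecialchars, though its full signature is not visible in this diff. getDefaultOrCurrent is fully contained in the hunk.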