Changeset 5937
- Timestamp:
- 01/14/12 19:53:37 (4 months ago)
- Location:
- trunk
- Files:
-
- 1 added
- 2 edited
-
core/httprequest.core.php (modified) (6 diffs)
-
core/router.core.php (modified) (6 diffs)
-
tests/unittests/core/router.core.php (added)
trunk/core/httprequest.core.php
r5704 r5937 125 125 * 5) Detect REST Tunneling through POST and set request_method accordingly 126 126 */ 127 public function __construct( )127 public function __construct($ids_on = false) 128 128 { 129 129 # 1) Drop $_REQUEST. Usage is forbidden. 130 130 unset($_REQUEST); 131 131 132 # 2) Run Intrusion Detection System (on GET, POST, COOKIES) 133 $doorKeeper = new Clansuite_DoorKeeper; 134 $doorKeeper->runIDS(); 132 if($ids_on === true) 133 { 134 # 2) Run Intrusion Detection System (on GET, POST, COOKIES) 135 $doorKeeper = new Clansuite_DoorKeeper; 136 $doorKeeper->runIDS(); 137 } 135 138 136 139 /** … … 637 640 * This method takes care for REST (Representational State Transfer) by tunneling PUT, DELETE through POST (principal of least power). 638 641 * Ok, this is faked or spoofed REST, but lowers the power of POST and it's short and nice in html forms. 639 * @todo allow'GET' through POST?642 * @todo consider allowing 'GET' through POST? 640 643 * 641 644 * @see https://wiki.nbic.nl/index.php/REST.inc … … 644 647 public function detectRESTTunneling() 645 648 { 646 # this will allow DELETE and PUT 647 $rest_methodnames = array('DELETE', 'PUT'); 649 $allowed_rest_methodnames = array('DELETE', 'PUT'); 648 650 649 651 # request_method has to be POST AND GET has to to have the method GET 650 if ($_SERVER['REQUEST_METHOD'] == 'POST' and isset($_GET['method']))652 if ($_SERVER['REQUEST_METHOD'] == 'POST' and $this->issetParameter('GET', 'method')) 651 653 { 652 654 # check for allowed rest commands 653 if (in_array(mb_strtoupper($_GET['method']), $ rest_methodnames))655 if (in_array(mb_strtoupper($_GET['method']), $allowed_rest_methodnames)) 654 656 { 655 657 # set the internal (tunneled) method as new REQUEST_METHOD … … 676 678 } 677 679 } 678 elseif($_SERVER['REQUEST_METHOD'] == 'GET' and isset($_GET['method'])) # $this->issetParameter('GET', 'method')680 elseif($_SERVER['REQUEST_METHOD'] == 'GET' and $this->issetParameter('GET', 'method')) 679 681 { 680 682 # NOPE, 
there's no tunneling through GET! … … 684 686 685 687 /** 686 * Get the REQUEST METHOD 687 * Returns the internal request method first, then $_SERVER REQUEST_METHOD. 688 * Get the REQUEST METHOD (POST, GET, PUT, DELETE) 689 * 690 * The internally set request_method (PUT or DELETE) is returned first, 691 * because we might have a REST-tunneling. 688 692 * 689 693 * @return string request method … … 691 695 public static function getRequestMethod() 692 696 { 693 # first get the internally set request_method (PUT or DELETE) because we might have a REST-tunneling694 697 if(isset(self::$request_method)) 695 698 { 696 699 return self::$request_method; 697 700 } 698 else # this will be POST or GET 699 { 700 #if(in_array(strtolower($_SERVER['REQUEST_METHOD']), array('get','post')) 701 #{ 702 return $_SERVER['REQUEST_METHOD']; 703 #} 701 else 702 { 703 return $_SERVER['REQUEST_METHOD']; 704 704 } 705 705 } -
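Review bot: The new `$ids_on = false` default in `__construct` turns the DoorKeeper IDS run on GET, POST and COOKIES off for every existing `new Clansuite_HttpRequest()` call that is not updated to pass `true`, so that check silently stops running unless a caller opts in. A fail-safe default keeps the previous behaviour, `public function __construct($ids_on = true)`, and the few callers that really need it off (tests, for instance) pass `false` explicitly. In detectRESTTunneling the condition now goes through `$this->issetParameter('GET', 'method')` while the body on the next lines still reads `$_GET['method']` directly, so the two can disagree if issetParameter does anything beyond a plain isset(). The whitelist check on new line 655 should also be strict, `in_array(mb_strtoupper($_GET['method']), $allowed_rest_methodnames, true)`. detectRESTTunneling continues outside the hunk.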
trunk/core/router.core.php
r5519 r5937 223 223 public static function buildURL($urlstring, $internal_url = true) 224 224 { 225 # if urlstring is already a qualified url 225 # if urlstring is already a qualified url (http://...) 226 226 if(false !== strpos($urlstring, WWW_ROOT . 'index.php?mod=')) 227 227 { … … 237 237 else # ROOT/index.php?mod=abc&action=123&etc... 238 238 { 239 $url_values = explode('/', ltrim($urlstring, '/')); 240 $url_keys = array('mod', 'sub', 'action', 'id'); 241 $url_data = Clansuite_Functions::array_unequal_combine($url_keys, $url_values); 239 # remove all double slahes 240 while (false !== strpos($urlstring, '//')) 241 { 242 $url = str_replace('//', '/', $urlstring); 243 } 244 245 # get only the part after "index.php=?" 246 if(false !== strpos($urlstring, 'index.php?')) 247 { 248 $urlstring = strstr($urlstring, 'index.php?'); 249 } 250 251 # and explode the string into an indexed array 252 $urlstring = ltrim($urlstring, '/'); 253 $url_params_idx_array = explode('/', $urlstring); 254 255 var_dump($url_params_idx_array); 256 257 /** 258 * This turns the indexed url parameters array into a named one. 259 * [0]=> "news" to [mod] => "news" 260 * [1]=> "show" to [action] => "show" 261 * 262 * It also a static whitelist for url parameter keys. 263 * 264 * @todo how do i get the dynamic parameter names in here? year, date, etc. 265 * To solve this, maybe, the first index might be used to load the routes of that module. 266 * Then a reverse lookup in the routes table. For now this is static. 267 */ 268 if($url_params_idx_array[1] === 'admin') 269 { 270 # module admin whitelist 271 $url_keys = array('mod', 'sub', 'action', 'id', 'type'); 272 } 273 else 274 { 275 # public module whitelist 276 $url_keys = array('mod', 'action', 'id', 'type'); 277 } 278 279 $url_data = Clansuite_Functions::array_unequal_combine($url_keys, $url_params_idx_array); 242 280 $url = ''; 243 281 … … 255 293 } 256 294 295 #Clansuite_Debug::printR(WWW_ROOT . 'index.php?' . 
$url); 257 296 #Clansuite_Debug::firebug(WWW_ROOT . 'index.php?' . $url); 258 297 return WWW_ROOT . 'index.php?' . $url; … … 338 377 unset($route_pattern); 339 378 340 #Clansuite_Debug::printR($route_values);379 Clansuite_Debug::printR($route_values); 341 380 342 381 $matches = ''; … … 422 461 * Checks if Apache Module "mod_rewrite" is loaded/enabled 423 462 * and Rewrite Engine is enabled in .htaccess" 424 * 463 * 425 464 * @return boolean True, if mod_rewrite on. 426 465 */ … … 468 507 * A multislash removal is not needed, because of the later usage of preg_split. 469 508 * 470 * @param string $re uest_uril this is basicallyClansuite_HttpRequest::getRequestURI509 * @param string $request_url Clansuite_HttpRequest::getRequestURI 471 510 * 472 511 * @return string Request URL
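Review bot: The double-slash loop in buildURL (new lines 240-243) never terminates when the input contains `//`, because it writes the collapsed string to `$url` instead of `$urlstring`, so the loop condition stays true and one such request ties up the worker. The assignment should be `$urlstring = str_replace('//', '/', $urlstring);` (the `$url` it currently writes is reset to `''` a few lines later anyway). The `var_dump($url_params_idx_array);` left at new line 255 and the now uncommented `Clansuite_Debug::printR($route_values);` at new line 379 dump routing internals into every response and should be removed before this ships. `$url_params_idx_array[1]` at new line 268 is undefined for a single-segment URL, so guard it with `isset($url_params_idx_array[1]) && $url_params_idx_array[1] === 'admin'`. buildURL continues outside the hunk.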
