Provide an extension point to $_SERVER reads

As discussed in #2569, this commit adds a new function, server_safe, which could potentially server as a safe way to get $_SERVER values. Right now, the only storage used is $_SERVER, but that could change in the future. Picked from 2f1a3b3
symphonycms · Jun 16, 2017 · 3e3c280 · 3e3c280
1 parent ebd6985
commit 3e3c280
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 14 deletions.
diff --git a/symphony/content/content.publish.php b/symphony/content/content.publish.php
@@ -890,7 +890,7 @@ public function __actionIndex()
                      */
                     Symphony::ExtensionManager()->notifyMembers('EntryPostDelete', '/publish/', array('entry_id' => $checked));
 
-                    redirect($_SERVER['REQUEST_URI']);
+                    redirect(server_safe('REQUEST_URI'));
                     break;
                 default:
                     list($option, $field_id, $value) = explode('-', $_POST['with-selected'], 3);
@@ -941,7 +941,7 @@ public function __actionIndex()
                             ));
                         }
 
-                        redirect($_SERVER['REQUEST_URI']);
+                        redirect(server_safe('REQUEST_URI'));
                     }
             }
         }

diff --git a/symphony/lib/boot/bundle.php b/symphony/lib/boot/bundle.php
@@ -12,7 +12,7 @@
 
     // Redirect to installer if it exists
     if (!file_exists(CONFIG)) {
-        $bInsideInstaller = (bool)preg_match('%(/|\\\\)install(/|\\\\)index.php$%', $_SERVER['SCRIPT_FILENAME']);
+        $bInsideInstaller = (bool)preg_match('%(/|\\\\)install(/|\\\\)index.php$%', server_safe('SCRIPT_FILENAME'));
 
         if (!$bInsideInstaller && Symphony::isInstallerAvailable()) {
             header(sprintf('Location: %s/install/', URL));

diff --git a/symphony/lib/boot/defines.php b/symphony/lib/boot/defines.php
@@ -208,27 +208,27 @@
  * Returns the environmental variable if HTTPS is in use.
  * @var string|boolean
  */
-define_safe('HTTPS', $_SERVER['HTTPS']);
+define_safe('HTTPS', server_safe('HTTPS'));
 
 /**
  * Returns the current host, ie. google.com
  * @var string
  */
-$http_host = $_SERVER['HTTP_HOST'];
+$http_host = server_safe('HTTP_HOST');
 define_safe('HTTP_HOST', function_exists('idn_to_utf8') ? idn_to_utf8($http_host) : $http_host);
 unset($http_host);
 
 /**
  * Returns the IP address of the machine that is viewing the current page.
  * @var string
  */
-define_safe('REMOTE_ADDR', $_SERVER['REMOTE_ADDR']);
+define_safe('REMOTE_ADDR', server_safe('REMOTE_ADDR'));
 
 /**
  * Returns the User Agent string of the browser that is viewing the current page
  * @var string
  */
-define_safe('HTTP_USER_AGENT', $_SERVER['HTTP_USER_AGENT']);
+define_safe('HTTP_USER_AGENT', server_safe('HTTP_USER_AGENT'));
 
 /**
  * If HTTPS is on, `__SECURE__` will be set to true, otherwise false. Use union of
@@ -237,16 +237,14 @@
  * @var string|boolean
  */
 define_safe('__SECURE__',
-    (HTTPS == 'on' ||
-        isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
-        $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
+    (HTTPS == 'on' || server_safe('HTTP_X_FORWARDED_PROTO') == 'https')
 );
 
 /**
  * The root url directory.
  * @var string
  */
-define_safe('DIRROOT', rtrim(dirname($_SERVER['PHP_SELF']), '\/'));
+define_safe('DIRROOT', rtrim(dirname(server_safe('PHP_SELF')), '\/'));
 
 /**
  * The current domain name.

diff --git a/symphony/lib/boot/func.utilities.php b/symphony/lib/boot/func.utilities.php
@@ -67,6 +67,26 @@ function define_safe($name, $value)
     }
 }
 
+/**
+ * Retrieve a value from the $_SERVER array. Makes sure the key exists.
+ * Returns null otherwise.
+ *
+ * This function is an extension point. We could check other storage for
+ * specific values or enforce some security restrictions.
+ *
+ * @param string $name
+ *  The name of the value to retrieve
+ * @return mixed
+ *  The value, is it exists
+ */
+function server_safe($name)
+{
+    if (isset($_SERVER[$name])) {
+        return $_SERVER[$name];
+    }
+    return null;
+}
+
 /**
  * Returns the current URL string from within the Administration
  * context. It omits the Symphony directory from the current URL.
@@ -231,7 +251,7 @@ function symphony_launcher($mode)
     $output = $renderer->display(getCurrentPage());
 
     // #1808
-    if (isset($_SERVER['HTTP_MOD_REWRITE'])) {
+    if (server_safe('HTTP_MOD_REWRITE') != null) {
         $output = file_get_contents(GenericExceptionHandler::getTemplate('fatalerror.rewrite'));
         $output = str_replace('{ASSETS_URL}', ASSETS_URL, $output);
         $output = str_replace('{SYMPHONY_URL}', SYMPHONY_URL, $output);

diff --git a/symphony/lib/toolkit/class.frontendpage.php b/symphony/lib/toolkit/class.frontendpage.php
@@ -344,7 +344,7 @@ private function __buildPage()
         $this->_pageData = $page;
         $path = explode('/', $page['path']);
         $root_page = is_array($path) ? array_shift($path) : $path;
-        $current_path = explode(dirname($_SERVER['SCRIPT_NAME']), $_SERVER['REQUEST_URI'], 2);
+        $current_path = explode(dirname(server_safe('SCRIPT_NAME')), server_safe('REQUEST_URI'), 2);
         $current_path = '/' . ltrim(end($current_path), '/');
         $split_path = explode('?', $current_path, 3);
         $current_path = rtrim(current($split_path), '/');

diff --git a/symphony/lib/toolkit/class.page.php b/symphony/lib/toolkit/class.page.php
@@ -337,7 +337,8 @@ public function isRequestValid()
         if (!$max_size) {
             return true;
         }
-        if ($_SERVER['REQUEST_METHOD'] === 'POST' && (int)$_SERVER['CONTENT_LENGTH'] > General::convertHumanFileSizeToBytes($max_size)) {
+
+        if (server_safe('REQUEST_METHOD') === 'POST' && (int)server_safe('CONTENT_LENGTH') > General::convertHumanFileSizeToBytes($max_size)) {
             return false;
         }