从代码里面我们可以看出,对于请求参数里面的#字符,这里添加了限制。Drupal的表单API,呈现数组里面的key都是以#开头的,对于以#开头的数据,Drupal以前默认未加过滤清理,导致黑客可以借助这里,植入代码。 Drupal7补丁地址
https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
Drupal8补丁地址:
https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
以Drupal7的安全补丁为例:
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 655db6d..880557e 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -2632,6 +2632,10 @@ function _drupal_bootstrap_configuration() { timer_start('page'); // Initialize the configuration, including variables from settings.php. drupal_settings_initialize(); + + // Sanitize unsafe keys from the request. + require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc'; + DrupalRequestSanitizer::sanitize(); } /** diff --git a/includes/request-sanitizer.inc b/includes/request-sanitizer.inc new file mode 100644 index 0000000..1daa6b5 --- /dev/null +++ b/includes/request-sanitizer.inc @@ -0,0 +1,82 @@ +<?php + +/** + * @file + * Contains code for sanitizing user input from the request. + */ + +/** + * Sanitizes user input from the request. + */ +class DrupalRequestSanitizer { + + /** + * Tracks whether the request was already sanitized. + */ + protected static $sanitized = FALSE; + + /** + * Modifies the request to strip dangerous keys from user input. + */ + public static function sanitize() { + if (!self::$sanitized) { + $whitelist = variable_get('sanitize_input_whitelist', array()); + $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE); + + // Process query string parameters. + $get_sanitized_keys = array(); + $_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys); + if ($log_sanitized_keys && $get_sanitized_keys) { + _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $get_sanitized_keys))), E_USER_NOTICE); + } + + // Process request body parameters. + $post_sanitized_keys = array(); + $_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys); + if ($log_sanitized_keys && $post_sanitized_keys) { + _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE); + } + + // Process cookie parameters. + $cookie_sanitized_keys = array(); + $_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys); + if ($log_sanitized_keys && $cookie_sanitized_keys) { + _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE); + } + + $request_sanitized_keys = array(); + $_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys); + + self::$sanitized = TRUE; + } + } + + /** + * Strips dangerous keys from the provided input. + * + * @param mixed $input + * The input to sanitize. + * @param string[] $whitelist + * An array of keys to whitelist as safe. + * @param string[] $sanitized_keys + * An array of keys that have been removed. + * + * @return mixed + * The sanitized input. + */ + protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) { + if (is_array($input)) { + foreach ($input as $key => $value) { + if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) { + unset($input[$key]); + $sanitized_keys[] = $key; + } + else { + $input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys); + } + } + } + return $input; + } +