从代码里面我们可以看出,对于请求参数里面的#字符,这里添加了限制。Drupal的表单API,呈现数组里面的key都是以#开头的,对于以#开头的数据,Drupal以前默认未加过滤清理,导致黑客可以借助这里,植入代码。 Drupal7补丁地址
https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
Drupal8补丁地址:
https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
以Drupal7的安全补丁为例:
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 655db6d..880557e 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -2632,6 +2632,10 @@ function _drupal_bootstrap_configuration() {
timer_start('page');
// Initialize the configuration, including variables from settings.php.
drupal_settings_initialize();
+
+ // Sanitize unsafe keys from the request.
+ require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';
+ DrupalRequestSanitizer::sanitize();
}
/**
diff --git a/includes/request-sanitizer.inc b/includes/request-sanitizer.inc
new file mode 100644
index 0000000..1daa6b5
--- /dev/null
+++ b/includes/request-sanitizer.inc
@@ -0,0 +1,82 @@
+<?php
+
+/**
+ * @file
+ * Contains code for sanitizing user input from the request.
+ */
+
+/**
+ * Sanitizes user input from the request.
+ */
+class DrupalRequestSanitizer {
+
+ /**
+ * Tracks whether the request was already sanitized.
+ */
+ protected static $sanitized = FALSE;
+
+ /**
+ * Modifies the request to strip dangerous keys from user input.
+ */
+ public static function sanitize() {
+ if (!self::$sanitized) {
+ $whitelist = variable_get('sanitize_input_whitelist', array());
+ $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
+
+ // Process query string parameters.
+ $get_sanitized_keys = array();
+ $_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys);
+ if ($log_sanitized_keys && $get_sanitized_keys) {
+ _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $get_sanitized_keys))), E_USER_NOTICE);
+ }
+
+ // Process request body parameters.
+ $post_sanitized_keys = array();
+ $_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys);
+ if ($log_sanitized_keys && $post_sanitized_keys) {
+ _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE);
+ }
+
+ // Process cookie parameters.
+ $cookie_sanitized_keys = array();
+ $_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys);
+ if ($log_sanitized_keys && $cookie_sanitized_keys) {
+ _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE);
+ }
+
+ $request_sanitized_keys = array();
+ $_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys);
+
+ self::$sanitized = TRUE;
+ }
+ }
+
+ /**
+ * Strips dangerous keys from the provided input.
+ *
+ * @param mixed $input
+ * The input to sanitize.
+ * @param string[] $whitelist
+ * An array of keys to whitelist as safe.
+ * @param string[] $sanitized_keys
+ * An array of keys that have been removed.
+ *
+ * @return mixed
+ * The sanitized input.
+ */
+ protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
+ if (is_array($input)) {
+ foreach ($input as $key => $value) {
+ if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
+ unset($input[$key]);
+ $sanitized_keys[] = $key;
+ }
+ else {
+ $input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys);
+ }
+ }
+ }
+ return $input;
+ }
+
