From ef7d23dbd340649302abd90d50c246f9c54cedfa Mon Sep 17 00:00:00 2001
From: "John Paul E. Balandan, CPA"
Date: Sun, 31 Oct 2021 19:37:52 +0800
Subject: [PATCH] Replace usage of `FILTER_SANITIZE_STRING`

---
 system/HTTP/CLIRequest.php | 8 +++-----
 system/HTTP/CURLRequest.php | 12 +++---------
 system/Router/RouteCollection.php | 8 ++++----
 3 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/system/HTTP/CLIRequest.php b/system/HTTP/CLIRequest.php
index b8db857fce54..fcc2a51389d2 100644
--- a/system/HTTP/CLIRequest.php
+++ b/system/HTTP/CLIRequest.php
@@ -15,8 +15,6 @@
 use RuntimeException;
 
 /**
- * Class CLIRequest
- *
  * Represents a request from the command-line. Provides additional
  * tools to interact with that request since CLI requests are not
  * static like HTTP requests might be.
@@ -172,17 +170,17 @@ protected function parseCommand()
 if ($optionValue) {
 $optionValue = false;
 } else {
- $this->segments[] = filter_var($arg, FILTER_SANITIZE_STRING);
+ $this->segments[] = esc(strip_tags($arg));
 }
 
 continue;
 }
 
- $arg = filter_var(ltrim($arg, '-'), FILTER_SANITIZE_STRING);
+ $arg = esc(strip_tags(ltrim($arg, '-')));
 $value = null;
 
 if (isset($args[$i + 1]) && mb_strpos($args[$i + 1], '-') !== 0) {
- $value = filter_var($args[$i + 1], FILTER_SANITIZE_STRING);
+ $value = esc(strip_tags($args[$i + 1]));
 $optionValue = true;
 }
 
diff --git a/system/HTTP/CURLRequest.php b/system/HTTP/CURLRequest.php
index 3be8214d42b4..cb723c31adff 100644
--- a/system/HTTP/CURLRequest.php
+++ b/system/HTTP/CURLRequest.php
@@ -16,10 +16,7 @@
 use InvalidArgumentException;
 
 /**
- * Class OutgoingRequest
- *
- * A lightweight HTTP client for sending synchronous HTTP requests
- * via cURL.
+ * A lightweight HTTP client for sending synchronous HTTP requests via cURL.
  */
 class CURLRequest extends Request
 {
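Review bot: The three `esc(strip_tags(...))` calls on the new side HTML-escape command-line arguments at parse time, so the values kept in `$this->segments`, `$arg` and `$value` now carry HTML entities into a CLI context: an argument containing `&`, `'` or `"` is stored in entity form (the exact form depends on esc()'s default escaper, which is outside this hunk), and the deprecated filter being replaced did not encode `&` unless FILTER_FLAG_ENCODE_AMP was passed, so this is a behaviour change for any command that reads option values. strip_tags also discards text from an unquoted `<` onward when no closing `>` follows, so a value such as `a<b` is silently truncated rather than rejected. Since argv is not an HTML sink, keeping the raw string here and escaping at the point of output would be the cleaner boundary; if the escaping is intentional it should be documented where the values are stored, e.g. `// Segments and option values are stored tag-stripped and HTML-escaped (esc()); consumers must not escape them again.` parseCommand() starts and ends outside the hunk.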
@@ -84,10 +81,7 @@ class CURLRequest extends Request
 public function __construct(App $config, URI $uri, ?ResponseInterface $response = null, array $options = [])
 {
 if (! function_exists('curl_version')) {
- // we won't see this during travis-CI
- // @codeCoverageIgnoreStart
- throw HTTPException::forMissingCurl();
- // @codeCoverageIgnoreEnd
+ throw HTTPException::forMissingCurl(); // @codeCoverageIgnore
 }
 
 parent::__construct($config);
@@ -110,7 +104,7 @@ public function request($method, string $url, array $options = []): ResponseInte
 
 $url = $this->prepareURL($url);
 
- $method = filter_var($method, FILTER_SANITIZE_STRING);
+ $method = esc(strip_tags($method));
 
 $this->send($method, $url);
 
diff --git a/system/Router/RouteCollection.php b/system/Router/RouteCollection.php
index 1dcbfe9f590d..15a2d3d79e3e 100644
--- a/system/Router/RouteCollection.php
+++ b/system/Router/RouteCollection.php
@@ -19,8 +19,6 @@
 use InvalidArgumentException;
 
 /**
- * Class RouteCollection
- *
  * @todo Implement nested resource routing (See CakePHP)
  */
 class RouteCollection implements RouteCollectionInterface
@@ -663,10 +661,11 @@ public function resource(string $name, ?array $options = null): RouteCollectionI
 // resources are sent to, we need to have a new name
 // to store the values in.
 $newName = implode('\\', array_map('ucfirst', explode('/', $name)));
+
 // If a new controller is specified, then we replace the
 // $name value with the name of the new controller.
 if (isset($options['controller'])) {
- $newName = ucfirst(filter_var($options['controller'], FILTER_SANITIZE_STRING));
+ $newName = ucfirst(esc(strip_tags($options['controller'])));
 }
 
 // In order to allow customization of allowed id values
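Review bot: `$method = esc(strip_tags($method));` sanitizes the HTTP method instead of validating it, so a malformed value is not rejected but silently rewritten (HTML-escaped, or truncated by strip_tags at an unquoted `<`) before `$this->send($method, $url)` uses it as the request method. An HTTP method is a short token, so a check that fails loudly is both stricter and clearer: `if (! preg_match('/^[A-Za-z]+$/', $method)) { throw new InvalidArgumentException('Invalid HTTP method: ' . $method); }` (InvalidArgumentException is already imported in this file per its first hunk; widen the character class if the client is meant to accept other RFC 7230 token characters). The untyped `$method` parameter visible in the hunk header also means a non-string argument is only caught, or coerced, at strip_tags, which a `string` type declaration would make explicit. The rest of request() and all of send() lie outside the hunk, so whether send() validates the method itself cannot be checked here.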
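Review bot: `$newName = ucfirst(esc(strip_tags($options['controller'])));` turns an invalid controller option into a mangled but accepted class name rather than rejecting it — a value such as `Foo'Bar` becomes an entity-encoded string that is stored as the route target and only surfaces later as a generic controller-not-found. Since a controller name is a (possibly namespaced) class identifier, validating it against a class-name pattern and throwing InvalidArgumentException (already imported in this file, per its first hunk) on mismatch would fail at route-definition time with a clear message; if the escaping is kept as a stand-in for the deprecated filter, a comment such as `// Tag-strip and escape the developer-supplied controller name; it is used as a class name, not rendered as HTML.` should say why. The same line appears in the presenter() hunk that follows, and the same remark applies there. resource() starts and ends outside the hunk.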
@@ -756,10 +755,11 @@ public function presenter(string $name, ?array $options = null): RouteCollection
 // resources are sent to, we need to have a new name
 // to store the values in.
 $newName = implode('\\', array_map('ucfirst', explode('/', $name)));
+
 // If a new controller is specified, then we replace the
 // $name value with the name of the new controller.
 if (isset($options['controller'])) {
- $newName = ucfirst(filter_var($options['controller'], FILTER_SANITIZE_STRING));
+ $newName = ucfirst(esc(strip_tags($options['controller'])));
 }
 
 // In order to allow customization of allowed id values