[UTIL] Sanitise instead of validate in common_copy_args()

And remove common_validate_utf8() which is now unused.
2020-09-15 14:53:35 +03:00 · 2020-09-15 14:53:35 +03:00 · 22f6d3ce14
commit 22f6d3ce14
parent 9e94b7f145
2 changed files with 14 additions and 34 deletions
--- a/lib/util/util.php
+++ b/lib/util/util.php
@ -1234,27 +1234,6 @@ function common_shorten_links($text, $always = false, User $user=null)
    }
 }

-/**
- * Very basic stripping of invalid UTF-8 input text.
- *
- * @param string $str
- * @return mixed string or null if invalid input
- *
- * @todo ideally we should drop bad chars, and maybe do some of the checks
- *       from common_xml_safe_str. But we can't strip newlines, etc.
- * @todo Unicode normalization might also be useful, but not needed now.
- */
-function common_validate_utf8($str)
-{
-    // preg_replace will return NULL on invalid UTF-8 input.
-    //
-    // Note: empty regex //u also caused NULL return on some
-    // production machines, but none of our test machines.
-    //
-    // This should be replaced with a more reliable check.
-    return preg_replace('/\x00/u', '', $str);
-}
-
 /**
 * Make sure an arbitrary string is safe for output in XML as a single line.
 *
@ -2200,26 +2179,25 @@ function common_config_append($main, $sub, $value)

 /**
 * Pull arguments from a GET/POST/REQUEST array with first-level input checks:
- * strips "magic quotes" slashes if necessary, and kills invalid UTF-8 strings.
+ * strips "magic quotes" slashes if necessary,
+ * and replaces invalid in UTF-8 sequences with question marks.
 *
 * @param array $from
 * @return array
 */
-function common_copy_args($from)
+function common_copy_args(array $from): array
 {
-    $to = [];
    $strip = get_magic_quotes_gpc();
-    foreach ($from as $k => $v) {
+    return array_map(function ($v) use ($strip) {
        if (is_array($v)) {
-            $to[$k] = common_copy_args($v);
+            return common_copy_args($v);
        } else {
            if ($strip) {
                $v = stripslashes($v);
            }
-            $to[$k] = strval(common_validate_utf8($v));
+            return mb_scrub($v);
        }
-    }
-    return $to;
+    }, $from);
 }

 /**
--- a/public/index.php
+++ b/public/index.php
@ -305,14 +305,16 @@ function main()
    // If the site is private, and they're not on one of the "public"
    // parts of the site, redirect to login

-    if (!$user && common_config('site', 'private')
+    if (
+        is_null($user)
+        && common_config('site', 'private')
        && !isLoginAction($action)
        && !preg_match('/rss$/', $action)
-        && $action != 'robotstxt'
-        && !preg_match('/^Api/', $action)) {
-
+        && $action !== 'robotstxt'
+        && !preg_match('/^Api/', $action)
+    ) {
        // set returnto
-        $rargs =& common_copy_args($args);
+        $rargs = common_copy_args($args);
        unset($rargs['action']);
        if (common_config('site', 'fancy')) {
            unset($rargs['p']);