feat: sanitize request helper params (#4161)

sanitize request helper params
kaltura · May 31, 2020 · 825ff1c · 825ff1c
1 parent 6bdbd67
commit 825ff1c
Showing 1 changed file with 26 additions and 20 deletions.
diff --git a/modules/KalturaSupport/RequestHelper.php b/modules/KalturaSupport/RequestHelper.php
@@ -7,6 +7,8 @@ class RequestHelper {
 	var $debug = false;
 	var $utility = null;
 
+    var $EXCLUDE_ESCAPED_ATTRIBUTES = array('flashvars');
+
 	/**
 	 * Variables set by the Frame request:
 	 */
@@ -20,7 +22,7 @@ class RequestHelper {
 		'flashvars' => null,
 		'playlist_id' => null,
 		'urid' => null,
-		// Custom service url properties ( only used when wgKalturaAllowIframeRemoteService is set to true ) 
+		// Custom service url properties ( only used when wgKalturaAllowIframeRemoteService is set to true )
 		'ServiceUrl'=> null,
 		'ServiceBase'=>null,
 		'CdnUrl'=> null,
@@ -58,28 +60,32 @@ private function parseRequest(){
 			foreach( $urlParts as $inx => $urlPart ){
 				foreach( $this->urlParameters as $attributeKey => $na){
 					if( $urlPart == $attributeKey && isset( $urlParts[$inx+1] ) ){
-						$_REQUEST[ $attributeKey ] = $urlParts[$inx+1];
+					    $data = $urlParts[$inx+1];
+					    if (!in_array($attributeKey, $this->EXCLUDE_ESCAPED_ATTRIBUTES)) {
+					        $data = htmlspecialchars( $urlParts[$inx+1], ENT_QUOTES );
+					    }
+						$_REQUEST[ $attributeKey ] = $data;
 					}
 				}
 			}
 		}
 
-		// TODO refactor this parameter sanitation  
+		// TODO refactor this parameter sanitation
 		foreach( $this->urlParameters as $attributeKey => $na){
 			if( isset( $_REQUEST[ $attributeKey ] ) ){
 				// set the url parameter and don't let any html in:
 				$this->urlParameters[ $attributeKey ] = $_REQUEST[ $attributeKey ];
 			}
 		}
-		
+
 		// support CORS for IE9 and lower
 		global $HTTP_RAW_POST_DATA;
 		if ( !isset( $HTTP_RAW_POST_DATA ) )
 		{
 			$HTTP_RAW_POST_DATA = file_get_contents( 'php://input' );
 			$HTTP_RAW_POST_DATA = $HTTP_RAW_POST_DATA ? $HTTP_RAW_POST_DATA : array();
 		}
-		
+
 		if ( count($_POST) == 0 && count( $HTTP_RAW_POST_DATA) > 0 ){
 			parse_str($HTTP_RAW_POST_DATA, (
 					html_entity_decode(
@@ -94,7 +100,7 @@ private function parseRequest(){
 			}
 		}
 
-		// string to boolean  
+		// string to boolean
 		foreach( $this->urlParameters as $k=>$v){
 			if( $v == 'false'){
 				$this->urlParameters[$k] = false;
@@ -103,15 +109,15 @@ private function parseRequest(){
 				$this->urlParameters[$k] = true;
 			}
 		}
-		
+
 		if( isset( $this->urlParameters['p'] ) && !isset( $this->urlParameters['wid'] ) ){
-			$this->urlParameters['wid'] = '_' . $this->urlParameters['p'];  
+			$this->urlParameters['wid'] = '_' . $this->urlParameters['p'];
 		}
 
 		if( isset( $this->urlParameters['partner_id'] ) && !isset( $this->urlParameters['wid'] ) ){
-			$this->urlParameters['wid'] = '_' . $this->urlParameters['partner_id'];  
-		}		
-			
+			$this->urlParameters['wid'] = '_' . $this->urlParameters['partner_id'];
+		}
+
 		// Check for debug flag
 		if( isset( $_REQUEST['debug'] ) ){
 			$this->debug = true;
@@ -146,18 +152,18 @@ function set( $key = null, $val = null ) {
 
 	function getServiceConfig( $name ){
 		global $wgKalturaAllowIframeRemoteService;
-		
-		// Check if we allow URL override: 
+
+		// Check if we allow URL override:
 		if(( $wgKalturaAllowIframeRemoteService == true ) || $this->isEmbedServicesEnabled()){
 			// Check for urlParameters
 			if( $this->get( $name ) ){
 				return $this->get( $name );
 			}
 		}
-		
-		// Else use the global config: 
+
+		// Else use the global config:
 		switch( $name ){
-			case 'ServiceUrl' : 
+			case 'ServiceUrl' :
 				global $wgKalturaServiceUrl;
 				return $wgKalturaServiceUrl;
 				break;
@@ -271,8 +277,8 @@ public function getRemoteAddrHeader(){
 			return '';
 		}
 		$ip = null;
-		// Check for x-forward-for and x-real-ip headers 
-		$requestHeaders = getallheaders(); 
+		// Check for x-forward-for and x-real-ip headers
+		$requestHeaders = getallheaders();
 		if( isset( $requestHeaders['X-Forwarded-For'] ) ){
 			$ip = $this->getRealIP( $requestHeaders['X-Forwarded-For'] );
 		}
@@ -343,7 +349,7 @@ private function setKSIfExists() {
 			$this->ks = $ks;
 		}
 	}
-	
+
 	public function hasKS() {
 		global $wgForceCache;
 		return $wgForceCache ? false : isset($this->ks);
@@ -352,4 +358,4 @@ public function hasKS() {
 	public function getKS() {
 		return $this->ks;
 	}
-}
+}