From 25ede208fe5b99eae6580f708fd1c23b4183620b Mon Sep 17 00:00:00 2001
From: Cerdic <cedric@yterium.com>
Date: Mon, 6 Nov 2023 16:02:41 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20eviter=20un=20risque=20d'incoherence=20e?=
 =?UTF-8?q?ntre=20le=20nettoyage=20des=20variables=20dans=20le=20contexte?=
 =?UTF-8?q?=20des=20cache=20et=20le=20nettoyage=20des=20urls=20self()=20ut?=
 =?UTF-8?q?ilis=C3=A9e=20par=20la=20pagination,=20notamment=20en=20cas=20d?=
 =?UTF-8?q?e=20personalisation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Refs: securite#4848
---
 ecrire/inc/utils.php | 32 ++++++++++++++++++++++++++------
 ecrire/public/assembler.php | 19 ++++++++++++-------
 2 files changed, 38 insertions(+), 13 deletions(-)
diff --git a/ecrire/inc/utils.php b/ecrire/inc/utils.php
index edf970ad1f..50f6931622 100644
--- a/ecrire/inc/utils.php
+++ b/ecrire/inc/utils.php
@@ -719,21 +719,41 @@ function nettoyer_uri($reset = null) {
 * Nettoie une request_uri des paramètres var_xxx
 *
 * Attention, la regexp doit suivre _CONTEXTE_IGNORE_VARIABLES défini au début de public/assembler.php
+ * @uses _CONTEXTE_IGNORE_LISTE_VARIABLES
 *
 * @param string $request_uri
 * @return string
 */
 function nettoyer_uri_var($request_uri) {
+ static $preg_nettoyer;
+ if (!defined('_CONTEXTE_IGNORE_LISTE_VARIABLES')) {
+ define('_CONTEXTE_IGNORE_LISTE_VARIABLES', ['^var_', '^PHPSESSID$', '^fbclid$', '^utm_']);
+ }
+ if (empty($preg_nettoyer)) {
+ $preg_nettoyer_vars = _CONTEXTE_IGNORE_LISTE_VARIABLES;
+ foreach ($preg_nettoyer_vars as &$var) {
+ if (str_starts_with($var, '^')) {
+ $var = substr($var, 1);
+ } else {
+ $var = '[^=&]*' . $var;
+ }
+ if (str_ends_with($var, '$')) {
+ $var = substr($var, 0, -1);
+ } else {
+ $var .= '[^=&]*';
+ }
+ }
+ $preg_nettoyer = ',([?&])(' . implode('|', $preg_nettoyer_vars) . ')=[^&]*(&|$),i';
+ }
+ if (empty($request_uri)) {
+ return $request_uri;
+ }
 $uri1 = $request_uri;
 do {
 $uri = $uri1;
- $uri1 = preg_replace(
- ',([?&])(var_[^=&]*|PHPSESSID|fbclid|utm_[^=&]*)=[^&]*(&|$),i',
- '\1',
- $uri
- );
+ $uri1 = preg_replace($preg_nettoyer, '\1', $uri);
 } while ($uri <> $uri1);
- return preg_replace(',[?&]$,', '', $uri1);
+ return rtrim($uri1, '?&');
 }
diff --git a/ecrire/public/assembler.php b/ecrire/public/assembler.php
index fe63c686a9..fd7ec82ea5 100644
--- a/ecrire/public/assembler.php
+++ b/ecrire/public/assembler.php
@@ -22,11 +22,6 @@ if (!defined('_ECRIRE_INC_VERSION')) {
 return;
 }
-// En cas de modification, il faut aussi actualiser la regexp de nettoyer_uri_var() dans inc/utils.php
-if (!defined('_CONTEXTE_IGNORE_VARIABLES')) {
- define('_CONTEXTE_IGNORE_VARIABLES', '/(^var_|^PHPSESSID$|^fbclid$|^utm_)/');
-}
 function assembler($fond, string $connect = '') {
 $chemin_cache = null;
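Review bot: The rebuilt pattern still demands `=[^&]*` after the variable name, so a bare `?var_mode` or `?PHPSESSID` survives nettoyer_uri_var() while calculer_contexte() drops it from the context (PHP exposes it as `$_GET['var_mode'] = ''`), which is the very self()/context divergence this commit sets out to close; if I read PHP's query parsing right, the same holds for `var.mode` and `var+mode`, which land in `$_GET['var_mode']` yet never match `var_[^=&]*` in the URI. Translating the anchored name patterns into URI fragments is also fragile: a customised list entry containing the `,` delimiter breaks the expression and preg_replace() then returns null. I would split the query string and test each PHP-normalised name against the same anchored expression calculer_contexte() uses, so one pattern governs both sides; empty segments and the final rtrim() are kept so already-clean URIs come out unchanged. Rewritten body below; only the `define()` default is kept from the hunk.
```php
function nettoyer_uri_var($request_uri) {
	static $preg_ignore;
	// … unchanged: default define() of _CONTEXTE_IGNORE_LISTE_VARIABLES …
	// Same anchored, name-level pattern as calculer_contexte(): it is matched against a
	// variable *name*, never against the raw URI, so no '^'/'$' rewriting is needed.
	$preg_ignore ??= '/(' . implode('|', _CONTEXTE_IGNORE_LISTE_VARIABLES) . ')/i';
	if (empty($request_uri) || !str_contains($request_uri, '?')) {
		return $request_uri;
	}
	[$base, $query] = explode('?', $request_uri, 2);
	$params = array_filter(explode('&', $query), static function ($param) use ($preg_ignore) {
		// Normalise the name the way PHP does for $_GET keys ('.', ' ' and '+' become '_'),
		// so both sides ignore exactly the same variables; a bare name without '=' counts too.
		$nom = str_replace(['.', ' '], '_', urldecode(explode('=', $param, 2)[0]));
		return $param === '' || !preg_match($preg_ignore, $nom);
	});
	return rtrim($base . '?' . implode('&', $params), '?&');
}
```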
@@ -193,6 +188,9 @@ function assembler($fond, string $connect = '') {
 /**
 * Calcul le contexte de la page
 *
+ * @uses _CONTEXTE_IGNORE_LISTE_VARIABLES
+ * @see nettoyer_uri_var()
+ *
 * lors du calcul d'une page spip etablit le contexte a partir
 * des variables $_GET et $_POST, purgees des fausses variables var_*
 *
@@ -203,15 +201,22 @@ function assembler($fond, string $connect = '') {
 * @return array Un tableau du contexte de la page
 */
 function calculer_contexte() {
+ static $preg_ignore_variables;
+ if (empty($preg_ignore_variables)) {
+ if (!defined('_CONTEXTE_IGNORE_LISTE_VARIABLES')) {
+ nettoyer_uri_var('');
+ }
+ $preg_ignore_variables = '/(' . implode('|',_CONTEXTE_IGNORE_LISTE_VARIABLES) . ')/';
+ }
 $contexte = [];
 foreach ($_GET as $var => $val) {
- if (!preg_match(_CONTEXTE_IGNORE_VARIABLES, $var)) {
+ if (!preg_match($preg_ignore_variables, $var)) {
 $contexte[$var] = $val;
 }
 }
 foreach ($_POST as $var => $val) {
- if (!preg_match(_CONTEXTE_IGNORE_VARIABLES, $var)) {
+ if (!preg_match($preg_ignore_variables, $var)) {
 $contexte[$var] = $val;
 }
 }
-- GitLab
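Review bot: The pattern built here, `'/(' . implode('|',_CONTEXTE_IGNORE_LISTE_VARIABLES) . ')/'`, carries no `i` modifier while the one nettoyer_uri_var() derives from the same list ends in `,i`, so a request with `?VAR_mode=1` or `?Utm_source=x` keeps the variable in the page context but has it stripped from self(); both sides should agree on one modifier set, e.g. `$preg_ignore_variables = '/(' . implode('|', _CONTEXTE_IGNORE_LISTE_VARIABLES) . ')/i';` (or drop `i` on the utils.php side). Calling `nettoyer_uri_var('')` purely for its `define()` side effect is opaque; a comment such as `// nettoyer_uri_var() declares the default _CONTEXTE_IGNORE_LISTE_VARIABLES when nothing else has` would help, and moving that default to a file loaded before both callers would remove the coupling. Because list entries are interpolated unquoted into a `/`-delimited expression, a customised entry containing `/` (or `,` on the utils.php side) makes preg_match() return false so every variable would then enter the context, while the URL side fails differently; either validate the list once (`preg_match($preg_ignore_variables, '') !== false`) or document the constraint on the constant. calculer_contexte() continues past the end of the hunk, so its return is not visible here.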