Gen::includeClass('PntValidationException', 'pnt/secu');
/** Http request validator. Logs validation warnings for bad input. Returns only valid input.
* Unlike ValueValidator, who expects the characters to be encoded in ValueValidator::getInternalCharset,
* this validator expects characters to be encoded as in the http request.
* StringConverter may convert from the request encoding to the internal encoding
* (but by default it does no conversion of character encoding)
* In this default implementation:
* - keys are validated to hold only alphanumeric character, dasches and underscores
* - Http header values are validated to hold visible ASCII characters. Some are validated to a
* specific character whitelist or preg pattern
* - PHP_AUTH_USER and 'PHP_AUTH_PW characters are expected to be valid (like with ISO-8859-1) #
* - requestData and cookies: all characters are expected to be valid (like with ISO-8859-1) #
* - other server variable are not validated. They are expected to come from http server settings
* or other reliable sources.
* # To be overridden on subclass HttpValidator to validate/sanitize input using other character set(s)
* like UTF-8, as this implementarion will NOT adapt automatically to a change in StringConverter::getLabelCharset
* May be overridden to do (more) sanitization.
* Unlike the OWASP ESAPI SafeRequest class this class does not do canonalization and
* does not explcitly use mbstrings functions. Its behavior with multi byte strings has not been tested
* and may be different depending on ini settings for mbstring.func_overload and mbstring.encoding_translation
* This class does not delegate to ValueValidator because ValueValidator must work with the
* character set it defines in ::getInternalCharset and return user error messages,
* while most of the validations here are specific to ASCII and the error messages are for logging
* to be evaluated later by the application administrator.
* @package pnt/web
class PntHttpRequest {
public $serverVarValidationFatal; //value set overrides constructor parameter
public $gpcValidationFatal; //value set overrides constructor parameter
public $pcre_backtrack_limit = 100000; //default limit
//language dependent strings, may be overridden on HttpValidator
public $tooShort = 'too short';
public $tooLong = 'too long';
public $tooLow = 'too low';
public $tooHigh = 'too high';
public $invalid = 'invalid';
public $serverVarValidationFailed = 'Server variable validation failed for';
public $gpcValidationFailed = 'Gpc validation failed for';
/** result of ::validateServerVars kept as a context for ::validateGpc */
public $serverVars;
public $cookies;
public $get;
public $post;
* preg and char patterns @copyright 2007-2010 The OWASP Foundation as part of the
* OWASP Enterprise Security API (ESAPI) (SafeRequest class)
* @author jah <jah@jahboite.co.uk>
* @license http://www.opensource.org/licenses/bsd-license.php New BSD license
* @version SVN: espi4php-1.0a
* @link http://www.owasp.org/index.php/ESAPI
* LICENSE: These patterns are subject to the New BSD license. You should read
* and accept the LICENSE before you use, modify, and/or redistribute this software.
//pattern delimiters and D added by MetaClass
public $serverPatterns = array(
'REQUEST_METHOD' => '~^(GET|HEAD|POST|TRACE|OPTIONS|PUT|DELETE)$~D' //PUT|DELETE added by MetaClass for restful web services
, 'AUTH_TYPE' => '~^([dD][iI][gG][eE][sS][tT]|[bB][aA][sS][iI][cC])$~D'
, 'REMOTE_HOST' => '~^((?:(?:[0-9a-zA-Z][0-9a-zA-Z\-]{0,61}[0-9a-zA-Z])\.)*[a-zA-Z]{2,4}|[0-9a-zA-Z][0-9a-zA-Z\-]{0,61}[0-9a-zA-Z])$~D'
public $ipV4Pattern = '~^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$~D';
//generic preg character class pieces, backslashes for escaping added by MetaClass
public $httpCookieNamePat = '\\-_'; // \\- added by MetaClass because errors are too frequent and do not seem malicious
public $headerNameCp = '\\-_'; //actually $_SERVER has no names with -
public $headerValueCp = '!"#$%&\'()*+,\\-./\\\\;:<=>?@[\\]\\^_`{|}\\~ '; //"\t" added in constructor //basically all visible ASCII characters and tab
//generic preg character class pieces, backslashes for escaping added by MetaClass
public $serverCps = array(
'QUERY_STRING' => ' &()*+,\\-./;:=?_%!'
//% added by metaclass so that url encoded octets can get through
//! added by metaclass because js encodeURIComponent does not encode it
// , 'HTTP_HOST' => '\\-._' //strange, there is a specific pattern too, to look up in saferequest
, 'REMOTE_USER' => '!#$%&\'*+\\-.\\^_`|\\~'
, 'SCRIPT_NAME' => '!$%&\'()*+\\-,./:=@_\\~' //and REQUEST_URI with '?' added
public $filePathCp = ' !#$%&\'()+,-./=@[\\]\\^_`{}\\~\\\\'; //PATH_TRANSLATED
//modified by MetaClass to require eventual sign to be at the start
public $integerPattern = '/^(\\+|\\-)?[0-9]+$/'; //CONTENT_LENGTH
public $minLengths = array(
, 'SCRIPT_NAME' => 1
public $maxLengths = array(
'AUTH_TYPE' => 6
, 'CONTENT_TYPE' => 4096
, 'PATH_INFO' => 4096
, 'QUERY_STRING' => 4096
, 'REMOTE_HOST' => 255
, 'REMOTE_USER' => 255
, 'SERVER_NAME' => 255
, 'REMOTE_ADDR' => 15
, 'SERVER_ADDR' => 15
public $maxValues = array(
'CONTENT_LENGTH' => 2147483647 //PHP_INT_MAX on 32 bits
, 'SERVER_PORT' => 65535
* the rest of this file is copyright (c) MetaClass, 2012 */
public $sessionIdCp = ',\-'; //to be overridden if non-standard session ids are used
public $logger;
public $gpcCharset;
public $nullChar;
public $validServerVars;
public $error;
