opdavies/drupalcampbristol
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update to Drupal 8.2.3. For more information, see https://www.drupal.org/project/drupal/releases/8.2.3

Browse source
This commit is contained in:
Pantheon Automation 2016-11-16 12:26:40 -08:00 committed by Greg Anderson
parent 507b45a0ed
commit 0a95b8440e
19 changed files with 300 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

26
core/modules/system/src/MachineNameController.php
View file

@ -4,7 +4,9 @@ namespace Drupal\system;
use Drupal\Component\Transliteration\TransliterationInterface;
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Access\CsrfTokenGenerator;
use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
use Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\DependencyInjection\ContainerInterface;
@ -21,14 +23,24 @@ class MachineNameController implements ContainerInjectionInterface {
*/
protected $transliteration;
/**
* The token generator.
*
* @var \Drupal\Core\Access\CsrfTokenGenerator
*/
protected $tokenGenerator;
/**
* Constructs a MachineNameController object.
*
* @param \Drupal\Component\Transliteration\TransliterationInterface $transliteration
* The transliteration helper.
* @param \Drupal\Core\Access\CsrfTokenGenerator $token_generator
* The token generator.
*/
public function __construct(TransliterationInterface $transliteration) {
public function __construct(TransliterationInterface $transliteration, CsrfTokenGenerator $token_generator) {
$this->transliteration = $transliteration;
$this->tokenGenerator = $token_generator;
}
/**
@ -36,7 +48,8 @@ class MachineNameController implements ContainerInjectionInterface {
*/
public static function create(ContainerInterface $container) {
return new static(
$container->get('transliteration')
$container->get('transliteration'),
$container->get('csrf_token')
);
}
@ -54,6 +67,7 @@ class MachineNameController implements ContainerInjectionInterface {
$text = $request->query->get('text');
$langcode = $request->query->get('langcode');
$replace_pattern = $request->query->get('replace_pattern');
$replace_token = $request->query->get('replace_token');
$replace = $request->query->get('replace');
$lowercase = $request->query->get('lowercase');
@ -61,7 +75,15 @@ class MachineNameController implements ContainerInjectionInterface {
if ($lowercase) {
$transliterated = Unicode::strtolower($transliterated);
}
if (isset($replace_pattern) && isset($replace)) {
if (!isset($replace_token)) {
throw new AccessDeniedException("Missing 'replace_token' query parameter.");
}
elseif (!$this->tokenGenerator->validate($replace_token, $replace_pattern)) {
throw new AccessDeniedException("Invalid 'replace_token' query parameter.");
}
// Quote the pattern delimiter and remove null characters to avoid the e
// or other modifiers being injected.
$transliterated = preg_replace('@' . strtr($replace_pattern, ['@' => '\@', chr(0) => '']) . '@', $replace, $transliterated);