From d2707dd055538298bd3ccced73ddcfb08d353986 Mon Sep 17 00:00:00 2001
From: Florian Pritz
Date: Fri, 12 May 2017 21:50:05 +0200
Subject: Catch incorrect POST parameters (array vs string)
Signed-off-by: Florian Pritz
---
application/core/MY_Input.php | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 application/core/MY_Input.php
(limited to 'application/core')
diff --git a/application/core/MY_Input.php b/application/core/MY_Input.php
new file mode 100644
index 000000000..ef7af5528
--- /dev/null
+++ b/application/core/MY_Input.php
@@ -0,0 +1,34 @@
+
+ *
+ * Licensed under AGPLv3
+ * (see COPYING for full license text)
+ *
+ */
+
+class MY_Input extends CI_Input {
+ public function post($key = null, $xss_clean = false) {
+ $ret = parent::post($key, $xss_clean);
+ if (is_array($ret) || is_object($ret)) {
+ $data = [
+ "key" => $key,
+ "ret" => $ret
+ ];
+ if (preg_match("/^[a-zA-Z0-9_\.-]+$/", $key)) {
+ throw new \exceptions\UserInputException("input/invalid-form-field", "Invalid input in field $key", $data);
+ } else {
+ throw new \exceptions\UserInputException("input/invalid-form-field", "Invalid input", $data);
+ }
+ }
+ return $ret;
+ }
+
+ public function post_array($key) {
+ $ret = parent::post($key);
+ if (!is_array($ret)) {
+ throw new \exceptions\UserInputException("input/invalid-form-field", "Invalid input", $data);
+ }
+ return $ret;
+ }
+}
--
cgit v1.2.3-24-g4f1b
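Review bot: In `post_array()` the throw passes `$data`, which is never defined in that method, so the exception carries no context and PHP raises an undefined-variable notice on exactly the path that handles malformed input; build it before the throw, e.g. `$data = ["key" => $key, "ret" => $ret];`, as `post()` does. In `post()`, the default `$key = null` looks like it makes `parent::post()` return the whole POST array, in which case a call without a key would always throw and `preg_match()` would receive null; this should be confirmed against the CodeIgniter version in use and, if that call form is meant to keep working, handled with an early return. The `$` in the field-name pattern also matches before a trailing newline, so `\z` (or the `D` modifier) would keep the key interpolated into the message strictly to the listed characters.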