public function SeckitExportController::export in Security Kit 8
Same name and namespace in other branches
- 2.x src/Controller/SeckitExportController.php \Drupal\seckit\Controller\SeckitExportController::export()
Receives Content Security Policy violation reports that browsers POST to the report-uri endpoint and writes them to the log.
1 string reference to 'SeckitExportController::export'
File
- src/Controller/SeckitExportController.php, line 46
Class
- SeckitExportController
- Example page controller.
Namespace
Drupal\seckit\Controller
Code
public function export() {
  // Only allow POST data with Content-Type application/csp-report
  // or application/json (the latter to support older user agents).
  // n.b. The CSP spec (1.0, 1.1) mandates this Content-Type header/value.
  // n.b. Content-Length is optional, so we don't check it.
  // @TODO replace with custom access checker?
  if (empty($_SERVER['CONTENT_TYPE']) || empty($_SERVER['REQUEST_METHOD'])) {
    throw new NotFoundHttpException();
  }
  if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    throw new NotFoundHttpException();
  }
  $pattern = '~^application/(csp-report|json)\\h*(;|$)~';
  if (!preg_match($pattern, $_SERVER['CONTENT_TYPE'])) {
    throw new NotFoundHttpException();
  }
  // Get and parse report.
  $reports = file_get_contents('php://input');
  $reports = json_decode($reports);
  if (!is_object($reports)) {
    throw new NotFoundHttpException();
  }
  // Log the report data.
  foreach ($reports as $report) {
    if (!isset($report->{'violated-directive'})) {
      continue;
    }
    $info = [
      '@directive' => $report->{'violated-directive'},
      '@blocked_uri' => $report->{'blocked-uri'},
      '@data' => print_r($report, TRUE),
    ];
    $this->logger
      ->warning('CSP: Directive @directive violated.<br /> Blocked URI: @blocked_uri.<br /> <pre>Data: @data</pre>', $info);
  }
  return new Response();
}
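The decision path above (method check, Content-Type pattern, JSON object check, per-member violated-directive filter) is easiest to reason about when you can feed it sample requests offline. The following is an added Python re-implementation of those same checks for illustration; it is not the Security Kit module's code, and `classify_report_request`, `demo` and `SAMPLE_BODY` are names chosen here. The sample report body is constructed in the shape Chrome and Firefox POST to a report-uri (`{"csp-report": {...}}`), which is why the controller's foreach over the decoded object normally sees exactly one member.

```python
import json
import re

# Same test as the controller's preg_match() pattern: "application/csp-report"
# or "application/json", then optional horizontal whitespace, then either ";"
# (parameters such as charset) or end of string.
CONTENT_TYPE_RE = re.compile(r"^application/(csp-report|json)[ \t]*(;|$)")


def classify_report_request(method, content_type, body):
    """Mirror export()'s decisions for one request.

    Returns None where the controller throws NotFoundHttpException (404),
    otherwise the list of (violated-directive, blocked-uri) pairs it would
    log before returning an empty 200 Response.
    """
    # empty($_SERVER['CONTENT_TYPE']) / empty($_SERVER['REQUEST_METHOD']).
    if not content_type or not method:
        return None
    if method != "POST":
        return None
    if not CONTENT_TYPE_RE.match(content_type):
        return None
    # json_decode() yields a stdClass only for a JSON object; invalid JSON,
    # arrays, strings and numbers all fail the is_object() check.
    try:
        reports = json.loads(body)
    except ValueError:
        return None
    if not isinstance(reports, dict):
        return None
    logged = []
    # foreach over the decoded object's members.
    for report in reports.values():
        # isset($report->{'violated-directive'}) is false for non-objects
        # and for missing or null members.
        if not isinstance(report, dict) or report.get("violated-directive") is None:
            continue
        # The controller reads blocked-uri unconditionally; a report without
        # it logs null (and raises a PHP warning). .get() mirrors that null.
        logged.append((report["violated-directive"], report.get("blocked-uri")))
    return logged


# Constructed sample body (not captured from a real browser).
SAMPLE_BODY = json.dumps({
    "csp-report": {
        "document-uri": "https://example.com/page",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; report-uri /report-csp-violation",
        "blocked-uri": "https://evil.example/x.js",
        "status-code": 200,
    }
})


def demo():
    """Run representative requests through the mirror and return the results."""
    return {
        "browser_report": classify_report_request("POST", "application/csp-report", SAMPLE_BODY),
        "with_charset": classify_report_request("POST", "application/json; charset=utf-8", SAMPLE_BODY),
        "wrong_method": classify_report_request("GET", "application/csp-report", SAMPLE_BODY),
        # Reporting API (report-to) clients send application/reports+json with
        # a JSON array; both the Content-Type and the is_object() check reject it.
        "reporting_api": classify_report_request("POST", "application/reports+json", "[" + SAMPLE_BODY + "]"),
        "json_array": classify_report_request("POST", "application/json", "[1, 2]"),
        "invalid_json": classify_report_request("POST", "application/csp-report", "{not json"),
        # Accepted with an empty 200 but nothing logged: no violated-directive.
        "no_directive": classify_report_request("POST", "application/csp-report", '{"csp-report": {"document-uri": "x"}}'),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'404' if result is None else result}")
```

Two practical consequences follow from the mirrored logic: reports delivered through the newer `report-to` / Reporting API mechanism never reach the log, so a policy relying on this endpoint must keep a `report-uri` directive; and the endpoint is deliberately unauthenticated, so everything it logs is attacker-controllable text, which is safe in the log viewer only because Drupal escapes `@` placeholders when it renders the message.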