Ticket/13280

phpBB/includes/functions.php

@@ -2397,7 +2397,7 @@ function build_url($strip_vars = false)
 	global $config, $user, $phpbb_path_helper;
 
 	$php_ext = $phpbb_path_helper->get_php_ext();
-	$page = $user->page['page'];
+	$page = str_replace('&', '&', $user->page['page']);
 
 	// We need to be cautious here.
 	// On some situations, the redirect path is an absolute URL, sometimes a relative path

phpBB/phpbb/session.php

@@ -43,7 +43,7 @@ static function extract_current_page($root_path)
 
 		// First of all, get the request uri...
 		$script_name = $symfony_request->getScriptName();
-		$args = explode('&', $symfony_request->getQueryString());
+		$args = explode('&', $symfony_request->getQueryString());
 
 		// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
 		if (!$script_name)
@@ -61,8 +61,8 @@ static function extract_current_page($root_path)
 
 		// Since some browser do not encode correctly we need to do this with some "special" characters...
 		// " -> %22, ' => %27, < -> %3C, > -> %3E
-		$find = array('"', "'", '<', '>');
-		$replace = array('%22', '%27', '%3C', '%3E');
+		$find = array('"', "'", '<', '>', '&quot;', '&lt;', '&gt;');
+		$replace = array('%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E');
 
 		foreach ($args as $key => $argument)
 		{

phpBB/phpbb/symfony_request.php

@@ -30,6 +30,11 @@ public function __construct(\phpbb\request\request_interface $phpbb_request)
 			$type_cast_helper->set_var($value, $value, gettype($value), true);
 		};
 
+		// This function is meant for additional handling of server variables
+		$server_sanitizer = function(&$value, $key) {
+			$value = str_replace('&', '&', $value);
+		};
+
 		$get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET);
 		$post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST);
 		$server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER);
@@ -41,6 +46,7 @@ public function __construct(\phpbb\request\request_interface $phpbb_request)
 		array_walk_recursive($server_parameters, $sanitizer);
 		array_walk_recursive($files_parameters, $sanitizer);
 		array_walk_recursive($cookie_parameters, $sanitizer);
+		array_walk_recursive($server_parameters, $server_sanitizer);
 
 		parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters);
 	}

tests/functions/build_url_test.php

@@ -69,6 +69,11 @@ public function build_url_test_data()
 				array('f', 'style', 't'),
 				'http://test.phpbb.com/viewtopic.php?',
 			),
+			array(
+				'posting.php?f=2&mode=delete&p=20%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E',
+				false,
+				'phpBB/posting.php?f=2&mode=delete&p=20%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E',
+			)
 		);
 	}
 
@@ -80,6 +85,7 @@ public function test_build_url($page, $strip_vars, $expected)
 		global $user, $phpbb_root_path;
 
 		$user->page['page'] = $page;
+
 		$output = build_url($strip_vars);
 
 		$this->assertEquals($expected, $output);

tests/security/extract_current_page_test.php

@@ -37,16 +37,16 @@ public function test_query_string_php_self($url, $query_string, $expected)
 		));
 		$symfony_request->expects($this->any())
 			->method('getScriptName')
-			->will($this->returnValue($url));
+			->will($this->returnValue($this->sanitizer($url)));
 		$symfony_request->expects($this->any())
 			->method('getQueryString')
-			->will($this->returnValue($query_string));
+			->will($this->returnValue($this->sanitizer($query_string)));
 		$symfony_request->expects($this->any())
 			->method('getBasePath')
 			->will($this->returnValue($server['REQUEST_URI']));
-		$symfony_request->expects($this->any())
+		$symfony_request->expects($this->sanitizer($this->any()))
 			->method('getPathInfo')
-			->will($this->returnValue('/'));
+			->will($this->returnValue($this->sanitizer('/')));
 		$result = \phpbb\session::extract_current_page('./');
 
 		$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
@@ -65,20 +65,27 @@ public function test_query_string_request_uri($url, $query_string, $expected)
 		));
 		$symfony_request->expects($this->any())
 			->method('getScriptName')
-			->will($this->returnValue($url));
+			->will($this->returnValue($this->sanitizer($url)));
 		$symfony_request->expects($this->any())
 			->method('getQueryString')
-			->will($this->returnValue($query_string));
+			->will($this->returnValue($this->sanitizer($query_string)));
 		$symfony_request->expects($this->any())
 			->method('getBasePath')
-			->will($this->returnValue($server['REQUEST_URI']));
+			->will($this->returnValue($this->sanitizer($server['REQUEST_URI'])));
 		$symfony_request->expects($this->any())
 			->method('getPathInfo')
-			->will($this->returnValue('/'));
+			->will($this->returnValue($this->sanitizer('/')));
 
 		$result = \phpbb\session::extract_current_page('./');
 
 		$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
 		$this->assertEquals($expected, $result['query_string'], $label);
 	}
+
+	protected function sanitizer($value)
+	{
+		$type_cast_helper = new \phpbb\request\type_cast_helper();
+		$type_cast_helper->set_var($value, $value, gettype($value), true);
+		return $value;
+	}
 }