
[ticket/13280] Properly format the current page and add sanitizer to tests #3107

Merged
merged 6 commits into from Nov 7, 2014
@@ -43,7 +43,7 @@ static function extract_current_page($root_path)

// First of all, get the request uri...
$script_name = $symfony_request->getScriptName();
$args = explode('&', $symfony_request->getQueryString());
$args = explode('&', $symfony_request->getQueryString());

// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
if (!$script_name)
@@ -61,8 +61,8 @@ static function extract_current_page($root_path)

// Since some browser do not encode correctly we need to do this with some "special" characters...
// " -> %22, ' => %27, < -> %3C, > -> %3E
$find = array('"', "'", '<', '>');
$replace = array('%22', '%27', '%3C', '%3E');
$find = array('"', "'", '<', '>', '&quot;', '&lt;', '&gt;');
$replace = array('%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E');

foreach ($args as $key => $argument)
{
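Review bot: The comment above the lookup tables (`// " -> %22, ' => %27, < -> %3C, > -> %3E`) no longer describes the whole mapping now that the entity forms `&quot;`, `&lt;` and `&gt;` are rewritten as well; extend it to `// " -> %22, ' -> %27, < -> %3C, > -> %3E, plus the entity forms &quot;/&lt;/&gt; the request sanitizer may already have produced`. The tables are also asymmetric: `'` has a raw entry but no entity entry, so if the sanitizer's escaping mode ever emits `&#039;` for a single quote it would reach the URL unmapped — worth confirming against the mode `set_var()` uses. In the first hunk of this function the `$args = explode('&', ...)` line is shown twice with identical visible text, which suggests a whitespace-only change there. extract_current_page begins and ends outside both hunks.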
@@ -30,6 +30,12 @@ public function __construct(\phpbb\request\request_interface $phpbb_request)
$type_cast_helper->set_var($value, $value, gettype($value), true);
};

// This function is meant for additional handling of server variables
$server_sanitizer = function(&$value, $key) use ($sanitizer) {
$sanitizer($value, $key);
$value = str_replace('&amp;', '&', $value);
};

$get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET);
$post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST);
$server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER);
@@ -38,10 +44,12 @@ public function __construct(\phpbb\request\request_interface $phpbb_request)

array_walk_recursive($get_parameters, $sanitizer);
array_walk_recursive($post_parameters, $sanitizer);
array_walk_recursive($server_parameters, $sanitizer);
array_walk_recursive($files_parameters, $sanitizer);
array_walk_recursive($cookie_parameters, $sanitizer);

// Run special sanitizer for server superglobal
array_walk_recursive($server_parameters, $server_sanitizer);

parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters);
}
}
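Review bot: `$server_parameters` is sanitized twice: once by the context line `array_walk_recursive($server_parameters, $sanitizer);` and again by the new `array_walk_recursive($server_parameters, $server_sanitizer);`, whose first statement is `$sanitizer($value, $key);` (previous hunk of this constructor). If `set_var()` double-encodes entities, the second pass turns an already-escaped `&amp;` into `&amp;amp;`, and the trailing `str_replace('&amp;', '&', $value)` then leaves `&amp;` instead of the bare `&` this helper exists to restore, so the plain `$sanitizer` walk over `$server_parameters` should be dropped and only the `$server_sanitizer` walk kept. The comment `// This function is meant for additional handling of server variables` should also say why the reversal is done: `// SERVER values are re-parsed rather than rendered (QUERY_STRING is split on '&'), so undo the '&' -> '&amp;' escaping set_var() applied; lossy if the original value literally contained '&amp;'`. The constructor starts outside these hunks.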
@@ -69,6 +69,11 @@ public function build_url_test_data()
array('f', 'style', 't'),
'http://test.phpbb.com/viewtopic.php?',
),
array(
'posting.php?f=2&mode=delete&p=20%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E',
false,
'phpBB/posting.php?f=2&amp;mode=delete&amp;p=20%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E',
)
);
}

@@ -80,6 +85,7 @@ public function test_build_url($page, $strip_vars, $expected)
global $user, $phpbb_root_path;

$user->page['page'] = $page;

$output = build_url($strip_vars);

$this->assertEquals($expected, $output);
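Review bot: test_build_url writes `$user->page['page'] = $page;` straight into the user object, so the new data row with the `%22%3Cscript%3E...` payload never passes through the request sanitizer this PR adds; the assertion only covers build_url's own `&` -> `&amp;` escaping and percent-encoding pass-through. A one-line comment on the new row, `// page is set directly, bypassing the request sanitizer; this covers build_url's own escaping only`, would keep a later reader from assuming the request path is exercised. Which line of test_build_url is the single addition cannot be told from the rendering.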
@@ -37,16 +37,16 @@ public function test_query_string_php_self($url, $query_string, $expected)
));
$symfony_request->expects($this->any())
->method('getScriptName')
->will($this->returnValue($url));
->will($this->returnValue($this->sanitizer($url)));
$symfony_request->expects($this->any())
->method('getQueryString')
->will($this->returnValue($query_string));
->will($this->returnValue($this->sanitizer($query_string)));
$symfony_request->expects($this->any())
->method('getBasePath')
->will($this->returnValue($server['REQUEST_URI']));
$symfony_request->expects($this->any())
$symfony_request->expects($this->sanitizer($this->any()))
->method('getPathInfo')
->will($this->returnValue('/'));
->will($this->returnValue($this->sanitizer('/')));
$result = \phpbb\session::extract_current_page('./');

$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
@@ -65,20 +65,32 @@ public function test_query_string_request_uri($url, $query_string, $expected)
));
$symfony_request->expects($this->any())
->method('getScriptName')
->will($this->returnValue($url));
->will($this->returnValue($this->sanitizer($url)));
$symfony_request->expects($this->any())
->method('getQueryString')
->will($this->returnValue($query_string));
->will($this->returnValue($this->sanitizer($query_string)));
$symfony_request->expects($this->any())
->method('getBasePath')
->will($this->returnValue($server['REQUEST_URI']));
->will($this->returnValue($this->sanitizer($server['REQUEST_URI'])));
$symfony_request->expects($this->any())
->method('getPathInfo')
->will($this->returnValue('/'));
->will($this->returnValue($this->sanitizer('/')));

$result = \phpbb\session::extract_current_page('./');

$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
$this->assertEquals($expected, $result['query_string'], $label);
}

protected function sanitizer($value)
{
// Fix for objects passed in phpunit
if (is_object($value))
{
return $value;
}
$type_cast_helper = new \phpbb\request\type_cast_helper();
$type_cast_helper->set_var($value, $value, gettype($value), true);
return str_replace('&amp;', '&', $value);
}
}
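Review bot: `$symfony_request->expects($this->sanitizer($this->any()))` in test_query_string_php_self passes a PHPUnit matcher object through the sanitizer, which is the only reason `sanitizer()` needs its `// Fix for objects passed in phpunit` early return; the line should read `$symfony_request->expects($this->any())` and the `is_object` branch can then be removed. The two tests are also inconsistent: `getBasePath` is wrapped as `$this->returnValue($this->sanitizer($server['REQUEST_URI']))` in test_query_string_request_uri but left as `$this->returnValue($server['REQUEST_URI'])` in test_query_string_php_self, so only one of them mirrors what the request layer does to REQUEST_URI. `sanitizer()` should carry a docblock saying it mirrors the request layer's server-variable handling (`set_var()` followed by `&amp;` -> `&`) so a change there is reflected here. Both test methods begin outside their hunks.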