From 13b59af1ffd0af652ba0ce3bc3f2594fc448fdb5 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 3 Nov 2014 17:14:18 +0100 Subject: [PATCH] [ticket/13280] Add additional sanitizer for ampersands in server superglobal PHPBB3-13280 --- phpBB/includes/functions.php | 3 +-- phpBB/phpbb/symfony_request.php | 6 ++++++ tests/functions/build_url_test.php | 15 +++++++-------- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 56363ed5c0..dc195cebb6 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2397,8 +2397,7 @@ function build_url($strip_vars = false) global $config, $user, $phpbb_path_helper; $php_ext = $phpbb_path_helper->get_php_ext(); - // Change page back to expected format - $page = str_replace('&', '&', urldecode($user->page['page'])); + $page = str_replace('&', '&', $user->page['page']); // We need to be cautious here. // On some situations, the redirect path is an absolute URL, sometimes a relative path diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index ad949a35f2..4d357a5c56 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -30,6 +30,11 @@ class symfony_request extends Request $type_cast_helper->set_var($value, $value, gettype($value), true); }; + // This function is meant for additional handling of server variables + $server_sanitizer = function(&$value, $key) { + $value = str_replace('&', '&', $value); + }; + $get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET); $post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST); $server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER); @@ -41,6 +46,7 @@ class symfony_request extends Request array_walk_recursive($server_parameters, $sanitizer); array_walk_recursive($files_parameters, $sanitizer); array_walk_recursive($cookie_parameters, $sanitizer); + array_walk_recursive($server_parameters, $server_sanitizer); parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); } diff --git a/tests/functions/build_url_test.php b/tests/functions/build_url_test.php index df178f277e..5cfd1300de 100644 --- a/tests/functions/build_url_test.php +++ b/tests/functions/build_url_test.php @@ -69,6 +69,11 @@ class phpbb_build_url_test extends phpbb_test_case array('f', 'style', 't'), 'http://test.phpbb.com/viewtopic.php?', ), + array( + 'posting.php?f=2&mode=delete&p=20%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E', + false, + 'phpBB/posting.php?f=2&mode=delete&p=20%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E', + ) ); } @@ -79,16 +84,10 @@ class phpbb_build_url_test extends phpbb_test_case { global $user, $phpbb_root_path; - $user->page['page'] = str_replace('%2F', '/', urlencode($this->sanitizer($page))); + $user->page['page'] = $page; + $output = build_url($strip_vars); $this->assertEquals($expected, $output); } - - protected function sanitizer($value) - { - $type_cast_helper = new \phpbb\request\type_cast_helper(); - $type_cast_helper->set_var($value, $value, gettype($value), true); - return $value; - } }