makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 14:18:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

[ticket/security-171] Sanitize data from composer.json

Browse source 
SECURITY-171
This commit is contained in:
Marc Alexander 2014-11-16 13:09:03 +01:00
parent da1888a7fa
commit 34004612ac
3 changed files with 26 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
phpBB/phpbb/extension/metadata_manager.php
View file

@ -177,12 +177,24 @@ class metadata_manager
throw new \phpbb\extension\exception($this->user->lang('FILE_JSON_DECODE_ERR', $this->metadata_file)); throw new \phpbb\extension\exception($this->user->lang('FILE_JSON_DECODE_ERR', $this->metadata_file));
} }
array_walk_recursive($metadata, array($this, 'sanitize_json'));
$this->metadata = $metadata; $this->metadata = $metadata;
return true; return true;
} }
} }
/**
* Sanitize input from JSON array using htmlspecialchars()
*
* @param mixed $value Value of array row
* @param string $key Key of array row
*/
public function sanitize_json(&$value, $key)
{
$value = htmlspecialchars($value);
}
/** /**
* This array handles the cleaning of the array * This array handles the cleaning of the array
* *
@ -337,30 +349,30 @@ class metadata_manager
public function output_template_data() public function output_template_data()
{ {
$this->template->assign_vars(array( $this->template->assign_vars(array(
'META_NAME' => htmlspecialchars($this->metadata['name']), 'META_NAME' => $this->metadata['name'],
'META_TYPE' => htmlspecialchars($this->metadata['type']), 'META_TYPE' => $this->metadata['type'],
'META_DESCRIPTION' => (isset($this->metadata['description'])) ? htmlspecialchars($this->metadata['description']) : '', 'META_DESCRIPTION' => (isset($this->metadata['description'])) ? $this->metadata['description'] : '',
'META_HOMEPAGE' => (isset($this->metadata['homepage'])) ? $this->metadata['homepage'] : '', 'META_HOMEPAGE' => (isset($this->metadata['homepage'])) ? $this->metadata['homepage'] : '',
'META_VERSION' => (isset($this->metadata['version'])) ? htmlspecialchars($this->metadata['version']) : '', 'META_VERSION' => (isset($this->metadata['version'])) ? $this->metadata['version'] : '',
'META_TIME' => (isset($this->metadata['time'])) ? htmlspecialchars($this->metadata['time']) : '', 'META_TIME' => (isset($this->metadata['time'])) ? $this->metadata['time'] : '',
'META_LICENSE' => htmlspecialchars($this->metadata['license']), 'META_LICENSE' => $this->metadata['license'],
'META_REQUIRE_PHP' => (isset($this->metadata['require']['php'])) ? htmlspecialchars($this->metadata['require']['php']) : '', 'META_REQUIRE_PHP' => (isset($this->metadata['require']['php'])) ? $this->metadata['require']['php'] : '',
'META_REQUIRE_PHP_FAIL' => !$this->validate_require_php(), 'META_REQUIRE_PHP_FAIL' => !$this->validate_require_php(),
'META_REQUIRE_PHPBB' => (isset($this->metadata['extra']['soft-require']['phpbb/phpbb'])) ? htmlspecialchars($this->metadata['extra']['soft-require']['phpbb/phpbb']) : '', 'META_REQUIRE_PHPBB' => (isset($this->metadata['extra']['soft-require']['phpbb/phpbb'])) ? $this->metadata['extra']['soft-require']['phpbb/phpbb'] : '',
'META_REQUIRE_PHPBB_FAIL' => !$this->validate_require_phpbb(), 'META_REQUIRE_PHPBB_FAIL' => !$this->validate_require_phpbb(),
'META_DISPLAY_NAME' => (isset($this->metadata['extra']['display-name'])) ? htmlspecialchars($this->metadata['extra']['display-name']) : '', 'META_DISPLAY_NAME' => (isset($this->metadata['extra']['display-name'])) ? $this->metadata['extra']['display-name'] : '',
)); ));
foreach ($this->metadata['authors'] as $author) foreach ($this->metadata['authors'] as $author)
{ {
$this->template->assign_block_vars('meta_authors', array( $this->template->assign_block_vars('meta_authors', array(
'AUTHOR_NAME' => htmlspecialchars($author['name']), 'AUTHOR_NAME' => $author['name'],
'AUTHOR_EMAIL' => (isset($author['email'])) ? $author['email'] : '', 'AUTHOR_EMAIL' => (isset($author['email'])) ? $author['email'] : '',
'AUTHOR_HOMEPAGE' => (isset($author['homepage'])) ? $author['homepage'] : '', 'AUTHOR_HOMEPAGE' => (isset($author['homepage'])) ? $author['homepage'] : '',
'AUTHOR_ROLE' => (isset($author['role'])) ? htmlspecialchars($author['role']) : '', 'AUTHOR_ROLE' => (isset($author['role'])) ? $author['role'] : '',
)); ));
} }
} }

1
tests/extension/metadata_manager_test.php
View file

@ -123,6 +123,7 @@ class phpbb_extension_metadata_manager_test extends phpbb_database_test_case
} }
$json = json_decode(file_get_contents($this->phpbb_root_path . 'ext/vendor2/foo/composer.json'), true); $json = json_decode(file_get_contents($this->phpbb_root_path . 'ext/vendor2/foo/composer.json'), true);
array_walk_recursive($json, array($manager, 'sanitize_json'));
$this->assertEquals($metadata, $json); $this->assertEquals($metadata, $json);
} }

2
tests/mock/metadata_manager.php
View file

@ -15,11 +15,13 @@ class phpbb_mock_metadata_manager extends \phpbb\extension\metadata_manager
{ {
public function set_metadata($metadata) public function set_metadata($metadata)
{ {
array_walk_recursive($metadata, array($this, 'sanitize_json'));
$this->metadata = $metadata; $this->metadata = $metadata;
} }
public function merge_metadata($metadata) public function merge_metadata($metadata)
{ {
array_walk_recursive($metadata, array($this, 'sanitize_json'));
$this->metadata = array_merge($this->metadata, $metadata); $this->metadata = array_merge($this->metadata, $metadata);
} }
} }