From da1888a7fad3be8a42b326e24bd676c92a7e4c51 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 16 Nov 2014 11:09:53 +0100 Subject: [PATCH 1/5] [ticket/security-171] Use type cast helper for json data SECURITY-171 --- phpBB/phpbb/version_helper.php | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/phpBB/phpbb/version_helper.php b/phpBB/phpbb/version_helper.php index c3c3602944..3c5f3efcf2 100644 --- a/phpBB/phpbb/version_helper.php +++ b/phpBB/phpbb/version_helper.php @@ -259,6 +259,13 @@ class version_helper $info = json_decode($info, true); + // Sanitize any data we retrieve from a server + $json_sanitizer = function(&$value, $key) { + $type_cast_helper = new \phpbb\request\type_cast_helper(); + $type_cast_helper->set_var($value, $value, gettype($value), true); + }; + array_walk_recursive($info, $json_sanitizer); + if (empty($info['stable']) && empty($info['unstable'])) { $this->user->add_lang('acp/common'); @@ -266,15 +273,6 @@ class version_helper throw new \RuntimeException($this->user->lang('VERSIONCHECK_FAIL')); } - // Replace & with & on announcement links - foreach ($info as $stability => $branches) - { - foreach ($branches as $branch => $branch_data) - { - $info[$stability][$branch]['announcement'] = (!empty($branch_data['announcement'])) ? str_replace('&', '&', $branch_data['announcement']) : ''; - } - } - $info['stable'] = (empty($info['stable'])) ? array() : $info['stable']; $info['unstable'] = (empty($info['unstable'])) ? $info['stable'] : $info['unstable']; From 34004612acb0c55f1cf86271d5a62c1b396ee829 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 16 Nov 2014 13:09:03 +0100 Subject: [PATCH 2/5] [ticket/security-171] Sanitize data from composer.json SECURITY-171 --- phpBB/phpbb/extension/metadata_manager.php | 34 +++++++++++++++------- tests/extension/metadata_manager_test.php | 1 + tests/mock/metadata_manager.php | 2 ++ 3 files changed, 26 insertions(+), 11 deletions(-) diff --git a/phpBB/phpbb/extension/metadata_manager.php b/phpBB/phpbb/extension/metadata_manager.php index edca8ee1af..a64d88fe39 100644 --- a/phpBB/phpbb/extension/metadata_manager.php +++ b/phpBB/phpbb/extension/metadata_manager.php @@ -177,12 +177,24 @@ class metadata_manager throw new \phpbb\extension\exception($this->user->lang('FILE_JSON_DECODE_ERR', $this->metadata_file)); } + array_walk_recursive($metadata, array($this, 'sanitize_json')); $this->metadata = $metadata; return true; } } + /** + * Sanitize input from JSON array using htmlspecialchars() + * + * @param mixed $value Value of array row + * @param string $key Key of array row + */ + public function sanitize_json(&$value, $key) + { + $value = htmlspecialchars($value); + } + /** * This array handles the cleaning of the array * @@ -337,30 +349,30 @@ class metadata_manager public function output_template_data() { $this->template->assign_vars(array( - 'META_NAME' => htmlspecialchars($this->metadata['name']), - 'META_TYPE' => htmlspecialchars($this->metadata['type']), - 'META_DESCRIPTION' => (isset($this->metadata['description'])) ? htmlspecialchars($this->metadata['description']) : '', + 'META_NAME' => $this->metadata['name'], + 'META_TYPE' => $this->metadata['type'], + 'META_DESCRIPTION' => (isset($this->metadata['description'])) ? $this->metadata['description'] : '', 'META_HOMEPAGE' => (isset($this->metadata['homepage'])) ? $this->metadata['homepage'] : '', - 'META_VERSION' => (isset($this->metadata['version'])) ? htmlspecialchars($this->metadata['version']) : '', - 'META_TIME' => (isset($this->metadata['time'])) ? htmlspecialchars($this->metadata['time']) : '', - 'META_LICENSE' => htmlspecialchars($this->metadata['license']), + 'META_VERSION' => (isset($this->metadata['version'])) ? $this->metadata['version'] : '', + 'META_TIME' => (isset($this->metadata['time'])) ? $this->metadata['time'] : '', + 'META_LICENSE' => $this->metadata['license'], - 'META_REQUIRE_PHP' => (isset($this->metadata['require']['php'])) ? htmlspecialchars($this->metadata['require']['php']) : '', + 'META_REQUIRE_PHP' => (isset($this->metadata['require']['php'])) ? $this->metadata['require']['php'] : '', 'META_REQUIRE_PHP_FAIL' => !$this->validate_require_php(), - 'META_REQUIRE_PHPBB' => (isset($this->metadata['extra']['soft-require']['phpbb/phpbb'])) ? htmlspecialchars($this->metadata['extra']['soft-require']['phpbb/phpbb']) : '', + 'META_REQUIRE_PHPBB' => (isset($this->metadata['extra']['soft-require']['phpbb/phpbb'])) ? $this->metadata['extra']['soft-require']['phpbb/phpbb'] : '', 'META_REQUIRE_PHPBB_FAIL' => !$this->validate_require_phpbb(), - 'META_DISPLAY_NAME' => (isset($this->metadata['extra']['display-name'])) ? htmlspecialchars($this->metadata['extra']['display-name']) : '', + 'META_DISPLAY_NAME' => (isset($this->metadata['extra']['display-name'])) ? $this->metadata['extra']['display-name'] : '', )); foreach ($this->metadata['authors'] as $author) { $this->template->assign_block_vars('meta_authors', array( - 'AUTHOR_NAME' => htmlspecialchars($author['name']), + 'AUTHOR_NAME' => $author['name'], 'AUTHOR_EMAIL' => (isset($author['email'])) ? $author['email'] : '', 'AUTHOR_HOMEPAGE' => (isset($author['homepage'])) ? $author['homepage'] : '', - 'AUTHOR_ROLE' => (isset($author['role'])) ? htmlspecialchars($author['role']) : '', + 'AUTHOR_ROLE' => (isset($author['role'])) ? $author['role'] : '', )); } } diff --git a/tests/extension/metadata_manager_test.php b/tests/extension/metadata_manager_test.php index 8e27b39459..fab1d3af3a 100644 --- a/tests/extension/metadata_manager_test.php +++ b/tests/extension/metadata_manager_test.php @@ -123,6 +123,7 @@ class phpbb_extension_metadata_manager_test extends phpbb_database_test_case } $json = json_decode(file_get_contents($this->phpbb_root_path . 'ext/vendor2/foo/composer.json'), true); + array_walk_recursive($json, array($manager, 'sanitize_json')); $this->assertEquals($metadata, $json); } diff --git a/tests/mock/metadata_manager.php b/tests/mock/metadata_manager.php index 16900a0fc1..2443fad560 100644 --- a/tests/mock/metadata_manager.php +++ b/tests/mock/metadata_manager.php @@ -15,11 +15,13 @@ class phpbb_mock_metadata_manager extends \phpbb\extension\metadata_manager { public function set_metadata($metadata) { + array_walk_recursive($metadata, array($this, 'sanitize_json')); $this->metadata = $metadata; } public function merge_metadata($metadata) { + array_walk_recursive($metadata, array($this, 'sanitize_json')); $this->metadata = array_merge($this->metadata, $metadata); } } From 4ee05b1c17fa1be0c911c9d37e106f19b23ebac2 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 17 Nov 2014 00:33:51 +0100 Subject: [PATCH 3/5] [ticket/security-171] Add tests for retrieved remote data in version_helper SECURITY-171 --- phpBB/phpbb/version_helper.php | 13 +- tests/version/version_helper_remote_test.php | 181 +++++++++++++++++++ 2 files changed, 189 insertions(+), 5 deletions(-) create mode 100644 tests/version/version_helper_remote_test.php diff --git a/phpBB/phpbb/version_helper.php b/phpBB/phpbb/version_helper.php index 3c5f3efcf2..bcc67712e4 100644 --- a/phpBB/phpbb/version_helper.php +++ b/phpBB/phpbb/version_helper.php @@ -260,11 +260,14 @@ class version_helper $info = json_decode($info, true); // Sanitize any data we retrieve from a server - $json_sanitizer = function(&$value, $key) { - $type_cast_helper = new \phpbb\request\type_cast_helper(); - $type_cast_helper->set_var($value, $value, gettype($value), true); - }; - array_walk_recursive($info, $json_sanitizer); + if (!empty($info)) + { + $json_sanitizer = function (&$value, $key) { + $type_cast_helper = new \phpbb\request\type_cast_helper(); + $type_cast_helper->set_var($value, $value, gettype($value), true); + }; + array_walk_recursive($info, $json_sanitizer); + } if (empty($info['stable']) && empty($info['unstable'])) { diff --git a/tests/version/version_helper_remote_test.php b/tests/version/version_helper_remote_test.php new file mode 100644 index 0000000000..8eff1dd520 --- /dev/null +++ b/tests/version/version_helper_remote_test.php @@ -0,0 +1,181 @@ + + * @license GNU General Public License, version 2 (GPL-2.0) + * + * For full copyright and license information, please see + * the docs/CREDITS.txt file. + * + */ + +namespace phpbb; + +class version_helper_remote_test extends \phpbb_test_case +{ + static $remote_data = ''; + protected $cache; + protected $version_helper; + + public function setUp() + { + parent::setUp(); + + global $phpbb_root_path, $phpEx; + + include_once($phpbb_root_path . 'includes/functions.' . $phpEx); + + $config = new \phpbb\config\config(array( + 'version' => '3.1.0', + )); + $container = new \phpbb_mock_container_builder(); + $db = new \phpbb\db\driver\factory($container); + $this->cache = $this->getMock('\phpbb\cache\service', array('get'), array(new \phpbb\cache\driver\null(), $config, $db, '../../', 'php')); + $this->cache->expects($this->any()) + ->method('get') + ->with($this->anything()) + ->will($this->returnValue(false)); + + $this->version_helper = new \phpbb\version_helper( + $this->cache, + $config, + new \phpbb\user('\phpbb\datetime') + ); + $this->user = new \phpbb\user('\phpbb\datetime'); + $this->user->add_lang('acp/common'); + } + + public function provider_get_versions() + { + return array( + array('', false), + array('foobar', false), + array('{ + "stable": { + "1.0": { + "current": "1.0.1", + "download": "https://www.phpbb.com/customise/db/download/104136", + "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/", + "eol": null, + "security": false + } + } +}', true, array ( + 'stable' => array ( + '1.0' => array ( + 'current' => '1.0.1', + 'download' => 'https://www.phpbb.com/customise/db/download/104136', + 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/', + 'eol' => NULL, + 'security' => false, + ), + ), + 'unstable' => array ( + '1.0' => array ( + 'current' => '1.0.1', + 'download' => 'https://www.phpbb.com/customise/db/download/104136', + 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/', + 'eol' => NULL, + 'security' => false, + ), + ), + )), + array('{ + "foobar": { + "1.0": { + "current": "1.0.1", + "download": "https://www.phpbb.com/customise/db/download/104136", + "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/", + "eol": null, + "security": false + } + } +}', false), + array('{ + "stable": { + "1.0": { + "current": "1.0.1", + "download": "https://www.phpbb.com/customise/db/download/104136", + "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/", + "eol": "", + "security": "" + } + } +}', true, array ( + 'stable' => array ( + '1.0' => array ( + 'current' => '1.0.1<script>alert(\'foo\');</script>', + 'download' => 'https://www.phpbb.com/customise/db/download/104136<script>alert(\'foo\');</script>', + 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/<script>alert(\'foo\');</script>', + 'eol' => '<script>alert(\'foo\');</script>', + 'security' => '<script>alert(\'foo\');</script>', + ), + ), + 'unstable' => array ( + '1.0' => array ( + 'current' => '1.0.1<script>alert(\'foo\');</script>', + 'download' => 'https://www.phpbb.com/customise/db/download/104136<script>alert(\'foo\');</script>', + 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/<script>alert(\'foo\');</script>', + 'eol' => '<script>alert(\'foo\');</script>', + 'security' => '<script>alert(\'foo\');</script>', + ), + ), + )), + array('{ + "unstable": { + "1.0": { + "current": "1.0.1", + "download": "https://www.phpbb.com/customise/db/download/104136", + "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/", + "eol": "", + "security": "" + } + } +}', true, array ( + 'unstable' => array ( + '1.0' => array ( + 'current' => '1.0.1<script>alert(\'foo\');</script>', + 'download' => 'https://www.phpbb.com/customise/db/download/104136<script>alert(\'foo\');</script>', + 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/<script>alert(\'foo\');</script>', + 'eol' => '<script>alert(\'foo\');</script>', + 'security' => '<script>alert(\'foo\');</script>', + ), + ), + 'stable' => array(), + )), + ); + } + + /** + * @dataProvider provider_get_versions + */ + public function test_get_versions($input, $valid_data, $expected_return = '') + { + self::$remote_data = $input; + + if (!$valid_data) + { + try { + $return = $this->version_helper->get_versions(); + } catch (\RuntimeException $e) { + $this->assertEquals((string)$e->getMessage(), $this->user->lang('VERSIONCHECK_FAIL')); + } + } + else + { + $return = $this->version_helper->get_versions(); + } + + $this->assertEquals($expected_return, $return); + } +} + +/** + * Mock function for get_remote_file() + */ +function get_remote_file($host, $path, $file, $errstr, $errno) +{ + return \phpbb\version_helper_remote_test::$remote_data; +} From f648fe88d5bb2a6661d008724f255bb6df2799ca Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 21 Nov 2014 23:49:54 +0100 Subject: [PATCH 4/5] [ticket/security-171] Modify tests for new file_downloader class SECURITY-171 --- tests/mock/file_downloader.php | 27 ++++++++++++++++++++ tests/version/version_helper_remote_test.php | 16 +++--------- 2 files changed, 31 insertions(+), 12 deletions(-) create mode 100644 tests/mock/file_downloader.php diff --git a/tests/mock/file_downloader.php b/tests/mock/file_downloader.php new file mode 100644 index 0000000000..d8951cebf6 --- /dev/null +++ b/tests/mock/file_downloader.php @@ -0,0 +1,27 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +class phpbb_mock_file_downloader extends \phpbb\file_downloader +{ + public $data; + + public function set($data) + { + $this->data = $data; + } + + public function get($host, $directory, $filename, $port = 80, $timeout = 6) + { + return $this->data; + } +} diff --git a/tests/version/version_helper_remote_test.php b/tests/version/version_helper_remote_test.php index 8eff1dd520..23634cdf0a 100644 --- a/tests/version/version_helper_remote_test.php +++ b/tests/version/version_helper_remote_test.php @@ -11,11 +11,9 @@ * */ -namespace phpbb; - class version_helper_remote_test extends \phpbb_test_case { - static $remote_data = ''; + protected $file_downloader; protected $cache; protected $version_helper; @@ -37,10 +35,12 @@ class version_helper_remote_test extends \phpbb_test_case ->method('get') ->with($this->anything()) ->will($this->returnValue(false)); + $this->file_downloader = new phpbb_mock_file_downloader(); $this->version_helper = new \phpbb\version_helper( $this->cache, $config, + $this->file_downloader, new \phpbb\user('\phpbb\datetime') ); $this->user = new \phpbb\user('\phpbb\datetime'); @@ -153,7 +153,7 @@ class version_helper_remote_test extends \phpbb_test_case */ public function test_get_versions($input, $valid_data, $expected_return = '') { - self::$remote_data = $input; + $this->file_downloader->set($input);; if (!$valid_data) { @@ -171,11 +171,3 @@ class version_helper_remote_test extends \phpbb_test_case $this->assertEquals($expected_return, $return); } } - -/** - * Mock function for get_remote_file() - */ -function get_remote_file($host, $path, $file, $errstr, $errno) -{ - return \phpbb\version_helper_remote_test::$remote_data; -} From 0f06b88ee7aa508ea44704f2973ce1e57f9accf2 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 22 Nov 2014 15:48:09 +0100 Subject: [PATCH 5/5] [ticket/security-171] Remove duplicate semicolon from tests SECURITY-171 --- tests/version/version_helper_remote_test.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/version/version_helper_remote_test.php b/tests/version/version_helper_remote_test.php index 23634cdf0a..65ae7646b9 100644 --- a/tests/version/version_helper_remote_test.php +++ b/tests/version/version_helper_remote_test.php @@ -153,7 +153,7 @@ class version_helper_remote_test extends \phpbb_test_case */ public function test_get_versions($input, $valid_data, $expected_return = '') { - $this->file_downloader->set($input);; + $this->file_downloader->set($input); if (!$valid_data) {