makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-27 04:18:55 +00:00
Code Issues Projects Releases Packages Wiki Activity

[ticket/13280] Revert "Merge pull request #3107 from marc1706/ticket/13280"

Browse source 
This reverts commit a1b58d05d1, reversing
changes made to 0e772afb9d.

PHPBB3-13280
This commit is contained in:
Tristan Darricau 2014-11-12 10:30:27 +01:00
parent cd6085ebdc
commit 6d533d2f86
4 changed files with 12 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
phpBB/phpbb/session.php
View file

@ -43,7 +43,7 @@ class session
// First of all, get the request uri... // First of all, get the request uri...
$script_name = $symfony_request->getScriptName(); $script_name = $symfony_request->getScriptName();
$args = explode('&', $symfony_request->getQueryString()); $args = explode('&', $symfony_request->getQueryString());
// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support... // If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
if (!$script_name) if (!$script_name)
@ -61,8 +61,8 @@ class session
// Since some browser do not encode correctly we need to do this with some "special" characters... // Since some browser do not encode correctly we need to do this with some "special" characters...
// " -> %22, ' => %27, < -> %3C, > -> %3E // " -> %22, ' => %27, < -> %3C, > -> %3E
$find = array('"', "'", '<', '>', '&quot;', '&lt;', '&gt;'); $find = array('"', "'", '<', '>');
$replace = array('%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E'); $replace = array('%22', '%27', '%3C', '%3E');
foreach ($args as $key => $argument) foreach ($args as $key => $argument)
{ {

10
phpBB/phpbb/symfony_request.php
View file

@ -30,12 +30,6 @@ class symfony_request extends Request
$type_cast_helper->set_var($value, $value, gettype($value), true); $type_cast_helper->set_var($value, $value, gettype($value), true);
}; };
// This function is meant for additional handling of server variables
$server_sanitizer = function(&$value, $key) use ($sanitizer) {
$sanitizer($value, $key);
$value = str_replace('&amp;', '&', $value);
};
$get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET); $get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET);
$post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST); $post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST);
$server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER); $server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER);
@ -44,12 +38,10 @@ class symfony_request extends Request
array_walk_recursive($get_parameters, $sanitizer); array_walk_recursive($get_parameters, $sanitizer);
array_walk_recursive($post_parameters, $sanitizer); array_walk_recursive($post_parameters, $sanitizer);
array_walk_recursive($server_parameters, $sanitizer);
array_walk_recursive($files_parameters, $sanitizer); array_walk_recursive($files_parameters, $sanitizer);
array_walk_recursive($cookie_parameters, $sanitizer); array_walk_recursive($cookie_parameters, $sanitizer);
// Run special sanitizer for server superglobal
array_walk_recursive($server_parameters, $server_sanitizer);
parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters);
} }
} }

6
tests/functions/build_url_test.php
View file

@ -69,11 +69,6 @@ class phpbb_build_url_test extends phpbb_test_case
array('f', 'style', 't'), array('f', 'style', 't'),
'http://test.phpbb.com/viewtopic.php?', 'http://test.phpbb.com/viewtopic.php?',
), ),
array(
'posting.php?f=2&mode=delete&p=20%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E',
false,
'phpBB/posting.php?f=2&amp;mode=delete&amp;p=20%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E',
)
); );
} }
@ -85,7 +80,6 @@ class phpbb_build_url_test extends phpbb_test_case
global $user, $phpbb_root_path; global $user, $phpbb_root_path;
$user->page['page'] = $page; $user->page['page'] = $page;
$output = build_url($strip_vars); $output = build_url($strip_vars);
$this->assertEquals($expected, $output); $this->assertEquals($expected, $output);

28
tests/security/extract_current_page_test.php
View file

@ -37,16 +37,16 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
)); ));
$symfony_request->expects($this->any()) $symfony_request->expects($this->any())
->method('getScriptName') ->method('getScriptName')
->will($this->returnValue($this->sanitizer($url))); ->will($this->returnValue($url));
$symfony_request->expects($this->any()) $symfony_request->expects($this->any())
->method('getQueryString') ->method('getQueryString')
->will($this->returnValue($this->sanitizer($query_string))); ->will($this->returnValue($query_string));
$symfony_request->expects($this->any()) $symfony_request->expects($this->any())
->method('getBasePath') ->method('getBasePath')
->will($this->returnValue($server['REQUEST_URI'])); ->will($this->returnValue($server['REQUEST_URI']));
$symfony_request->expects($this->sanitizer($this->any())) $symfony_request->expects($this->any())
->method('getPathInfo') ->method('getPathInfo')
->will($this->returnValue($this->sanitizer('/'))); ->will($this->returnValue('/'));
$result = \phpbb\session::extract_current_page('./'); $result = \phpbb\session::extract_current_page('./');
$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.'; $label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
@ -65,32 +65,20 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
)); ));
$symfony_request->expects($this->any()) $symfony_request->expects($this->any())
->method('getScriptName') ->method('getScriptName')
->will($this->returnValue($this->sanitizer($url))); ->will($this->returnValue($url));
$symfony_request->expects($this->any()) $symfony_request->expects($this->any())
->method('getQueryString') ->method('getQueryString')
->will($this->returnValue($this->sanitizer($query_string))); ->will($this->returnValue($query_string));
$symfony_request->expects($this->any()) $symfony_request->expects($this->any())
->method('getBasePath') ->method('getBasePath')
->will($this->returnValue($this->sanitizer($server['REQUEST_URI']))); ->will($this->returnValue($server['REQUEST_URI']));
$symfony_request->expects($this->any()) $symfony_request->expects($this->any())
->method('getPathInfo') ->method('getPathInfo')
->will($this->returnValue($this->sanitizer('/'))); ->will($this->returnValue('/'));
$result = \phpbb\session::extract_current_page('./'); $result = \phpbb\session::extract_current_page('./');
$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.'; $label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
$this->assertEquals($expected, $result['query_string'], $label); $this->assertEquals($expected, $result['query_string'], $label);
} }
protected function sanitizer($value)
{
// Fix for objects passed in phpunit
if (is_object($value))
{
return $value;
}
$type_cast_helper = new \phpbb\request\type_cast_helper();
$type_cast_helper->set_var($value, $value, gettype($value), true);
return str_replace('&amp;', '&', $value);
}
} }