From 204904441a373db335375e973f78b9e8b2741867 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Wed, 11 Jun 2014 23:34:51 +0200
Subject: [PATCH 1/4] [ticket/9801] Allow display of page outside board directory on viewonline

Until now, the preg_match didn't take into account that a page might be outside the board directory. After this change, the regular expression will allow preceding dots and slashes. Paths like ../../test.php will be allowed. The page will be unknown in viewonline.php and it will revert to index.php as current page. However, the core.viewonline_overwrite_location event will receive proper info of the page the user is on right now allowing a listener to change the info that is being displayed.

PHPBB3-9801
---
 phpBB/viewonline.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/phpBB/viewonline.php b/phpBB/viewonline.php
index 43b5f7f001..69e63faa86 100644
--- a/phpBB/viewonline.php
+++ b/phpBB/viewonline.php
@@ -213,7 +213,7 @@ while ($row = $db->sql_fetchrow($result))
 continue;
 }

- preg_match('#^([a-z0-9/_-]+)#i', $row['session_page'], $on_page);
+ preg_match('#^([./\\]*+[a-z0-9/_-]+)#i', $row['session_page'], $on_page);
 if (!sizeof($on_page))
 {
 $on_page[1] = '';

From 277e9a7a850165b002901926838d6cee1bec0f57 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Tue, 24 Jun 2014 18:49:31 +0200
Subject: [PATCH 2/4] [ticket/9801] Add viewonline_helper service to allow proper testing

The viewonline_helper service can and will be extended in the future which will allow us to also test the viewonline page better.

PHPBB3-9801
---
 phpBB/config/services.yml | 3 +++
 phpBB/phpbb/viewonline_helper.php | 37 +++++++++++++++++++++++++++
 phpBB/viewonline.php | 7 ++----
 tests/viewonline/helper_test.php | 42 +++++++++++++++++++++++++++++++
 4 files changed, 84 insertions(+), 5 deletions(-)
 create mode 100644 phpBB/phpbb/viewonline_helper.php
 create mode 100644 tests/viewonline/helper_test.php
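Review bot: The character class in the added `preg_match` line does not contain what the commit message says it does: in a single-quoted PHP string `'\\'` is a single backslash, and inside a PCRE class `\]` is an escaped bracket, so the class stays open until the `]` after `_-` and the whole capture becomes one class, `[./\]*+\[a-z0-9/_-]+`. The effect is that the possessive `*+` is never applied, `*`, `+`, `[` and `]` are accepted as page characters, a literal backslash is not, and the `.php` suffix is now captured as well (the removed pattern stopped at the dot), so `$on_page[1]` changes from `index` to `index.php`. The intended class needs a doubled escape, `preg_match('#^([./\\\\]*+[a-z0-9/_-]+)#i', $row['session_page'], $on_page);`. The same pattern is copied into phpBB/phpbb/viewonline_helper.php in the second patch and kept through the fourth, and the expected values in tests/viewonline/helper_test.php (`'index.php'`, `'../index.php'`) pin the accidental behaviour rather than the described one. The `switch ($on_page[1])` that consumes the capture lies below this hunk, so whether its case labels still match the longer value should be checked there.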
diff --git a/phpBB/config/services.yml b/phpBB/config/services.yml
index 3743daa075..5dc537f5e1 100644
--- a/phpBB/config/services.yml
+++ b/phpBB/config/services.yml
@@ -355,3 +355,6 @@ services:
 - @cache
 - @config
 - @user
+
+ viewonline_helper:
+ class: phpbb\viewonline_helper
diff --git a/phpBB/phpbb/viewonline_helper.php b/phpBB/phpbb/viewonline_helper.php
new file mode 100644
index 0000000000..3aafbb2baf
--- /dev/null
+++ b/phpBB/phpbb/viewonline_helper.php
@@ -0,0 +1,37 @@
+
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb;
+
+/**
+ * Class to handle viewonline related tasks
+ */
+class viewonline_helper
+{
+ /**
+ * Get user page
+ *
+ * @param string $session_page User's session page
+ * @return array Match array filled by preg_match()
+ */
+ public function get_user_page($session_page)
+ {
+ preg_match('#^([./\\]*+[a-z0-9/_-]+)#i', $session_page, $on_page);
+ if (!sizeof($on_page))
+ {
+ $on_page[1] = '';
+ }
+
+ return $on_page;
+ }
+}
diff --git a/phpBB/viewonline.php b/phpBB/viewonline.php
index 69e63faa86..82f990c2a2 100644
--- a/phpBB/viewonline.php
+++ b/phpBB/viewonline.php
@@ -44,6 +44,7 @@ if (!$auth->acl_gets('u_viewprofile', 'a_user', 'a_useradd', 'a_userdel'))
 }

 $pagination = $phpbb_container->get('pagination');
+$viewonline_helper = $phpbb_container->get('viewonline_helper');

 $sort_key_text = array('a' => $user->lang['SORT_USERNAME'], 'b' => $user->lang['SORT_JOINED'], 'c' => $user->lang['SORT_LOCATION']);
 $sort_key_sql = array('a' => 'u.username_clean', 'b' => 's.session_time', 'c' => 's.session_page');
@@ -213,11 +214,7 @@ while ($row = $db->sql_fetchrow($result))
 continue;
 }

- preg_match('#^([./\\]*+[a-z0-9/_-]+)#i', $row['session_page'], $on_page);
- if (!sizeof($on_page))
- {
- $on_page[1] = '';
- }
+ $on_page = $viewonline_helper->get_user_page($row['session_page']);

 switch ($on_page[1])
 {
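Review bot: The `@return array` line of get_user_page in the new phpBB/phpbb/viewonline_helper.php leaves out the one guarantee the caller in viewonline.php depends on — index 1 is always present, and is `''` when nothing matched — which is exactly what the `if (!sizeof($on_page))` branch exists to provide; suggested `@return array Match array as filled by preg_match(); index 1 is always set and is '' when nothing matched`. The pattern on the `preg_match` line has the backslash-escaping problem raised on the first patch. The bare `+` line at the top of this hunk and of the test hunk suggests the `<?php` opener and copyright line were lost when the page was extracted rather than omitted from the file.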
diff --git a/tests/viewonline/helper_test.php b/tests/viewonline/helper_test.php
new file mode 100644
index 0000000000..e4950bb51a
--- /dev/null
+++ b/tests/viewonline/helper_test.php
@@ -0,0 +1,42 @@
+
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+class phpbb_viewonline_helper_test extends phpbb_test_case
+{
+ public function setUp()
+ {
+ parent::setUp();
+
+ $this->viewonline_helper = new \phpbb\viewonline_helper();
+ }
+
+ public function session_pages_data()
+ {
+ return array(
+ array('index.php', 'index.php'),
+ array('foobar/test.php', 'foobar/test.php'),
+ array('', ''),
+ array('../index.php', '../index.php'),
+ );
+ }
+
+ /**
+ * @dataProvider session_pages_data
+ */
+ public function test_get_user_page($expected, $session_page)
+ {
+ $on_page = $this->viewonline_helper->get_user_page($session_page);
+ $this->assertArrayHasKey(1, $on_page);
+ $this->assertSame($expected, $on_page[1]);
+ }
+}

From eb9321c3a1d2223ef2dc25671b6abbdd8b2df8ef Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Thu, 26 Jun 2014 12:29:54 +0200
Subject: [PATCH 3/4] [ticket/9801] Remove spaces before * in docblock

PHPBB3-9801
---
 phpBB/phpbb/viewonline_helper.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/phpBB/phpbb/viewonline_helper.php b/phpBB/phpbb/viewonline_helper.php
index 3aafbb2baf..32b7e55f00 100644
--- a/phpBB/phpbb/viewonline_helper.php
+++ b/phpBB/phpbb/viewonline_helper.php
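Review bot: `$this->viewonline_helper` is assigned in setUp() of phpbb_viewonline_helper_test without being declared, so it is created as a dynamic property; add `protected $viewonline_helper;` above setUp(). The data provider covers only forward-slash paths, so it cannot show that the helper's pattern does not accept a backslash; a constructed case such as `array('..', '..\\index.php')` (expected value taken from what the current pattern yields) would make that explicit, and a case with a query string would document that `?` terminates the capture. The expected values here include the `.php` suffix, which the earlier inline pattern in viewonline.php did not capture — if the pattern is corrected as suggested on the first patch, these expectations become `'index'`, `'foobar/test'` and `'../index'`.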
@@ -14,16 +14,16 @@
 namespace phpbb;

 /**
- * Class to handle viewonline related tasks
- */
+* Class to handle viewonline related tasks
+*/
 class viewonline_helper
 {
 /**
- * Get user page
- *
- * @param string $session_page User's session page
- * @return array Match array filled by preg_match()
- */
+ * Get user page
+ *
+ * @param string $session_page User's session page
+ * @return array Match array filled by preg_match()
+ */
 public function get_user_page($session_page)
 {
 preg_match('#^([./\\]*+[a-z0-9/_-]+)#i', $session_page, $on_page);

From 330f21ab7605a4c327b68af630be5eaef5e2cd88 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Mon, 30 Jun 2014 21:36:11 +0200
Subject: [PATCH 4/4] [ticket/9801] Use empty instead of sizeof

PHPBB3-9801
---
 phpBB/phpbb/viewonline_helper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/phpBB/phpbb/viewonline_helper.php b/phpBB/phpbb/viewonline_helper.php
index 32b7e55f00..3fc33119a3 100644
--- a/phpBB/phpbb/viewonline_helper.php
+++ b/phpBB/phpbb/viewonline_helper.php
@@ -27,7 +27,7 @@ class viewonline_helper
 public function get_user_page($session_page)
 {
 preg_match('#^([./\\]*+[a-z0-9/_-]+)#i', $session_page, $on_page);
- if (!sizeof($on_page))
+ if (empty($on_page))
 {
 $on_page[1] = '';
 }