-rw-r--r--phpBB/config/services.yml2
-rw-r--r--phpBB/phpbb/viewonline_helper.php19
-rw-r--r--tests/viewonline/helper_test.php14
3 files changed, 29 insertions, 6 deletions
diff --git a/phpBB/config/services.yml b/phpBB/config/services.yml
index a7e708d492..a44d2e1aed 100644
--- a/phpBB/config/services.yml
+++ b/phpBB/config/services.yml
@@ -364,3 +364,5 @@ services:
viewonline_helper:
class: phpbb\viewonline_helper
+ arguments:
+ - @filesystem
diff --git a/phpBB/phpbb/viewonline_helper.php b/phpBB/phpbb/viewonline_helper.php
index 3fc33119a3..b722f9d911 100644
--- a/phpBB/phpbb/viewonline_helper.php
+++ b/phpBB/phpbb/viewonline_helper.php
@@ -18,6 +18,17 @@ namespace phpbb;
*/
class viewonline_helper
{
+ /** @var \phpbb\filesystem */
+ protected $filesystem;
+
+ /**
+ * @param \phpbb\filesystem $filesystem
+ */
+ public function __construct(\phpbb\filesystem $filesystem)
+ {
+ $this->filesystem = $filesystem;
+ }
+
/**
* Get user page
*
@@ -26,7 +37,13 @@ class viewonline_helper
*/
public function get_user_page($session_page)
{
- preg_match('#^([./\\]*+[a-z0-9/_-]+)#i', $session_page, $on_page);
+ $session_page = $this->filesystem->clean_path($session_page);
+ if (strpos($session_page, './') === 0)
+ {
+ $session_page = substr($session_page, 2);
+ }
+
+ preg_match('#^((\.\./)*([a-z0-9/_-]+))#i', $session_page, $on_page);
if (empty($on_page))
{
$on_page[1] = '';
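Review bot: The `./` guard at the `strpos($session_page, './') === 0` line strips exactly one leading `./`, so the new data-provider case `'././index.php' => 'index'` only holds if `clean_path()` has already collapsed repeated dot segments — that behaviour is not visible in this hunk, and if it does not hold the guard needs a loop rather than a single `substr`. Either way the dependency deserves a comment on the guard, e.g. `// clean_path() is expected to collapse "./" and "../" segments; at most one leading "./" can remain here`. The rewritten pattern `#^((\.\./)*([a-z0-9/_-])+)#i` also changes what callers get back: `.` is no longer in the character class, so the capture stops before the file extension (`index.php` now yields `index`, as the updated tests show), and only leading `../` runs are accepted instead of any mix of `.`, `/` and `\`; the method's docblock (it starts before this hunk) still says only "Get user page" and should state that the return is the normalised path without its extension. get_user_page's body continues past the end of the hunk.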
diff --git a/tests/viewonline/helper_test.php b/tests/viewonline/helper_test.php
index e4950bb51a..bbbed59de7 100644
--- a/tests/viewonline/helper_test.php
+++ b/tests/viewonline/helper_test.php
@@ -17,23 +17,27 @@ class phpbb_viewonline_helper_test extends phpbb_test_case
{
parent::setUp();
- $this->viewonline_helper = new \phpbb\viewonline_helper();
+ $this->viewonline_helper = new \phpbb\viewonline_helper(new \phpbb\filesystem());
}
public function session_pages_data()
{
return array(
- array('index.php', 'index.php'),
- array('foobar/test.php', 'foobar/test.php'),
+ array('index.php', 'index'),
+ array('foobar/test.php', 'foobar/test'),
array('', ''),
- array('../index.php', '../index.php'),
+ array('./../../index.php', '../../index'),
+ array('../subdir/index.php', '../subdir/index'),
+ array('../index.php', '../index'),
+ array('././index.php', 'index'),
+ array('./index.php', 'index'),
);
}
/**
* @dataProvider session_pages_data
*/
- public function test_get_user_page($expected, $session_page)
+ public function test_get_user_page($session_page, $expected)
{
$on_page = $this->viewonline_helper->get_user_page($session_page);
$this->assertArrayHasKey(1, $on_page);