-rw-r--r--phpBB/includes/functions.php2
-rw-r--r--phpBB/phpbb/path_helper.php23
-rw-r--r--tests/path_helper/web_root_path_test.php23
3 files changed, 47 insertions, 1 deletions
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 4c9c3323f7..aea13f7679 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2777,7 +2777,7 @@ function redirect($url, $return = false, $disable_cd_check = false)
$url = (!empty($dir) ? $dir . '/' : '') . $url;
$url = generate_board_url() . '/' . $url;
}
- $url = $phpbb_filesystem->clean_path($url);
+ $url = $phpbb_path_helper->clean_url($url);;
}
}
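Review bot: The added line calls `$phpbb_path_helper`, but the hunk does not show that name being added to `redirect()`'s `global` list, and the diffstat counts only this one replaced line in the file. Unless the variable was already declared there, the call fails on an undefined variable, so confirm it against the top of the function. The line also ends in a stray second semicolon and should read `$url = $phpbb_path_helper->clean_url($url);`. The body of `redirect()` starts and ends outside this hunk.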
diff --git a/phpBB/phpbb/path_helper.php b/phpBB/phpbb/path_helper.php
index f6587fa101..cd4c20bb7d 100644
--- a/phpBB/phpbb/path_helper.php
+++ b/phpBB/phpbb/path_helper.php
@@ -207,4 +207,27 @@ class path_helper
return generate_board_url() . $url;
}
+
+ /**
+ * Eliminates useless . and .. components from specified URL
+ *
+ * @param string $url URL to clean
+ *
+ * @return string Cleaned URL
+ */
+ public function clean_url($url)
+ {
+ $delimiter_position = strpos($url, '://');
+ // URL should contain :// but it shouldn't start with it.
+ // Do not clean URLs that do not fit these constraints.
+ if (empty($delimiter_position))
+ {
+ return $url;
+ }
+ $scheme = substr($url, 0, $delimiter_position) . '://';
+ // Add length of URL delimiter to position
+ $path = substr($url, $delimiter_position + 3);
+
+ return $scheme . $this->filesystem->clean_path($path);
+ }
}
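Review bot: `clean_url()` passes everything after `://` to `clean_path()`, so the host is treated as an ordinary path segment and a `..` can remove it. The new test data pins exactly that: `http://one/../two/three` becomes `http://two/three`. Because `redirect()` in phpBB/includes/functions.php now sends its target through this method, a normalisation step that can change the host weakens any same-site check around it; those checks are outside the visible hunks, so confirm their order. Only the part after the first `/` following the authority should be cleaned, leaving the scheme and host untouched, and the expected values in `clean_url_data()` would change accordingly. The sketch below assumes `clean_path()` keeps a leading `..`, as the `http://../one/two` case suggests.

```php
	public function clean_url($url)
	{
		$delimiter_position = strpos($url, '://');
		// … unchanged: early return when '://' is missing or leading …

		// Scheme and authority are kept verbatim; only the path is normalised.
		$path_start = strpos($url, '/', $delimiter_position + 3);
		if ($path_start === false)
		{
			return $url;
		}
		$prefix = substr($url, 0, $path_start + 1);
		$path = substr($url, $path_start + 1);

		return $prefix . $this->filesystem->clean_path($path);
```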
diff --git a/tests/path_helper/web_root_path_test.php b/tests/path_helper/web_root_path_test.php
index 2e1a37e02b..2c22511402 100644
--- a/tests/path_helper/web_root_path_test.php
+++ b/tests/path_helper/web_root_path_test.php
@@ -146,4 +146,27 @@ class phpbb_path_helper_web_root_path_test extends phpbb_test_case
$this->assertEquals($expected, $path_helper->update_web_root_path($input, $symfony_request));
}
+
+ public function clean_url_data()
+ {
+ return array(
+ array('', ''),
+ array('://', '://'),
+ array('http://', 'http://'),
+ array('http://one/two/three', 'http://one/two/three'),
+ array('http://../one/two', 'http://../one/two'),
+ array('http://one/../two/three', 'http://two/three'),
+ array('http://one/two/../three', 'http://one/three'),
+ array('http://one/two/../../three', 'http://three'),
+ array('http://one/two/../../../three', 'http://../three'),
+ );
+ }
+
+ /**
+ * @dataProvider clean_url_data
+ */
+ public function test_clean_url($input, $expected)
+ {
+ $this->assertEquals($expected, $this->path_helper->clean_url($input));
+ }
}
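Review bot: `clean_url_data()` has no case where `..` or `://` appears in a query string or fragment. It is therefore untested whether `clean_url()` rewrites parameter values, or treats a `://` inside a query as the scheme delimiter, since `strpos` takes the first occurrence. Constructed cases such as `array('http://one/two?next=../three', ...)`, plus a relative URL whose only `://` sits in the query, would pin the intended behaviour. `test_clean_url()` also reads `$this->path_helper`, while the context line above uses a local `$path_helper`; the fixture that sets the property is outside this hunk, so confirm it exists.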