mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-31 14:00:31 +02:00
Code Issues Releases Wiki Activity

Merge pull request #38 from phpbb/ticket/security/210

Browse Source 
[ticket/security/210] Prevent using IP addresses or ports for remote avatar
This commit is contained in:
Marc Alexander
2017-07-16 11:29:35 +02:00
parent 4ed45c4e12 fa631947f1
commit 0b405a2cdc
3 changed files with 70 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
tests/avatar/manager_test.php
View File

@@ -372,4 +372,59 @@ class phpbb_avatar_manager_test extends \phpbb_database_test_case
'avatar_height' => 0,
), $row);
}
public function data_remote_avatar_url()
{
return array(
array('127.0.0.1:91?foo.jpg', 80, 80, array('AVATAR_URL_INVALID')),
array(gethostbyname('secure.gravatar.com') . '/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
array('secure.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80),
array(gethostbyname('secure.gravatar.com') . ':120/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
array('secure.gravatar.com:80/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
array('secure.gravatar.com:80?55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
array('secure.gravatar.com?55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')), // should be a 404
array('2001:db8:0:0:0:0:2:1/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
array('secure.gravatar.com/2001:db8:0:0:0:0:2:1/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
array('secure.gravatar.com/127.0.0.1:80/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
);
}
/**
* @dataProvider data_remote_avatar_url
*/
public function test_remote_avatar_url($url, $width, $height, $expected_error = array())
{
global $phpbb_root_path, $phpEx;
if (!function_exists('get_preg_expression'))
{
require($phpbb_root_path . 'includes/functions.' . $phpEx);
}
$this->config['server_name'] = 'foobar.com';
/** @var \phpbb\avatar\driver\remote $remote_avatar */
$remote_avatar = $this->manager->get_driver('avatar.driver.remote', false);
$request = new phpbb_mock_request(array(), array(
'avatar_remote_url' => $url,
'avatar_remote_width' => $width,
'avatar_remote_height' => $height,
));
$user = new \phpbb\user('\phpbb\datetime');
$row = array();
$error = array();
$return = $remote_avatar->process_form($request, null, $user, $row, $error);
if (count($expected_error) > 0)
{
$this->assertFalse($return);
}
else
{
$this->assertNotEquals(false, $return);
}
$this->assertSame($expected_error, $error);
}
}