mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-02-23 11:28:33 +01:00
Code Issues Releases Wiki Activity

[ticket/11997] Allow redirects to parent folders like previously

Browse Source 
Redirects to parent folders were possible with the previous redirect function.
This change will allow these redirects again.

PHPBB3-11997
This commit is contained in:
Marc Alexander 2013-12-21 16:31:20 +01:00
parent 15913fdf79
commit 235d2069e0
3 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
phpBB/includes/functions.php
View File

@ -2653,7 +2653,7 @@ function generate_board_url($without_script_path = false)
*/
function redirect($url, $return = false, $disable_cd_check = false)
{
global $db, $cache, $config, $user, $phpbb_root_path, $phpbb_filesystem, $phpbb_path_helper;
global $db, $cache, $config, $user, $phpbb_root_path, $phpbb_filesystem, $phpbb_path_helper, $phpEx;
$failover_flag = false;
@ -2696,14 +2696,15 @@ function redirect($url, $return = false, $disable_cd_check = false)
// Relative uri
$pathinfo = pathinfo($url);
// Also treat URLs that have a non-existing basename
if (!$disable_cd_check && (!file_exists($pathinfo['dirname'] . '/') || !file_exists($pathinfo['basename'])))
// Also treat URLs that have a non-existing basename and fit
// controller style URLs
if (!$disable_cd_check && (!file_exists($pathinfo['dirname'] . '/') || (!file_exists($url) && preg_match('/^[\.]?+[\/]?+(?:app\.php)?+[a-zA-Z0-9\/]/', $url))))
{
$url = str_replace('../', '', $url);
$pathinfo = pathinfo($url);
// Also treat URLs that have a non-existing basename
if (!file_exists($pathinfo['dirname'] . '/') || !file_exists($pathinfo['basename']))
if (!file_exists($pathinfo['dirname'] . '/') || (!file_exists($url) && preg_match('/^[\.]?+[\/]?+(?:app\.php)?+[a-zA-Z0-9\/]/', $url)))
{
// fallback to "last known user page"
// at least this way we know the user does not leave the phpBB root

4
tests/functional/extension_controller_test.php
View File

@ -132,7 +132,9 @@ class phpbb_functional_extension_controller_test extends phpbb_functional_test_c
$row_num = str_replace('redirect_expected_', '', $redirect);
$this->assertContains($filesystem->clean_path(self::$root_url) . $crawler->filter('#redirect_expected_' . $row_num)->text(), $crawler->filter('#redirect_' . $row_num)->text());
$redirect = $crawler->filter('#redirect_' . $row_num)->text();
$redirect = substr($redirect, 0, strpos($redirect, 'sid') - 1);
$this->assertContains($crawler->filter('#redirect_expected_' . $row_num)->text(), $redirect);
}
$this->phpbb_extension_manager->purge('foo/bar');

4
tests/security/redirect_test.php
View File

@ -38,9 +38,9 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
array('./foobar', false, false, 'http://localhost/phpBB/foobar'),
array('foo/bar', false, false, 'http://localhost/phpBB/foo/bar'),
array('./foo/bar', false, false, 'http://localhost/phpBB/foo/bar'),
array('./../index.php', false, false, 'http://localhost/phpBB/index.php'),
array('./../index.php', false, false, 'http://localhost/index.php'),
array('./../index.php', true, false, 'http://localhost/index.php'),
array('../index.php', false, false, 'http://localhost/phpBB/index.php'),
array('../index.php', false, false, 'http://localhost/index.php'),
array('../index.php', true, false, 'http://localhost/index.php'),
array('./index.php', false, false, 'http://localhost/phpBB/index.php'),
);