mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-04-21 16:22:22 +02:00
Code Issues Releases Wiki Activity

[ticket/13280] Properly format the current page and add sanitizer to tests

Browse Source 
PHPBB3-13280
This commit is contained in:
Marc Alexander 2014-11-03 16:07:32 +01:00
parent 0e772afb9d
commit 6cc7da0c9c
2 changed files with 18 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
phpBB/phpbb/session.php
View File

@ -43,7 +43,7 @@ class session
// First of all, get the request uri...
$script_name = $symfony_request->getScriptName();
$args = explode('&', $symfony_request->getQueryString());
$args = explode('&', $symfony_request->getQueryString());
// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
if (!$script_name)
@ -61,8 +61,8 @@ class session
// Since some browser do not encode correctly we need to do this with some "special" characters...
// " -> %22, ' => %27, < -> %3C, > -> %3E
$find = array('"', "'", '<', '>');
$replace = array('%22', '%27', '%3C', '%3E');
$find = array('"', "'", '<', '>', '&quot;', '&lt;', '&gt;');
$replace = array('%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E');
foreach ($args as $key => $argument)
{

23
tests/security/extract_current_page_test.php
View File

@ -37,16 +37,16 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
));
$symfony_request->expects($this->any())
->method('getScriptName')
->will($this->returnValue($url));
->will($this->returnValue($this->sanitizer($url)));
$symfony_request->expects($this->any())
->method('getQueryString')
->will($this->returnValue($query_string));
->will($this->returnValue($this->sanitizer($query_string)));
$symfony_request->expects($this->any())
->method('getBasePath')
->will($this->returnValue($server['REQUEST_URI']));
$symfony_request->expects($this->any())
$symfony_request->expects($this->sanitizer($this->any()))
->method('getPathInfo')
->will($this->returnValue('/'));
->will($this->returnValue($this->sanitizer('/')));
$result = \phpbb\session::extract_current_page('./');
$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
@ -65,20 +65,27 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
));
$symfony_request->expects($this->any())
->method('getScriptName')
->will($this->returnValue($url));
->will($this->returnValue($this->sanitizer($url)));
$symfony_request->expects($this->any())
->method('getQueryString')
->will($this->returnValue($query_string));
->will($this->returnValue($this->sanitizer($query_string)));
$symfony_request->expects($this->any())
->method('getBasePath')
->will($this->returnValue($server['REQUEST_URI']));
->will($this->returnValue($this->sanitizer($server['REQUEST_URI'])));
$symfony_request->expects($this->any())
->method('getPathInfo')
->will($this->returnValue('/'));
->will($this->returnValue($this->sanitizer('/')));
$result = \phpbb\session::extract_current_page('./');
$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
$this->assertEquals($expected, $result['query_string'], $label);
}
protected function sanitizer($value)
{
$type_cast_helper = new \phpbb\request\type_cast_helper();
$type_cast_helper->set_var($value, $value, gettype($value), true);
return $value;
}
}