in case uri and script name don't match we better throw an exception
authorThomas Müller <thomas.mueller@tmit.eu>
Mon, 25 Nov 2013 13:42:34 +0000 (14:42 +0100)
committerThomas Müller <thomas.mueller@tmit.eu>
Mon, 25 Nov 2013 16:42:20 +0000 (17:42 +0100)
lib/request.php
tests/lib/request.php

index dbdd21fbf7b09c689ccc8aff27c06d9202141aa3..770ccd5bdb24eba414feb653c73bcbd8fd575567 100755 (executable)
@@ -137,8 +137,16 @@ class OC_Request {
        public static function getRawPathInfo() {
                $requestUri = $_SERVER['REQUEST_URI'];
                // remove too many leading slashes - can be caused by reverse proxy configuration
-               $requestUri = '/' . ltrim($requestUri, '/');
-               $path_info = substr($requestUri, strlen($_SERVER['SCRIPT_NAME']));
+               if (strpos($requestUri, '/') === 0) {
+                       $requestUri = '/' . ltrim($requestUri, '/');
+               }
+
+               $scriptName = $_SERVER['SCRIPT_NAME'];
+               // in case uri and script name don't match we better throw an exception
+               if (strpos($requestUri, $scriptName) !== 0) {
+                       throw new Exception("REQUEST_URI($requestUri) does not start with the SCRIPT_NAME($scriptName)");
+               }
+               $path_info = substr($requestUri, strlen($scriptName));
                // Remove the query string from REQUEST_URI
                if ($pos = strpos($path_info, '?')) {
                        $path_info = substr($path_info, 0, $pos);
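Review bot: The new guard `if (strpos($requestUri, $scriptName) !== 0)` is a plain prefix test, so with SCRIPT_NAME `/index.php` a REQUEST_URI such as `/index.phpx/foo` is still accepted and the `substr` below it yields `x/foo` as the path info. Requiring the character after the prefix to be `/`, `?` or end of string closes that, e.g. `$next = substr($requestUri, strlen($scriptName), 1); if (strpos($requestUri, $scriptName) !== 0 || !in_array($next, array('', false, '/', '?'), true)) {` — `false` is listed because pre-7 `substr` returns it at the end of the string, and every case in the test provider still passes. The exception message also embeds the raw REQUEST_URI; whether that string ever reaches a browser unescaped depends on the error handler, which is not in this hunk, so either leave the URI out of the message or confirm the handler escapes it. getRawPathInfo continues past the end of the hunk.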
index d7ccb2146d43fb562e5b1f2c52af97709ea57842..a740751f060df22f4191a13d4b735eea0e496319 100644 (file)
@@ -39,8 +39,30 @@ class Test_Request extends PHPUnit_Framework_TestCase {
 
        function rawPathInfoProvider() {
                return array(
+                       array('/core/ajax/translations.php', 'index.php/core/ajax/translations.php', 'index.php'),
                        array('/core/ajax/translations.php', '/index.php/core/ajax/translations.php', '/index.php'),
                        array('/core/ajax/translations.php', '//index.php/core/ajax/translations.php', '/index.php'),
                );
        }
+
+       /**
+        * @dataProvider rawPathInfoThrowsExceptionProvider
+        * @expectedException Exception
+        *
+        * @param $requestUri
+        * @param $scriptName
+        */
+       public function testRawPathInfoThrowsException($requestUri, $scriptName) {
+               $_SERVER['REQUEST_URI'] = $requestUri;
+               $_SERVER['SCRIPT_NAME'] = $scriptName;
+               OC_Request::getRawPathInfo();
+       }
+
+       function rawPathInfoThrowsExceptionProvider() {
+               return array(
+                       array('core/ajax/translations.php', '/index.php'),
+                       array('/core/ajax/translations.php', '/index.php'),
+                       array('//core/ajax/translations.php', '/index.php'),
+               );
+       }
 }
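Review bot: `@expectedException Exception` on testRawPathInfoThrowsException accepts any exception, so a failure unrelated to the new guard in getRawPathInfo (for example an error the test runner converts to an exception) would still pass; pinning the message with `@expectedExceptionMessage does not start with the SCRIPT_NAME` ties the test to the behaviour the commit adds. The test also overwrites `$_SERVER['REQUEST_URI']` and `$_SERVER['SCRIPT_NAME']` without restoring them, so its values leak into later tests in the same process; saving them in `setUp()` and restoring them in `tearDown()` would isolate it. The enclosing Test_Request class starts before this hunk.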