From a0a665ea459fe96a0006766cc0d0b25e5cd258df Mon Sep 17 00:00:00 2001
From: Thomas Müller
Date: Mon, 25 Nov 2013 14:21:51 +0100
Subject: handle duplicate slashes in case of reverse proxy configuration
---
 tests/lib/request.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
(limited to 'tests/lib/request.php')
diff --git a/tests/lib/request.php b/tests/lib/request.php
index 2b2094a612d..d7ccb2146d4 100644
--- a/tests/lib/request.php
+++ b/tests/lib/request.php
@@ -23,4 +23,24 @@ class Test_Request extends PHPUnit_Framework_TestCase {
 $scriptName = OC_Request::scriptName();
 $this->assertEquals('/domain.tld/ownCloud/tests/lib/request.php', $scriptName);
 }
+
+ /**
+ * @dataProvider rawPathInfoProvider
+ * @param $expected
+ * @param $requestUri
+ * @param $scriptName
+ */
+ public function testRawPathInfo($expected, $requestUri, $scriptName) {
+ $_SERVER['REQUEST_URI'] = $requestUri;
+ $_SERVER['SCRIPT_NAME'] = $scriptName;
+ $rawPathInfo = OC_Request::getRawPathInfo();
+ $this->assertEquals($expected, $rawPathInfo);
+ }
+
+ function rawPathInfoProvider() {
+ return array(
+ array('/core/ajax/translations.php', '/index.php/core/ajax/translations.php', '/index.php'),
+ array('/core/ajax/translations.php', '//index.php/core/ajax/translations.php', '/index.php'),
+ );
+ }
 }
-- cgit v1.2.3
From b9fed935b455d06ef943c562093c87171b71e4fc Mon Sep 17 00:00:00 2001
From: Thomas Müller
Date: Mon, 25 Nov 2013 14:42:34 +0100
Subject: in case uri and script name don't match we better throw an exception
---
 lib/private/request.php | 12 ++++++++++--
 tests/lib/request.php | 22 ++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
(limited to 'tests/lib/request.php')
diff --git a/lib/private/request.php b/lib/private/request.php
index 9cf09ac7343..7a75bf25208 100755
--- a/lib/private/request.php
+++ b/lib/private/request.php
@@ -138,8 +138,16 @@ class OC_Request {
 public static function getRawPathInfo() {
 $requestUri = $_SERVER['REQUEST_URI'];
 // remove too many leading slashes - can be caused by reverse proxy configuration
- $requestUri = '/' . ltrim($requestUri, '/');
- $path_info = substr($requestUri, strlen($_SERVER['SCRIPT_NAME']));
+ if (strpos($requestUri, '/') === 0) {
+ $requestUri = '/' . ltrim($requestUri, '/');
+ }
+
+ $scriptName = $_SERVER['SCRIPT_NAME'];
+ // in case uri and script name don't match we better throw an exception
+ if (strpos($requestUri, $scriptName) !== 0) {
+ throw new Exception("REQUEST_URI($requestUri) does not start with the SCRIPT_NAME($scriptName)");
+ }
+ $path_info = substr($requestUri, strlen($scriptName));
 // Remove the query string from REQUEST_URI
 if ($pos = strpos($path_info, '?')) {
 $path_info = substr($path_info, 0, $pos);
diff --git a/tests/lib/request.php b/tests/lib/request.php
index d7ccb2146d4..a740751f060 100644
--- a/tests/lib/request.php
+++ b/tests/lib/request.php
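Review bot: In lib/private/request.php, the new `throw new Exception("REQUEST_URI($requestUri) does not start with the SCRIPT_NAME($scriptName)")` in getRawPathInfo() copies the raw, client-supplied REQUEST_URI into the exception message, so every place that renders or logs that message has to escape it; a static message such as `throw new Exception('REQUEST_URI does not start with SCRIPT_NAME');`, with the two values logged separately, removes that dependency. The guard `strpos($requestUri, $scriptName) !== 0` is a plain string-prefix test, so a URI that merely continues the script name (constructed sample: `/index.phpx/core` against `/index.php`) passes and yields a path info without a leading slash; also requiring the character after the prefix to be `/`, `?` or end of string would close that. Any remote client can now reach this throw, and the hunk does not show whether callers turn it into a 4xx response or let it surface as an unhandled error. The body of getRawPathInfo() continues past the end of the hunk.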
@@ -39,8 +39,30 @@ class Test_Request extends PHPUnit_Framework_TestCase {
 
 function rawPathInfoProvider() {
 return array(
+ array('/core/ajax/translations.php', 'index.php/core/ajax/translations.php', 'index.php'),
 array('/core/ajax/translations.php', '/index.php/core/ajax/translations.php', '/index.php'),
 array('/core/ajax/translations.php', '//index.php/core/ajax/translations.php', '/index.php'),
 );
 }
+
+ /**
+ * @dataProvider rawPathInfoThrowsExceptionProvider
+ * @expectedException Exception
+ *
+ * @param $requestUri
+ * @param $scriptName
+ */
+ public function testRawPathInfoThrowsException($requestUri, $scriptName) {
+ $_SERVER['REQUEST_URI'] = $requestUri;
+ $_SERVER['SCRIPT_NAME'] = $scriptName;
+ OC_Request::getRawPathInfo();
+ }
+
+ function rawPathInfoThrowsExceptionProvider() {
+ return array(
+ array('core/ajax/translations.php', '/index.php'),
+ array('/core/ajax/translations.php', '/index.php'),
+ array('//core/ajax/translations.php', '/index.php'),
+ );
+ }
 }
-- cgit v1.2.3
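Review bot: `@expectedException Exception` on testRawPathInfoThrowsException accepts any exception at all, so the test would also pass if getRawPathInfo() failed for an unrelated reason rather than on the URI/script-name mismatch. Pinning the message as well would tie it to the intended branch, for example by adding `* @expectedExceptionMessage does not start with the SCRIPT_NAME` to the docblock, assuming the PHPUnit version in use supports that annotation. Neither provider has a row whose REQUEST_URI carries a query string, which is the other branch of getRawPathInfo() visible in this commit. Both providers are declared without a visibility keyword (`function rawPathInfoThrowsExceptionProvider()`); `public function` would match the test methods.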