Skip to content

Commit

Permalink
Merge branch '4.12' into 4.13
Browse files Browse the repository at this point in the history
  • Loading branch information
GuySartorelli committed Apr 25, 2023
2 parents 3d03a93 + c2733a3 commit 908b6f2
Show file tree
Hide file tree
Showing 5 changed files with 79 additions and 23 deletions.
5 changes: 3 additions & 2 deletions src/Control/Director.php
Original file line number Diff line number Diff line change
Expand Up @@ -825,10 +825,11 @@ public static function is_absolute_url($url)
return (
// Base check for existence of a host on a compliant URL
parse_url($url ?? '', PHP_URL_HOST)
// Check for more than one leading slash without a protocol.
// Check for more than one leading slash (forward or backward) without a protocol.
// While not a RFC compliant absolute URL, it is completed to a valid URL by some browsers,
// and hence a potential security risk. Single leading slashes are not an issue though.
|| preg_match('%^\s*/{2,}%', $url ?? '')
// Note: Need 4 backslashes to have a single non-escaped backslash for regex.
|| preg_match('%^\s*(\\\\|/){2,}%', $url ?? '')
|| (
// If a colon is found, check if it's part of a valid scheme definition
// (meaning its not preceded by a slash).
Expand Down
24 changes: 13 additions & 11 deletions src/Forms/GridField/GridFieldPrintButton.php
Original file line number Diff line number Diff line change
Expand Up @@ -228,21 +228,23 @@ public function generatePrintData(GridField $gridField)

/** @var DataObject $item */
foreach ($items->limit(null) as $item) {
$itemRow = new ArrayList();
if (!$item->hasMethod('canView') || $item->canView()) {
$itemRow = new ArrayList();

foreach ($printColumns as $field => $label) {
$value = $gridFieldColumnsComponent
? strip_tags($gridFieldColumnsComponent->getColumnContent($gridField, $item, $field))
: $gridField->getDataFieldValue($item, $field);
foreach ($printColumns as $field => $label) {
$value = $gridFieldColumnsComponent
? strip_tags($gridFieldColumnsComponent->getColumnContent($gridField, $item, $field))
: $gridField->getDataFieldValue($item, $field);

$itemRow->push(new ArrayData([
"CellString" => $value,
]));
}

$itemRow->push(new ArrayData([
"CellString" => $value,
$itemRows->push(new ArrayData([
"ItemRow" => $itemRow
]));
}

$itemRows->push(new ArrayData([
"ItemRow" => $itemRow
]));
if ($item->hasMethod('destroy')) {
$item->destroy();
}
Expand Down
50 changes: 42 additions & 8 deletions tests/php/Control/DirectorTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,9 @@ public function provideAbsolutePaths()
public function testIsAbsoluteUrl()
{
$this->assertTrue(Director::is_absolute_url('http://test.com/testpage'));
$this->assertTrue(Director::is_absolute_url('https:/\\test.com'));
$this->assertTrue(Director::is_absolute_url('https:\\/test.com'));
$this->assertTrue(Director::is_absolute_url('https:\\\\test.com'));
$this->assertTrue(Director::is_absolute_url('ftp://test.com'));
$this->assertFalse(Director::is_absolute_url('test.com/testpage'));
$this->assertFalse(Director::is_absolute_url('/relative'));
Expand All @@ -242,6 +245,11 @@ public function testIsAbsoluteUrl()
$this->assertTrue(Director::is_absolute_url("https://test.com/?url=http://foo.com"));
$this->assertTrue(Director::is_absolute_url("trickparseurl:http://test.com"));
$this->assertTrue(Director::is_absolute_url('//test.com'));
$this->assertTrue(Director::is_absolute_url('\\/\\/test.com'));
$this->assertTrue(Director::is_absolute_url('\/\/test.com'));
$this->assertTrue(Director::is_absolute_url('/\\test.com'));
$this->assertTrue(Director::is_absolute_url('\\\\test.com'));
$this->assertFalse(Director::is_absolute_url('\\test.com'));
$this->assertTrue(Director::is_absolute_url('/////test.com'));
$this->assertTrue(Director::is_absolute_url(' ///test.com'));
$this->assertTrue(Director::is_absolute_url('http:test.com'));
Expand All @@ -259,8 +267,17 @@ public function testIsRelativeUrl()
{
$this->assertFalse(Director::is_relative_url('http://test.com'));
$this->assertFalse(Director::is_relative_url('https://test.com'));
$this->assertFalse(Director::is_relative_url('https:/\\test.com'));
$this->assertFalse(Director::is_relative_url('https:\\/test.com'));
$this->assertFalse(Director::is_relative_url('https:\\\\test.com'));
$this->assertFalse(Director::is_relative_url(' https://test.com/testpage '));
$this->assertTrue(Director::is_relative_url('test.com/testpage'));
$this->assertFalse(Director::is_relative_url('//test.com'));
$this->assertFalse(Director::is_relative_url('\\/\\/test.com'));
$this->assertFalse(Director::is_relative_url('\/\/test.com'));
$this->assertFalse(Director::is_relative_url('/\\test.com'));
$this->assertFalse(Director::is_relative_url('\\\\test.com'));
$this->assertTrue(Director::is_relative_url('\\test.com'));
$this->assertFalse(Director::is_relative_url('ftp://test.com'));
$this->assertTrue(Director::is_relative_url('/relative'));
$this->assertTrue(Director::is_relative_url('relative'));
Expand Down Expand Up @@ -402,17 +419,34 @@ public function testMakeRelative($baseURL, $requestURL, $relativeURL)
);
}

/**
* Mostly tested by {@link testIsRelativeUrl()},
* just adding the host name matching aspect here.
*/
public function testIsSiteUrl()
{
$this->assertFalse(Director::is_site_url("http://test.com"));
$this->assertFalse(Director::is_site_url('http://test.com'));
$this->assertTrue(Director::is_site_url('/relative-path'));
$this->assertTrue(Director::is_site_url('relative-path'));
$this->assertTrue(Director::is_site_url(Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url("http://test.com?url=" . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url("http://test.com?url=" . urlencode(Director::absoluteBaseURL() ?? '')));
$this->assertFalse(Director::is_site_url("//test.com?url=" . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url('http://test.com?url=' . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url('http://test.com?url=' . urlencode(Director::absoluteBaseURL() ?? '')));
$this->assertFalse(Director::is_site_url('http:\\\\test.com'));
$this->assertFalse(Director::is_site_url('http:\\\\test.com?url=' . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url('http:\\\\test.com?url=' . urlencode(Director::absoluteBaseURL() ?? '')));
$this->assertFalse(Director::is_site_url('http:\\/test.com'));
$this->assertFalse(Director::is_site_url('http:\\/test.com?url=' . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url('http:\\/test.com?url=' . urlencode(Director::absoluteBaseURL() ?? '')));
$this->assertFalse(Director::is_site_url('//test.com'));
$this->assertFalse(Director::is_site_url('//test.com?url=' . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url('\\/\\/test.com'));
$this->assertFalse(Director::is_site_url('\\/\\/test.com?url=' . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url('\/\/test.com'));
$this->assertFalse(Director::is_site_url('\/\/test.com?url=' . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url('\\/test.com'));
$this->assertFalse(Director::is_site_url('\\/test.com?url=' . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url('/\\test.com'));
$this->assertFalse(Director::is_site_url('/\\test.com?url=' . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url('\\\\test.com'));
$this->assertFalse(Director::is_site_url('\\\\test.com?url=' . Director::absoluteBaseURL()));
$this->assertTrue(Director::is_site_url('\\test.com'));
$this->assertTrue(Director::is_site_url('\\test.com?url=' . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url('http://google.com\@test.com'));
$this->assertFalse(Director::is_site_url('http://google.com/@test.com'));
$this->assertFalse(Director::is_site_url('http://google.com:pass\@test.com'));
Expand Down
16 changes: 14 additions & 2 deletions tests/php/Forms/GridField/GridFieldPrintButtonTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,19 @@ protected function setUp(): void
}

public function testLimit()
{
$this->assertEquals(42, $this->getTestableRows()->count());
}

public function testCanViewIsRespected()
{
$orig = TestObject::$canView;
TestObject::$canView = false;
$this->assertEquals(0, $this->getTestableRows()->count());
TestObject::$canView = $orig;
}

private function getTestableRows()
{
$list = TestObject::get();

Expand All @@ -48,7 +61,6 @@ public function testLimit()

// Printed data should ignore pagination limit
$printData = $button->generatePrintData($gridField);
$rows = $printData->ItemRows;
$this->assertEquals(42, $rows->count());
return $printData->ItemRows;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,4 +12,11 @@ class TestObject extends DataObject implements TestOnly
private static $db = [
'Name' => 'Varchar'
];

public static bool $canView = true;

public function canView($member = null)
{
return static::$canView;
}
}

0 comments on commit 908b6f2

Please sign in to comment.