
wfExpandUrl should expand ".." path segments
Closed, Resolved (Public)

Description

Author: GICodeWarrior

Description:
This section of the RFC explains how it is done.
http://tools.ietf.org/html/rfc3986#section-5.2.4

For example, "/a/b/c/./../../g" becomes "/a/g".

This is important for security reasons where you need to limit URLs to a certain prefix.


Version: 1.20.x
Severity: normal
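As an added illustration (not MediaWiki's wfRemoveDotSegments, and not part of the original report), the following Python implements the RFC 3986 section 5.2.4 remove_dot_segments algorithm step by step and then uses it for the kind of prefix restriction the description has in mind; the paths and prefix values are constructed for the example.

```python
def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments as RFC 3986 section 5.2.4 specifies.

    The RFC works on an input buffer and an output buffer; here the output
    is a list of segments, each beginning with '/', joined at the end.
    """
    inp = path
    out = []
    while inp:
        if inp.startswith("../"):          # rule A: drop leading "../"
            inp = inp[3:]
        elif inp.startswith("./"):         # rule A: drop leading "./"
            inp = inp[2:]
        elif inp.startswith("/./"):        # rule B: "/./" -> "/"
            inp = inp[2:]
        elif inp == "/.":                  # rule B: trailing "/." -> "/"
            inp = "/"
        elif inp.startswith("/../"):       # rule C: "/../" -> "/", pop last segment
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":                 # rule C: trailing "/.." -> "/", pop
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):           # rule D: lone "." or ".." vanishes
            inp = ""
        else:                              # rule E: move first segment to output
            start = 1 if inp.startswith("/") else 0
            nxt = inp.find("/", start)
            if nxt == -1:
                out.append(inp)
                inp = ""
            else:
                out.append(inp[:nxt])
                inp = inp[nxt:]
    return "".join(out)


def is_within_prefix(path: str, prefix: str) -> bool:
    """Return True only if the normalized path stays under the allowed prefix.

    Comparing the raw string against the prefix would be fooled by dot
    segments; normalizing first is the point of the bug report above.
    """
    base = prefix.rstrip("/")
    normalized = remove_dot_segments(path)
    return normalized == base or normalized.startswith(base + "/")
```

The RFC's own worked inputs ("/a/b/c/./../../g" and "mid/content=5/../6") reproduce the results it lists, and a path that climbs out of the prefix via ".." is rejected only because it is normalized before the comparison.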

Details

Reference
bz32168

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:58 PM
bzimport set Reference to bz32168.
bzimport added a subscriber: Unknown Object (MLST).

There's already a @fixme on the function asking for just that :)

(In reply to comment #0)

This section of the RFC explains how it is done.
http://tools.ietf.org/html/rfc3986#section-5.2.4

For example, "/a/b/c/./../../g" becomes "/a/g".

We do accept patches!

(In reply to comment #1)

There's already a @fixme on the function asking for just that :)

Ignore me. Per IRC discussion at the time, I was misreading the @todo and how it relates to this bug (actually, they don't relate at all).

GICodeWarrior wrote:

(In reply to comment #2)

We do accept patches!

I do intend to implement this. I just wanted to file a bug so people could comment on it. ;-)

GICodeWarrior wrote:

First step (wfRemoveDotSegments) is in r102587.

GICodeWarrior wrote:

r103199 and r103208 finish this off.

Dereckson subscribed.

There is apparently a last step: integrate wfAssembleUrl with wfExpandUrl:

includes/GlobalFunctions.php
/**
 * This function will reassemble a URL parsed with wfParseURL. This is useful
 * if you need to edit part of a URL and put it back together.
 *
 * This is the basic structure used (brackets contain keys for $urlParts):
 * [scheme][delimiter][user]:[pass]@[host]:[port][path]?[query]#[fragment]
 *
 * @todo Need to integrate this into wfExpandUrl (see T34168)
 *
 * @since 1.19
 * @param array $urlParts URL parts, as output from wfParseUrl
 * @return string URL assembled from its component parts
 */
function wfAssembleUrl( $urlParts ) {
	...
}
matmarex subscribed.

This looks like it was fixed in 2011.