From 5ccc0540fd28cc1620ffca10e3aed92319e78794 Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Sun, 31 Mar 2013 21:09:07 -0400 Subject: Fixes #4972: More robust friendly titles implementation --- engine/tests/regression/trac_bugs.php | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index 691433a41..58444dd39 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -206,21 +206,23 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { */ public function test_friendly_title() { $cases = array( + // acid test + "B&N > Amazon, OK? 'hey!' $34" + => "b-and-n-greater-than-amazon-ok-bold-hey-34", + // hyphen, underscore and ASCII whitespace replaced by separator, // other non-alphanumeric ASCII removed - "a-a_a a\na\ra\ta\va!a\"a#a\$a%a&a'a(a)a*a+a,a.a/a:a;aa?a@a[a\\a]a^a`a{a|a}a~a" - => "a-a-a-a-a-a-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - + "a-a_a a\na\ra\ta\va!a\"a#a\$a%a&a'a(a)a*a+a,a.a/a:a;a=a?a@a[a\\a]a^a`a{a|a}a~a" + => "a-a-a-a-a-a-aaaaaaa-and-aaaaaaaaaaaaaaaaaaaaaaa", + // separators trimmed - "-_ hello _-" => "hello", + "-_ hello _-" + => "hello", // accents removed, lower case, other multibyte chars are URL encoded "I\xC3\xB1t\xC3\xABrn\xC3\xA2ti\xC3\xB4n\xC3\xA0liz\xC3\xA6ti\xC3\xB8n, AND \xE6\x97\xA5\xE6\x9C\xAC\xE8\xAA\x9E" // Iñtërnâtiônàlizætiøn, AND 日本語 => 'internationalizaetion-and-%E6%97%A5%E6%9C%AC%E8%AA%9E', - - // some HTML entity replacements - "Me & You" => 'me-and-you', ); // where available, string is converted to NFC before transliteration -- cgit v1.2.3 From 834c4ad0bf82f28949b108eb6c957fde3c18e1ce Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sat, 20 Apr 2013 11:07:44 -0400 Subject: Fixes #5369 allows ! in urls and adds unit tests --- engine/lib/output.php | 25 ++++++++++------- engine/tests/regression/trac_bugs.php | 52 +++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+), 10 deletions(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/lib/output.php b/engine/lib/output.php index c5a04989b..fe5bbcaaf 100644 --- a/engine/lib/output.php +++ b/engine/lib/output.php @@ -13,28 +13,33 @@ * @param string $text The input string * * @return string The output string with formatted links - **/ + */ function parse_urls($text) { + + // URI specification: http://www.ietf.org/rfc/rfc3986.txt + // This varies from the specification in the following ways: + // * Supports non-ascii characters + // * Does not allow parentheses and single quotes + // * Cuts off commas, exclamation points, and periods off as last character + // @todo this causes problems with // must be in format (no space). // By default htmlawed rewrites tags to this format. // if PHP supported conditional negative lookbehinds we could use this: // $r = preg_replace_callback('/(?"\'\!,]+)/i', - // - // we can put , in the list of excluded char but need to keep . because of domain names. - // it is removed in the callback. - $r = preg_replace_callback('/(?"\'\!,]+)/i', + $r = preg_replace_callback('/(?"\']+)/i', create_function( '$matches', ' $url = $matches[1]; - $period = \'\'; - if (substr($url, -1, 1) == \'.\') { - $period = \'.\'; - $url = trim($url, \'.\'); + $punc = \'\'; + $last = substr($url, -1, 1); + if (in_array($last, array(".", "!", ","))) { + $punc = $last; + $url = rtrim($url, ".!,"); } $urltext = str_replace("/", "/", $url); - return "$urltext$period"; + return "$urltext$punc"; ' ), $text); diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index 58444dd39..83b78bc6b 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -236,4 +236,56 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { $this->assertIdentical($expected, $friendly_title); } } + + /** + * Test #5369 -- parse_urls() + * https://github.com/Elgg/Elgg/issues/5369 + */ + public function test_parse_urls() { + + $cases = array( + 'no.link.here' => + 'no.link.here', + 'simple link http://example.org test' => + 'simple link http://example.org test', + 'non-ascii http://ñew.org/ test' => + 'non-ascii http://ñew.org/ test', + + // section 2.1 + 'percent encoded http://example.org/a%20b test' => + 'percent encoded http://example.org/a%20b test', + // section 2.2: skipping single quote and parenthese + 'reserved characters http://example.org/:/?#[]@!$&*+,;= test' => + 'reserved characters http://example.org/:/?#[]@!$&*+,;= test', + // section 2.3 + 'unreserved characters http://example.org/a1-._~ test' => + 'unreserved characters http://example.org/a1-._~ test', + + 'parameters http://example.org/?val[]=1&val[]=2 test' => + 'parameters http://example.org/?val[]=1&val[]=2 test', + 'port http://example.org:80/ test' => + 'port http://example.org:80/ test', + + 'parentheses (http://www.google.com) test' => + 'parentheses (http://www.google.com) test', + 'comma http://elgg.org, test' => + 'comma http://elgg.org, test', + 'period http://elgg.org. test' => + 'period http://elgg.org. test', + 'exclamation http://elgg.org! test' => + 'exclamation http://elgg.org! test', + + 'already anchor twitter test' => + 'already anchor twitter test', + + 'ssl https://example.org/ test' => + 'ssl https://example.org/ test', + 'ftp ftp://example.org/ test' => + 'ftp ftp://example.org/ test', + + ); + foreach ($cases as $input => $output) { + $this->assertEqual($output, parse_urls($input)); + } + } } -- cgit v1.2.3 From 164ff10b46d5917c7ab6ad068abf10e492464691 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 20 Apr 2013 12:08:27 -0400 Subject: Fixes #5244 adds nofollow to anchor tags created by parse_urls() --- engine/lib/output.php | 2 +- engine/tests/regression/trac_bugs.php | 26 +++++++++++++------------- 2 files changed, 14 insertions(+), 14 deletions(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/lib/output.php b/engine/lib/output.php index fe5bbcaaf..6905b9b71 100644 --- a/engine/lib/output.php +++ b/engine/lib/output.php @@ -39,7 +39,7 @@ function parse_urls($text) { $url = rtrim($url, ".!,"); } $urltext = str_replace("/", "/", $url); - return "$urltext$punc"; + return "$urltext$punc"; ' ), $text); diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index 83b78bc6b..4de9c306b 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -247,41 +247,41 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { 'no.link.here' => 'no.link.here', 'simple link http://example.org test' => - 'simple link http://example.org test', + 'simple link http://example.org test', 'non-ascii http://ñew.org/ test' => - 'non-ascii http://ñew.org/ test', + 'non-ascii http://ñew.org/ test', // section 2.1 'percent encoded http://example.org/a%20b test' => - 'percent encoded http://example.org/a%20b test', + 'percent encoded http://example.org/a%20b test', // section 2.2: skipping single quote and parenthese 'reserved characters http://example.org/:/?#[]@!$&*+,;= test' => - 'reserved characters http://example.org/:/?#[]@!$&*+,;= test', + 'reserved characters http://example.org/:/?#[]@!$&*+,;= test', // section 2.3 'unreserved characters http://example.org/a1-._~ test' => - 'unreserved characters http://example.org/a1-._~ test', + 'unreserved characters http://example.org/a1-._~ test', 'parameters http://example.org/?val[]=1&val[]=2 test' => - 'parameters http://example.org/?val[]=1&val[]=2 test', + 'parameters http://example.org/?val[]=1&val[]=2 test', 'port http://example.org:80/ test' => - 'port http://example.org:80/ test', + 'port http://example.org:80/ test', 'parentheses (http://www.google.com) test' => - 'parentheses (http://www.google.com) test', + 'parentheses (http://www.google.com) test', 'comma http://elgg.org, test' => - 'comma http://elgg.org, test', + 'comma http://elgg.org, test', 'period http://elgg.org. test' => - 'period http://elgg.org. test', + 'period http://elgg.org. test', 'exclamation http://elgg.org! test' => - 'exclamation http://elgg.org! test', + 'exclamation http://elgg.org! test', 'already anchor twitter test' => 'already anchor twitter test', 'ssl https://example.org/ test' => - 'ssl https://example.org/ test', + 'ssl https://example.org/ test', 'ftp ftp://example.org/ test' => - 'ftp ftp://example.org/ test', + 'ftp ftp://example.org/ test', ); foreach ($cases as $input => $output) { -- cgit v1.2.3 From cd7922c58f3f2d04b8ca4bcf336ecda2787c821e Mon Sep 17 00:00:00 2001 From: Jeff Tilson Date: Mon, 29 Apr 2013 13:38:42 -0400 Subject: Fixes #2057 (broken internet archive links) --- engine/lib/output.php | 2 +- engine/tests/regression/trac_bugs.php | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/lib/output.php b/engine/lib/output.php index 6905b9b71..5adc01053 100644 --- a/engine/lib/output.php +++ b/engine/lib/output.php @@ -27,7 +27,7 @@ function parse_urls($text) { // By default htmlawed rewrites tags to this format. // if PHP supported conditional negative lookbehinds we could use this: // $r = preg_replace_callback('/(?"\'\!,]+)/i', - $r = preg_replace_callback('/(?"\']+)/i', + $r = preg_replace_callback('/(?"\']+)/i', create_function( '$matches', ' diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index 4de9c306b..b791dcad3 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -288,4 +288,13 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { $this->assertEqual($output, parse_urls($input)); } } + + /** + * Test #2057 -- parse_urls() + * https://github.com/Elgg/Elgg/issues/2057 + */ + public function test_archive_url() { + $input = 'google'; + $this->assertEqual($input, parse_urls($input)); + } } -- cgit v1.2.3 From 003439fd46cb5e0dedfabf6e49110b3bdffbefe9 Mon Sep 17 00:00:00 2001 From: Jeff Tilson Date: Mon, 29 Apr 2013 14:06:18 -0400 Subject: Including internet archive url test in existing test_parse_url function --- engine/tests/regression/trac_bugs.php | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index b791dcad3..cb3f20421 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -282,19 +282,12 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { 'ssl https://example.org/ test', 'ftp ftp://example.org/ test' => 'ftp ftp://example.org/ test', + 'google' => + 'google' ); foreach ($cases as $input => $output) { $this->assertEqual($output, parse_urls($input)); } } - - /** - * Test #2057 -- parse_urls() - * https://github.com/Elgg/Elgg/issues/2057 - */ - public function test_archive_url() { - $input = 'google'; - $this->assertEqual($input, parse_urls($input)); - } } -- cgit v1.2.3 From f04fdceb5941df31e1ac94f7fb586c2688813da7 Mon Sep 17 00:00:00 2001 From: Jeff Tilson Date: Mon, 29 Apr 2013 14:42:24 -0400 Subject: Adding single quote anchor to parse_url unit test --- engine/tests/regression/trac_bugs.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index cb3f20421..b7654a794 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -282,8 +282,12 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { 'ssl https://example.org/ test', 'ftp ftp://example.org/ test' => 'ftp ftp://example.org/ test', - 'google' => - 'google' + + 'web archive anchor google' => + 'web archive anchor google', + + 'single quotes already anchor yahoo' => + 'single quotes already anchor yahoo' ); foreach ($cases as $input => $output) { -- cgit v1.2.3 From 6fed48c68bd866149427c63782d5ce4db6ba80c4 Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Mon, 13 May 2013 22:39:42 -0400 Subject: Add test for = lookbehind --- engine/tests/regression/trac_bugs.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index b7654a794..7fdd51c27 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -287,8 +287,10 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { 'web archive anchor google', 'single quotes already anchor yahoo' => - 'single quotes already anchor yahoo' + 'single quotes already anchor yahoo', + 'unquoted already anchor yahoo' => + 'unquoted already anchor yahoo', ); foreach ($cases as $input => $output) { $this->assertEqual($output, parse_urls($input)); -- cgit v1.2.3 From c7572e614606396617cb1611653f6a759be0a058 Mon Sep 17 00:00:00 2001 From: Paweł Sroka Date: Mon, 27 May 2013 05:17:08 +0200 Subject: Refs #5538 - Added regression test --- engine/tests/regression/trac_bugs.php | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index 7fdd51c27..180fb5112 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -296,4 +296,34 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { $this->assertEqual($output, parse_urls($input)); } } + + /** + * Checks if additional select columns does not leak to entity attributes. + * + * https://github.com/Elgg/Elgg/issues/5538 + */ + public function test_sql_selects_leak_to_attributes() { + global $ENTITY_CACHE; + //may not have groups in DB - let's create one + $group = new ElggGroup(); + $group->name = 'test_group'; + $group->access_id = ACCESS_PUBLIC; + $this->assertTrue($group->save() !== false); + + //entity cache interferes with our test + $ENTITY_CACHE = array(); + + foreach (array('site', 'user', 'group', 'object') as $type) { + $entities = elgg_get_entities(array( + 'type' => $type, + 'selects' => array('42 as added_col'), + 'limit' => 1, + )); + $entity = array_shift($entities); + $this->assertTrue($entity instanceof ElggEntity); + $this->assertEqual($entity->added_col, null, "Additional select columns are leaking to attributes for " . get_class($entity)); + } + + $group->delete(); + } } -- cgit v1.2.3 From 371e64beb9d47e0b64ce74d83a8587a73908f7d5 Mon Sep 17 00:00:00 2001 From: cash Date: Tue, 28 May 2013 18:33:55 -0400 Subject: Fixes #5531 removes symbol interpretation from translit class --- engine/classes/ElggTranslit.php | 4 ---- engine/tests/regression/trac_bugs.php | 6 +++--- 2 files changed, 3 insertions(+), 7 deletions(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/classes/ElggTranslit.php b/engine/classes/ElggTranslit.php index 4ae1d2479..b4bf87797 100644 --- a/engine/classes/ElggTranslit.php +++ b/engine/classes/ElggTranslit.php @@ -58,10 +58,6 @@ class ElggTranslit { // currency "\xE2\x82\xAC" /* € */ => ' E ', "\xC2\xA3" /* £ */ => ' GBP ', - - "&" => ' and ', - ">" => ' greater than ', - "<" => ' less than ', )); // remove all ASCII except 0-9a-zA-Z, hyphen, underscore, and whitespace diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index 7fdd51c27..051aa8d1b 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -208,12 +208,12 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { $cases = array( // acid test "B&N > Amazon, OK? 'hey!' $34" - => "b-and-n-greater-than-amazon-ok-bold-hey-34", + => "bn-amazon-ok-bold-hey-34", // hyphen, underscore and ASCII whitespace replaced by separator, // other non-alphanumeric ASCII removed - "a-a_a a\na\ra\ta\va!a\"a#a\$a%a&a'a(a)a*a+a,a.a/a:a;a=a?a@a[a\\a]a^a`a{a|a}a~a" - => "a-a-a-a-a-a-aaaaaaa-and-aaaaaaaaaaaaaaaaaaaaaaa", + "a-a_a a\na\ra\ta\va!a\"a#a\$a%aa'a(a)a*a+a,a.a/a:a;a=a?a@a[a\\a]a^a`a{a|a}a~a" + => "a-a-a-a-a-a-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // separators trimmed "-_ hello _-" -- cgit v1.2.3 From 2e979f75cd625c42ac5251140a3e7a797108f669 Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Sat, 1 Jun 2013 21:51:32 -0400 Subject: Add filtering for site entities, faster filtering --- engine/classes/ElggAttributeLoader.php | 30 ++++++++++++++++++++++++++++- engine/tests/regression/trac_bugs.php | 35 ++++++++++++++++++---------------- 2 files changed, 48 insertions(+), 17 deletions(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/classes/ElggAttributeLoader.php b/engine/classes/ElggAttributeLoader.php index b91e4b88a..0b770da75 100644 --- a/engine/classes/ElggAttributeLoader.php +++ b/engine/classes/ElggAttributeLoader.php @@ -24,7 +24,7 @@ class ElggAttributeLoader { 'time_created', 'time_updated', 'last_action', - 'enabled' + 'enabled', ); /** @@ -200,6 +200,8 @@ class ElggAttributeLoader { // saved, these are stored w/ type "site", but with no sites_entity row. These // are probably only created in the unit tests. // @todo Don't save vanilla ElggEntities with type "site" + + $row = $this->filterAddedColumns($row); $row['guid'] = (int) $row['guid']; return $row; } @@ -209,6 +211,8 @@ class ElggAttributeLoader { } } + $row = $this->filterAddedColumns($row); + // Note: If there are still missing attributes, we're running on a 1.7 or earlier schema. We let // this pass so the upgrades can run. @@ -217,4 +221,28 @@ class ElggAttributeLoader { return $row; } + + /** + * Filter out keys returned by the query which should not appear in the entity's attributes + * + * @param array $row All columns from the query + * @return array Columns acceptable for the entity's attributes + */ + protected function filterAddedColumns($row) { + // make an array with keys as acceptable attribute names + $acceptable_attrs = self::$primary_attr_names; + array_splice($acceptable_attrs, count($acceptable_attrs), 0, $this->secondary_attr_names); + $acceptable_attrs = array_combine($acceptable_attrs, $acceptable_attrs); + + // @todo remove these when #4584 is in place + $acceptable_attrs['tables_split'] = true; + $acceptable_attrs['tables_loaded'] = true; + + foreach ($row as $key => $val) { + if (!isset($acceptable_attrs[$key])) { + unset($row[$key]); + } + } + return $row; + } } diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index 180fb5112..d7bb20f3b 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -297,31 +297,34 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { } } - /** - * Checks if additional select columns does not leak to entity attributes. - * - * https://github.com/Elgg/Elgg/issues/5538 - */ - public function test_sql_selects_leak_to_attributes() { + /** + * Ensure additional select columns do not end up in entity attributes. + * + * https://github.com/Elgg/Elgg/issues/5538 + */ + public function test_extra_columns_dont_appear_in_attributes() { global $ENTITY_CACHE; - //may not have groups in DB - let's create one + + // may not have groups in DB - let's create one $group = new ElggGroup(); $group->name = 'test_group'; - $group->access_id = ACCESS_PUBLIC; - $this->assertTrue($group->save() !== false); + $group->access_id = ACCESS_PUBLIC; + $this->assertTrue($group->save() !== false); - //entity cache interferes with our test + // entity cache interferes with our test $ENTITY_CACHE = array(); foreach (array('site', 'user', 'group', 'object') as $type) { $entities = elgg_get_entities(array( - 'type' => $type, - 'selects' => array('42 as added_col'), - 'limit' => 1, + 'type' => $type, + 'selects' => array('1 as _nonexistent_test_column'), + 'limit' => 1, )); - $entity = array_shift($entities); - $this->assertTrue($entity instanceof ElggEntity); - $this->assertEqual($entity->added_col, null, "Additional select columns are leaking to attributes for " . get_class($entity)); + if (!$this->assertTrue($entities, "Query for '$type' did not return an entity.")) { + continue; + } + $entity = $entities[0]; + $this->assertNull($entity->_nonexistent_test_column, "Additional select columns are leaking to attributes for '$type'"); } $group->delete(); -- cgit v1.2.3 From 9892692deefdb06d9e7176c72fc5780ab79e3a7d Mon Sep 17 00:00:00 2001 From: Brett Profitt Date: Tue, 9 Jul 2013 12:13:17 -0400 Subject: Fixes #5706. Allowing parens in URIs if not last character. --- engine/lib/output.php | 8 ++++---- engine/tests/regression/trac_bugs.php | 3 +++ 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/lib/output.php b/engine/lib/output.php index 5adc01053..6172a5c8d 100644 --- a/engine/lib/output.php +++ b/engine/lib/output.php @@ -27,16 +27,16 @@ function parse_urls($text) { // By default htmlawed rewrites tags to this format. // if PHP supported conditional negative lookbehinds we could use this: // $r = preg_replace_callback('/(?"\'\!,]+)/i', - $r = preg_replace_callback('/(?"\']+)/i', + $r = preg_replace_callback('/(?"\']+)/i', create_function( '$matches', ' $url = $matches[1]; - $punc = \'\'; + $punc = ""; $last = substr($url, -1, 1); - if (in_array($last, array(".", "!", ","))) { + if (in_array($last, array(".", "!", ",", "(", ")"))) { $punc = $last; - $url = rtrim($url, ".!,"); + $url = rtrim($url, ".!,()"); } $urltext = str_replace("/", "/", $url); return "$urltext$punc"; diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index 5730830bb..f173b5b9f 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -291,6 +291,9 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { 'unquoted already anchor yahoo' => 'unquoted already anchor yahoo', + + 'parens in uri http://thedailywtf.com/Articles/A-(Long-Overdue)-BuildMaster-Introduction.aspx' => + 'parens in uri http://thedailywtf.com/Articles/A-(Long-Overdue)-BuildMaster-Introduction.aspx' ); foreach ($cases as $input => $output) { $this->assertEqual($output, parse_urls($input)); -- cgit v1.2.3 From 424eff09557bf5e0cee7f0c1a717b3992d2e82ac Mon Sep 17 00:00:00 2001 From: Jerome Bakker Date: Wed, 23 Oct 2013 15:35:05 +0200 Subject: replaced all references to trac.elgg.org to the correct GitHub issues --- documentation/info/manifest.xml | 2 +- engine/classes/ElggAttributeLoader.php | 12 ++++++------ engine/classes/ElggEntity.php | 12 ++++++------ engine/lib/database.php | 12 ++++++------ engine/lib/entities.php | 2 +- engine/lib/upgrade.php | 2 +- engine/lib/upgrades/2010033101.php | 2 +- ...012041801-1.8.3-multiple_user_tokens-852225f7fd89f6c5.php | 2 +- engine/lib/views.php | 2 +- engine/tests/api/helpers.php | 2 +- engine/tests/api/metadata.php | 2 +- engine/tests/api/plugins.php | 4 ++-- engine/tests/objects/entities.php | 2 +- engine/tests/objects/objects.php | 2 +- engine/tests/regression/trac_bugs.php | 10 +++++----- engine/tests/test_files/plugin_18/manifest.xml | 2 +- mod/search/README.txt | 2 +- upgrade.php | 2 +- views/default/js/elgg.php | 2 +- 19 files changed, 39 insertions(+), 39 deletions(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/documentation/info/manifest.xml b/documentation/info/manifest.xml index 494158481..4fd4be8ce 100644 --- a/documentation/info/manifest.xml +++ b/documentation/info/manifest.xml @@ -7,7 +7,7 @@ This is a longer, more interesting description of my plugin, its features, and other important information. http://www.elgg.org/ https://github.com/Elgg/Elgg - http://trac.elgg.org + https://github.com/Elgg/Elgg/issues http://elgg.org/supporter.php (C) Elgg 2011 GNU General Public License version 2 diff --git a/engine/classes/ElggAttributeLoader.php b/engine/classes/ElggAttributeLoader.php index 0b770da75..ffc80b02d 100644 --- a/engine/classes/ElggAttributeLoader.php +++ b/engine/classes/ElggAttributeLoader.php @@ -4,7 +4,7 @@ * Loads ElggEntity attributes from DB or validates those passed in via constructor * * @access private - * + * * @package Elgg.Core * @subpackage DataModel */ @@ -69,7 +69,7 @@ class ElggAttributeLoader { /** * Constructor - * + * * @param string $class class of object being loaded * @param string $required_type entity type this is being used to populate * @param array $initialized_attrs attributes after initializeAttributes() has been run @@ -94,7 +94,7 @@ class ElggAttributeLoader { /** * Get primary attributes missing that are missing - * + * * @param stdClass $row Database row * @return array */ @@ -104,7 +104,7 @@ class ElggAttributeLoader { /** * Get secondary attributes that are missing - * + * * @param stdClass $row Database row * @return array */ @@ -114,7 +114,7 @@ class ElggAttributeLoader { /** * Check that the type is correct - * + * * @param stdClass $row Database row * @return void * @throws InvalidClassException @@ -216,7 +216,7 @@ class ElggAttributeLoader { // Note: If there are still missing attributes, we're running on a 1.7 or earlier schema. We let // this pass so the upgrades can run. - // guid needs to be an int http://trac.elgg.org/ticket/4111 + // guid needs to be an int https://github.com/elgg/elgg/issues/4111 $row['guid'] = (int) $row['guid']; return $row; diff --git a/engine/classes/ElggEntity.php b/engine/classes/ElggEntity.php index dd1c7c114..a563f6fad 100644 --- a/engine/classes/ElggEntity.php +++ b/engine/classes/ElggEntity.php @@ -24,7 +24,7 @@ * * @package Elgg.Core * @subpackage DataModel.Entities - * + * * @property string $type object, user, group, or site (read-only after save) * @property string $subtype Further clarifies the nature of the entity (read-only after save) * @property int $guid The unique identifier for this entity (read only) @@ -352,8 +352,8 @@ abstract class ElggEntity extends ElggData implements 'limit' => 0 ); // @todo in 1.9 make this return false if can't add metadata - // http://trac.elgg.org/ticket/4520 - // + // https://github.com/elgg/elgg/issues/4520 + // // need to remove access restrictions right now to delete // because this is the expected behavior $ia = elgg_set_ignore_access(true); @@ -379,7 +379,7 @@ abstract class ElggEntity extends ElggData implements // unsaved entity. store in temp array // returning single entries instead of an array of 1 element is decided in // getMetaData(), just like pulling from the db. - // + // // if overwrite, delete first if (!$multiple || !isset($this->temp_metadata[$name])) { $this->temp_metadata[$name] = array(); @@ -964,7 +964,7 @@ abstract class ElggEntity extends ElggData implements * * @tip Can be overridden by registering for the permissions_check:comment, * plugin hook. - * + * * @param int $user_guid User guid (default is logged in user) * * @return bool @@ -1365,7 +1365,7 @@ abstract class ElggEntity extends ElggData implements $this->attributes['tables_loaded']++; } - // guid needs to be an int http://trac.elgg.org/ticket/4111 + // guid needs to be an int https://github.com/elgg/elgg/issues/4111 $this->attributes['guid'] = (int)$this->attributes['guid']; // Cache object handle diff --git a/engine/lib/database.php b/engine/lib/database.php index 37dfb8f8d..a7949788d 100644 --- a/engine/lib/database.php +++ b/engine/lib/database.php @@ -129,7 +129,7 @@ function establish_db_link($dblinkname = "readwrite") { // Set up cache if global not initialized and query cache not turned off if ((!$DB_QUERY_CACHE) && (!$db_cache_off)) { // @todo if we keep this cache in 1.9, expose the size as a config parameter - $DB_QUERY_CACHE = new ElggLRUCache(200); + $DB_QUERY_CACHE = new ElggLRUCache(200); } } @@ -399,14 +399,14 @@ function elgg_query_runner($query, $callback = null, $single = false) { // Since we want to cache results of running the callback, we need to // need to namespace the query with the callback and single result request. - // http://trac.elgg.org/ticket/4049 + // https://github.com/elgg/elgg/issues/4049 $hash = (string)$callback . (int)$single . $query; // Is cached? if ($DB_QUERY_CACHE) { if (isset($DB_QUERY_CACHE[$hash])) { elgg_log("DB query $query results returned from cache (hash: $hash)", 'NOTICE'); - return $DB_QUERY_CACHE[$hash]; + return $DB_QUERY_CACHE[$hash]; } } @@ -524,7 +524,7 @@ function delete_data($query) { /** * Invalidate the query cache - * + * * @access private */ function _elgg_invalidate_query_cache() { @@ -533,7 +533,7 @@ function _elgg_invalidate_query_cache() { $DB_QUERY_CACHE->clear(); elgg_log("Query cache invalidated", 'NOTICE'); } elseif ($DB_QUERY_CACHE) { - // In case someone sets the cache to an array and primes it with data + // In case someone sets the cache to an array and primes it with data $DB_QUERY_CACHE = array(); elgg_log("Query cache invalidated", 'NOTICE'); } @@ -668,7 +668,7 @@ function run_sql_script($scriptlocation) { /** * Format a query string for logging - * + * * @param string $query Query string * @return string * @access private diff --git a/engine/lib/entities.php b/engine/lib/entities.php index 997db79d2..4fcf1c657 100644 --- a/engine/lib/entities.php +++ b/engine/lib/entities.php @@ -791,7 +791,7 @@ function get_entity($guid) { if ($shared_cache) { $cached_entity = $shared_cache->load($guid); - // @todo store ACLs in memcache http://trac.elgg.org/ticket/3018#comment:3 + // @todo store ACLs in memcache https://github.com/elgg/elgg/issues/3018#issuecomment-13662617 if ($cached_entity) { // @todo use ACL and cached entity access_id to determine if user can see it return $cached_entity; diff --git a/engine/lib/upgrade.php b/engine/lib/upgrade.php index 0cc1e64dc..158ec9ec1 100644 --- a/engine/lib/upgrade.php +++ b/engine/lib/upgrade.php @@ -245,7 +245,7 @@ function version_upgrade() { // No version number? Oh snap...this is an upgrade from a clean installation < 1.7. // Run all upgrades without error reporting and hope for the best. - // See http://trac.elgg.org/elgg/ticket/1432 for more. + // See https://github.com/elgg/elgg/issues/1432 for more. $quiet = !$dbversion; // Note: Database upgrades are deprecated as of 1.8. Use code upgrades. See #1433 diff --git a/engine/lib/upgrades/2010033101.php b/engine/lib/upgrades/2010033101.php index 0bffee001..4779295fd 100644 --- a/engine/lib/upgrades/2010033101.php +++ b/engine/lib/upgrades/2010033101.php @@ -1,7 +1,7 @@ container_guid); diff --git a/engine/tests/api/helpers.php b/engine/tests/api/helpers.php index 10216140f..414fb4145 100644 --- a/engine/tests/api/helpers.php +++ b/engine/tests/api/helpers.php @@ -519,7 +519,7 @@ class ElggCoreHelpersTest extends ElggCoreUnitTest { $this->assertIdentical($elements_sorted_string, $test_elements); } - // see http://trac.elgg.org/ticket/4288 + // see https://github.com/elgg/elgg/issues/4288 public function testElggBatchIncOffset() { // normal increment $options = array( diff --git a/engine/tests/api/metadata.php b/engine/tests/api/metadata.php index 0862341c1..d23510c6a 100644 --- a/engine/tests/api/metadata.php +++ b/engine/tests/api/metadata.php @@ -139,7 +139,7 @@ class ElggCoreMetadataAPITest extends ElggCoreUnitTest { // Make sure metadata with multiple values is correctly deleted when re-written // by another user - // http://trac.elgg.org/ticket/2776 + // https://github.com/elgg/elgg/issues/2776 public function test_elgg_metadata_multiple_values() { $u1 = new ElggUser(); $u1->username = rand(); diff --git a/engine/tests/api/plugins.php b/engine/tests/api/plugins.php index 114f3991b..d0f111c48 100644 --- a/engine/tests/api/plugins.php +++ b/engine/tests/api/plugins.php @@ -69,7 +69,7 @@ class ElggCorePluginsAPITest extends ElggCoreUnitTest { 'description' => 'A longer, more interesting description.', 'website' => 'http://www.elgg.org/', 'repository' => 'https://github.com/Elgg/Elgg', - 'bugtracker' => 'http://trac.elgg.org', + 'bugtracker' => 'https://github.com/elgg/elgg/issues', 'donations' => 'http://elgg.org/supporter.php', 'copyright' => '(C) Elgg Foundation 2011', 'license' => 'GNU General Public License version 2', @@ -174,7 +174,7 @@ class ElggCorePluginsAPITest extends ElggCoreUnitTest { } public function testElggPluginManifestGetBugtracker() { - $this->assertEqual($this->manifest18->getBugTrackerURL(), 'http://trac.elgg.org'); + $this->assertEqual($this->manifest18->getBugTrackerURL(), 'https://github.com/elgg/elgg/issues'); $this->assertEqual($this->manifest17->getBugTrackerURL(), ''); } diff --git a/engine/tests/objects/entities.php b/engine/tests/objects/entities.php index 248b85c9e..bac72079e 100644 --- a/engine/tests/objects/entities.php +++ b/engine/tests/objects/entities.php @@ -271,7 +271,7 @@ class ElggCoreEntityTest extends ElggCoreUnitTest { $this->save_entity(); // test deleting incorrectly - // @link http://trac.elgg.org/ticket/2273 + // @link https://github.com/elgg/elgg/issues/2273 $this->assertNull($this->entity->deleteMetadata('impotent')); $this->assertEqual($this->entity->important, 'indeed!'); diff --git a/engine/tests/objects/objects.php b/engine/tests/objects/objects.php index 915594e0a..263ab2414 100644 --- a/engine/tests/objects/objects.php +++ b/engine/tests/objects/objects.php @@ -194,7 +194,7 @@ class ElggCoreObjectTest extends ElggCoreUnitTest { $old = elgg_set_ignore_access(true); } - // see http://trac.elgg.org/ticket/1196 + // see https://github.com/elgg/elgg/issues/1196 public function testElggEntityRecursiveDisableWhenLoggedOut() { $e1 = new ElggObject(); $e1->access_id = ACCESS_PUBLIC; diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index f173b5b9f..9372b0855 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -201,8 +201,8 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { } /** - * http://trac.elgg.org/ticket/3210 - Don't remove -s in friendly titles - * http://trac.elgg.org/ticket/2276 - improve char encoding + * https://github.com/elgg/elgg/issues/3210 - Don't remove -s in friendly titles + * https://github.com/elgg/elgg/issues/2276 - improve char encoding */ public function test_friendly_title() { $cases = array( @@ -216,7 +216,7 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { => "a-a-a-a-a-a-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // separators trimmed - "-_ hello _-" + "-_ hello _-" => "hello", // accents removed, lower case, other multibyte chars are URL encoded @@ -286,7 +286,7 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { 'web archive anchor google' => 'web archive anchor google', - 'single quotes already anchor yahoo' => + 'single quotes already anchor yahoo' => 'single quotes already anchor yahoo', 'unquoted already anchor yahoo' => @@ -302,7 +302,7 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { /** * Ensure additional select columns do not end up in entity attributes. - * + * * https://github.com/Elgg/Elgg/issues/5538 */ public function test_extra_columns_dont_appear_in_attributes() { diff --git a/engine/tests/test_files/plugin_18/manifest.xml b/engine/tests/test_files/plugin_18/manifest.xml index 5d788616a..c8b407511 100644 --- a/engine/tests/test_files/plugin_18/manifest.xml +++ b/engine/tests/test_files/plugin_18/manifest.xml @@ -7,7 +7,7 @@ A longer, more interesting description. http://www.elgg.org/ https://github.com/Elgg/Elgg - http://trac.elgg.org + https://github.com/elgg/elgg/issues http://elgg.org/supporter.php (C) Elgg Foundation 2011 GNU General Public License version 2 diff --git a/mod/search/README.txt b/mod/search/README.txt index 98a002dd5..ac5930e5f 100644 --- a/mod/search/README.txt +++ b/mod/search/README.txt @@ -273,4 +273,4 @@ MySQL's fulltext engine returns *ZERO* rows if more than 50% of the rows searched match. The default search hooks for users and groups ignore subtypes. -See [trac ticket 1499](http://trac.elgg.org/elgg/ticket/1499) +See [GitHub issue 1499](https://github.com/elgg/elgg/issues/1499) diff --git a/upgrade.php b/upgrade.php index c5f158c61..d07b2a1da 100644 --- a/upgrade.php +++ b/upgrade.php @@ -46,7 +46,7 @@ if (get_input('upgrade') == 'upgrade') { } else { // if upgrading from < 1.8.0, check for the core view 'welcome' and bail if it's found. - // see http://trac.elgg.org/ticket/3064 + // see https://github.com/elgg/elgg/issues/3064 // we're not checking the view itself because it's likely themes will override this view. // we're only concerned with core files. $welcome = dirname(__FILE__) . '/views/default/welcome.php'; diff --git a/views/default/js/elgg.php b/views/default/js/elgg.php index 6fe03484d..c3b56e398 100644 --- a/views/default/js/elgg.php +++ b/views/default/js/elgg.php @@ -43,7 +43,7 @@ $libs = array( foreach ($libs as $file) { include("{$CONFIG->path}js/lib/$file.js"); - // putting a new line between the files to address http://trac.elgg.org/ticket/3081 + // putting a new line between the files to address https://github.com/elgg/elgg/issues/3081 echo "\n"; } -- cgit v1.2.3 From 0deb80da1e82af55bf8d7500d09b36225ddd7927 Mon Sep 17 00:00:00 2001 From: Jerome Bakker Date: Wed, 23 Oct 2013 16:03:08 +0200 Subject: found some more references to trac --- engine/lib/elgglib.php | 4 ++-- engine/lib/views.php | 4 ++-- engine/tests/objects/users.php | 2 +- engine/tests/regression/trac_bugs.php | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php index b5ef7e572..c95e0c28c 100644 --- a/engine/lib/elgglib.php +++ b/engine/lib/elgglib.php @@ -1350,7 +1350,7 @@ function full_url() { "" : (":" . $_SERVER["SERVER_PORT"]); // This is here to prevent XSS in poorly written browsers used by 80% of the population. - // {@trac [5813]} + // https://github.com/Elgg/Elgg/commit/0c947e80f512cb0a482b1864fd0a6965c8a0cd4a $quotes = array('\'', '"'); $encoded = array('%27', '%22'); @@ -2249,7 +2249,7 @@ function elgg_api_test($hook, $type, $value, $params) { * * @warning ACCESS_DEFAULT is a place holder for the input/access view. Do not * use it when saving an entity. - * + * * @var int */ define('ACCESS_DEFAULT', -1); diff --git a/engine/lib/views.php b/engine/lib/views.php index dc69395c6..fff3581cf 100644 --- a/engine/lib/views.php +++ b/engine/lib/views.php @@ -369,7 +369,7 @@ function elgg_view_exists($view, $viewtype = '', $recurse = true) { * view, $view_name plugin hook. * * @warning Any variables in $_SESSION will override passed vars - * upon name collision. See {@trac #2124}. + * upon name collision. See https://github.com/Elgg/Elgg/issues/2124 * * @param string $view The name and location of the view to use * @param array $vars Variables to pass to the view. @@ -795,7 +795,7 @@ function elgg_view_menu($menu_name, array $vars = array()) { * - bool 'full_view' Whether to show a full or condensed view. * * @tip This function can automatically appends annotations to entities if in full - * view and a handler is registered for the entity:annotate. See {@trac 964} and + * view and a handler is registered for the entity:annotate. See https://github.com/Elgg/Elgg/issues/964 and * {@link elgg_view_entity_annotations()}. * * @param ElggEntity $entity The entity to display diff --git a/engine/tests/objects/users.php b/engine/tests/objects/users.php index 7d2ef6961..8a1033ac4 100644 --- a/engine/tests/objects/users.php +++ b/engine/tests/objects/users.php @@ -145,7 +145,7 @@ class ElggCoreUserTest extends ElggCoreUnitTest { } public function testElggUserNameCache() { - // Trac #1305 + // issue https://github.com/elgg/elgg/issues/1305 // very unlikely a user would have this username $name = (string)time(); diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index 9372b0855..f823825ab 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -1,7 +1,7 @@ Date: Sun, 27 Oct 2013 12:17:05 +0100 Subject: Refs #5952 - Added test --- engine/tests/regression/trac_bugs.php | 41 +++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index f823825ab..ef1348cf6 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -332,4 +332,45 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { $group->delete(); } + + /** + * Ensure that ElggBatch doesn't go into infinite loop when disabling annotations recursively when show hidden is enabled. + * + * https://github.com/Elgg/Elgg/issues/5952 + */ + public function test_disabling_annotations_infinite_loop() { + + //let's have some entity + $group = new ElggGroup(); + $group->name = 'test_group'; + $group->access_id = ACCESS_PUBLIC; + $this->assertTrue($group->save() !== false); + + $total = 51; + //add some annotations + for ($cnt = 0; $cnt < $total; $cnt++) { + $group->annotate('test_annotation', 'value_' . $total); + } + + //disable them + $show_hidden = access_get_show_hidden_status(); + access_show_hidden_entities(true); + $options = array( + 'guid' => $group->guid, + 'limit' => $total, //using strict limit to avoid real infinite loop and just see ElggBatch limiting on it before finishing the work + ); + elgg_disable_annotations($options); + access_show_hidden_entities($show_hidden); + + //confirm all being disabled + $annotations = $group->getAnnotations(array( + 'limit' => $total, + )); + foreach ($annotations as $annotation) { + $this->assertTrue($annotation->enabled == 'no'); + } + + //delete group and annotations + $group->delete(); + } } -- cgit v1.2.3 From d53447f7e6b3277f3249d9a70e56ec01a90c3a60 Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Thu, 11 Jul 2013 13:24:01 -0400 Subject: Disable loading external entities during XML parsing --- engine/classes/ElggAutoP.php | 14 ++++++++++++++ engine/classes/ElggXMLElement.php | 8 ++++++-- engine/tests/regression/trac_bugs.php | 10 ++++++++++ engine/tests/test_files/xxe/external_entity.txt | 1 + engine/tests/test_files/xxe/request.xml | 8 ++++++++ 5 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 engine/tests/test_files/xxe/external_entity.txt create mode 100644 engine/tests/test_files/xxe/request.xml (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/classes/ElggAutoP.php b/engine/classes/ElggAutoP.php index 71536c433..05842d1b2 100644 --- a/engine/classes/ElggAutoP.php +++ b/engine/classes/ElggAutoP.php @@ -110,12 +110,19 @@ class ElggAutoP { // http://www.php.net/manual/en/domdocument.loadhtml.php#95463 libxml_use_internal_errors(true); + // Do not load entities. May be unnecessary, better safe than sorry + $disable_load_entities = libxml_disable_entity_loader(true); + if (!$this->_doc->loadHTML("{$html}" . "")) { + + libxml_disable_entity_loader($disable_load_entities); return false; } + libxml_disable_entity_loader($disable_load_entities); + $this->_xpath = new DOMXPath($this->_doc); // start processing recursively at the BODY element $nodeList = $this->_xpath->query('//body[1]'); @@ -135,9 +142,16 @@ class ElggAutoP { // re-parse so we can handle new AUTOP elements + // Do not load entities. May be unnecessary, better safe than sorry + $disable_load_entities = libxml_disable_entity_loader(true); + if (!$this->_doc->loadHTML($html)) { + libxml_disable_entity_loader($disable_load_entities); return false; } + + libxml_disable_entity_loader($disable_load_entities); + // must re-create XPath object after DOM load $this->_xpath = new DOMXPath($this->_doc); diff --git a/engine/classes/ElggXMLElement.php b/engine/classes/ElggXMLElement.php index 6f2633e25..cbd3fc5ce 100644 --- a/engine/classes/ElggXMLElement.php +++ b/engine/classes/ElggXMLElement.php @@ -20,7 +20,12 @@ class ElggXMLElement { if ($xml instanceof SimpleXMLElement) { $this->_element = $xml; } else { + // do not load entities + $disable_load_entities = libxml_disable_entity_loader(true); + $this->_element = new SimpleXMLElement($xml); + + libxml_disable_entity_loader($disable_load_entities); } } @@ -123,5 +128,4 @@ class ElggXMLElement { } return false; } - -} \ No newline at end of file +} diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index ef1348cf6..e6773c8af 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -373,4 +373,14 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { //delete group and annotations $group->delete(); } + + public function test_ElggXMLElement_does_not_load_external_entities() { + $payload = file_get_contents(dirname(dirname(__FILE__)) . '/test_files/xxe/request.xml'); + $payload = sprintf($payload, 'file://' . realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt')); + + $el = new ElggXMLElement($payload); + $chidren = $el->getChildren(); + $content = $chidren[0]->getContent(); + $this->assertNoPattern('/secret/', $content); + } } diff --git a/engine/tests/test_files/xxe/external_entity.txt b/engine/tests/test_files/xxe/external_entity.txt new file mode 100644 index 000000000..536aca34d --- /dev/null +++ b/engine/tests/test_files/xxe/external_entity.txt @@ -0,0 +1 @@ +secret \ No newline at end of file diff --git a/engine/tests/test_files/xxe/request.xml b/engine/tests/test_files/xxe/request.xml new file mode 100644 index 000000000..4390f9db2 --- /dev/null +++ b/engine/tests/test_files/xxe/request.xml @@ -0,0 +1,8 @@ + + + +]> + + test&xxe;test + -- cgit v1.2.3 From 6eec301f33ff3e618d591d429de7edf30277e972 Mon Sep 17 00:00:00 2001 From: Paweł Sroka Date: Tue, 23 Jul 2013 08:28:30 +0200 Subject: Enhanced test --- engine/tests/regression/trac_bugs.php | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index e6773c8af..ea39253df 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -375,12 +375,26 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { } public function test_ElggXMLElement_does_not_load_external_entities() { + $elLast = libxml_disable_entity_loader(false); + $payload = file_get_contents(dirname(dirname(__FILE__)) . '/test_files/xxe/request.xml'); - $payload = sprintf($payload, 'file://' . realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt')); + $path = realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt'); + $path = str_replace('\\', '/', $path); + if ($path[0] != '/') { + $path = '/' . $path; + } + $path = 'file://' . $path; + $payload = sprintf($payload, $path); $el = new ElggXMLElement($payload); $chidren = $el->getChildren(); $content = $chidren[0]->getContent(); $this->assertNoPattern('/secret/', $content); + + //make sure the test is valid + $element = new SimpleXMLElement($payload); + $this->assertPattern('/secret/', (string)$element->methodName); + + libxml_disable_entity_loader($elLast); } } -- cgit v1.2.3 From 7cacdc8bc26c98a58dc8986acfd911d6542608af Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Wed, 31 Jul 2013 13:34:55 -0400 Subject: Emit notice if XXE can't be tested and skip test --- engine/tests/regression/trac_bugs.php | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'engine/tests/regression/trac_bugs.php') diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index ea39253df..689275661 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -377,6 +377,7 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { public function test_ElggXMLElement_does_not_load_external_entities() { $elLast = libxml_disable_entity_loader(false); + // build payload that should trigger loading of external entity $payload = file_get_contents(dirname(dirname(__FILE__)) . '/test_files/xxe/request.xml'); $path = realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt'); $path = str_replace('\\', '/', $path); @@ -384,16 +385,20 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { $path = '/' . $path; } $path = 'file://' . $path; - $payload = sprintf($payload, $path); + $payload = sprintf($payload, $path); - $el = new ElggXMLElement($payload); - $chidren = $el->getChildren(); - $content = $chidren[0]->getContent(); - $this->assertNoPattern('/secret/', $content); - - //make sure the test is valid + // make sure we can actually this in this environment $element = new SimpleXMLElement($payload); - $this->assertPattern('/secret/', (string)$element->methodName); + $can_load_entity = preg_match('/secret/', (string)$element->methodName); + + $this->skipUnless($can_load_entity, "XXE vulnerability cannot be tested on this system"); + + if ($can_load_entity) { + $el = new ElggXMLElement($payload); + $chidren = $el->getChildren(); + $content = $chidren[0]->getContent(); + $this->assertNoPattern('/secret/', $content); + } libxml_disable_entity_loader($elLast); } -- cgit v1.2.3