author | dizzy <diosmosis@users.noreply.github.com> | 2021-06-18 10:14:35 +0300 |
committer | GitHub <noreply@github.com> | 2021-06-18 10:14:35 +0300 |
commit | 482cf02b00876f799516036cef52c061136a0954 (patch) | |
tree | b55cc1644958685c4e9dfe3994bc17d05957d7f4 /core | |
parent | 3af87103094fc48699fa656ac6795ec56f5775d2 (diff) |
fix regression in trackingspamprevention and warning in bound parameter checking code (#17683)
* remove testdox
* fix warning if parameters is a single value, not an array
* allow skipping valid host check for hardcoded URLs we know are valid
* print testdox hint in case build takes too long to finish consistently
* move testdox warning to correct bootstrap file
* fixing some tests + fix use of Date in bind params
Diffstat (limited to 'core')
-rw-r--r-- | core/DataAccess/Model.php | 4 | ||||
-rw-r--r-- | core/Db.php | 6 | ||||
-rw-r--r-- | core/Http.php | 41 |
3 files changed, 33 insertions, 18 deletions
diff --git a/core/DataAccess/Model.php b/core/DataAccess/Model.php
index 40528f60bd..a15cbf337a 100644
--- a/core/DataAccess/Model.php
+++ b/core/DataAccess/Model.php
@@ -327,8 +327,8 @@ class Model
 /** @var Period $period */
 $dateConditions[] = "(date1 <= ? AND ? <= date2)";
- $bind[] = $period->getDateStart();
- $bind[] = $period->getDateEnd();
+ $bind[] = $period->getDateStart()->getDatetime();
+ $bind[] = $period->getDateEnd()->getDatetime();
 $dateConditionsSql = implode(" OR ", $dateConditions);
 $periodConditions[] = "(period = 5 AND ($dateConditionsSql))";
diff --git a/core/Db.php b/core/Db.php
index 1fd14f439b..09e99b32ce 100644
--- a/core/Db.php
+++ b/core/Db.php
@@ -817,12 +817,16 @@ class Db
 Log::debug("Db::%s() executing SQL: %s", $functionName, $sql);
 }
- private static function checkBoundParametersIfInDevMode($sql, $parameters = [])
+ private static function checkBoundParametersIfInDevMode($sql, $parameters)
 {
 if (!Development::isEnabled()) {
 return;
 }
+ if (!is_array($parameters)) {
+ $parameters = [$parameters];
+ }
+
 foreach ($parameters as $index => $parameter) {
 if ($parameter instanceof Date) {
 throw new \Exception("Found bound parameter (index = $index) is Date instance which will not work correctly in following SQL: $sql");
diff --git a/core/Http.php b/core/Http.php
index 70ead69693..500cfe8e46 100644
--- a/core/Http.php
+++ b/core/Http.php
@@ -68,6 +68,8 @@ class Http
 * @param string $httpMethod The HTTP method to use. Defaults to `'GET'`.
 * @param string $httpUsername HTTP Auth username
 * @param string $httpPassword HTTP Auth password
+ * @param bool $checkHostIsAllowed whether we should check if the target host is allowed or not. This should only
+ * be set to false when using a hardcoded URL.
 *
 * @throws Exception if the response cannot be saved to `$destinationPath`, if the HTTP response cannot be sent,
 * if there are more than 5 redirects or if the request times out.
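Review bot: The two new `->getDatetime()` calls bind a formatted string where a `Date` object used to be bound, and nothing in the hunk records why; a one-line comment above the `$bind[]` lines would stop the next edit from reverting it, e.g. `// bind plain strings: Date objects are rejected by Db::checkBoundParametersIfInDevMode`. The comparison targets `date1`/`date2`; if those are DATE columns (not visible here), a date-only string would match the column type more closely than the datetime string `getDatetime()` presumably produces, so it is worth confirming which format the archive table expects. The enclosing method starts and ends outside the hunk.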
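Review bot: `checkBoundParametersIfInDevMode` still has no docblock, and the new `is_array` normalization changes its contract enough to deserve one: it now accepts a single value as well as an array, and throws when any value is a `Date`. Suggest `@param string $sql`, `@param array|mixed $parameters bound parameter array, or a single value which is treated as a one-element array`, and `@throws \Exception when a bound value is a Date instance (only checked when Development::isEnabled())`. The explicit `is_array` test is the right choice over an `(array)` cast, since a cast would split a `Date` object into its properties and silently defeat the check; a short comment saying so would prevent a future "simplification". The method body continues past the hunk.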
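Review bot: The new `@param bool $checkHostIsAllowed` text says the host is checked for being "allowed" but does not name the check being bypassed, which is the `http.blocklist.hosts` blocklist applied further down in this file; naming it lets a reader grep for the consequence of passing false. Suggest `@param bool $checkHostIsAllowed whether to apply the http.blocklist.hosts check to the target host. Set to false only for a URL hardcoded in code, never for one derived from request data or from a redirect target.` The same docblock text is added again in the `@@ -160,6 +165,8 @@` hunk of this file and should be updated there too.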
@@ -93,13 +95,16 @@ class Http
 $getExtendedInfo = false,
 $httpMethod = 'GET',
 $httpUsername = null,
- $httpPassword = null)
+ $httpPassword = null,
+ $checkHostIsAllowed = true)
 {
 // create output file
 $file = self::ensureDestinationDirectoryExists($destinationPath);
 $acceptLanguage = $acceptLanguage ? 'Accept-Language: ' . $acceptLanguage : '';
- return self::sendHttpRequestBy(self::getTransportMethod(), $aUrl, $timeout, $userAgent, $destinationPath, $file, $followDepth, $acceptLanguage, $acceptInvalidSslCertificate = false, $byteRange, $getExtendedInfo, $httpMethod, $httpUsername, $httpPassword);
+ return self::sendHttpRequestBy(self::getTransportMethod(), $aUrl, $timeout, $userAgent, $destinationPath, $file,
+ $followDepth, $acceptLanguage, $acceptInvalidSslCertificate = false, $byteRange, $getExtendedInfo, $httpMethod,
+ $httpUsername, $httpPassword, null, [], null, $checkHostIsAllowed);
 }
 public static function ensureDestinationDirectoryExists($destinationPath)
@@ -160,6 +165,8 @@ class Http
 * @param string $httpPassword HTTP Auth password
 * @param array|string $requestBody If $httpMethod is 'POST' this may accept an array of variables or a string that needs to be posted
 * @param array $additionalHeaders List of additional headers to set for the request
+ * @param bool $checkHostIsAllowed whether we should check if the target host is allowed or not. This should only
+ * be set to false when using a hardcoded URL.
 *
 * @return string|array true (or string/array) on success; false on HTTP response error code (1xx or 4xx)
 *@throws Exception
@@ -181,7 +188,8 @@ class Http
 $httpPassword = null,
 $requestBody = null,
 $additionalHeaders = array(),
- $forcePost = null
+ $forcePost = null,
+ $checkHostIsAllowed = true
 ) {
 if ($followDepth > 5) {
 throw new Exception('Too many redirects (' . $followDepth . ')');
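Review bot: The rewritten `sendHttpRequestBy` call reaches the new 18th argument by passing three bare placeholders, `null, [], null`, whose meaning a reader has to recover by counting positions against the signature in the `@@ -181,7 +188,8 @@` hunk (`$requestBody`, `$additionalHeaders`, `$forcePost`). Naming them inline keeps the call self-explanatory and makes a future parameter insertion visibly wrong: `$httpUsername, $httpPassword, null /* requestBody */, [] /* additionalHeaders */, null /* forcePost */, $checkHostIsAllowed);`. The `sendHttpRequest` signature begins before this hunk.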
@@ -212,21 +220,24 @@ class Http
 ));
 }
- $disallowedHosts = StaticContainer::get('http.blocklist.hosts');
- $isBlocked = false;
+ if ($checkHostIsAllowed) {
+ $disallowedHosts = StaticContainer::get('http.blocklist.hosts');
- foreach ($disallowedHosts as $host) {
- if (preg_match(self::convertWildcardToPattern($host), $parsedUrl['host']) === 1) {
- $isBlocked = true;
- break;
+ $isBlocked = false;
+
+ foreach ($disallowedHosts as $host) {
+ if (preg_match(self::convertWildcardToPattern($host), $parsedUrl['host']) === 1) {
+ $isBlocked = true;
+ break;
+ }
 }
- }
- if ($isBlocked) {
- throw new Exception(sprintf(
- 'Hostname %s is in list of disallowed hosts',
- $parsedUrl['host']
- ));
+ if ($isBlocked) {
+ throw new Exception(sprintf(
+ 'Hostname %s is in list of disallowed hosts',
+ $parsedUrl['host']
+ ));
+ }
 }
 $contentLength = 0; |
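Review bot: With `$checkHostIsAllowed` false the entire `http.blocklist.hosts` check is skipped, but a hardcoded URL only vouches for the first hop: a redirect target is chosen by the remote server and may point at a blocked host. The recursive call that follows redirects (`$followDepth` is checked earlier in this function) is outside the hunk; it should pass `true` for this flag, or not forward it at all, so the blocklist is re-applied to every redirect destination, and a comment at the new `if` would make that intent explicit, e.g. `// the caller vouched only for the hardcoded first-hop URL; redirect targets are checked again when followed`. The enclosing `sendHttpRequestBy` starts and ends outside the hunk, so whether the flag is currently forwarded cannot be confirmed from here.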