From 6150bf5ee45417ead8a7177af7e365682f3f9171 Mon Sep 17 00:00:00 2001 From: haszi Date: Wed, 31 Jan 2024 21:23:14 +0100 Subject: [PATCH] Fix url_rewriter.hosts not used for output_add_rewrite_var() If fixes issue where session.trans_sid_hosts used instead of url_rewriter.hosts for output_add_rewrite_var(). Closes GH-13294 --- NEWS | 2 + UPGRADING | 2 + .../url_rewriting_basic1.phpt | 154 +++++++++++++ .../url_rewriting_basic2.phpt | 203 ++++++++++++++++++ .../url_rewriting_basic3.phpt | 196 +++++++++++++++++ ext/standard/url_scanner_ex.re | 10 +- 6 files changed, 563 insertions(+), 4 deletions(-) create mode 100644 ext/standard/tests/general_functions/url_rewriting_basic1.phpt create mode 100644 ext/standard/tests/general_functions/url_rewriting_basic2.phpt create mode 100644 ext/standard/tests/general_functions/url_rewriting_basic3.phpt diff --git a/NEWS b/NEWS index 8c8efd82355..5c1a767b4d3 100644 --- a/NEWS +++ b/NEWS @@ -114,6 +114,8 @@ PHP NEWS - Output: . Clear output handler status flags during handler initialization. (haszi) + . Fixed bug with url_rewriter.hosts not used by output_add_rewrite_var(). + (haszi) - PCRE: . Upgrade bundled pcre2lib to version 10.43. (nielsdos) diff --git a/UPGRADING b/UPGRADING index a75f57c1416..ee9d7985415 100644 --- a/UPGRADING +++ b/UPGRADING @@ -412,6 +412,8 @@ PHP 8.4 UPGRADE NOTES . long2ip() now returns string instead of string|false. . The maximum precision that can be handled by round() has been extended by one digit. + . output_add_rewrite_var() now uses url_rewriter.hosts instead of + session.trans_sid_hosts for selecting hosts that will be rewritten. ======================================== 6. New Functions diff --git a/ext/standard/tests/general_functions/url_rewriting_basic1.phpt b/ext/standard/tests/general_functions/url_rewriting_basic1.phpt new file mode 100644 index 00000000000..4c1f6784dcb --- /dev/null +++ b/ext/standard/tests/general_functions/url_rewriting_basic1.phpt 
@@ -0,0 +1,154 @@ +--TEST-- +Test session and output_add_rewrite_var() URL-Rewriting independently +--EXTENSIONS-- +session +--INI-- +session.trans_sid_tags="a=href,area=href,frame=src,form=" +url_rewriter.tags="a=href,area=href,frame=src,form=" +--FILE-- + + + + + + + + + + + + + + + + + + +
+
+ +
+
+
+
+ +
+
+
+
+ +
+
+
+
+ +TEST; + +ob_start(); + +ini_set('session.trans_sid_hosts', 'session-trans-sid.com'); +ini_set('url_rewriter.hosts', 'url-rewriter.com'); + +ini_set('session.use_only_cookies', 1); +ini_set('session.use_cookies', 1); +ini_set('session.use_strict_mode', 1); +ini_set('session.use_trans_sid', 0); + +output_add_rewrite_var('', ''); + +echo "URL-Rewriting with output_add_rewrite_var() without transparent session id support\n"; +echo $testTags; + +ob_end_flush(); + + +ini_set('session.use_only_cookies', 0); +ini_set('session.use_cookies', 0); +ini_set('session.use_strict_mode', 0); +ini_set('session.use_trans_sid', 1); + +session_id('testid'); +session_start(); + +echo "\nURL-Rewriting with transparent session id support without output_add_rewrite_var()\n"; +echo $testTags; + +--EXPECT-- +URL-Rewriting with output_add_rewrite_var() without transparent session id support + + + + + + + + + + + + + + + + + + + +
+
+ +
+
+
+
+ +
+
+
+
+ +
+
+
+
+ +URL-Rewriting with transparent session id support without output_add_rewrite_var() + + + + + + + + + + + + + + + + + + + +
+
+ +
+
+
+
+ +
+
+
+
+ +
+
+
+
diff --git a/ext/standard/tests/general_functions/url_rewriting_basic2.phpt b/ext/standard/tests/general_functions/url_rewriting_basic2.phpt new file mode 100644 index 00000000000..635383a33c9 --- /dev/null +++ b/ext/standard/tests/general_functions/url_rewriting_basic2.phpt @@ -0,0 +1,203 @@ +--TEST-- +Test output_add_rewrite_var() with and without nested session URL-Rewriting +--EXTENSIONS-- +session +--INI-- +session.trans_sid_tags="a=href,area=href,frame=src,form=" +url_rewriter.tags="a=href,area=href,frame=src,form=" +--FILE-- + + + + + + + + + + + + + + + + + + +
+
+ +
+
+
+
+ +
+
+
+
+ +
+
+
+
+ +TEST; + +ob_start(); + +ini_set('session.trans_sid_hosts', 'session-trans-sid.com'); +ini_set('url_rewriter.hosts', 'url-rewriter.com'); + +ini_set('session.use_only_cookies', 1); +ini_set('session.use_cookies', 1); +ini_set('session.use_strict_mode', 0); +ini_set('session.use_trans_sid', 0); + +output_add_rewrite_var('', ''); + +echo "URL-Rewriting with output_add_rewrite_var() without transparent session id support\n"; +echo $testTags; + +ob_flush(); + +output_reset_rewrite_vars(); + +ini_set('session.use_only_cookies', 0); +ini_set('session.use_cookies', 0); +ini_set('session.use_strict_mode', 0); +ini_set('session.use_trans_sid', 1); + +session_id('testid'); +session_start(); + +output_add_rewrite_var('', ''); + +echo "\nURL-Rewriting with transparent session id support without output_add_rewrite_var()\n"; +echo $testTags; + +ob_end_flush(); + + +output_add_rewrite_var('', ''); + +echo "\nURL-Rewriting with output_add_rewrite_var() without transparent session id support\n"; +echo $testTags; + +--EXPECT-- +URL-Rewriting with output_add_rewrite_var() without transparent session id support + + + + + + + + + + + + + + + + + + + +
+
+ +
+
+
+
+ +
+
+
+
+ +
+
+
+
+ +URL-Rewriting with transparent session id support without output_add_rewrite_var() + + + + + + + + + + + + + + + + + + + +
+
+ +
+
+
+
+ +
+
+
+
+ +
+
+
+
+ +URL-Rewriting with output_add_rewrite_var() without transparent session id support + + + + + + + + + + + + + + + + + + + +
+
+ +
+
+
+
+ +
+
+
+
+ +
+
+
+
diff --git a/ext/standard/tests/general_functions/url_rewriting_basic3.phpt b/ext/standard/tests/general_functions/url_rewriting_basic3.phpt new file mode 100644 index 00000000000..edf41ba4fe2 --- /dev/null +++ b/ext/standard/tests/general_functions/url_rewriting_basic3.phpt @@ -0,0 +1,196 @@ +--TEST-- +Test session URL-Rewriting with and without nested output_add_rewrite_var() +--EXTENSIONS-- +session +--INI-- +session.trans_sid_tags="a=href,area=href,frame=src,form=" +url_rewriter.tags="a=href,area=href,frame=src,form=" +--FILE-- + + + + + + + + + + + + + + + + + + +
+
+ +
+
+
+
+ +
+
+
+
+ +
+
+
+
+ +TEST; + +ob_start(); + +ini_set('session.trans_sid_hosts', 'session-trans-sid.com'); +ini_set('url_rewriter.hosts', 'url-rewriter.com'); + +ini_set('session.use_only_cookies', 0); +ini_set('session.use_cookies', 0); +ini_set('session.use_strict_mode', 0); +ini_set('session.use_trans_sid', 1); + +session_id('testid'); +session_start(); + +echo "URL-Rewriting with transparent session id support without output_add_rewrite_var()\n"; +echo $testTags; + +ob_flush(); + + +output_add_rewrite_var('', ''); + +echo "\nURL-Rewriting with transparent session id support and output_add_rewrite_var()\n"; +echo $testTags; + +ob_end_flush(); +output_reset_rewrite_vars(); + + +output_add_rewrite_var('', ''); + +echo "\nURL-Rewriting with transparent session id support without output_add_rewrite_var()\n"; +echo $testTags; + +--EXPECT-- +URL-Rewriting with transparent session id support without output_add_rewrite_var() + + + + + + + + + + + + + + + + + + + +
+
+ +
+
+
+
+ +
+
+
+
+ +
+
+
+
+ +URL-Rewriting with transparent session id support and output_add_rewrite_var() + + + + + + + + + + + + + + + + + + + +
+
+ +
+
+
+
+ +
+
+
+
+ +
+
+
+
+ +URL-Rewriting with transparent session id support without output_add_rewrite_var() + + + + + + + + + + + + + + + + + + + +
+
+ +
+
+
+
+ +
+
+
+
+ +
+
+
+
diff --git a/ext/standard/url_scanner_ex.re b/ext/standard/url_scanner_ex.re index 8e5b43467fc..7a709d2c850 100644 --- a/ext/standard/url_scanner_ex.re +++ b/ext/standard/url_scanner_ex.re @@ -180,7 +180,7 @@ alphadash = ([a-zA-Z] | "-"); #define YYLIMIT q #define YYMARKER r -static inline void append_modified_url(smart_str *url, smart_str *dest, smart_str *url_app, const char *separator) +static inline void append_modified_url(smart_str *url, smart_str *dest, smart_str *url_app, const char *separator, int type) { php_url *url_parts; @@ -212,7 +212,8 @@ static inline void append_modified_url(smart_str *url, smart_str *dest, smart_st /* Check host whitelist. If it's not listed, do nothing. */ if (url_parts->host) { zend_string *tmp = zend_string_tolower(url_parts->host); - if (!zend_hash_exists(&BG(url_adapt_session_hosts_ht), tmp)) { + HashTable *allowed_hosts = type ? &BG(url_adapt_session_hosts_ht) : &BG(url_adapt_output_hosts_ht); + if (!zend_hash_exists(allowed_hosts, tmp)) { zend_string_release_ex(tmp, 0); smart_str_append_smart_str(dest, url); php_url_free(url_parts); @@ -305,7 +306,7 @@ static inline void tag_arg(url_adapt_state_ex_t *ctx, char quotes, char type) smart_str_appendc(&ctx->result, type); } if (f) { - append_modified_url(&ctx->val, &ctx->result, &ctx->url_app, PG(arg_separator).output); + append_modified_url(&ctx->val, &ctx->result, &ctx->url_app, PG(arg_separator).output, ctx->type); } else { smart_str_append_smart_str(&ctx->result, &ctx->val); } @@ -606,7 +607,7 @@ PHPAPI char *php_url_scanner_adapt_single_url(const char *url, size_t urllen, co smart_str_appends(&url_app, value); } - append_modified_url(&surl, &buf, &url_app, PG(arg_separator).output); + append_modified_url(&surl, &buf, &url_app, PG(arg_separator).output, 1); smart_str_0(&buf); if (newlen) *newlen = ZSTR_LEN(buf.s); 
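Review bot: The new `int type` parameter of `append_modified_url` is an undocumented 0/1 selector, which makes the ternary in the host check of the next hunk and the literal `1` passed from `php_url_scanner_adapt_single_url` hard to audit. Because this value decides which host allowlist gates the appended variable, a named form would be safer: either `bool is_session`, or a comment on the signature such as `/* type: non-zero = session rewriting (session.trans_sid_hosts), 0 = output_add_rewrite_var() (url_rewriter.hosts) */`. The function body continues outside this hunk.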
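Review bot: The comment `/* Check host whitelist. If it's not listed, do nothing. */` above the lookup no longer says which list is consulted, although the table now depends on `type`. This lookup decides which absolute URLs get the rewrite variable appended (the session ID in the session case), so I would name both settings: `/* Host allowlist: session.trans_sid_hosts when type is non-zero, url_rewriter.hosts otherwise; an unlisted host leaves the URL unmodified. */`. `allowed_hosts` is only read here and could be declared `const HashTable *`, provided `zend_hash_exists` takes a const table in this tree. The enclosing function starts and ends outside the hunk.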
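Review bot: In `tag_arg` the name `type` now means two things: the `char type` parameter shown in the hunk header, which is appended to `ctx->result`, and `ctx->type`, the session/output selector passed to `append_modified_url`. Passing the parameter by mistake would still compile, since a `char` converts to `int`, and any non-zero character would select the session host table. A short comment at the call, e.g. `/* ctx->type is the rewriter kind, not the char parameter */`, or renaming one of the two would guard against that. The function starts and ends outside the hunk.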
@@ -747,6 +748,7 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len php_url_scanner_ex_activate(type); php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS); url_state->active = 1; + url_state->type = type; } if (url_state->url_app.s && ZSTR_LEN(url_state->url_app.s) != 0) {
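Review bot: `url_state->type = type;` is assigned only inside the block that closes right after it, which looks like the first-activation branch (its condition is outside the hunk), so the value `tag_arg` later reads from `ctx->type` depends on that branch having run for this state object. If a state can be scanned without passing through here, or is zeroed and reused, `type` reads as 0 and session rewriting would be checked against url_rewriter.hosts instead of session.trans_sid_hosts. I would either assign it unconditionally before the branch or document the invariant, e.g. `/* must be set before the handler runs: tag_arg() uses it to choose the host allowlist */`.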