Merge pull request phpbb#6588 from marc1706/ticket/17296

[ticket/17296] Reduce complexity of relative paths on adm pages
marc1706 · Mar 19, 2024 · ff96c1a · ff96c1a
2 parents 763c6f6 + b4a343b
commit ff96c1a
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 26 deletions.
diff --git a/phpBB/adm/index.php b/phpBB/adm/index.php
@@ -61,8 +61,8 @@
 	),
 ), $phpbb_admin_path . 'style');
 
-$template->assign_var('T_ASSETS_PATH', $phpbb_root_path . 'assets');
-$template->assign_var('T_TEMPLATE_PATH', $phpbb_admin_path . 'style');
+$template->assign_var('T_ASSETS_PATH', $phpbb_path_helper->update_web_root_path($phpbb_root_path . 'assets'));
+$template->assign_var('T_TEMPLATE_PATH', $phpbb_path_helper->update_web_root_path($phpbb_root_path . 'style'));
 
 // Instantiate new module
 $module = new p_master();

diff --git a/phpBB/phpbb/event/kernel_exception_subscriber.php b/phpBB/phpbb/event/kernel_exception_subscriber.php
@@ -90,12 +90,15 @@ public function on_kernel_exception(GetResponseForExceptionEvent $event)
 		}
 		else if (!$this->debug && $exception instanceof NotFoundHttpException)
 		{
-			// Do not update user session page if it does not exist
-			$this->user->update_session_page = false;
-
 			$message = $this->language->lang('PAGE_NOT_FOUND');
 		}
 
+		// Do not update user session page if it does not exist
+		if ($exception instanceof NotFoundHttpException)
+		{
+			$this->user->update_session_page = false;
+		}
+
 		// Show <strong> text in bold
 		$message = preg_replace('#&lt;(/?strong)&gt;#i', '<$1>', $message);
 

diff --git a/phpBB/phpbb/path_helper.php b/phpBB/phpbb/path_helper.php
@@ -39,6 +39,9 @@ class path_helper
 	/** @var string */
 	protected $web_root_path;
 
+	/** @var bool Flag whether we're in adm path */
+	protected $in_adm_path = false;
+
 	/**
 	* Constructor
 	*
@@ -117,7 +120,13 @@ public function update_web_root_path($path)
 				$path = substr($path, 8);
 			}
 
-			return $this->filesystem->clean_path($web_root_path . $path);
+			$path = $this->filesystem->clean_path($web_root_path . $path);
+
+			// Further clean path if we're in adm
+			if ($this->in_adm_path && strpos($path, $this->phpbb_root_path . $this->adm_relative_path) === 0)
+			{
+				$path = substr($path, strlen($this->phpbb_root_path . $this->adm_relative_path));
+			}
 		}
 
 		return $path;
@@ -181,6 +190,11 @@ public function get_web_root_path()
 			return $this->web_root_path = $this->filesystem->clean_path('./../' . $this->phpbb_root_path);
 		}
 
+		if ($path_info === '/' && defined('ADMIN_START') && preg_match('/\/' . preg_quote($this->adm_relative_path, '/') . 'index\.' . $this->php_ext . '$/', $script_name))
+		{
+			$this->in_adm_path = true;
+		}
+
 		/*
 		* If the path info is empty (single /), then we're not using
 		*	a route like app.php/foo/bar

diff --git a/tests/functional/session_page_update_test.php b/tests/functional/session_page_update_test.php
@@ -17,39 +17,39 @@
 
 class phpbb_functional_session_page_update_test extends phpbb_functional_test_case
 {
-	protected function test_session_page_update()
+	public function setUp(): void
 	{
-		$this->login();
-		$db = $this->get_db();
+		parent::setUp();
+
+		global $db;
 
-		if (!function_exists('utf_clean_string'))
-		{
-			require_once(__DIR__ . '/../../phpBB/includes/utf/utf_tools.php');
-		}
-		if (!function_exists('user_get_id_name'))
-		{
-			require_once(__DIR__ . '/../../phpBB/includes/functions_user.php');
-		}
+		$db = $this->db;
 
-		$user_ids = [];
-		$username = [$this->get_logged_in_user()];
-		user_get_id_name($user_ids, $username);
-		$user_id = (int) $user_ids[0];
+		// Delete previous session info for admin user
+		$sql = 'DELETE FROM ' . SESSIONS_TABLE . ' WHERE session_user_id = 2';
+		$db->sql_query($sql);
+
+		$this->login();
+	}
+
+	public function test_session_page_update()
+	{
+		$db = $this->get_db();
 
 		// Request index page
 		self::request('GET', 'index.php');
 		$this->assertEquals(200, self::$client->getResponse()->getStatus());
 
-		$sql = 'SELECT session_page FROM ' . SESSIONS_TABLE . ' WHERE session_user_id = ' . $user_id . ' ORDER BY session_time DESC';
+		$sql = 'SELECT session_page FROM ' . SESSIONS_TABLE . ' WHERE session_user_id = 2 ORDER BY session_time DESC';
 		$db->sql_query_limit($sql, 1);
-		$this->assertEquals('index.php', $db->sql_fetchfield('session_page'));
+		$this->assertEquals('index.php', $db->sql_fetchfield('session_page'), 'Failed asserting that session_page is index.php for admin user');
 
 		// Request non-existent url
-		self::request('GET', 'nonexistent.jpg');
-		$this->assertEquals(404, self::$client->getResponse()->getStatus());
+		self::request('GET', 'nonexistent.jpg', [], false);
+		$this->assertEquals(404, self::$client->getResponse()->getStatus(), 'Failed asserting that status of non-existent image is 404');
 
 		$db->sql_query_limit($sql, 1);
 		// User page should not be updated to non-existent one
-		$this->assertEquals('index.php', $db->sql_fetchfield('session_page'));
+		$this->assertEquals('index.php', $db->sql_fetchfield('session_page'), 'Failed asserting that session page has not changed after 404');
 	}
 }