Add filetype checking for all files located on the server

This commit is contained in:
claudiulodro 2018-09-18 12:28:46 -07:00
parent 989230f2b9
commit 441fe32f0b
2 changed files with 155 additions and 1 deletions


@ -87,7 +87,19 @@ class WC_Product_Download implements ArrayAccess {
* @return boolean
*/
public function is_allowed_filetype() {
if ( 'relative' !== $this->get_type_of_file_path() ) {
$file_url = $this->get_file();
// File types for URL-based files located on the server should get validated.
$is_file_on_server = false;
if ( false !== stripos( $file_url, network_site_url( '/', 'https' ) ) ||
false !== stripos( $file_url, network_site_url( '/', 'https' ) ) ||
false !== stripos( $file_url, site_url( '/', 'https' ) ) ||
false !== stripos( $file_url, site_url( '/', 'http' ) )
) {
$is_file_on_server = true;
}
if ( ! $is_file_on_server && 'relative' !== $this->get_type_of_file_path() ) {
return true;
}
return ! $this->get_file_extension() || in_array( $this->get_file_type(), $this->get_allowed_mime_types(), true );
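Review bot: The second `network_site_url( '/', 'https' )` condition duplicates the first one, so a file served from the network site over plain http is never marked as on the server and falls through to the early `return true`, skipping the filetype check this commit adds; the duplicated line should read `false !== stripos( $file_url, network_site_url( '/', 'http' ) ) ||`, mirroring the site_url() pair beneath it. The inner `'relative' !== $this->get_type_of_file_path()` test is already guaranteed by the enclosing condition and can shrink to `if ( ! $is_file_on_server ) {`. Note also that `false !== stripos( ... )` treats the site URL appearing anywhere in the string as a hit rather than only as a prefix; that errs toward validating more files, which is the safe direction, but a short comment saying so would stop a later reader from "fixing" it. The remainder of is_allowed_filetype, including its closing braces, lies outside this hunk.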


@ -0,0 +1,142 @@
<?php
/**
* Unit tests for the product download class.
*
* @package WooCommerce\Tests\Product
*/
/**
* WC_Product_Download tests.
*
* @package WooCommerce\Tests\Product
* @since 3.4.6
*/
class WC_Tests_Product_Download extends WC_Unit_Test_Case {
/**
* Test the setters and getters.
*
* @since 3.4.6
*/
public function test_setters_getters() {
$download = new WC_Product_Download();
$download->set_id( 'testid' );
$download->set_name( 'Test Name' );
$download->set_file( 'http://example.com/file.jpg' );
$this->assertEquals( 'testid', $download->get_id() );
$this->assertEquals( 'Test Name', $download->get_name() );
$this->assertEquals( 'http://example.com/file.jpg', $download->get_file() );
}
/**
* Test the get_allowed_mime_types method.
*
* @since 3.4.6
*/
public function test_get_allowed_mime_types() {
$download = new WC_Product_Download();
$this->assertEquals( get_allowed_mime_types(), $download->get_allowed_mime_types() );
}
/**
* Test the get_type_of_file_path method.
*
* @since 3.4.6
*/
public function test_get_type_of_file_path() {
$download = new WC_Product_Download();
$this->assertEquals( 'absolute', $download->get_type_of_file_path( 'http://example.com/file.jpg' ) );
$this->assertEquals( 'absolute', $download->get_type_of_file_path( site_url( '/wp-content/uploads/test.jpg' ) ) );
$this->assertEquals( 'relative', $download->get_type_of_file_path( trailingslashit( WP_PLUGIN_DIR ) . 'woocommerce/assets/images/help.png' ) );
$this->assertEquals( 'shortcode', $download->get_type_of_file_path( '[s3 bucket ="" file=""]' ) );
}
/**
* Test the get_file_type method.
*
* @since 3.4.6
*/
public function test_get_file_type() {
$download = new WC_Product_Download();
$download->set_file( 'http://example.com/file.jpg' );
$this->assertEquals( 'image/jpeg', $download->get_file_type() );
$download->set_file( 'http://example.com/file.php' );
$this->assertEquals( '', $download->get_file_type() );
$download->set_file( 'http://example.com/file.php?ext=jpg' );
$this->assertEquals( '', $download->get_file_type() );
$download->set_file( site_url( '/wp-content/plugins/woocommerce/assets/images/help.png' ) );
$this->assertEquals( 'image/png', $download->get_file_type() );
$download->set_file( site_url( '/wp-content/plugins/woocommerce/woocommerce.php' ) );
$this->assertEquals( '', $download->get_file_type() );
$download->set_file( trailingslashit( WP_PLUGIN_DIR ) . 'woocommerce/assets/images/help.png' );
$this->assertEquals( 'image/png', $download->get_file_type() );
$download->set_file( trailingslashit( WP_PLUGIN_DIR ) . 'woocommerce/woocommerce.php' );
$this->assertEquals( false, $download->get_file_type() );
}
/**
* Test the get_file_extension method.
*
* @since 3.4.6
*/
public function test_get_file_extension() {
$download = new WC_Product_Download();
$download->set_file( 'http://example.com/file.jpg' );
$this->assertEquals( 'jpg', $download->get_file_extension() );
$download->set_file( 'http://example.com/file.php' );
$this->assertEquals( 'php', $download->get_file_extension() );
$download->set_file( 'http://example.com/file.php?ext=jpg' );
$this->assertEquals( 'php', $download->get_file_extension() );
$download->set_file( site_url( '/wp-content/plugins/woocommerce/assets/images/help.png' ) );
$this->assertEquals( 'png', $download->get_file_extension() );
$download->set_file( site_url( '/wp-content/plugins/woocommerce/woocommerce.php' ) );
$this->assertEquals( 'php', $download->get_file_extension() );
$download->set_file( trailingslashit( WP_PLUGIN_DIR ) . 'woocommerce/assets/images/help.png' );
$this->assertEquals( 'png', $download->get_file_extension() );
$download->set_file( trailingslashit( WP_PLUGIN_DIR ) . 'woocommerce/woocommerce.php' );
$this->assertEquals( 'php', $download->get_file_extension() );
}
/**
* Test the is_allowed_filetype method.
*
* @since 3.4.6
*/
public function test_is_allowed_filetype() {
$download = new WC_Product_Download();
$download->set_file( 'http://example.com/file.jpg' );
$this->assertEquals( true, $download->is_allowed_filetype() );
$download->set_file( 'http://example.com/file.php' );
$this->assertEquals( true, $download->is_allowed_filetype() );
$download->set_file( site_url( '/wp-content/plugins/woocommerce/assets/images/help.png' ) );
$this->assertEquals( true, $download->is_allowed_filetype() );
$download->set_file( site_url( '/wp-content/plugins/woocommerce/woocommerce.php' ) );
$this->assertEquals( false, $download->is_allowed_filetype() );
$download->set_file( trailingslashit( WP_PLUGIN_DIR ) . 'woocommerce/assets/images/help.png' );
$this->assertEquals( true, $download->is_allowed_filetype() );
$download->set_file( trailingslashit( WP_PLUGIN_DIR ) . 'woocommerce/woocommerce.php' );
$this->assertEquals( false, $download->is_allowed_filetype() );
}
}
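Review bot: test_get_file_type expects `''` for the site_url() woocommerce.php case but `false` for the WP_PLUGIN_DIR one, and because `assertEquals` compares loosely both pass regardless of which the method actually returns, so the test does not pin the contract; once the intended return for a disallowed type is settled, switch those assertions to `$this->assertSame( '', $download->get_file_type() )` (or `false`) so a change in behaviour is caught. test_is_allowed_filetype only builds on-server URLs with site_url()'s default scheme; adding cases such as `site_url( '/wp-content/plugins/woocommerce/woocommerce.php', 'http' )` and `network_site_url( '/wp-content/plugins/woocommerce/woocommerce.php', 'http' )`, each expected to be `false`, would exercise the other on-server branches that the class change introduces. Consider also a case with an on-server URL that carries no extension, since the class returns true for that path and the test currently leaves it undocumented.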