diff --git a/includes/class-wc-download-handler.php b/includes/class-wc-download-handler.php index e3422560511..e0cd94e5c36 100644 --- a/includes/class-wc-download-handler.php +++ b/includes/class-wc-download-handler.php @@ -269,9 +269,10 @@ class WC_Download_Handler { str_replace( 'https:', 'http:', site_url( '/', 'http' ) ) => ABSPATH, ); - $file_path = str_replace( array_keys( $replacements ), array_values( $replacements ), $file_path ); + $count = 0; + $file_path = str_replace( array_keys( $replacements ), array_values( $replacements ), $file_path, $count ); $parsed_file_path = wp_parse_url( $file_path ); - $remote_file = true; + $remote_file = null === $count || 0 === $count; // Remote file only if there were no replacements. // Paths that begin with '//' are always remote URLs. if ( '//' === substr( $file_path, 0, 2 ) ) { @@ -291,7 +292,7 @@ class WC_Download_Handler { $file_path = realpath( WP_CONTENT_DIR . substr( $file_path, 11 ) ); // Check if we have an absolute path. - } elseif ( ( ! isset( $parsed_file_path['scheme'] ) || ! in_array( $parsed_file_path['scheme'], array( 'http', 'https', 'ftp' ), true ) ) && isset( $parsed_file_path['path'] ) && file_exists( $parsed_file_path['path'] ) ) { + } elseif ( ( ! isset( $parsed_file_path['scheme'] ) || ! in_array( $parsed_file_path['scheme'], array( 'http', 'https', 'ftp' ), true ) ) && isset( $parsed_file_path['path'] ) ) { $remote_file = false; $file_path = $parsed_file_path['path']; } diff --git a/includes/class-wc-product-download.php b/includes/class-wc-product-download.php index 3b4344bd9be..03fbba9134b 100644 --- a/includes/class-wc-product-download.php +++ b/includes/class-wc-product-download.php @@ -95,22 +95,16 @@ class WC_Product_Download implements ArrayAccess { * @return boolean */ public function is_allowed_filetype() { - $file_path = $this->get_file(); + $file_path = $this->get_file(); + $parsed_file_path = WC_Download_Handler::parse_file_path( $file_path ); // File types for URL-based files located on the server should get validated. - $is_file_on_server = false; - if ( false !== stripos( $file_path, network_site_url( '/', 'https' ) ) || - false !== stripos( $file_path, network_site_url( '/', 'http' ) ) || - false !== stripos( $file_path, site_url( '/', 'https' ) ) || - false !== stripos( $file_path, site_url( '/', 'http' ) ) - ) { - $is_file_on_server = true; - } + $is_file_on_server = ! $parsed_file_path['remote_file']; if ( ! $is_file_on_server && 'relative' !== $this->get_type_of_file_path() ) { return true; } - return ! $this->get_file_extension() || in_array( $this->get_file_type(), $this->get_allowed_mime_types(), true ); + return ( ! $is_file_on_server && ! $this->get_file_extension() ) || in_array( $this->get_file_type(), $this->get_allowed_mime_types(), true ); } /** @@ -177,6 +171,10 @@ class WC_Product_Download implements ArrayAccess { if ( preg_match( '#^//+(/[^/].+)$#i', $value, $matches ) ) { $value = $matches[1]; } + + $parsed_file_path = WC_Download_Handler::parse_file_path( $value ); + $value = $parsed_file_path['file_path']; + switch ( $this->get_type_of_file_path( $value ) ) { case 'absolute': $this->data['file'] = esc_url_raw( $value ); diff --git a/tests/legacy/unit-tests/customer/functions.php b/tests/legacy/unit-tests/customer/functions.php index 41746df84e0..0438c646211 100644 --- a/tests/legacy/unit-tests/customer/functions.php +++ b/tests/legacy/unit-tests/customer/functions.php @@ -152,7 +152,7 @@ class WC_Tests_Customer_Functions extends WC_Unit_Test_Case { // Test download permissions. $prod_download = new WC_Product_Download(); - $prod_download->set_file( plugin_dir_url( __FILE__ ) . '/assets/images/help.png' ); + $prod_download->set_file( WC_ABSPATH . 'assets/images/help.png' ); $prod_download->set_id( 'download' ); $product = new WC_Product_Simple(); @@ -382,7 +382,7 @@ class WC_Tests_Customer_Functions extends WC_Unit_Test_Case { $customer_id = wc_create_new_customer( 'test@example.com', 'testuser', 'testpassword' ); $prod_download = new WC_Product_Download(); - $prod_download->set_file( plugin_dir_url( __FILE__ ) . '/assets/images/help.png' ); + $prod_download->set_file( WC_ABSPATH . 'assets/images/help.png' ); $prod_download->set_id( 1 ); $product = new WC_Product_Simple(); diff --git a/tests/php/includes/class-wc-product-download-test.php b/tests/php/includes/class-wc-product-download-test.php new file mode 100644 index 00000000000..a1c17f39e1c --- /dev/null +++ b/tests/php/includes/class-wc-product-download-test.php @@ -0,0 +1,50 @@ +getMockBuilder( WC_Product_Download::class ) + ->setMethods( array( 'get_file' ) ) + ->getMock(); + } + + /** + * Test when file appears remote but is local. + */ + public function test_is_allowed_filetype_when_file_with_false_query_params() { + $download = $this->get_sut_with_get_file(); + $payload = trailingslashit( site_url( '/' ) ) . 'non_exists/?/../../wp-config.php'; + $download->method( 'get_file' )->willReturn( $payload ); + $this->assertFalse( $download->is_allowed_filetype() ); + } + + /** + * Test when file appears remote, but is local and tries to appear remote by having characters to be stripped by esc_url_raw. + */ + public function test_is_allowed_filetype_when_file_with_quote_and_false_query_params() { + $download = $this->get_sut_with_get_file(); + $payload = trailingslashit( site_url( '/' ) ) . '"non_exists/?/../../foo.php'; + $download->method( 'get_file' )->willReturn( $payload ); + $this->assertFalse( $download->is_allowed_filetype() ); + } + + /** + * Test when file has invalid scheme. + */ + public function test_is_allowed_filetype_when_file_with_url_escapable_scheme() { + $download = $this->get_sut_with_get_file(); + $payload = trailingslashit( site_url( '/' ) ); + $payload = str_replace( 'http', 'http;', $payload ); + $payload = trailingslashit( $payload ) . 'wp-config.php?/../../foo'; // http;//example.com/wp-config.php?/../../foo. + $download->method( 'get_file' )->willReturn( $payload ); + $this->assertFalse( $download->is_allowed_filetype() ); + } +}