diff --git a/includes/class-wc-download-handler.php b/includes/class-wc-download-handler.php index e0cd94e5c36..e3422560511 100644 --- a/includes/class-wc-download-handler.php +++ b/includes/class-wc-download-handler.php @@ -269,10 +269,9 @@ class WC_Download_Handler { str_replace( 'https:', 'http:', site_url( '/', 'http' ) ) => ABSPATH, ); - $count = 0; - $file_path = str_replace( array_keys( $replacements ), array_values( $replacements ), $file_path, $count ); + $file_path = str_replace( array_keys( $replacements ), array_values( $replacements ), $file_path ); $parsed_file_path = wp_parse_url( $file_path ); - $remote_file = null === $count || 0 === $count; // Remote file only if there were no replacements. + $remote_file = true; // Paths that begin with '//' are always remote URLs. if ( '//' === substr( $file_path, 0, 2 ) ) { @@ -292,7 +291,7 @@ class WC_Download_Handler { $file_path = realpath( WP_CONTENT_DIR . substr( $file_path, 11 ) ); // Check if we have an absolute path. - } elseif ( ( ! isset( $parsed_file_path['scheme'] ) || ! in_array( $parsed_file_path['scheme'], array( 'http', 'https', 'ftp' ), true ) ) && isset( $parsed_file_path['path'] ) ) { + } elseif ( ( ! isset( $parsed_file_path['scheme'] ) || ! in_array( $parsed_file_path['scheme'], array( 'http', 'https', 'ftp' ), true ) ) && isset( $parsed_file_path['path'] ) && file_exists( $parsed_file_path['path'] ) ) { $remote_file = false; $file_path = $parsed_file_path['path']; } diff --git a/includes/class-wc-product-download.php b/includes/class-wc-product-download.php index 03fbba9134b..3b4344bd9be 100644 --- a/includes/class-wc-product-download.php +++ b/includes/class-wc-product-download.php @@ -95,16 +95,22 @@ class WC_Product_Download implements ArrayAccess { * @return boolean */ public function is_allowed_filetype() { - $file_path = $this->get_file(); - $parsed_file_path = WC_Download_Handler::parse_file_path( $file_path ); + $file_path = $this->get_file(); // File types for URL-based files located on the server should get validated. - $is_file_on_server = ! $parsed_file_path['remote_file']; + $is_file_on_server = false; + if ( false !== stripos( $file_path, network_site_url( '/', 'https' ) ) || + false !== stripos( $file_path, network_site_url( '/', 'http' ) ) || + false !== stripos( $file_path, site_url( '/', 'https' ) ) || + false !== stripos( $file_path, site_url( '/', 'http' ) ) + ) { + $is_file_on_server = true; + } if ( ! $is_file_on_server && 'relative' !== $this->get_type_of_file_path() ) { return true; } - return ( ! $is_file_on_server && ! $this->get_file_extension() ) || in_array( $this->get_file_type(), $this->get_allowed_mime_types(), true ); + return ! $this->get_file_extension() || in_array( $this->get_file_type(), $this->get_allowed_mime_types(), true ); } /** @@ -171,10 +177,6 @@ class WC_Product_Download implements ArrayAccess { if ( preg_match( '#^//+(/[^/].+)$#i', $value, $matches ) ) { $value = $matches[1]; } - - $parsed_file_path = WC_Download_Handler::parse_file_path( $value ); - $value = $parsed_file_path['file_path']; - switch ( $this->get_type_of_file_path( $value ) ) { case 'absolute': $this->data['file'] = esc_url_raw( $value ); diff --git a/tests/legacy/unit-tests/customer/functions.php b/tests/legacy/unit-tests/customer/functions.php index 0438c646211..41746df84e0 100644 --- a/tests/legacy/unit-tests/customer/functions.php +++ b/tests/legacy/unit-tests/customer/functions.php @@ -152,7 +152,7 @@ class WC_Tests_Customer_Functions extends WC_Unit_Test_Case { // Test download permissions. $prod_download = new WC_Product_Download(); - $prod_download->set_file( WC_ABSPATH . 'assets/images/help.png' ); + $prod_download->set_file( plugin_dir_url( __FILE__ ) . '/assets/images/help.png' ); $prod_download->set_id( 'download' ); $product = new WC_Product_Simple(); @@ -382,7 +382,7 @@ class WC_Tests_Customer_Functions extends WC_Unit_Test_Case { $customer_id = wc_create_new_customer( 'test@example.com', 'testuser', 'testpassword' ); $prod_download = new WC_Product_Download(); - $prod_download->set_file( WC_ABSPATH . 'assets/images/help.png' ); + $prod_download->set_file( plugin_dir_url( __FILE__ ) . '/assets/images/help.png' ); $prod_download->set_id( 1 ); $product = new WC_Product_Simple(); diff --git a/tests/php/includes/class-wc-product-download-test.php b/tests/php/includes/class-wc-product-download-test.php deleted file mode 100644 index a1c17f39e1c..00000000000 --- a/tests/php/includes/class-wc-product-download-test.php +++ /dev/null @@ -1,50 +0,0 @@ -getMockBuilder( WC_Product_Download::class ) - ->setMethods( array( 'get_file' ) ) - ->getMock(); - } - - /** - * Test when file appears remote but is local. - */ - public function test_is_allowed_filetype_when_file_with_false_query_params() { - $download = $this->get_sut_with_get_file(); - $payload = trailingslashit( site_url( '/' ) ) . 'non_exists/?/../../wp-config.php'; - $download->method( 'get_file' )->willReturn( $payload ); - $this->assertFalse( $download->is_allowed_filetype() ); - } - - /** - * Test when file appears remote, but is local and tries to appear remote by having characters to be stripped by esc_url_raw. - */ - public function test_is_allowed_filetype_when_file_with_quote_and_false_query_params() { - $download = $this->get_sut_with_get_file(); - $payload = trailingslashit( site_url( '/' ) ) . '"non_exists/?/../../foo.php'; - $download->method( 'get_file' )->willReturn( $payload ); - $this->assertFalse( $download->is_allowed_filetype() ); - } - - /** - * Test when file has invalid scheme. - */ - public function test_is_allowed_filetype_when_file_with_url_escapable_scheme() { - $download = $this->get_sut_with_get_file(); - $payload = trailingslashit( site_url( '/' ) ); - $payload = str_replace( 'http', 'http;', $payload ); - $payload = trailingslashit( $payload ) . 'wp-config.php?/../../foo'; // http;//example.com/wp-config.php?/../../foo. - $download->method( 'get_file' )->willReturn( $payload ); - $this->assertFalse( $download->is_allowed_filetype() ); - } -}