From ae86eb7812f5ececb966733dbe92fcd78f0e7292 Mon Sep 17 00:00:00 2001
From: nathangray
Date: Fri, 11 Jun 2021 10:02:36 -0600
Subject: [PATCH] * Api: Prevent invalid customfield names
---
 api/src/Storage/Customfields.php | 2 ++
 api/tests/Storage/CustomfieldsTest.php | 42 ++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
diff --git a/api/src/Storage/Customfields.php b/api/src/Storage/Customfields.php
index 26e64361be..82d3b61d9f 100755
--- a/api/src/Storage/Customfields.php
+++ b/api/src/Storage/Customfields.php
@@ -382,6 +382,8 @@ class Customfields implements \IteratorAggregate
 // Add new one in for numbering
 if(!$cf['id'])
 {
+ // Make sure name is safe
+ $cf['name'] = str_replace(array(">", "<", '"', "&"), "", $cf['name']);
 $cfs[$cf['name']] = $cf;
 }
diff --git a/api/tests/Storage/CustomfieldsTest.php b/api/tests/Storage/CustomfieldsTest.php
index e8dae9c06d..3f0976a2f0 100644
--- a/api/tests/Storage/CustomfieldsTest.php
+++ b/api/tests/Storage/CustomfieldsTest.php
@@ -34,6 +34,18 @@ class CustomfieldsTest extends LoggedInTest
 'private' => array()
 );
+ public function tearDown(): void
+ {
+ // Clean
+ $fields = Customfields::get(self::APP);
+ foreach($this->customfields as $field_name)
+ {
+ unset($fields[$field_name]);
+ }
+ Customfields::save(self::APP, $fields);
+ parent::tearDown();
+ }
+
 protected function assertPreConditions() : void
 {
 parent::assertPreConditions();
@@ -48,6 +60,7 @@ class CustomfieldsTest extends LoggedInTest
 {
 // Create
 $field = $this->simple_field;
+ $this->customfields[] = $field['name'];
 Customfields::update($field);
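Review bot: The stripping on the added `str_replace` line runs only inside the `if(!$cf['id'])` branch, so a field that already has an id and is renamed to something containing `<`, `>`, `"` or `&` is stored unchanged; moving the two added lines above `if(!$cf['id'])` puts new and existing fields through the same check. Stripping rather than rejecting also folds distinct names onto one key — constructed example: `a&b` and `ab` both become `ab`, and the later one silently overwrites the earlier entry in `$cfs` — so refusing the name with an exception would be the safer contract. A single quote is also left through, although it would presumably break a single-quoted attribute in the same XML templates the commit message refers to. The enclosing method continues outside the hunk.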
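Review bot: `tearDown()` iterates `$this->customfields` unconditionally, but nothing in this hunk declares or initialises that property, so a test that never pushes a name would hit an undefined-property / foreach-on-null warning, which PHPUnit typically reports as an error; if the property is declared outside this hunk, that first point does not apply. Declaring it with the other fixtures, `protected $customfields = array();`, and resetting it at the end of `tearDown()` with `$this->customfields = array();` keeps each test's cleanup list independent of the previous test.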
@@ -240,6 +253,34 @@ class CustomfieldsTest extends LoggedInTest
 $this->assertCount(1, $options);
 }
+ /**
+ * Certain characters (&, ", etc.) will break our XML templates.
+ * Make sure they get stripped out.
+ */
+ public function testInvalidName()
+ {
+ // Create
+ $field = $this->simple_field;
+ $this->customfields[] = $invalid_name = $field['name'] = ' & "TEST"';
+ $this->customfields[] = $valid_name = 'Invalid TEST';
+
+ Customfields::update($field);
+
+ // Check
+ $fields = Customfields::get(self::APP);
+
+ $this->assertArrayNotHasKey($invalid_name, $fields, "Invalid customfield name was allowed");
+ $this->assertArrayHasKey($valid_name, $fields, "Invalid customfield name was not corrected");
+
+ $saved_field = $fields[$valid_name];
+
+ $this->assertEquals($valid_name, $saved_field['name'], "Invalid customfield name was allowed");
+
+ // Clean
+ unset($fields[$invalid_name], $fields[$saved_field['name']]);
+ Customfields::save(self::APP, $fields);
+ }
+
 protected function create_private_field()
 {
 // Create field
@@ -249,6 +290,7 @@ class CustomfieldsTest extends LoggedInTest
 'private' => array($GLOBALS['egw_info']['user']['account_id'])
 )
 );
+ $this->customfields[] = $field['name'];
 Customfields::update($field);
 return $field;
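Review bot: The expected corrected name on `$this->customfields[] = $valid_name = 'Invalid TEST';` does not follow from the name assigned just above it: stripping `&` and `"` from `' & "TEST"'` leaves `'  TEST'`, not `'Invalid TEST'`, so as the literal appears here the `assertArrayHasKey` and `assertEquals` checks would fail unless `Customfields::update()` also rewrites the text; either the literal lost characters in this view or the expectation needs to match what the `str_replace` in Customfields.php actually produces. The `// Clean` block at the end repeats what the new `tearDown()` already does for both names pushed into `$this->customfields`, so it can be dropped. The test only exercises creating a field without an id; a second case that renames an existing field to a name containing these characters would document whether the fix is meant to cover that path as well.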