/**
*
* @param string $URI URI we're tryiug to match
* @param string $OptionString String we're trying to match in.
* @param array $args Future use.
* @return false - no match, otherwise match URI.
*/
public static function IsURIInOptionString($URI, $OptionString, $args = array())
{
$return = -1;
$OptionURLArray = wpCSPclass::CleanPolicyOptionText($OptionString);
// No URI to check therefore no match possible.
if (empty($URI) || empty($OptionURLArray)) {
$return = false;
}
// Does the URL include a scheme?
$URI = trim($URI);
if (strpos($URI, ":") === false) {
$URLPathDirectory = "";
if (strpos($URI, "/") !== false) {
$URLPathDirectory = substr($URI, strpos($URI, "/"));
$URI = substr($URI, 0, strpos($URI, "/"));
}
$URIParts = array('scheme' => '', 'host' => $URI, 'path' => $URLPathDirectory);
} else {
$URIParts = parse_url($URI);
if ($URIParts === false) {
return false;
}
}
// For matching against anything with a wildcard - remove the subdomain.
$URIHostnameWildcard = substr($URIParts['host'], strpos($URIParts['host'], "."));
// Split the path into path and file.
if (substr($URIParts['path'], -1) == '/') {
$URLPathDirectory = $URIParts['path'];
$URLPathFile = '';
} else {
$URLPathDirectory = substr($URIParts['path'], 0, strrpos($URIParts['path'], "/") + 1);
$URLPathFile = substr($URIParts['path'], strrpos($URIParts['path'], "/") + 1);
}
// Quick search for special options!
if ($return === -1) {
foreach ($OptionURLArray as $key => $OptionURL) {
// Empty option - ignore.
if (empty($OptionURL)) {
continue;
}
// Find out the options parts.
$OptionURL = trim($OptionURL);
if ($OptionURL == "'self'") {
$OptionURL = site_url();
}
if (strpos($OptionURL, ":") === false) {
$OptionURLPathDirectory = "";
if (strpos($OptionURL, "/") !== false) {
$OptionURLPathDirectory = substr($OptionURL, strpos($OptionURL, "/"));
$OptionURL = substr($OptionURL, 0, strpos($OptionURL, "/"));
}
$OptionURLParts = array('scheme' => '', 'host' => $OptionURL, 'path' => $OptionURLPathDirectory);
} else {
$OptionURLParts = parse_url($OptionURL);
if ($OptionURLParts === false) {
continue;
}
}
if (substr($OptionURLParts['path'], -1) == '/') {
$OptionURLPathDirectory = $OptionURLParts['path'];
$OptionURLPathFile = '';
} else {
$OptionURLPathDirectory = substr($OptionURLParts['path'], 0, strrpos($OptionURLParts['path'], "/") + 1);
$OptionURLPathFile = substr($OptionURLParts['path'], strrpos($OptionURLParts['path'], "/") + 1);
}
// * matched everything!
if ($OptionURL == "*") {
if ($URIParts['scheme'] != 'blob' && $URIParts['scheme'] != 'data' && $URIParts['scheme'] != 'filesystem') {
$return = true;
}
} elseif (substr($OptionURL, -1, 1) == ':') {
if (substr($OptionURL, 0, -1) == $URIParts['scheme']) {
$return = true;
}
} elseif ($OptionURL == "'unsafe-inline'") {
} elseif ($OptionURL == "'unsafe-eval'") {
} elseif ($OptionURL == "'none'") {
$return = false;
} else {
// Does the option have a scheme to check?
if (strpos($OptionURL, ":") !== false) {
// If the host name starts with a '*' then remvoe subdomain and check against the other url minus the subdomain
if (substr($OptionURL, 0, 1) == '*') {
if (substr($OptionURLParts['host'], strpos($OptionURLParts['host'], ".")) != $URIHostnameWildcard) {
continue;
}
} elseif ($OptionURLParts['host'] != $URIParts['host'] || $OptionURLParts['scheme'] != $URIParts['scheme']) {
continue;
}
} elseif (substr($OptionURL, 0, 1) == '*') {
if (substr($OptionURLParts['host'], strpos($OptionURLParts['host'], ".")) != $URIHostnameWildcard) {
continue;
}
} elseif ($OptionURL != $URIParts['host']) {
continue;
}
if (!empty($OptionURLPathDirectory)) {
if ($OptionURLPathDirectory !== $URLPathDirectory) {
continue;
}
if (!empty($OptionURLPathFile)) {
if ($OptionURLPathFile !== $URLPathFile) {
continue;
}
}
}
$return = true;
}
// Did something set something this time around? Then stop checking options.
if ($return !== -1) {
break;
}
}
}
if ($return === -1) {
$return = false;
}
return $return;
}
/**
* checks the URL checker, see if its reading the ignored URLs correctly.
*/
private static function TestURLChecker()
{
$return = array();
// Testing various ways of checking for errors in option arrays
// array( BlockedURI, OptionString, ExpectedTestResult )
// where BlockedURI is emulating the issue we received from the browser.
// and OptionString is emulating the options entered by the user.
// ExpectedTestResult is what we expect to receive back from the routine.
// True indicates the routine should find a match, and false not a match.
$TestArray = array(array('data:', 'data:', true), array('http:', 'http:', true), array('https:', 'https:', true), array('data:', 'http:', false), array('data:', 'https:', false), array('http:', 'data:', false), array('https:', 'data:', false), array('data:urlencoded 64 dsdsdsddsd', 'data:', true), array('http://www.example.com', 'http:', true), array('https://www.example.com', 'https:', true), array('data:urlencoded 64 dsdsdsddsd', 'http:', false), array('http://www.example.com', 'https:', false), array('https://www.example.com', 'data:', false), array(site_url(), "'self'", true), array(site_url(), "data:", false), array(site_url(), "http://www.example.com", false), array(site_url(), "https://www.example.com", false), array(site_url(), "www.example.com", false), array(site_url(), "*.example.com", false), array('http://www.example.com', "http://www.example.com", true), array('http://www.example.com', "https://www.example.com", false), array('www.example.com', "https://www.example.com", false), array('www.example.com', "http://www.example.com", false), array('www.example.com', "www.example.com", true), array('http://www.example.com/test/url', "http://www.example.com", true), array('http://www.example.com/test/url', "https://www.example.com", false), array('http://www.example.com/test/url', "www.example.com", true), array('www.example.com/test/url', "https://www.example.com", false), array('www.example.com/test/url', "http://www.example.com", false), array('www.example.com/test/url', "www.example.com", true), array('http://www.example.com', "www.example.com", true), array('http://www.example.com', "*.example.com", true), array('https://www.example.com', "www.example.com", true), array('https://www.example.com', "*.example.com", true), array('ssss://www.example.com', "www.example.com", true), array('ssss://www.example.com', "*.example.com", true), array('http://www.example.com', "*example.com", false), array('https://www.example.com', "*example.com", false), array('ssss://www.example.com', "*example.com", false), array('http://www.example.com', ".example.com", false), array('https://www.example.com', ".example.com", false), array('ssss://www.example.com', ".example.com", false), array('http://www.example.com', "example.com", false), array('https://www.example.com', "example.com", false), array('ssss://www.example.com', "example.com", false), array('http://www.example.com/test/url', "www.example.com", true), array('http://www.example.com/test/url', "*.example.com", true), array('https://www.example.com/test/url', "www.example.com", true), array('https://www.example.com/test/url', "*.example.com", true), array('ssss://www.example.com/test/url', "www.example.com", true), array('ssss://www.example.com/test/url', "*.example.com", true), array('http://www.example.com/test/url', "*example.com", false), array('https://www.example.com/test/url', "*example.com", false), array('ssss://www.example.com/test/url', "*example.com", false), array('http://www.example.com/test/url', ".example.com", false), array('https://www.example.com/test/url', ".example.com", false), array('ssss://www.example.com/test/url', ".example.com", false), array('http://www.example.com/test/url', "example.com", false), array('https://www.example.com/test/url', "example.com", false), array('ssss://www.example.com/test/url', "example.com", false), array('http://www.example.com', "www.notexample.com", false), array('http://www.example.com', "*.notexample.com", false), array('https://www.example.com', "www.notexample.com", false), array('https://www.example.com', "*.notexample.com", false), array('ssss://www.example.com', "www.notexample.com", false), array('ssss://www.example.com', "*.notexample.com", false), array('http://www.example.com/path/to/file/', "*.notexample.com", false), array('https://www.example.com/path/to/file/', "www.notexample.com", false), array('http://www.example.com/path/to/file/', "*.example.com", true), array('https://www.example.com/path/to/file/', "www.example.com", true), array('http://www.example.com/path/to/file/', "*.example.com/path/", false), array('https://www.example.com/path/to/file/', "www.example.com/path/", false), array('http://www.example.com/path/to/file/', "*.example.com/path/to", false), array('https://www.example.com/path/to/file/', "www.example.com/path/to", false), array('http://www.example.com/path/to/file/', "*.example.com/path/to/file/", true), array('https://www.example.com/path/to/file/', "www.example.com/path/to/file/", true), array('http://www.example.com/path/to/file/thefile.php', "*.notexample.com", false), array('https://www.example.com/path/to/file/thefile.php', "www.notexample.com", false), array('http://www.example.com/path/to/file/thefile.php', "*.example.com", true), array('https://www.example.com/path/to/file/thefile.php', "www.example.com", true), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com", true), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/", false), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/", false), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/", false), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to", false), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to", false), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to", false), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to/file/", true), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to/file/", true), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to/file/", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/to/file/", true), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to/file/thefile.php", true), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to/file/thefile.php", true), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to/file/thefile.php", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/to/file/thefile.php", true), array('', "*.notexample.com", false), array('', "", false), array('http://www.example.com', "", false), array('http://www.example.com', "none", false), array('http://www.example.com', "'none'", false), array("'none'", "'none'", false), array('data:urlencoded 64 dsdsdsddsd', '*', false), array('http://www.example.com', '*', true), array('https://www.example.com', '*', true));
foreach ($TestArray as $Test) {
$return[] = "------------ Starting test:" . print_r($Test, true);
$ret = wpCSPclass::IsURIInOptionString($Test[0], $Test[1]);
if ($ret !== $Test[2]) {
$return[] = "****** failed test:" . print_r($Test, true);
$return[] = "returned:" . print_r($ret, true);
break;
}
}
// Test end to end including logging.
$CSPViolation = array('csp-report' => array('effective-directive' => 'img-src', 'blocked-uri' => 'http://b.wallyworld.zzzz'));
if (wpCSPclass::LogPolicyViolation($CSPViolation) === false) {
$return[] = "Should be logging b.wallyworld.zzzz as it is not blocked by ignored urls<br>\n ;";
}
$return[] = "Finished tests with no issues.<br>\n";
return "<li>" . implode("</li><li>", $return) . "</li>";
}
