/** * * @param string $URI URI we're tryiug to match * @param string $OptionString String we're trying to match in. * @param array $args Future use. * @return false - no match, otherwise match URI. */ public static function IsURIInOptionString($URI, $OptionString, $args = array()) { $return = -1; $OptionURLArray = wpCSPclass::CleanPolicyOptionText($OptionString); // No URI to check therefore no match possible. if (empty($URI) || empty($OptionURLArray)) { $return = false; } // Does the URL include a scheme? $URI = trim($URI); if (strpos($URI, ":") === false) { $URLPathDirectory = ""; if (strpos($URI, "/") !== false) { $URLPathDirectory = substr($URI, strpos($URI, "/")); $URI = substr($URI, 0, strpos($URI, "/")); } $URIParts = array('scheme' => '', 'host' => $URI, 'path' => $URLPathDirectory); } else { $URIParts = parse_url($URI); if ($URIParts === false) { return false; } } // For matching against anything with a wildcard - remove the subdomain. $URIHostnameWildcard = substr($URIParts['host'], strpos($URIParts['host'], ".")); // Split the path into path and file. if (substr($URIParts['path'], -1) == '/') { $URLPathDirectory = $URIParts['path']; $URLPathFile = ''; } else { $URLPathDirectory = substr($URIParts['path'], 0, strrpos($URIParts['path'], "/") + 1); $URLPathFile = substr($URIParts['path'], strrpos($URIParts['path'], "/") + 1); } // Quick search for special options! if ($return === -1) { foreach ($OptionURLArray as $key => $OptionURL) { // Empty option - ignore. if (empty($OptionURL)) { continue; } // Find out the options parts. $OptionURL = trim($OptionURL); if ($OptionURL == "'self'") { $OptionURL = site_url(); } if (strpos($OptionURL, ":") === false) { $OptionURLPathDirectory = ""; if (strpos($OptionURL, "/") !== false) { $OptionURLPathDirectory = substr($OptionURL, strpos($OptionURL, "/")); $OptionURL = substr($OptionURL, 0, strpos($OptionURL, "/")); } $OptionURLParts = array('scheme' => '', 'host' => $OptionURL, 'path' => $OptionURLPathDirectory); } else { $OptionURLParts = parse_url($OptionURL); if ($OptionURLParts === false) { continue; } } if (substr($OptionURLParts['path'], -1) == '/') { $OptionURLPathDirectory = $OptionURLParts['path']; $OptionURLPathFile = ''; } else { $OptionURLPathDirectory = substr($OptionURLParts['path'], 0, strrpos($OptionURLParts['path'], "/") + 1); $OptionURLPathFile = substr($OptionURLParts['path'], strrpos($OptionURLParts['path'], "/") + 1); } // * matched everything! if ($OptionURL == "*") { if ($URIParts['scheme'] != 'blob' && $URIParts['scheme'] != 'data' && $URIParts['scheme'] != 'filesystem') { $return = true; } } elseif (substr($OptionURL, -1, 1) == ':') { if (substr($OptionURL, 0, -1) == $URIParts['scheme']) { $return = true; } } elseif ($OptionURL == "'unsafe-inline'") { } elseif ($OptionURL == "'unsafe-eval'") { } elseif ($OptionURL == "'none'") { $return = false; } else { // Does the option have a scheme to check? if (strpos($OptionURL, ":") !== false) { // If the host name starts with a '*' then remvoe subdomain and check against the other url minus the subdomain if (substr($OptionURL, 0, 1) == '*') { if (substr($OptionURLParts['host'], strpos($OptionURLParts['host'], ".")) != $URIHostnameWildcard) { continue; } } elseif ($OptionURLParts['host'] != $URIParts['host'] || $OptionURLParts['scheme'] != $URIParts['scheme']) { continue; } } elseif (substr($OptionURL, 0, 1) == '*') { if (substr($OptionURLParts['host'], strpos($OptionURLParts['host'], ".")) != $URIHostnameWildcard) { continue; } } elseif ($OptionURL != $URIParts['host']) { continue; } if (!empty($OptionURLPathDirectory)) { if ($OptionURLPathDirectory !== $URLPathDirectory) { continue; } if (!empty($OptionURLPathFile)) { if ($OptionURLPathFile !== $URLPathFile) { continue; } } } $return = true; } // Did something set something this time around? Then stop checking options. if ($return !== -1) { break; } } } if ($return === -1) { $return = false; } return $return; }
/** * checks the URL checker, see if its reading the ignored URLs correctly. */ private static function TestURLChecker() { $return = array(); // Testing various ways of checking for errors in option arrays // array( BlockedURI, OptionString, ExpectedTestResult ) // where BlockedURI is emulating the issue we received from the browser. // and OptionString is emulating the options entered by the user. // ExpectedTestResult is what we expect to receive back from the routine. // True indicates the routine should find a match, and false not a match. $TestArray = array(array('data:', 'data:', true), array('http:', 'http:', true), array('https:', 'https:', true), array('data:', 'http:', false), array('data:', 'https:', false), array('http:', 'data:', false), array('https:', 'data:', false), array('data:urlencoded 64 dsdsdsddsd', 'data:', true), array('http://www.example.com', 'http:', true), array('https://www.example.com', 'https:', true), array('data:urlencoded 64 dsdsdsddsd', 'http:', false), array('http://www.example.com', 'https:', false), array('https://www.example.com', 'data:', false), array(site_url(), "'self'", true), array(site_url(), "data:", false), array(site_url(), "http://www.example.com", false), array(site_url(), "https://www.example.com", false), array(site_url(), "www.example.com", false), array(site_url(), "*.example.com", false), array('http://www.example.com', "http://www.example.com", true), array('http://www.example.com', "https://www.example.com", false), array('www.example.com', "https://www.example.com", false), array('www.example.com', "http://www.example.com", false), array('www.example.com', "www.example.com", true), array('http://www.example.com/test/url', "http://www.example.com", true), array('http://www.example.com/test/url', "https://www.example.com", false), array('http://www.example.com/test/url', "www.example.com", true), array('www.example.com/test/url', "https://www.example.com", false), array('www.example.com/test/url', "http://www.example.com", false), array('www.example.com/test/url', "www.example.com", true), array('http://www.example.com', "www.example.com", true), array('http://www.example.com', "*.example.com", true), array('https://www.example.com', "www.example.com", true), array('https://www.example.com', "*.example.com", true), array('ssss://www.example.com', "www.example.com", true), array('ssss://www.example.com', "*.example.com", true), array('http://www.example.com', "*example.com", false), array('https://www.example.com', "*example.com", false), array('ssss://www.example.com', "*example.com", false), array('http://www.example.com', ".example.com", false), array('https://www.example.com', ".example.com", false), array('ssss://www.example.com', ".example.com", false), array('http://www.example.com', "example.com", false), array('https://www.example.com', "example.com", false), array('ssss://www.example.com', "example.com", false), array('http://www.example.com/test/url', "www.example.com", true), array('http://www.example.com/test/url', "*.example.com", true), array('https://www.example.com/test/url', "www.example.com", true), array('https://www.example.com/test/url', "*.example.com", true), array('ssss://www.example.com/test/url', "www.example.com", true), array('ssss://www.example.com/test/url', "*.example.com", true), array('http://www.example.com/test/url', "*example.com", false), array('https://www.example.com/test/url', "*example.com", false), array('ssss://www.example.com/test/url', "*example.com", false), array('http://www.example.com/test/url', ".example.com", false), array('https://www.example.com/test/url', ".example.com", false), array('ssss://www.example.com/test/url', ".example.com", false), array('http://www.example.com/test/url', "example.com", false), array('https://www.example.com/test/url', "example.com", false), array('ssss://www.example.com/test/url', "example.com", false), array('http://www.example.com', "www.notexample.com", false), array('http://www.example.com', "*.notexample.com", false), array('https://www.example.com', "www.notexample.com", false), array('https://www.example.com', "*.notexample.com", false), array('ssss://www.example.com', "www.notexample.com", false), array('ssss://www.example.com', "*.notexample.com", false), array('http://www.example.com/path/to/file/', "*.notexample.com", false), array('https://www.example.com/path/to/file/', "www.notexample.com", false), array('http://www.example.com/path/to/file/', "*.example.com", true), array('https://www.example.com/path/to/file/', "www.example.com", true), array('http://www.example.com/path/to/file/', "*.example.com/path/", false), array('https://www.example.com/path/to/file/', "www.example.com/path/", false), array('http://www.example.com/path/to/file/', "*.example.com/path/to", false), array('https://www.example.com/path/to/file/', "www.example.com/path/to", false), array('http://www.example.com/path/to/file/', "*.example.com/path/to/file/", true), array('https://www.example.com/path/to/file/', "www.example.com/path/to/file/", true), array('http://www.example.com/path/to/file/thefile.php', "*.notexample.com", false), array('https://www.example.com/path/to/file/thefile.php', "www.notexample.com", false), array('http://www.example.com/path/to/file/thefile.php', "*.example.com", true), array('https://www.example.com/path/to/file/thefile.php', "www.example.com", true), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com", true), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/", false), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/", false), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/", false), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to", false), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to", false), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to", false), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to/file/", true), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to/file/", true), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to/file/", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/to/file/", true), array('http://www.example.com/path/to/file/thefile.php', "*.example.com/path/to/file/thefile.php", true), array('https://www.example.com/path/to/file/thefile.php', "www.example.com/path/to/file/thefile.php", true), array('https://www.example.com/path/to/file/thefile.php', "http://www.example.com/path/to/file/thefile.php", false), array('https://www.example.com/path/to/file/thefile.php', "https://www.example.com/path/to/file/thefile.php", true), array('', "*.notexample.com", false), array('', "", false), array('http://www.example.com', "", false), array('http://www.example.com', "none", false), array('http://www.example.com', "'none'", false), array("'none'", "'none'", false), array('data:urlencoded 64 dsdsdsddsd', '*', false), array('http://www.example.com', '*', true), array('https://www.example.com', '*', true)); foreach ($TestArray as $Test) { $return[] = "------------ Starting test:" . print_r($Test, true); $ret = wpCSPclass::IsURIInOptionString($Test[0], $Test[1]); if ($ret !== $Test[2]) { $return[] = "****** failed test:" . print_r($Test, true); $return[] = "returned:" . print_r($ret, true); break; } } // Test end to end including logging. $CSPViolation = array('csp-report' => array('effective-directive' => 'img-src', 'blocked-uri' => 'http://b.wallyworld.zzzz')); if (wpCSPclass::LogPolicyViolation($CSPViolation) === false) { $return[] = "Should be logging b.wallyworld.zzzz as it is not blocked by ignored urls<br>\n ;"; } $return[] = "Finished tests with no issues.<br>\n"; return "<li>" . implode("</li><li>", $return) . "</li>"; }