From 8b67de5bc1a83ba90c289f12007ad657dc5ccc6e Mon Sep 17 00:00:00 2001
From: Amir Sarabadani
Date: Fri, 16 Jun 2023 00:48:05 +0200
Subject: [PATCH] blocked domains: Make sure users can't bypass the list by using uppercase Added tests too
Bug: T337431
Change-Id: Ie3406d0b3c7d82ba44c11865e493375453555664
---
 includes/Hooks/Handlers/FilteredActionsHandler.php | 3 ++-
 tests/phpunit/integration/FilteredActionsHandlerTest.php | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/includes/Hooks/Handlers/FilteredActionsHandler.php b/includes/Hooks/Handlers/FilteredActionsHandler.php
index e9a675348..cec3ddf97 100644
--- a/includes/Hooks/Handlers/FilteredActionsHandler.php
+++ b/includes/Hooks/Handlers/FilteredActionsHandler.php
@@ -213,7 +213,8 @@ class FilteredActionsHandler implements
 // This saves string search in the large list of blocked domains
 // making it much faster.
 $domainString = '';
- foreach ( array_reverse( explode( '.', $parsedUrl['host'] ) ) as $domainPiece ) {
+ $domainPieces = array_reverse( explode( '.', strtolower( $parsedUrl['host'] ) ) );
+ foreach ( $domainPieces as $domainPiece ) {
 if ( !$domainString ) {
 $domainString = $domainPiece;
 } else {
diff --git a/tests/phpunit/integration/FilteredActionsHandlerTest.php b/tests/phpunit/integration/FilteredActionsHandlerTest.php
index 82238072a..dd2cbbd97 100644
--- a/tests/phpunit/integration/FilteredActionsHandlerTest.php
+++ b/tests/phpunit/integration/FilteredActionsHandlerTest.php
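Review bot: The `strtolower()` added on the `$domainPieces` line normalises only the URL side of the comparison, and it is a byte-wise fold that leaves non-ASCII letters in an internationalised host untouched. The match therefore still relies on the blocked-domain list being stored lowercase and in the same host form that `parse_url()` returns, and neither is visible in this hunk. It would help to state that contract where the list is built and to add a why-comment here, for example `// Host names are case-insensitive (RFC 4343): lowercase before matching the blocked list`. The loop body and the lookup continue outside the hunk, so whether `$parsedUrl['host']` is guaranteed to be set at this point cannot be confirmed from here.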
@@ -72,6 +72,7 @@ class FilteredActionsHandlerTest extends \MediaWikiIntegrationTestCase {
 'blocked domain with parameters' => [ 'https://foo.com?foo=bar', false ],
 'blocked domain with path and parameters' => [ 'https://foo.com/foo/?foo=bar', false ],
 'blocked domain with port' => [ 'https://foo.com:9000', false ],
+ 'blocked domain as uppercase' => [ 'https://FOO.com', false ],
 'unusual protocol' => [ 'ftp://foo.com', false ],
 'mailto is special' => [ 'mailto://user@foo.com', false ],
 'domain not blocked' => [ 'https://foo.bar.com', true ],
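Review bot: The added row uppercases only the second-level label of a blocked host, so the provider does not pin that an uppercase TLD is also matched or that lowercasing leaves a non-blocked host allowed. Two more rows would cover both directions: `'blocked domain as mixed case' => [ 'https://Foo.COM', false ],` and `'unblocked domain as uppercase' => [ 'https://FOO.BAR.com', true ],` (sample values constructed from the existing rows). The provider array begins and ends outside the hunk.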