From 109203d12b0389fbc19491a1b6d35324bf9d78d0 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Tue, 31 Jul 2018 19:08:02 +0900
Subject: [PATCH] Remove invalid characters from REQUEST_URI

---
 common/framework/url.php | 3 ++-
 common/legacy.php | 2 +-
 tests/unit/framework/URLTest.php | 9 ++++++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/common/framework/url.php b/common/framework/url.php
index 3ef79f7e7..7cbf555fa 100644
--- a/common/framework/url.php
+++ b/common/framework/url.php
@@ -18,7 +18,8 @@ class URL
 	 */
 	public static function getCurrentURL(array $changes = array())
 	{
-		$url = self::getCurrentDomainURL(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/');
+		$request_uri = preg_replace('/[<>"]/', '', isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/');
+		$url = self::getCurrentDomainURL($request_uri);
 		if (count($changes))
 		{
 			return self::modifyURL($url, $changes);
diff --git a/common/legacy.php b/common/legacy.php
index 1dfa456f7..0f7644065 100644
--- a/common/legacy.php
+++ b/common/legacy.php
@@ -917,7 +917,7 @@ function getScriptPath()
  */
 function getRequestUriByServerEnviroment()
 {
-	return escape($_SERVER['REQUEST_URI']);
+	return preg_replace('/[<>"]/', '', $_SERVER['REQUEST_URI']);
 }
 
 /**
diff --git a/tests/unit/framework/URLTest.php b/tests/unit/framework/URLTest.php
index 22c8c1a38..88f391e59 100644
--- a/tests/unit/framework/URLTest.php
+++ b/tests/unit/framework/URLTest.php
@@ -9,7 +9,7 @@ class URLTest extends \Codeception\TestCase\Test
 		// Getting the current URL
 		$this->assertEquals('https://www.rhymix.org/rhymix/index.php?foo=bar&xe=sucks', Rhymix\Framework\URL::getCurrentURL());
-
+
 		// Adding items to the query string
 		$this->assertEquals('https://www.rhymix.org/rhymix/index.php?foo=bar&xe=sucks&var=1&arr%5B0%5D=2&arr%5B1%5D=3', Rhymix\Framework\URL::getCurrentURL(array('var' => '1', 'arr' => array(2, 3))));
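Review bot: The added `preg_replace('/[<>"]/', '', …)` in getCurrentURL() strips three characters from REQUEST_URI but leaves the result as a raw, unescaped string, so it is a sanitiser rather than a substitute for escaping — wherever the returned URL is later written into HTML or an attribute, the output site still needs context-appropriate escaping such as `htmlspecialchars`. Percent-encoded forms of the same characters (`%3C`, `%3E`, `%22`) are deliberately left alone since the value is a raw URI, but that intent is not stated anywhere; a one-line comment such as `// Strip literal <, > and " which are never valid in a URI and only serve to break markup; encoded forms are left untouched` would make it explicit. The identical character class is spelled out again in common/legacy.php's getRequestUriByServerEnviroment(); keeping it in one place, for example `const INVALID_URI_CHARS = '/[<>"]/';` on the URL class that both call sites reference, prevents the two lists drifting apart. getCurrentURL()'s body and the enclosing class continue past the hunk.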
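Review bot: `$_SERVER['REQUEST_URI']` is read in getRequestUriByServerEnviroment() without the `isset()` guard that the parallel change in common/framework/url.php keeps, so under CLI or a SAPI that does not populate it the function raises an undefined-index notice and passes null to preg_replace; `return preg_replace('/[<>"]/', '', isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/');` would align the two call sites. Replacing `escape()` also changes the function's contract from a (presumably HTML-escaped) string to a raw one, so any template that echoed its return value directly now relies on the caller to escape — that change in contract belongs in the docblock above the function, which starts outside the hunk. `preg_replace()` returns null on a PCRE error, so callers should treat the result as string|null rather than assuming a string.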
@@ -22,6 +22,13 @@ class URLTest extends \Codeception\TestCase\Test
 		// Adding and removing parameters at the same time
 		$this->assertEquals('https://www.rhymix.org/rhymix/index.php?xe=sucks&l=ko', Rhymix\Framework\URL::getCurrentURL(array('l' => 'ko', 'foo' => null)));
+		// Removing invalid characters in the current URL
+		$_SERVER['REQUEST_URI'] = '/rhymix/?foo="bar"';
+		$this->assertEquals('https://www.rhymix.org/rhymix/?foo=bar', Rhymix\Framework\URL::getCurrentURL());
+		$_SERVER['REQUEST_URI'] = '/rhymix/?foo=';
+		$this->assertEquals('https://www.rhymix.org/rhymix/?foo=bar&baz=rhymix', Rhymix\Framework\URL::getCurrentURL());
+		$this->assertEquals('https://www.rhymix.org/rhymix/?baz=rhymix&l=ko', Rhymix\Framework\URL::getCurrentURL(array('l' => 'ko', 'foo' => null)));
+		$_SERVER['REQUEST_URI'] = $old_request_uri;
 	}
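Review bot: The added assertions overwrite the process-global `$_SERVER['REQUEST_URI']` and only restore it on the last added line, so a failing assertion in between leaves the modified value in place for every test that runs afterwards; wrapping the block in `try { … } finally { $_SERVER['REQUEST_URI'] = $old_request_uri; }`, or restoring it in the test class's tearDown, keeps the fixture isolated. `$old_request_uri` is not assigned anywhere in this hunk — presumably it is captured earlier in the test method, which begins outside the hunk, so confirm it exists before the first overwrite. The second fixture, `'/rhymix/?foo='`, cannot yield the expected `?foo=bar&baz=rhymix` as printed here, which looks like an angle-bracketed token lost in this rendering of the patch rather than a wrong expectation — worth checking against the committed file. `assertSame` would also pin the string type, where `assertEquals` tolerates a loosely-equal value.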