From 132916e3a525b582579b1d88f679a0ac88772851 Mon Sep 17 00:00:00 2001
From: Osma Suominen
Date: Tue, 26 Apr 2022 13:55:02 +0300
Subject: [PATCH 1/4] More comprehensive tests for Request->getLangUrl method
---
 tests/RequestTest.php | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/tests/RequestTest.php b/tests/RequestTest.php
index c8e75897a..d81385079 100644
--- a/tests/RequestTest.php
+++ b/tests/RequestTest.php
@@ -186,6 +186,16 @@ public function testGetLangUrlNoParamVocab() {
 $this->assertEquals("myvocab/en/", $langurl);
 }
+ /**
+ * @covers Request::getLangUrl
+ */
+ public function testGetLangUrlNoParamVocabIndex() {
+ $this->request->setServerConstant('SCRIPT_NAME', '/Skosmos/index.php');
+ $this->request->setServerConstant('REQUEST_URI', '/Skosmos/myvocab/en/index');
+ $langurl = $this->request->getLangUrl();
+ $this->assertEquals("myvocab/en/index", $langurl);
+ }
+
 /**
 * @covers Request::getLangUrl
 */
@@ -208,4 +218,15 @@ public function testGetLangUrlNewLangVocab() {
 $this->assertEquals("myvocab/sv/", $langurl);
 }
+ /**
+ * @covers Request::getLangUrl
+ */
+ public function testGetLangUrlNewLangVocabIndex() {
+ $this->request->setServerConstant('SCRIPT_NAME', '/Skosmos/index.php');
+ $this->request->setServerConstant('REQUEST_URI', '/Skosmos/myvocab/en/index');
+ $this->request->setLang('en');
+ $langurl = $this->request->getLangUrl("sv");
+ $this->assertEquals("myvocab/sv/index", $langurl);
+ }
+
 }
From 91bed66175764645d983aeacc7669a1ff2ebcf39 Mon Sep 17 00:00:00 2001
From: Osma Suominen
Date: Tue, 26 Apr 2022 14:09:17 +0300
Subject: [PATCH 2/4] Sanitize special characters when generating URLs for language switcher. Fixes #1289
---
 model/Request.php | 5 ++++-
 tests/RequestTest.php | 11 +++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/model/Request.php b/model/Request.php
index 28da72b48..e345c03e5 100644
--- a/model/Request.php
+++ b/model/Request.php
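Review bot: Both new tests in this file (the hunk at @@ -186 and the one at @@ -208) compare a string result with `assertEquals`, which is a loose comparison; `$this->assertSame("myvocab/en/index", $langurl);` pins both type and value and is the stricter choice for a method that returns a string. The two tests also repeat the same SCRIPT_NAME/REQUEST_URI setup as the existing `testGetLangUrlNoParamVocab` and `testGetLangUrlNewLangVocab` cases, so a data provider over (REQUEST_URI, newlang, expected) would keep the getLangUrl cases in one table and make the index/non-index pairs visible side by side. Whether setUp() creates a fresh Request between tests, so that `setLang('en')` in the second test cannot leak into others, is not visible from this hunk.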
@@ -179,10 +179,13 @@ public function getRequestUri()
 */
 public function getLangUrl($newlang=null)
 {
- $langurl = substr(str_replace(str_replace('/index.php', '', $this->getServerConstant('SCRIPT_NAME')), '', $this->getServerConstant('REQUEST_URI')), 1);
+ $script_name = str_replace('/index.php', '', $this->getServerConstant('SCRIPT_NAME'));
+ $langurl = substr(str_replace($script_name, '', $this->getServerConstant('REQUEST_URI')), 1);
 if ($newlang !== null) {
 $langurl = preg_replace("#^(.*/)?{$this->lang}/#", "$1{$newlang}/", $langurl);
 }
+ // make sure that the resulting URL doesn't contain suspicious characters
+ $langurl = preg_replace("#[^a-zA-Z0-9-/]#", "", $langurl);
 return $langurl;
 }
diff --git a/tests/RequestTest.php b/tests/RequestTest.php
index d81385079..4885b20ac 100644
--- a/tests/RequestTest.php
+++ b/tests/RequestTest.php
@@ -229,4 +229,15 @@ public function testGetLangUrlNewLangVocabIndex() {
 $this->assertEquals("myvocab/sv/index", $langurl);
 }
+ /**
+ * @covers Request::getLangUrl
+ */
+ public function testGetLangUrlSanitizeSpecialChars() {
+ $this->request->setServerConstant('SCRIPT_NAME', '/Skosmos/index.php');
+ $this->request->setServerConstant('REQUEST_URI', '/Skosmos/http://example.com');
+ $this->request->setLang('en');
+ $langurl = $this->request->getLangUrl();
+ $this->assertEquals("http//examplecom", $langurl);
+ }
+
 }
From 2932952c8bde75c831809188a3ae167ebda97939 Mon Sep 17 00:00:00 2001
From: Osma Suominen
Date: Tue, 26 Apr 2022 14:20:12 +0300
Subject: [PATCH 3/4] fix regex syntax
---
 model/Request.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/model/Request.php b/model/Request.php
index e345c03e5..acdfa9c0f 100644
--- a/model/Request.php
+++ b/model/Request.php
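Review bot: The kept context line `preg_replace("#^(.*/)?{$this->lang}/#", "$1{$newlang}/", $langurl)` interpolates `$this->lang` into the pattern and `$newlang` into the replacement without quoting, so a language value containing `#`, `.`, `\` or `$n` changes the regex or the backreference rather than being matched literally, and a pattern error makes preg_replace return null, which the new `return $langurl;` then passes on to the caller; the same line is carried unchanged through the hunks of patches 3 and 4. Quoting the code, `'#^(.*/)?' . preg_quote($this->lang, '#') . '/#'`, and writing the replacement as `'${1}' . $newlang . '/'` decouples the group reference from the text that follows, and unless setLang()/the caller already restrict both values to known language codes (not visible here), rejecting a `$newlang` that does not match a simple allowlist such as `#^[a-zA-Z-]+$#` before it is interpolated is the safer boundary check. Separately, the new `str_replace($script_name, '', ...)` removes every occurrence of the script path from REQUEST_URI rather than just the leading one; stripping only a prefix, e.g. `preg_replace('#^' . preg_quote($script_name, '#') . '#', '', ...)`, expresses the intent exactly. The new character-class line `[^a-zA-Z0-9-/]` contains an out-of-order range and is corrected by patch 3 of this series.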
@@ -185,7 +185,7 @@ public function getLangUrl($newlang=null)
 $langurl = preg_replace("#^(.*/)?{$this->lang}/#", "$1{$newlang}/", $langurl);
 }
 // make sure that the resulting URL doesn't contain suspicious characters
- $langurl = preg_replace("#[^a-zA-Z0-9-/]#", "", $langurl);
+ $langurl = preg_replace("#[^a-zA-Z0-9/-]#", "", $langurl);
 return $langurl;
 }
From fe9e356489efc0eebaad94de78e772eacfe2c499 Mon Sep 17 00:00:00 2001
From: Osma Suominen
Date: Tue, 26 Apr 2022 14:31:58 +0300
Subject: [PATCH 4/4] only disallow colons in strings returned by getLangUrl
---
 model/Request.php | 4 ++--
 tests/RequestTest.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/model/Request.php b/model/Request.php
index acdfa9c0f..e05439699 100644
--- a/model/Request.php
+++ b/model/Request.php
@@ -184,8 +184,8 @@ public function getLangUrl($newlang=null)
 if ($newlang !== null) {
 $langurl = preg_replace("#^(.*/)?{$this->lang}/#", "$1{$newlang}/", $langurl);
 }
- // make sure that the resulting URL doesn't contain suspicious characters
- $langurl = preg_replace("#[^a-zA-Z0-9/-]#", "", $langurl);
+ // make sure that the resulting URL isn't interpreted as an absolute URL
+ $langurl = str_replace(":", "", $langurl);
 return $langurl;
 }
diff --git a/tests/RequestTest.php b/tests/RequestTest.php
index 4885b20ac..10e7654f8 100644
--- a/tests/RequestTest.php
+++ b/tests/RequestTest.php
@@ -237,7 +237,7 @@ public function testGetLangUrlSanitizeSpecialChars() {
 $this->request->setServerConstant('REQUEST_URI', '/Skosmos/http://example.com');
 $this->request->setLang('en');
 $langurl = $this->request->getLangUrl();
- $this->assertEquals("http//examplecom", $langurl);
+ $this->assertEquals("http//example.com", $langurl);
 }
 }
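Review bot: The new `str_replace(":", "", $langurl)` in the model/Request.php hunk of patch 4 removes the scheme separator but leaves the other way a relative path becomes non-relative untouched: `substr(..., 1)` strips exactly one leading slash, so a REQUEST_URI with extra slashes after the script path still yields a value that starts with `//`, which a browser resolves against another host. Adding `$langurl = ltrim($langurl, '/');` after the colon removal, or validating the final value against the `vocab/lang/...` shape the tests expect and returning '' otherwise, makes the stated intent hold; where the returned string is embedded (presumably an href in the language switcher) is not visible here, so escaping at that point should be checked as well. The new comment could also name the case it prevents, e.g. `// strip ':' so a path segment such as "http://..." cannot turn the relative URL into an absolute one`.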
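Review bot: After the tests/RequestTest.php hunk of patch 4 the test name `testGetLangUrlSanitizeSpecialChars` no longer matches what it checks, since the method now only drops colons and the expected value keeps the dot; renaming it to something like `testGetLangUrlRemovesColons` keeps the name honest, and `$this->assertSame("http//example.com", $langurl);` is the stricter assertion for a string result. The `$newlang` branch is not exercised with this input; a second case calling `getLangUrl("sv")` on the same REQUEST_URI would document how the colon removal and the language substitution interact.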