Merge pull request NoiseByNorthwest#265 from NoiseByNorthwest/fix/264

Fix report data access

Author: NoiseByNorthwest

src/php_spx.c

@@ -1038,7 +1038,7 @@ static int http_ui_handler_data(const char * data_dir, const char *relative_path
         if (
             spx_reporter_full_build_metadata_file_name(
                 data_dir,
-                relative_path + strlen(get_report_metadata_uri),
+                relative_path + strlen(get_report_metadata_uri) - 1,
                 file_name,
                 sizeof(file_name)
             ) == NULL
@@ -1055,7 +1055,7 @@ static int http_ui_handler_data(const char * data_dir, const char *relative_path
         if (
             spx_reporter_full_build_file_name(
                 data_dir,
-                relative_path + strlen(get_report_uri),
+                relative_path + strlen(get_report_uri) - 1,
                 file_name,
                 sizeof(file_name)
             ) == NULL

tests/.gitignore

@@ -1,4 +1,5 @@
 *
 !.gitignore
 !*.phpt
-!*.inc
+!*.inc
+!data_dir

tests/data_dir/reportkey.json

@@ -0,0 +1 @@
+bar

tests/data_dir/reportkey.txt.gz

@@ -0,0 +1 @@
+foo

tests/spx_ui_report_access.phpt

@@ -0,0 +1,22 @@
+--TEST--
+UI: URI confinement
+--CGI--
+--INI--
+spx.http_enabled=1
+spx.http_key="dev"
+spx.http_ip_whitelist="127.0.0.1"
+spx.data_dir="{PWD}/data_dir"
+log_errors=on
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+REQUEST_URI=/
+END;
+--GET--
+SPX_KEY=dev&SPX_UI_URI=/data/reports/get/reportkey
+--FILE--
+<?php
+// noop
+?>
+--EXPECT--
+foo

tests/spx_ui_report_metadata_access.phpt

@@ -0,0 +1,22 @@
+--TEST--
+UI: URI confinement
+--CGI--
+--INI--
+spx.http_enabled=1
+spx.http_key="dev"
+spx.http_ip_whitelist="127.0.0.1"
+spx.data_dir="{PWD}/data_dir"
+log_errors=on
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+REQUEST_URI=/
+END;
+--GET--
+SPX_KEY=dev&SPX_UI_URI=/data/reports/metadata/reportkey
+--FILE--
+<?php
+// noop
+?>
+--EXPECT--
+bar