diff options
author | ArthurHoaro <arthur@hoa.ro> | 2017-05-31 17:52:19 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-05-31 17:52:19 +0200 |
commit | ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e (patch) | |
tree | b235a4ed0e5291d7ad2f008df5bbed4d43200cbe /application/Url.php | |
parent | 268309df5d8110f516940be06e9481d66f3fb5d6 (diff) | |
parent | 86ceea054f5f85157b04473bac5bfb6ff86ca31f (diff) | |
download | Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.tar.gz Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.tar.zst Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.zip |
Merge pull request #880 from ArthurHoaro/hotfix/allowed-protocols
Add a whitelist of protocols for URLs
Diffstat (limited to 'application/Url.php')
-rw-r--r-- | application/Url.php | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/application/Url.php b/application/Url.php index 25a62a8a..b3759377 100644 --- a/application/Url.php +++ b/application/Url.php | |||
@@ -64,6 +64,30 @@ function add_trailing_slash($url) | |||
64 | } | 64 | } |
65 | 65 | ||
66 | /** | 66 | /** |
67 | * Replace not whitelisted protocols by 'http://' from given URL. | ||
68 | * | ||
69 | * @param string $url URL to clean | ||
70 | * @param array $protocols List of allowed protocols (aside from http(s)). | ||
71 | * | ||
72 | * @return string URL with allowed protocol | ||
73 | */ | ||
74 | function whitelist_protocols($url, $protocols) | ||
75 | { | ||
76 | if (startsWith($url, '?') || startsWith($url, '/')) { | ||
77 | return $url; | ||
78 | } | ||
79 | $protocols = array_merge(['http', 'https'], $protocols); | ||
80 | $protocol = preg_match('#^(\w+):/?/?#', $url, $match); | ||
81 | // Protocol not allowed: we remove it and replace it with http | ||
82 | if ($protocol === 1 && ! in_array($match[1], $protocols)) { | ||
83 | $url = str_replace($match[0], 'http://', $url); | ||
84 | } else if ($protocol !== 1) { | ||
85 | $url = 'http://' . $url; | ||
86 | } | ||
87 | return $url; | ||
88 | } | ||
89 | |||
90 | /** | ||
67 | * URL representation and cleanup utilities | 91 | * URL representation and cleanup utilities |
68 | * | 92 | * |
69 | * Form | 93 | * Form |