authorArthurHoaro <arthur@hoa.ro>2017-05-31 17:52:19 +0200
committerGitHub <noreply@github.com>2017-05-31 17:52:19 +0200
commitac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e (patch)
treeb235a4ed0e5291d7ad2f008df5bbed4d43200cbe /application
parent268309df5d8110f516940be06e9481d66f3fb5d6 (diff)
parent86ceea054f5f85157b04473bac5bfb6ff86ca31f (diff)
Merge pull request #880 from ArthurHoaro/hotfix/allowed-protocols
Add a whitelist of protocols for URLs
Diffstat (limited to 'application')
-rw-r--r--application/Url.php24
-rw-r--r--application/config/ConfigManager.php1
2 files changed, 25 insertions, 0 deletions
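--- a/application/Url.php
+++ b/application/Url.php
@@ -64,6 +64,30 @@ function add_trailing_slash($url)
 }
 
 /**
+ * Replace not whitelisted protocols by 'http://' from given URL.
+ *
+ * @param string $url URL to clean
+ * @param array $protocols List of allowed protocols (aside from http(s)).
+ *
+ * @return string URL with allowed protocol
+ */
+function whitelist_protocols($url, $protocols)
+{
+    if (startsWith($url, '?') || startsWith($url, '/')) {
+        return $url;
+    }
+    $protocols = array_merge(['http', 'https'], $protocols);
+    $protocol = preg_match('#^(\w+):/?/?#', $url, $match);
+    // Protocol not allowed: we remove it and replace it with http
+    if ($protocol === 1 && ! in_array($match[1], $protocols)) {
+        $url = str_replace($match[0], 'http://', $url);
+    } else if ($protocol !== 1) {
+        $url = 'http://' . $url;
+    }
+    return $url;
+}
+
+/**
  * URL representation and cleanup utilities
  *
  * Form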
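Review bot: `str_replace($match[0], 'http://', $url)` in the rewrite branch of whitelist_protocols replaces every occurrence of the matched prefix, not only the leading one, so a URL that repeats its own scheme later (for instance inside a query parameter) is altered beyond the scheme. Because the pattern is anchored with `^`, the prefix can be cut off positionally instead: `$url = 'http://' . substr($url, strlen($match[0]));`. The whitelist lookup is also case-sensitive, so `FTP://` or `HTTP://` are rewritten even though their lowercase forms are allowed; normalising with `strtolower($match[1])` before the `in_array` check, and passing `true` as its third argument, keeps the comparison predictable. The function body sits entirely within this hunk.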
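--- a/application/config/ConfigManager.php
+++ b/application/config/ConfigManager.php
@@ -312,6 +312,7 @@ class ConfigManager
         $this->setEmpty('security.ban_duration', 1800);
         $this->setEmpty('security.session_protection_disabled', false);
         $this->setEmpty('security.open_shaarli', false);
+        $this->setEmpty('security.allowed_protocols', ['ftp', 'ftps', 'magnet']);
 
         $this->setEmpty('general.header_link', '?');
         $this->setEmpty('general.links_per_page', 20);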