author | ArthurHoaro <arthur@hoa.ro> | 2017-05-31 17:52:19 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-05-31 17:52:19 +0200 |
commit | ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e (patch) | |
tree | b235a4ed0e5291d7ad2f008df5bbed4d43200cbe /application | |
parent | 268309df5d8110f516940be06e9481d66f3fb5d6 (diff) | |
parent | 86ceea054f5f85157b04473bac5bfb6ff86ca31f (diff) | |
Merge pull request #880 from ArthurHoaro/hotfix/allowed-protocols
Add a whitelist of protocols for URLs
Diffstat (limited to 'application')
-rw-r--r-- | application/Url.php | 24 | ||||
-rw-r--r-- | application/config/ConfigManager.php | 1 |
2 files changed, 25 insertions, 0 deletions
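--- a/application/Url.php
+++ b/application/Url.php
@@ -64,6 +64,30 @@ function add_trailing_slash($url)
 }
 
 /**
+ * Replace not whitelisted protocols by 'http://' from given URL.
+ *
+ * @param string $url URL to clean
+ * @param array $protocols List of allowed protocols (aside from http(s)).
+ *
+ * @return string URL with allowed protocol
+ */
+function whitelist_protocols($url, $protocols)
+{
+    if (startsWith($url, '?') || startsWith($url, '/')) {
+        return $url;
+    }
+    $protocols = array_merge(['http', 'https'], $protocols);
+    $protocol = preg_match('#^(\w+):/?/?#', $url, $match);
+    // Protocol not allowed: we remove it and replace it with http
+    if ($protocol === 1 && ! in_array($match[1], $protocols)) {
+        $url = str_replace($match[0], 'http://', $url);
+    } else if ($protocol !== 1) {
+        $url = 'http://' . $url;
+    }
+    return $url;
+}
+
+/**
  * URL representation and cleanup utilities
  *
  * Form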
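Review bot: The scheme comparison on the `in_array` line is case-sensitive, so a link such as `FTP://host/file` is rewritten to `http://host/file` even though ftp is on the allowed list; lower-casing the captured scheme and comparing strictly, `if ($protocol === 1 && ! in_array(strtolower($match[1]), $protocols, true)) {`, keeps the whitelist exact while honouring case-insensitive scheme names. The replacement on the next line, `str_replace($match[0], 'http://', $url)`, substitutes every occurrence of the matched prefix anywhere in the URL rather than only the leading one; `$url = 'http://' . substr($url, strlen($match[0]));` rewrites just the scheme. Fragment-only links starting with `#` are not exempted like `?` and `/` and will come out prefixed with `http://`, which looks unintended given the early return for the other two relative forms. A short comment on the early return, `// Relative links (query-only or path) carry no scheme and are left untouched`, would make that exemption explicit.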
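--- a/application/config/ConfigManager.php
+++ b/application/config/ConfigManager.php
@@ -312,6 +312,7 @@ class ConfigManager
         $this->setEmpty('security.ban_duration', 1800);
         $this->setEmpty('security.session_protection_disabled', false);
         $this->setEmpty('security.open_shaarli', false);
+        $this->setEmpty('security.allowed_protocols', ['ftp', 'ftps', 'magnet']);
 
         $this->setEmpty('general.header_link', '?');
         $this->setEmpty('general.links_per_page', 20);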
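Review bot: The new `security.allowed_protocols` default carries no comment explaining that it is the list of additional schemes on top of http/https, which the consumer in Url.php documents as always allowed; a reader of this file alone cannot tell whether omitting `http` here disables it. A one-line comment above the setEmpty call, `// Extra URL schemes accepted for links; http and https are always allowed.`, would settle that. The enclosing method of this hunk starts and ends outside the shown lines.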