Validate::uri replaced with filter_var for HTTP[S] URL checks
Also fixed a bug in the OAuth callback URL validity check, which referenced the wrong variable when validating form data.
This commit is contained in:
parent
2c0790be54
commit
8912cdc7a4
|
@ -152,9 +152,7 @@ class ApiAccountRegisterAction extends ApiAction
|
||||||
// TRANS: Form validation error displayed when trying to register with an already registered e-mail address.
|
// TRANS: Form validation error displayed when trying to register with an already registered e-mail address.
|
||||||
$this->clientError(_('Email address already exists.'),404,'json');
|
$this->clientError(_('Email address already exists.'),404,'json');
|
||||||
} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
|
} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
|
||||||
!Validate::uri($homepage,
|
!common_valid_http_url($homepage)) {
|
||||||
array('allowed_schemes' =>
|
|
||||||
array('http', 'https')))) {
|
|
||||||
// TRANS: Form validation error displayed when trying to register with an invalid homepage URL.
|
// TRANS: Form validation error displayed when trying to register with an invalid homepage URL.
|
||||||
$this->clientError(_('Homepage is not a valid URL.'),404,'json');
|
$this->clientError(_('Homepage is not a valid URL.'),404,'json');
|
||||||
return;
|
return;
|
||||||
|
|
|
@ -47,17 +47,12 @@ class ApiCheckHubAction extends ApiAuthAction
|
||||||
|
|
||||||
$this->url = urldecode($args['url']);
|
$this->url = urldecode($args['url']);
|
||||||
|
|
||||||
if (!$this->url) {
|
if (empty($this->url)) {
|
||||||
$this->clientError(_('No URL.'), 403, 'json');
|
$this->clientError(_('No URL.'), 403, 'json');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!Validate::uri(
|
if (!common_valid_http_url($this->url)) {
|
||||||
$this->url, array(
|
|
||||||
'allowed_schemes' =>
|
|
||||||
array('http', 'https')
|
|
||||||
)
|
|
||||||
)) {
|
|
||||||
$this->clientError(_('Invalid URL.'), 403, 'json');
|
$this->clientError(_('Invalid URL.'), 403, 'json');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
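Review bot: The new `common_valid_http_url($this->url)` test guarding the `Invalid URL.` branch is purely syntactic, so `http://127.0.0.1/`, `http://localhost/` and RFC 1918 or link-local hosts all pass it; if this action then requests the URL (its name suggests hub discovery, but any fetch is outside the hunk) that is an SSRF vector, and the host should be resolved and checked against an internal-range deny-list before any outbound request. The switch from `!$this->url` to `empty($this->url)` is behaviour-neutral here because the property is assigned on the line immediately above. A comment on the check such as `// Syntax only; does not stop requests to internal hosts` would keep that limitation visible to the next maintainer.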
@ -165,15 +165,9 @@ class ApiGroupCreateAction extends ApiAuthAction
|
||||||
);
|
);
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
} elseif (
|
} elseif (!is_null($this->homepage)
|
||||||
!is_null($this->homepage)
|
|
||||||
&& strlen($this->homepage) > 0
|
&& strlen($this->homepage) > 0
|
||||||
&& !Validate::uri(
|
&& !common_valid_http_url($this->homepage)) {
|
||||||
$this->homepage, array(
|
|
||||||
'allowed_schemes' =>
|
|
||||||
array('http', 'https')
|
|
||||||
)
|
|
||||||
)) {
|
|
||||||
$this->clientError(
|
$this->clientError(
|
||||||
// TRANS: Client error in form for group creation.
|
// TRANS: Client error in form for group creation.
|
||||||
_('Homepage is not a valid URL.'),
|
_('Homepage is not a valid URL.'),
|
||||||
|
|
|
@ -268,12 +268,7 @@ class ApiGroupProfileUpdateAction extends ApiAuthAction
|
||||||
{
|
{
|
||||||
if (!is_null($this->homepage)
|
if (!is_null($this->homepage)
|
||||||
&& (strlen($this->homepage) > 0)
|
&& (strlen($this->homepage) > 0)
|
||||||
&& !Validate::uri(
|
&& !common_valid_http_url($this->homepage)) {
|
||||||
$this->homepage,
|
|
||||||
array('allowed_schemes' => array('http', 'https')
|
|
||||||
)
|
|
||||||
)
|
|
||||||
) {
|
|
||||||
throw new ApiValidationException(
|
throw new ApiValidationException(
|
||||||
// TRANS: API validation exception thrown when homepage URL does not validate.
|
// TRANS: API validation exception thrown when homepage URL does not validate.
|
||||||
_('Homepage is not a valid URL.')
|
_('Homepage is not a valid URL.')
|
||||||
|
|
|
@ -146,7 +146,7 @@ class ApiOAuthRequestTokenAction extends ApiOAuthAction
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
} else {
|
} else {
|
||||||
return Validate::uri($callback);
|
return common_valid_http_url($callback);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
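Review bot: The `else` branch now refuses any non-http(s) callback, which is stricter than the old `Validate::uri($callback)` call that had no scheme list; that tightening is worth a sentence in the commit message since previously accepted callbacks are now rejected. What the check still does not do is compare `$callback` with the callback registered for the consumer application, so unless the enclosing function (its start is outside this hunk) or a caller does that elsewhere, any well-formed http(s) host remains an acceptable redirect target. A comment such as `// Syntactic check only; not matched against the application's registered callback here` would make the scope of this branch explicit.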
@ -210,9 +210,7 @@ class EditApplicationAction extends Action
|
||||||
$this->showForm(_('Source URL is too long.'));
|
$this->showForm(_('Source URL is too long.'));
|
||||||
return;
|
return;
|
||||||
} elseif ((mb_strlen($source_url) > 0)
|
} elseif ((mb_strlen($source_url) > 0)
|
||||||
&& !Validate::uri($source_url,
|
&& !common_valid_http_url($source_url)) {
|
||||||
array('allowed_schemes' => array('http', 'https'))))
|
|
||||||
{
|
|
||||||
// TRANS: Validation error shown when providing an invalid source URL in the "Edit application" form.
|
// TRANS: Validation error shown when providing an invalid source URL in the "Edit application" form.
|
||||||
$this->showForm(_('Source URL is not valid.'));
|
$this->showForm(_('Source URL is not valid.'));
|
||||||
return;
|
return;
|
||||||
|
@ -229,9 +227,7 @@ class EditApplicationAction extends Action
|
||||||
$this->showForm(_('Organization homepage is required.'));
|
$this->showForm(_('Organization homepage is required.'));
|
||||||
return;
|
return;
|
||||||
} elseif ((mb_strlen($homepage) > 0)
|
} elseif ((mb_strlen($homepage) > 0)
|
||||||
&& !Validate::uri($homepage,
|
&& !common_valid_http_url($homepage)) {
|
||||||
array('allowed_schemes' => array('http', 'https'))))
|
|
||||||
{
|
|
||||||
// TRANS: Validation error shown when providing an invalid homepage URL in the "Edit application" form.
|
// TRANS: Validation error shown when providing an invalid homepage URL in the "Edit application" form.
|
||||||
$this->showForm(_('Homepage is not a valid URL.'));
|
$this->showForm(_('Homepage is not a valid URL.'));
|
||||||
return;
|
return;
|
||||||
|
@ -240,10 +236,7 @@ class EditApplicationAction extends Action
|
||||||
$this->showForm(_('Callback is too long.'));
|
$this->showForm(_('Callback is too long.'));
|
||||||
return;
|
return;
|
||||||
} elseif (mb_strlen($callback_url) > 0
|
} elseif (mb_strlen($callback_url) > 0
|
||||||
&& !Validate::uri($source_url,
|
&& !common_valid_http_url($callback_url)) {
|
||||||
array('allowed_schemes' => array('http', 'https'))
|
|
||||||
))
|
|
||||||
{
|
|
||||||
// TRANS: Validation error shown when providing an invalid callback URL in the "Edit application" form.
|
// TRANS: Validation error shown when providing an invalid callback URL in the "Edit application" form.
|
||||||
$this->showForm(_('Callback URL is not valid.'));
|
$this->showForm(_('Callback URL is not valid.'));
|
||||||
return;
|
return;
|
||||||
|
|
|
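Review bot: Because the old condition validated `$source_url` where `$callback_url` was intended, callback URLs saved through this form before the fix were never scheme-checked; the corrected line only guards writes from now on, and any stored callback with a non-http(s) scheme stays in place until that application is edited again. If the stored callback is used as a redirect target elsewhere, consider re-validating it at use time or a one-off scan of existing rows. A short comment on the new line, `// validate the callback itself (the old code checked $source_url by mistake)`, records why this line changed.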
@ -198,9 +198,7 @@ class EditgroupAction extends GroupAction
|
||||||
$this->showForm(_('Not a valid nickname.'));
|
$this->showForm(_('Not a valid nickname.'));
|
||||||
return;
|
return;
|
||||||
} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
|
} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
|
||||||
!Validate::uri($homepage,
|
!common_valid_http_url($homepage)) {
|
||||||
array('allowed_schemes' =>
|
|
||||||
array('http', 'https')))) {
|
|
||||||
// TRANS: Group edit form validation error.
|
// TRANS: Group edit form validation error.
|
||||||
$this->showForm(_('Homepage is not a valid URL.'));
|
$this->showForm(_('Homepage is not a valid URL.'));
|
||||||
return;
|
return;
|
||||||
|
|
|
@ -155,18 +155,14 @@ class LicenseadminpanelAction extends AdminPanelAction
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
// make sure the license URL and license image URL are valid URLs
|
|
||||||
|
|
||||||
$options = array('allowed_schemes' => array('http', 'https'));
|
|
||||||
|
|
||||||
// URLs should be set for cc license
|
// URLs should be set for cc license
|
||||||
|
|
||||||
if ($values['license']['type'] == 'cc') {
|
if ($values['license']['type'] == 'cc') {
|
||||||
if (!Validate::uri($values['license']['url'], $options)) {
|
if (!common_valid_http_url($values['license']['url'])) {
|
||||||
// TRANS: Client error displayed specifying an invalid license URL in the license admin panel.
|
// TRANS: Client error displayed specifying an invalid license URL in the license admin panel.
|
||||||
$this->clientError(_('Invalid license URL.'));
|
$this->clientError(_('Invalid license URL.'));
|
||||||
}
|
}
|
||||||
if (!Validate::uri($values['license']['image'], $options)) {
|
if (!common_valid_http_url($values['license']['image'])) {
|
||||||
// TRANS: Client error displayed specifying an invalid license image URL in the license admin panel.
|
// TRANS: Client error displayed specifying an invalid license image URL in the license admin panel.
|
||||||
$this->clientError(_('Invalid license image URL.'));
|
$this->clientError(_('Invalid license image URL.'));
|
||||||
}
|
}
|
||||||
|
@ -175,7 +171,7 @@ class LicenseadminpanelAction extends AdminPanelAction
|
||||||
// can be either blank or a valid URL for private & allrightsreserved
|
// can be either blank or a valid URL for private & allrightsreserved
|
||||||
|
|
||||||
if (!empty($values['license']['url'])) {
|
if (!empty($values['license']['url'])) {
|
||||||
if (!Validate::uri($values['license']['url'], $options)) {
|
if (!common_valid_http_url($values['license']['url'])) {
|
||||||
// TRANS: Client error displayed specifying an invalid license URL in the license admin panel.
|
// TRANS: Client error displayed specifying an invalid license URL in the license admin panel.
|
||||||
$this->clientError(_('License URL must be blank or a valid URL.'));
|
$this->clientError(_('License URL must be blank or a valid URL.'));
|
||||||
}
|
}
|
||||||
|
@ -184,7 +180,7 @@ class LicenseadminpanelAction extends AdminPanelAction
|
||||||
// can be either blank or a valid URL for private & allrightsreserved
|
// can be either blank or a valid URL for private & allrightsreserved
|
||||||
|
|
||||||
if (!empty($values['license']['image'])) {
|
if (!empty($values['license']['image'])) {
|
||||||
if (!Validate::uri($values['license']['image'], $options)) {
|
if (!common_valid_http_url($values['license']['image'])) {
|
||||||
// TRANS: Client error displayed specifying an invalid license image URL in the license admin panel.
|
// TRANS: Client error displayed specifying an invalid license image URL in the license admin panel.
|
||||||
$this->clientError(_('License image must be blank or valid URL.'));
|
$this->clientError(_('License image must be blank or valid URL.'));
|
||||||
}
|
}
|
||||||
|
|
|
@ -122,12 +122,7 @@ class NewApplicationAction extends FormAction
|
||||||
} elseif (empty($source_url)) {
|
} elseif (empty($source_url)) {
|
||||||
// TRANS: Validation error shown when not providing a source URL in the "New application" form.
|
// TRANS: Validation error shown when not providing a source URL in the "New application" form.
|
||||||
$this->clientError(_('Source URL is required.'));
|
$this->clientError(_('Source URL is required.'));
|
||||||
} elseif ((strlen($source_url) > 0)
|
} elseif ((strlen($source_url) > 0) && !common_valid_http_url($source_url)) {
|
||||||
&& !Validate::uri(
|
|
||||||
$source_url,
|
|
||||||
array('allowed_schemes' => array('http', 'https'))
|
|
||||||
)
|
|
||||||
) {
|
|
||||||
// TRANS: Validation error shown when providing an invalid source URL in the "New application" form.
|
// TRANS: Validation error shown when providing an invalid source URL in the "New application" form.
|
||||||
$this->clientError(_('Source URL is not valid.'));
|
$this->clientError(_('Source URL is not valid.'));
|
||||||
} elseif (empty($organization)) {
|
} elseif (empty($organization)) {
|
||||||
|
@ -139,23 +134,13 @@ class NewApplicationAction extends FormAction
|
||||||
} elseif (empty($homepage)) {
|
} elseif (empty($homepage)) {
|
||||||
// TRANS: Form validation error show when an organisation name has not been provided in the new application form.
|
// TRANS: Form validation error show when an organisation name has not been provided in the new application form.
|
||||||
$this->clientError(_('Organization homepage is required.'));
|
$this->clientError(_('Organization homepage is required.'));
|
||||||
} elseif ((strlen($homepage) > 0)
|
} elseif ((strlen($homepage) > 0) && !common_valid_http_url($homepage)) {
|
||||||
&& !Validate::uri(
|
|
||||||
$homepage,
|
|
||||||
array('allowed_schemes' => array('http', 'https'))
|
|
||||||
)
|
|
||||||
) {
|
|
||||||
// TRANS: Validation error shown when providing an invalid homepage URL in the "New application" form.
|
// TRANS: Validation error shown when providing an invalid homepage URL in the "New application" form.
|
||||||
$this->clientError(_('Homepage is not a valid URL.'));
|
$this->clientError(_('Homepage is not a valid URL.'));
|
||||||
} elseif (mb_strlen($callback_url) > 255) {
|
} elseif (mb_strlen($callback_url) > 255) {
|
||||||
// TRANS: Validation error shown when providing too long a callback URL in the "New application" form.
|
// TRANS: Validation error shown when providing too long a callback URL in the "New application" form.
|
||||||
$this->clientError(_('Callback is too long.'));
|
$this->clientError(_('Callback is too long.'));
|
||||||
} elseif (strlen($callback_url) > 0
|
} elseif (strlen($callback_url) > 0 && !common_valid_http_url($callback_url)) {
|
||||||
&& !Validate::uri(
|
|
||||||
$source_url,
|
|
||||||
array('allowed_schemes' => array('http', 'https'))
|
|
||||||
)
|
|
||||||
) {
|
|
||||||
// TRANS: Validation error shown when providing an invalid callback URL in the "New application" form.
|
// TRANS: Validation error shown when providing an invalid callback URL in the "New application" form.
|
||||||
$this->clientError(_('Callback URL is not valid.'));
|
$this->clientError(_('Callback URL is not valid.'));
|
||||||
}
|
}
|
||||||
|
|
|
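Review bot: The `(strlen($homepage) > 0)` guard on the new homepage line is redundant: the preceding `elseif (empty($homepage))` branch already handles the empty case, so the line can simply read `} elseif (!common_valid_http_url($homepage)) {`. The callback branch is different, since `$callback_url` is optional and its `strlen(...) > 0` guard is needed; note also that this is the first time the callback is actually validated (the old code checked `$source_url`), so applications created before this change may hold callbacks that were never scheme-checked. The mixed use of `mb_strlen` for the 255 limit and `strlen` for the non-empty test is harmless but inconsistent.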
@ -102,9 +102,7 @@ class NewgroupAction extends FormAction
|
||||||
// TRANS: Group create form validation error.
|
// TRANS: Group create form validation error.
|
||||||
throw new ClientException(_('Not a valid nickname.'));
|
throw new ClientException(_('Not a valid nickname.'));
|
||||||
} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
|
} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
|
||||||
!Validate::uri($homepage,
|
!common_valid_http_url($homepage)) {
|
||||||
array('allowed_schemes' =>
|
|
||||||
array('http', 'https')))) {
|
|
||||||
// TRANS: Group create form validation error.
|
// TRANS: Group create form validation error.
|
||||||
throw new ClientException(_('Homepage is not a valid URL.'));
|
throw new ClientException(_('Homepage is not a valid URL.'));
|
||||||
} else if (!is_null($fullname) && mb_strlen($fullname) > 255) {
|
} else if (!is_null($fullname) && mb_strlen($fullname) > 255) {
|
||||||
|
|
|
@ -263,7 +263,7 @@ class ProfilesettingsAction extends SettingsAction
|
||||||
$this->showForm(_('Not a valid nickname.'));
|
$this->showForm(_('Not a valid nickname.'));
|
||||||
return;
|
return;
|
||||||
} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
|
} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
|
||||||
!Validate::uri($homepage, array('allowed_schemes' => array('http', 'https')))) {
|
!common_valid_http_url($homepage)) {
|
||||||
// TRANS: Validation error in form for profile settings.
|
// TRANS: Validation error in form for profile settings.
|
||||||
$this->showForm(_('Homepage is not a valid URL.'));
|
$this->showForm(_('Homepage is not a valid URL.'));
|
||||||
return;
|
return;
|
||||||
|
|
|
@ -215,9 +215,7 @@ class RegisterAction extends Action
|
||||||
// TRANS: Form validation error displayed when trying to register with an already registered e-mail address.
|
// TRANS: Form validation error displayed when trying to register with an already registered e-mail address.
|
||||||
$this->showForm(_('Email address already exists.'));
|
$this->showForm(_('Email address already exists.'));
|
||||||
} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
|
} else if (!is_null($homepage) && (strlen($homepage) > 0) &&
|
||||||
!Validate::uri($homepage,
|
!common_valid_http_url($homepage)) {
|
||||||
array('allowed_schemes' =>
|
|
||||||
array('http', 'https')))) {
|
|
||||||
// TRANS: Form validation error displayed when trying to register with an invalid homepage URL.
|
// TRANS: Form validation error displayed when trying to register with an invalid homepage URL.
|
||||||
$this->showForm(_('Homepage is not a valid URL.'));
|
$this->showForm(_('Homepage is not a valid URL.'));
|
||||||
return;
|
return;
|
||||||
|
|
|
@ -156,13 +156,13 @@ class SiteadminpanelAction extends AdminPanelAction
|
||||||
|
|
||||||
// Validate logos
|
// Validate logos
|
||||||
if (!empty($values['site']['logo']) &&
|
if (!empty($values['site']['logo']) &&
|
||||||
!Validate::uri($values['site']['logo'], array('allowed_schemes' => array('http', 'https')))) {
|
!common_valid_http_url($values['site']['logo'])) {
|
||||||
// TRANS: Client error displayed when a logo URL is not valid.
|
// TRANS: Client error displayed when a logo URL is not valid.
|
||||||
$this->clientError(_('Invalid logo URL.'));
|
$this->clientError(_('Invalid logo URL.'));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!empty($values['site']['ssllogo']) &&
|
if (!empty($values['site']['ssllogo']) &&
|
||||||
!Validate::uri($values['site']['ssllogo'], array('allowed_schemes' => array('https')))) {
|
!common_valid_http_url($values['site']['ssllogo'], true)) {
|
||||||
// TRANS: Client error displayed when a SSL logo URL is invalid.
|
// TRANS: Client error displayed when a SSL logo URL is invalid.
|
||||||
$this->clientError(_('Invalid SSL logo URL.'));
|
$this->clientError(_('Invalid SSL logo URL.'));
|
||||||
}
|
}
|
||||||
|
|
|
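Review bot: The bare `true` passed on the ssllogo line is the helper's `$secure` flag, which is not obvious at the call site and is the only place in this commit that uses it; a trailing comment such as `// https only` or a local `$httpsOnly = true;` passed in its place would spare the reader a trip to util.php. Otherwise both logo checks preserve the old scheme lists exactly (http/https for the logo, https alone for the SSL logo).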
@ -135,11 +135,7 @@ class SnapshotadminpanelAction extends AdminPanelAction
|
||||||
// Validate report URL
|
// Validate report URL
|
||||||
|
|
||||||
if (!is_null($values['snapshot']['reporturl'])
|
if (!is_null($values['snapshot']['reporturl'])
|
||||||
&& !Validate::uri(
|
&& !common_valid_http_url($values['snapshot']['reporturl'])) {
|
||||||
$values['snapshot']['reporturl'],
|
|
||||||
array('allowed_schemes' => array('http', 'https')
|
|
||||||
)
|
|
||||||
)) {
|
|
||||||
// TRANS: Client error displayed on admin panel for snapshots when providing an invalid report URL.
|
// TRANS: Client error displayed on admin panel for snapshots when providing an invalid report URL.
|
||||||
$this->clientError(_('Invalid snapshot report URL.'));
|
$this->clientError(_('Invalid snapshot report URL.'));
|
||||||
}
|
}
|
||||||
|
|
|
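Review bot: The guard `!is_null(...) && !common_valid_http_url(...)` rejects an empty string, so if this value arrives as ordinary form data an admin who clears the report URL field posts `''`, not `null`, and will hit `Invalid snapshot report URL.` instead of being able to blank the setting; the license admin panel in this same commit uses `!empty(...)` for the equivalent optional fields. If blank is meant to be allowed, the condition should be `if (!empty($values['snapshot']['reporturl']) && !common_valid_http_url($values['snapshot']['reporturl'])) {`. If the field is mandatory, a comment saying so would explain the asymmetry.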
@ -1720,9 +1720,13 @@ function common_log_objstring(&$object)
|
||||||
return $objstring;
|
return $objstring;
|
||||||
}
|
}
|
||||||
|
|
||||||
function common_valid_http_url($url)
|
function common_valid_http_url($url, $secure=false)
|
||||||
{
|
{
|
||||||
return Validate::uri($url, array('allowed_schemes' => array('http', 'https')));
|
// If $secure is true, only allow https URLs to pass
|
||||||
|
// (if false, we use '?' in 'https?' to say the 's' is optional)
|
||||||
|
$regex = $secure ? '/^https$/' : '/^https?$/';
|
||||||
|
return filter_var($url, FILTER_VALIDATE_URL)
|
||||||
|
&& preg_match($regex, parse_url($url, PHP_URL_SCHEME));
|
||||||
}
|
}
|
||||||
|
|
||||||
function common_valid_tag($tag)
|
function common_valid_tag($tag)
|
||||||
|
|
|
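Review bot: The scheme test on the `preg_match($regex, parse_url(...))` line is case-sensitive while `FILTER_VALIDATE_URL` is not, so `HTTPS://example.org/` passes `filter_var` but is then rejected because `parse_url` returns the scheme verbatim; either add the `i` modifier or normalise first, e.g. `$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));` followed by `return filter_var($url, FILTER_VALIDATE_URL) !== false && in_array($scheme, $secure ? array('https') : array('http', 'https'), true);`. The helper also deserves a docblock stating that it is a syntactic check only: `FILTER_VALIDATE_URL` accepts loopback, private-range and userinfo-bearing URLs, so callers that go on to fetch the URL still need their own host checks. Something like `/** Is $url a syntactically valid http(s) URL? With $secure=true only https passes. Does not check reachability or that the host is not internal. */` keeps that caveat next to the code.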
@ -74,7 +74,7 @@ class BookmarkforurlAction extends Action
|
||||||
throw new ClientException(_('URL is required.'), 400);
|
throw new ClientException(_('URL is required.'), 400);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!Validate::uri($this->url, array('allowed_schemes' => array('http', 'https')))) {
|
if (!common_valid_http_url($this->url)) {
|
||||||
throw new ClientException(_('Invalid URL.'), 400);
|
throw new ClientException(_('Invalid URL.'), 400);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
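Review bot: As at the other call sites, the new check on the `Invalid URL.` line is purely syntactic; since this action is presumably about to fetch `$this->url` to build the bookmark (the fetch itself is outside the hunk), a loopback or private-range host still passes and should be rejected before any outbound request is made. A one-line comment, `// Syntax only; caller must still guard against internal hosts before fetching`, would make the gap visible where the fetch is added or maintained.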
@ -267,10 +267,7 @@ class ProfileDetailSettingsAction extends ProfileSettingsAction
|
||||||
$this->removeAll($user, 'website');
|
$this->removeAll($user, 'website');
|
||||||
$i = 0;
|
$i = 0;
|
||||||
foreach($sites as $site) {
|
foreach($sites as $site) {
|
||||||
if (!empty($site['value']) && !Validate::uri(
|
if (!empty($site['value']) && !common_valid_http_url($site['value'])) {
|
||||||
$site['value'],
|
|
||||||
array('allowed_schemes' => array('http', 'https')))
|
|
||||||
) {
|
|
||||||
// TRANS: Exception thrown when entering an invalid URL.
|
// TRANS: Exception thrown when entering an invalid URL.
|
||||||
// TRANS: %s is the invalid URL.
|
// TRANS: %s is the invalid URL.
|
||||||
throw new Exception(sprintf(_m('Invalid URL: %s.'), $site['value']));
|
throw new Exception(sprintf(_m('Invalid URL: %s.'), $site['value']));
|
||||||
|
|
|
@ -1323,7 +1323,7 @@ class Ostatus_profile extends Managed_DataObject
|
||||||
}
|
}
|
||||||
if ($url) {
|
if ($url) {
|
||||||
$opts = array('allowed_schemes' => array('http', 'https'));
|
$opts = array('allowed_schemes' => array('http', 'https'));
|
||||||
if (Validate::uri($url, $opts)) {
|
if (common_valid_http_url($url)) {
|
||||||
return $url;
|
return $url;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
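Review bot: `$opts` on the line above the new call is now dead: `common_valid_http_url($url)` no longer takes the options array, so the `$opts = array('allowed_schemes' => array('http', 'https'));` assignment should go with it, as the commit already did for `$options` in the license admin panel. Leaving it suggests the scheme list is still configurable here when it is not.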
@ -1615,7 +1615,7 @@ class Ostatus_profile extends Managed_DataObject
|
||||||
$profile->profileurl = $object->link;
|
$profile->profileurl = $object->link;
|
||||||
} else if (array_key_exists('profileurl', $hints)) {
|
} else if (array_key_exists('profileurl', $hints)) {
|
||||||
$profile->profileurl = $hints['profileurl'];
|
$profile->profileurl = $hints['profileurl'];
|
||||||
} else if (Validate::uri($object->id, array('allowed_schemes' => array('http', 'https')))) {
|
} else if (common_valid_http_url($object->id)) {
|
||||||
$profile->profileurl = $object->id;
|
$profile->profileurl = $object->id;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|