wamo/gnu-social
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Validate::uri replaced with filter_var for HTTP[S] URL checks

Browse Source 
Also, a bug in checking the OAuth callback URL for validity was fixed,
where it referenced the wrong variable when going through form data.
This commit is contained in:
Mikael Nordfeldth 2013-10-07 14:46:09 +02:00
parent 2c0790be54
commit 8912cdc7a4
18 changed files with 57 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
actions/apiaccountregister.php
View File

@ -152,9 +152,7 @@ class ApiAccountRegisterAction extends ApiAction
// TRANS: Form validation error displayed when trying to register with an already registered e-mail address. // TRANS: Form validation error displayed when trying to register with an already registered e-mail address.
$this->clientError(_('Email address already exists.'),404,'json'); $this->clientError(_('Email address already exists.'),404,'json');
} else if (!is_null($homepage) && (strlen($homepage) > 0) && } else if (!is_null($homepage) && (strlen($homepage) > 0) &&
!Validate::uri($homepage, !common_valid_http_url($homepage)) {
array('allowed_schemes' =>
array('http', 'https')))) {
// TRANS: Form validation error displayed when trying to register with an invalid homepage URL. // TRANS: Form validation error displayed when trying to register with an invalid homepage URL.
$this->clientError(_('Homepage is not a valid URL.'),404,'json'); $this->clientError(_('Homepage is not a valid URL.'),404,'json');
return; return;

21
actions/apicheckhub.php
View File

@ -45,23 +45,18 @@ class ApiCheckHubAction extends ApiAuthAction
{ {
parent::prepare($args); parent::prepare($args);
$this->url = urldecode($args['url']); $this->url = urldecode($args['url']);
if (!$this->url) { if (empty($this->url)) {
$this->clientError(_('No URL.'), 403, 'json'); $this->clientError(_('No URL.'), 403, 'json');
return; return;
} }
if (!Validate::uri( if (!common_valid_http_url($this->url)) {
$this->url, array(
'allowed_schemes' =>
array('http', 'https')
)
)) {
$this->clientError(_('Invalid URL.'), 403, 'json'); $this->clientError(_('Invalid URL.'), 403, 'json');
return; return;
} }
return true; return true;
} }

12
actions/apigroupcreate.php
View File

@ -165,15 +165,9 @@ class ApiGroupCreateAction extends ApiAuthAction
); );
return false; return false;
} elseif ( } elseif (!is_null($this->homepage)
!is_null($this->homepage) && strlen($this->homepage) > 0
&& strlen($this->homepage) > 0 && !common_valid_http_url($this->homepage)) {
&& !Validate::uri(
$this->homepage, array(
'allowed_schemes' =>
array('http', 'https')
)
)) {
$this->clientError( $this->clientError(
// TRANS: Client error in form for group creation. // TRANS: Client error in form for group creation.
_('Homepage is not a valid URL.'), _('Homepage is not a valid URL.'),

9
actions/apigroupprofileupdate.php
View File

@ -267,13 +267,8 @@ class ApiGroupProfileUpdateAction extends ApiAuthAction
function validateHomepage() function validateHomepage()
{ {
if (!is_null($this->homepage) if (!is_null($this->homepage)
&& (strlen($this->homepage) > 0) && (strlen($this->homepage) > 0)
&& !Validate::uri( && !common_valid_http_url($this->homepage)) {
$this->homepage,
array('allowed_schemes' => array('http', 'https')
)
)
) {
throw new ApiValidationException( throw new ApiValidationException(
// TRANS: API validation exception thrown when homepage URL does not validate. // TRANS: API validation exception thrown when homepage URL does not validate.
_('Homepage is not a valid URL.') _('Homepage is not a valid URL.')

2
actions/apioauthrequesttoken.php
View File

@ -146,7 +146,7 @@ class ApiOAuthRequestTokenAction extends ApiOAuthAction
return true; return true;
} else { } else {
return Validate::uri($callback); return common_valid_http_url($callback);
} }
} }
} }

43
actions/editapplication.php
View File

@ -210,12 +210,10 @@ class EditApplicationAction extends Action
$this->showForm(_('Source URL is too long.')); $this->showForm(_('Source URL is too long.'));
return; return;
} elseif ((mb_strlen($source_url) > 0) } elseif ((mb_strlen($source_url) > 0)
&& !Validate::uri($source_url, && !common_valid_http_url($source_url)) {
array('allowed_schemes' => array('http', 'https')))) // TRANS: Validation error shown when providing an invalid source URL in the "Edit application" form.
{ $this->showForm(_('Source URL is not valid.'));
// TRANS: Validation error shown when providing an invalid source URL in the "Edit application" form. return;
$this->showForm(_('Source URL is not valid.'));
return;
} elseif (empty($organization)) { } elseif (empty($organization)) {
// TRANS: Validation error shown when not providing an organisation in the "Edit application" form. // TRANS: Validation error shown when not providing an organisation in the "Edit application" form.
$this->showForm(_('Organization is required.')); $this->showForm(_('Organization is required.'));
@ -229,25 +227,20 @@ class EditApplicationAction extends Action
$this->showForm(_('Organization homepage is required.')); $this->showForm(_('Organization homepage is required.'));
return; return;
} elseif ((mb_strlen($homepage) > 0) } elseif ((mb_strlen($homepage) > 0)
&& !Validate::uri($homepage, && !common_valid_http_url($homepage)) {
array('allowed_schemes' => array('http', 'https')))) // TRANS: Validation error shown when providing an invalid homepage URL in the "Edit application" form.
{ $this->showForm(_('Homepage is not a valid URL.'));
// TRANS: Validation error shown when providing an invalid homepage URL in the "Edit application" form. return;
$this->showForm(_('Homepage is not a valid URL.')); } elseif (mb_strlen($callback_url) > 255) {
return; // TRANS: Validation error shown when providing too long a callback URL in the "Edit application" form.
} elseif (mb_strlen($callback_url) > 255) { $this->showForm(_('Callback is too long.'));
// TRANS: Validation error shown when providing too long a callback URL in the "Edit application" form. return;
$this->showForm(_('Callback is too long.')); } elseif (mb_strlen($callback_url) > 0
return; && !common_valid_http_url($callback_url)) {
} elseif (mb_strlen($callback_url) > 0 // TRANS: Validation error shown when providing an invalid callback URL in the "Edit application" form.
&& !Validate::uri($source_url, $this->showForm(_('Callback URL is not valid.'));
array('allowed_schemes' => array('http', 'https')) return;
)) }
{
// TRANS: Validation error shown when providing an invalid callback URL in the "Edit application" form.
$this->showForm(_('Callback URL is not valid.'));
return;
}
$cur = common_current_user(); $cur = common_current_user();

4
actions/editgroup.php
View File

@ -198,9 +198,7 @@ class EditgroupAction extends GroupAction
$this->showForm(_('Not a valid nickname.')); $this->showForm(_('Not a valid nickname.'));
return; return;
} else if (!is_null($homepage) && (strlen($homepage) > 0) && } else if (!is_null($homepage) && (strlen($homepage) > 0) &&
!Validate::uri($homepage, !common_valid_http_url($homepage)) {
array('allowed_schemes' =>
array('http', 'https')))) {
// TRANS: Group edit form validation error. // TRANS: Group edit form validation error.
$this->showForm(_('Homepage is not a valid URL.')); $this->showForm(_('Homepage is not a valid URL.'));
return; return;

12
actions/licenseadminpanel.php
View File

@ -155,18 +155,14 @@ class LicenseadminpanelAction extends AdminPanelAction
); );
} }
// make sure the license URL and license image URL are valid URLs
$options = array('allowed_schemes' => array('http', 'https'));
// URLs should be set for cc license // URLs should be set for cc license
if ($values['license']['type'] == 'cc') { if ($values['license']['type'] == 'cc') {
if (!Validate::uri($values['license']['url'], $options)) { if (!common_valid_http_url($values['license']['url'])) {
// TRANS: Client error displayed specifying an invalid license URL in the license admin panel. // TRANS: Client error displayed specifying an invalid license URL in the license admin panel.
$this->clientError(_('Invalid license URL.')); $this->clientError(_('Invalid license URL.'));
} }
if (!Validate::uri($values['license']['image'], $options)) { if (!common_valid_http_url($values['license']['image'])) {
// TRANS: Client error displayed specifying an invalid license image URL in the license admin panel. // TRANS: Client error displayed specifying an invalid license image URL in the license admin panel.
$this->clientError(_('Invalid license image URL.')); $this->clientError(_('Invalid license image URL.'));
} }
@ -175,7 +171,7 @@ class LicenseadminpanelAction extends AdminPanelAction
// can be either blank or a valid URL for private & allrightsreserved // can be either blank or a valid URL for private & allrightsreserved
if (!empty($values['license']['url'])) { if (!empty($values['license']['url'])) {
if (!Validate::uri($values['license']['url'], $options)) { if (!common_valid_http_url($values['license']['url'])) {
// TRANS: Client error displayed specifying an invalid license URL in the license admin panel. // TRANS: Client error displayed specifying an invalid license URL in the license admin panel.
$this->clientError(_('License URL must be blank or a valid URL.')); $this->clientError(_('License URL must be blank or a valid URL.'));
} }
@ -184,7 +180,7 @@ class LicenseadminpanelAction extends AdminPanelAction
// can be either blank or a valid URL for private & allrightsreserved // can be either blank or a valid URL for private & allrightsreserved
if (!empty($values['license']['image'])) { if (!empty($values['license']['image'])) {
if (!Validate::uri($values['license']['image'], $options)) { if (!common_valid_http_url($values['license']['image'])) {
// TRANS: Client error displayed specifying an invalid license image URL in the license admin panel. // TRANS: Client error displayed specifying an invalid license image URL in the license admin panel.
$this->clientError(_('License image must be blank or valid URL.')); $this->clientError(_('License image must be blank or valid URL.'));
} }

21
actions/newapplication.php
View File

@ -122,12 +122,7 @@ class NewApplicationAction extends FormAction
} elseif (empty($source_url)) { } elseif (empty($source_url)) {
// TRANS: Validation error shown when not providing a source URL in the "New application" form. // TRANS: Validation error shown when not providing a source URL in the "New application" form.
$this->clientError(_('Source URL is required.')); $this->clientError(_('Source URL is required.'));
} elseif ((strlen($source_url) > 0) } elseif ((strlen($source_url) > 0) && !common_valid_http_url($source_url)) {
&& !Validate::uri(
$source_url,
array('allowed_schemes' => array('http', 'https'))
)
) {
// TRANS: Validation error shown when providing an invalid source URL in the "New application" form. // TRANS: Validation error shown when providing an invalid source URL in the "New application" form.
$this->clientError(_('Source URL is not valid.')); $this->clientError(_('Source URL is not valid.'));
} elseif (empty($organization)) { } elseif (empty($organization)) {
@ -139,23 +134,13 @@ class NewApplicationAction extends FormAction
} elseif (empty($homepage)) { } elseif (empty($homepage)) {
// TRANS: Form validation error show when an organisation name has not been provided in the new application form. // TRANS: Form validation error show when an organisation name has not been provided in the new application form.
$this->clientError(_('Organization homepage is required.')); $this->clientError(_('Organization homepage is required.'));
} elseif ((strlen($homepage) > 0) } elseif ((strlen($homepage) > 0) && !common_valid_http_url($homepage)) {
&& !Validate::uri(
$homepage,
array('allowed_schemes' => array('http', 'https'))
)
) {
// TRANS: Validation error shown when providing an invalid homepage URL in the "New application" form. // TRANS: Validation error shown when providing an invalid homepage URL in the "New application" form.
$this->clientError(_('Homepage is not a valid URL.')); $this->clientError(_('Homepage is not a valid URL.'));
} elseif (mb_strlen($callback_url) > 255) { } elseif (mb_strlen($callback_url) > 255) {
// TRANS: Validation error shown when providing too long a callback URL in the "New application" form. // TRANS: Validation error shown when providing too long a callback URL in the "New application" form.
$this->clientError(_('Callback is too long.')); $this->clientError(_('Callback is too long.'));
} elseif (strlen($callback_url) > 0 } elseif (strlen($callback_url) > 0 && !common_valid_http_url($callback_url)) {
&& !Validate::uri(
$source_url,
array('allowed_schemes' => array('http', 'https'))
)
) {
// TRANS: Validation error shown when providing an invalid callback URL in the "New application" form. // TRANS: Validation error shown when providing an invalid callback URL in the "New application" form.
$this->clientError(_('Callback URL is not valid.')); $this->clientError(_('Callback URL is not valid.'));
} }

4
actions/newgroup.php
View File

@ -102,9 +102,7 @@ class NewgroupAction extends FormAction
// TRANS: Group create form validation error. // TRANS: Group create form validation error.
throw new ClientException(_('Not a valid nickname.')); throw new ClientException(_('Not a valid nickname.'));
} else if (!is_null($homepage) && (strlen($homepage) > 0) && } else if (!is_null($homepage) && (strlen($homepage) > 0) &&
!Validate::uri($homepage, !common_valid_http_url($homepage)) {
array('allowed_schemes' =>
array('http', 'https')))) {
// TRANS: Group create form validation error. // TRANS: Group create form validation error.
throw new ClientException(_('Homepage is not a valid URL.')); throw new ClientException(_('Homepage is not a valid URL.'));
} else if (!is_null($fullname) && mb_strlen($fullname) > 255) { } else if (!is_null($fullname) && mb_strlen($fullname) > 255) {

2
actions/profilesettings.php
View File

@ -263,7 +263,7 @@ class ProfilesettingsAction extends SettingsAction
$this->showForm(_('Not a valid nickname.')); $this->showForm(_('Not a valid nickname.'));
return; return;
} else if (!is_null($homepage) && (strlen($homepage) > 0) && } else if (!is_null($homepage) && (strlen($homepage) > 0) &&
!Validate::uri($homepage, array('allowed_schemes' => array('http', 'https')))) { !common_valid_http_url($homepage)) {
// TRANS: Validation error in form for profile settings. // TRANS: Validation error in form for profile settings.
$this->showForm(_('Homepage is not a valid URL.')); $this->showForm(_('Homepage is not a valid URL.'));
return; return;

4
actions/register.php
View File

@ -215,9 +215,7 @@ class RegisterAction extends Action
// TRANS: Form validation error displayed when trying to register with an already registered e-mail address. // TRANS: Form validation error displayed when trying to register with an already registered e-mail address.
$this->showForm(_('Email address already exists.')); $this->showForm(_('Email address already exists.'));
} else if (!is_null($homepage) && (strlen($homepage) > 0) && } else if (!is_null($homepage) && (strlen($homepage) > 0) &&
!Validate::uri($homepage, !common_valid_http_url($homepage)) {
array('allowed_schemes' =>
array('http', 'https')))) {
// TRANS: Form validation error displayed when trying to register with an invalid homepage URL. // TRANS: Form validation error displayed when trying to register with an invalid homepage URL.
$this->showForm(_('Homepage is not a valid URL.')); $this->showForm(_('Homepage is not a valid URL.'));
return; return;

4
actions/siteadminpanel.php
View File

@ -156,13 +156,13 @@ class SiteadminpanelAction extends AdminPanelAction
// Validate logos // Validate logos
if (!empty($values['site']['logo']) && if (!empty($values['site']['logo']) &&
!Validate::uri($values['site']['logo'], array('allowed_schemes' => array('http', 'https')))) { !common_valid_http_url($values['site']['logo'])) {
// TRANS: Client error displayed when a logo URL is not valid. // TRANS: Client error displayed when a logo URL is not valid.
$this->clientError(_('Invalid logo URL.')); $this->clientError(_('Invalid logo URL.'));
} }
if (!empty($values['site']['ssllogo']) && if (!empty($values['site']['ssllogo']) &&
!Validate::uri($values['site']['ssllogo'], array('allowed_schemes' => array('https')))) { !common_valid_http_url($values['site']['ssllogo'], true)) {
// TRANS: Client error displayed when a SSL logo URL is invalid. // TRANS: Client error displayed when a SSL logo URL is invalid.
$this->clientError(_('Invalid SSL logo URL.')); $this->clientError(_('Invalid SSL logo URL.'));
} }

6
actions/snapshotadminpanel.php
View File

@ -135,11 +135,7 @@ class SnapshotadminpanelAction extends AdminPanelAction
// Validate report URL // Validate report URL
if (!is_null($values['snapshot']['reporturl']) if (!is_null($values['snapshot']['reporturl'])
&& !Validate::uri( && !common_valid_http_url($values['snapshot']['reporturl'])) {
$values['snapshot']['reporturl'],
array('allowed_schemes' => array('http', 'https')
)
)) {
// TRANS: Client error displayed on admin panel for snapshots when providing an invalid report URL. // TRANS: Client error displayed on admin panel for snapshots when providing an invalid report URL.
$this->clientError(_('Invalid snapshot report URL.')); $this->clientError(_('Invalid snapshot report URL.'));
} }

8
lib/util.php
View File

@ -1720,9 +1720,13 @@ function common_log_objstring(&$object)
return $objstring; return $objstring;
} }
function common_valid_http_url($url) function common_valid_http_url($url, $secure=false)
{ {
return Validate::uri($url, array('allowed_schemes' => array('http', 'https'))); // If $secure is true, only allow https URLs to pass
// (if false, we use '?' in 'https?' to say the 's' is optional)
$regex = $secure ? '/^https$/' : '/^https?$/';
return filter_var($url, FILTER_VALIDATE_URL)
&& preg_match($regex, parse_url($url, PHP_URL_SCHEME));
} }
function common_valid_tag($tag) function common_valid_tag($tag)

2
plugins/Bookmark/actions/bookmarkforurl.php
View File

@ -74,7 +74,7 @@ class BookmarkforurlAction extends Action
throw new ClientException(_('URL is required.'), 400); throw new ClientException(_('URL is required.'), 400);
} }
if (!Validate::uri($this->url, array('allowed_schemes' => array('http', 'https')))) { if (!common_valid_http_url($this->url)) {
throw new ClientException(_('Invalid URL.'), 400); throw new ClientException(_('Invalid URL.'), 400);
} }

5
plugins/ExtendedProfile/actions/profiledetailsettings.php
View File

@ -267,10 +267,7 @@ class ProfileDetailSettingsAction extends ProfileSettingsAction
$this->removeAll($user, 'website'); $this->removeAll($user, 'website');
$i = 0; $i = 0;
foreach($sites as $site) { foreach($sites as $site) {
if (!empty($site['value']) && !Validate::uri( if (!empty($site['value']) && !common_valid_http_url($site['value'])) {
$site['value'],
array('allowed_schemes' => array('http', 'https')))
) {
// TRANS: Exception thrown when entering an invalid URL. // TRANS: Exception thrown when entering an invalid URL.
// TRANS: %s is the invalid URL. // TRANS: %s is the invalid URL.
throw new Exception(sprintf(_m('Invalid URL: %s.'), $site['value'])); throw new Exception(sprintf(_m('Invalid URL: %s.'), $site['value']));

4
plugins/OStatus/classes/Ostatus_profile.php
View File

@ -1323,7 +1323,7 @@ class Ostatus_profile extends Managed_DataObject
} }
if ($url) { if ($url) {
$opts = array('allowed_schemes' => array('http', 'https')); $opts = array('allowed_schemes' => array('http', 'https'));
if (Validate::uri($url, $opts)) { if (common_valid_http_url($url)) {
return $url; return $url;
} }
} }
@ -1615,7 +1615,7 @@ class Ostatus_profile extends Managed_DataObject
$profile->profileurl = $object->link; $profile->profileurl = $object->link;
} else if (array_key_exists('profileurl', $hints)) { } else if (array_key_exists('profileurl', $hints)) {
$profile->profileurl = $hints['profileurl']; $profile->profileurl = $hints['profileurl'];
} else if (Validate::uri($object->id, array('allowed_schemes' => array('http', 'https')))) { } else if (common_valid_http_url($object->id)) {
$profile->profileurl = $object->id; $profile->profileurl = $object->id;
} }