Test URLs against blacklist also on PuSH subscriptions.

2017-04-26 22:41:59 +02:00 · 2017-04-26 22:41:59 +02:00 · e1df763940
commit e1df763940
parent 839b3e7392
2 changed files with 14 additions and 4 deletions
--- a/plugins/Blacklist/BlacklistPlugin.php
+++ b/plugins/Blacklist/BlacklistPlugin.php
@ -249,6 +249,15 @@ class BlacklistPlugin extends Plugin
        return true;
    }

+    public function onUrlBlacklistTest($url)
+    {
+        common_debug('Checking URL against blacklist: '._ve($url));
+        if (!$this->_checkUrl($url)) {
+            throw new ClientException('Forbidden URL', 403);
+        }
+        return true;
+    }
+
    /**
     * Helper for checking nicknames
     *
--- a/plugins/OStatus/actions/pushhub.php
+++ b/plugins/OStatus/actions/pushhub.php
@ -199,7 +199,7 @@ class PushHubAction extends Action

    /**
     * Grab and validate a URL from POST parameters.
-     * @throws ClientException for malformed or non-http/https URLs
+     * @throws ClientException for malformed or non-http/https or blacklisted URLs
     */
    protected function argUrl($arg)
    {
@ -207,13 +207,14 @@ class PushHubAction extends Action
        $params = array('domain_check' => false, // otherwise breaks my local tests :P
                        'allowed_schemes' => array('http', 'https'));
        $validate = new Validate();
-        if ($validate->uri($url, $params)) {
-            return $url;
-        } else {
+        if (!$validate->uri($url, $params)) {
            // TRANS: Client exception.
            // TRANS: %1$s is this argument to the method this exception occurs in, %2$s is a URL.
            throw new ClientException(sprintf(_m('Invalid URL passed for %1$s: "%2$s"'),$arg,$url));
        }
+
+        Event::handle('UrlBlacklistTest', array($url));
+        return $url;
    }

    /**