Test URLs against blacklist also on PuSH subscriptions.

This commit is contained in:
Mikael Nordfeldth 2017-04-26 22:41:59 +02:00
parent 839b3e7392
commit e1df763940
2 changed files with 14 additions and 4 deletions

View File

@ -249,6 +249,15 @@ class BlacklistPlugin extends Plugin
return true; return true;
} }
public function onUrlBlacklistTest($url)
{
common_debug('Checking URL against blacklist: '._ve($url));
if (!$this->_checkUrl($url)) {
throw new ClientException('Forbidden URL', 403);
}
return true;
}
/** /**
* Helper for checking nicknames * Helper for checking nicknames
* *

View File

@ -199,7 +199,7 @@ class PushHubAction extends Action
/** /**
* Grab and validate a URL from POST parameters. * Grab and validate a URL from POST parameters.
* @throws ClientException for malformed or non-http/https URLs * @throws ClientException for malformed or non-http/https or blacklisted URLs
*/ */
protected function argUrl($arg) protected function argUrl($arg)
{ {
@ -207,13 +207,14 @@ class PushHubAction extends Action
$params = array('domain_check' => false, // otherwise breaks my local tests :P $params = array('domain_check' => false, // otherwise breaks my local tests :P
'allowed_schemes' => array('http', 'https')); 'allowed_schemes' => array('http', 'https'));
$validate = new Validate(); $validate = new Validate();
if ($validate->uri($url, $params)) { if (!$validate->uri($url, $params)) {
return $url;
} else {
// TRANS: Client exception. // TRANS: Client exception.
// TRANS: %1$s is this argument to the method this exception occurs in, %2$s is a URL. // TRANS: %1$s is this argument to the method this exception occurs in, %2$s is a URL.
throw new ClientException(sprintf(_m('Invalid URL passed for %1$s: "%2$s"'),$arg,$url)); throw new ClientException(sprintf(_m('Invalid URL passed for %1$s: "%2$s"'),$arg,$url));
} }
Event::handle('UrlBlacklistTest', array($url));
return $url;
} }
/** /**