validate_url: relax requirements for URLs, limit additional port/loopback filtering to fetch_file_contents()
This commit is contained in:
parent
a4525d31b2
commit
4efc3d7b3f
|
@ -238,7 +238,7 @@
|
||||||
$url = ltrim($url, ' ');
|
$url = ltrim($url, ' ');
|
||||||
$url = str_replace(' ', '%20', $url);
|
$url = str_replace(' ', '%20', $url);
|
||||||
|
|
||||||
$url = validate_url($url);
|
$url = validate_url($url, true);
|
||||||
|
|
||||||
if (!$url) return false;
|
if (!$url) return false;
|
||||||
|
|
||||||
|
@ -350,7 +350,7 @@
|
||||||
|
|
||||||
$fetch_effective_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
|
$fetch_effective_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
|
||||||
|
|
||||||
if (!validate_url($fetch_effective_url)) {
|
if (!validate_url($fetch_effective_url, true)) {
|
||||||
$fetch_last_error = "URL hostname received after redirection failed to validate.";
|
$fetch_last_error = "URL hostname received after redirection failed to validate.";
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
|
@ -443,7 +443,7 @@
|
||||||
|
|
||||||
$fetch_effective_url = resolve_redirects($url, $timeout ? $timeout : FILE_FETCH_CONNECT_TIMEOUT);
|
$fetch_effective_url = resolve_redirects($url, $timeout ? $timeout : FILE_FETCH_CONNECT_TIMEOUT);
|
||||||
|
|
||||||
if (!validate_url($fetch_effective_url)) {
|
if (!validate_url($fetch_effective_url, true)) {
|
||||||
$fetch_last_error = "URL hostname received after redirection failed to validate.";
|
$fetch_last_error = "URL hostname received after redirection failed to validate.";
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
|
@ -1963,7 +1963,8 @@
|
||||||
return $ttrss_version['version'];
|
return $ttrss_version['version'];
|
||||||
}
|
}
|
||||||
|
|
||||||
function validate_url($url) {
|
// extended filtering involves validation for safe ports and loopback
|
||||||
|
function validate_url($url, $extended_filtering = false) {
|
||||||
|
|
||||||
$url = clean($url);
|
$url = clean($url);
|
||||||
|
|
||||||
|
@ -1979,14 +1980,16 @@
|
||||||
if (!$tokens['host'])
|
if (!$tokens['host'])
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (!in_array($tokens['port'], [80, 443, '']))
|
if (!in_array($tokens['scheme'], ['http', 'https']))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (!in_array($tokens['scheme'], ['http', 'https']))
|
if ($extended_filtering) {
|
||||||
|
if (!in_array($tokens['port'], [80, 443, '']))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if ($tokens['host'] == 'localhost' || $tokens['host'] == '::1' || strpos($tokens['host'], '127.') === 0)
|
if ($tokens['host'] == 'localhost' || $tokens['host'] == '::1' || strpos($tokens['host'], '127.') === 0)
|
||||||
return false;
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
//convert IDNA hostname to punycode if possible
|
//convert IDNA hostname to punycode if possible
|
||||||
if (function_exists("idn_to_ascii")) {
|
if (function_exists("idn_to_ascii")) {
|
||||||
|
|
Loading…
Reference in New Issue