Revision: 10011
http://sourceforge.net/p/phpwiki/code/10011
Author: vargenau
Date: 2017-05-24 18:19:28 +0000 (Wed, 24 May 2017)
Log Message:
-----------
Make function IsSafeURL more strict
Modified Paths:
--------------
trunk/lib/stdlib.php
trunk/pgsrc/ReleaseNotes
Modified: trunk/lib/stdlib.php
===================================================================
--- trunk/lib/stdlib.php 2017-05-24 18:05:08 UTC (rev 10010)
+++ trunk/lib/stdlib.php 2017-05-24 18:19:28 UTC (rev 10011)
@@ -29,7 +29,7 @@
AbsoluteURL ($url)
IconForLink ($protocol_or_url)
PossiblyGlueIconToText($proto_or_url, $text)
- IsSafeURL($url)
+ IsSafeURL($url, $http_only)
LinkURL ($url, $linktext)
LinkImage ($url, $alt)
ImgObject ($img, $url)
@@ -346,16 +346,26 @@
}
/**
- * Determines if the url passed to function is safe, by detecting if the characters
- * '<', '>', or '"' are present.
- * Check against their urlencoded values also.
+ * Determines if the url passed to function is safe
+ * 1) By detecting if the characters '<', '>', or '"' are present.
+ * Check against their urlencoded values also.
+ * 2) By checking the URL syntax is valid
*
- * @param string $url URL to check for unsafe characters.
- * @return bool True if safe, false else.
+ * @param string $url URL to check
+ * @param bool $http_only if true, accept only http and https URLs
+ * @return bool true if safe, false else.
*/
-function IsSafeURL($url)
+function IsSafeURL($url, $http_only = true)
{
- return !preg_match('/([<>"])|(%3C)|(%3E)|(%22)/', $url);
+ if (preg_match('/([<>"])|(%3C)|(%3E)|(%22)/', $url) || (filter_var($url, FILTER_VALIDATE_URL) === false)) {
+ return false;
+ }
+ if ($http_only) {
+ $scheme = parse_url($url, PHP_URL_SCHEME);
+ return ($scheme == 'http') || ($scheme == 'https');
+ } else {
+ return true;
+ }
}
/**
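Review bot: The scheme test at `return ($scheme == 'http') || ($scheme == 'https');` uses loose comparison and is case-sensitive, so a URL whose scheme is written `HTTP://` or `HTTPS://` (which filter_var appears to accept) is rejected by the `$http_only` branch while still relying on `==`. Suggest `$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));` followed by `return in_array($scheme, array('http', 'https'), true);`, which also copes with parse_url returning null or false. The `else { return true; }` after a returning `if` is a style nit and could be flattened to a bare `return true;`. Note that the only caller touched by this commit (LinkURL, next hunk) passes `$http_only = false`, so the new restriction does not apply to rendered links.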
@@ -368,7 +378,7 @@
function LinkURL($url, $linktext = '')
{
// FIXME: Is this needed (or sufficient?)
- if (!IsSafeURL($url)) {
+ if (!IsSafeURL($url, false)) {
$link = HTML::span(array('class' => 'error'), _('Bad URL'));
return $link;
} else {
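Review bot: Passing `false` here switches off the scheme check this commit adds, so LinkURL still accepts any scheme that FILTER_VALIDATE_URL considers syntactically valid, and the `// FIXME: Is this needed (or sufficient?)` comment above it remains open for the link-rendering path. If links legitimately need schemes other than http/https, an explicit allow-list of schemes inside IsSafeURL (or one supplied by the caller) would be a safer contract than a boolean that disables the check entirely. LinkURL's body continues past the end of the hunk.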
Modified: trunk/pgsrc/ReleaseNotes
===================================================================
--- trunk/pgsrc/ReleaseNotes 2017-05-24 18:05:08 UTC (rev 10010)
+++ trunk/pgsrc/ReleaseNotes 2017-05-24 18:19:28 UTC (rev 10011)
@@ -1,4 +1,4 @@
-Date: Tue, 23 May 2017 11:26:59 +0000
+Date: Wed, 24 May 2017 19:26:59 +0000
Mime-Version: 1.0 (Produced by PhpWiki 1.6.0)
Content-Type: application/x-phpwiki;
pagename=ReleaseNotes;
@@ -27,6 +27,7 @@
* Better is_localhost() function (allow IPv6, allow Windows IIS). Patch by Thierry Nabeth.
* Remove Fusionforge-specific files (g view.php wikiadmin.php wikilist.php)
* Bugs:
+** Make function IsSafeURL more strict
** Make XHTML ZIP Snapshot work again (broken since ~PhpWiki 1.5.3)
** It was possible to rename a page to a name with illegal characters, like ~[~]
** Remove wrong calls to setTightness in ##lib/~InlineParser.php## (bug reported by Harold Hallikainen)