From 8912cdc7a4acaeaea3b2b323efc86333ffd5ef63 Mon Sep 17 00:00:00 2001 From: Mikael Nordfeldth Date: Mon, 7 Oct 2013 14:46:09 +0200 Subject: [PATCH] Validate::uri replaced with filter_var for HTTP[S] URL checks Also, a bug in checking the OAuth callback URL for validity was fixed, where it referenced the wrong variable when going through form data. --- actions/apiaccountregister.php | 4 +- actions/apicheckhub.php | 21 ++++----- actions/apigroupcreate.php | 12 ++---- actions/apigroupprofileupdate.php | 9 +--- actions/apioauthrequesttoken.php | 2 +- actions/editapplication.php | 43 ++++++++----------- actions/editgroup.php | 4 +- actions/licenseadminpanel.php | 12 ++---- actions/newapplication.php | 21 ++------- actions/newgroup.php | 4 +- actions/profilesettings.php | 2 +- actions/register.php | 4 +- actions/siteadminpanel.php | 4 +- actions/snapshotadminpanel.php | 6 +-- lib/util.php | 8 +++- plugins/Bookmark/actions/bookmarkforurl.php | 2 +- .../actions/profiledetailsettings.php | 5 +-- plugins/OStatus/classes/Ostatus_profile.php | 4 +- 18 files changed, 57 insertions(+), 110 deletions(-) diff --git a/actions/apiaccountregister.php b/actions/apiaccountregister.php index fec536a2c2..7d038b20dc 100644 --- a/actions/apiaccountregister.php +++ b/actions/apiaccountregister.php @@ -152,9 +152,7 @@ class ApiAccountRegisterAction extends ApiAction // TRANS: Form validation error displayed when trying to register with an already registered e-mail address. $this->clientError(_('Email address already exists.'),404,'json'); } else if (!is_null($homepage) && (strlen($homepage) > 0) && - !Validate::uri($homepage, - array('allowed_schemes' => - array('http', 'https')))) { + !common_valid_http_url($homepage)) { // TRANS: Form validation error displayed when trying to register with an invalid homepage URL. $this->clientError(_('Homepage is not a valid URL.'),404,'json'); return; diff --git a/actions/apicheckhub.php b/actions/apicheckhub.php index d59506b667..e32420d3c3 100644 
--- a/actions/apicheckhub.php +++ b/actions/apicheckhub.php @@ -45,23 +45,18 @@ class ApiCheckHubAction extends ApiAuthAction { parent::prepare($args); - $this->url = urldecode($args['url']); - - if (!$this->url) { + $this->url = urldecode($args['url']); + + if (empty($this->url)) { $this->clientError(_('No URL.'), 403, 'json'); - return; - } + return; + } - if (!Validate::uri( - $this->url, array( - 'allowed_schemes' => - array('http', 'https') - ) - )) { + if (!common_valid_http_url($this->url)) { $this->clientError(_('Invalid URL.'), 403, 'json'); return; - } - + } + return true; } diff --git a/actions/apigroupcreate.php b/actions/apigroupcreate.php index 6992da9db9..ea23fdf3ba 100644 --- a/actions/apigroupcreate.php +++ b/actions/apigroupcreate.php @@ -165,15 +165,9 @@ class ApiGroupCreateAction extends ApiAuthAction ); return false; - } elseif ( - !is_null($this->homepage) - && strlen($this->homepage) > 0 - && !Validate::uri( - $this->homepage, array( - 'allowed_schemes' => - array('http', 'https') - ) - )) { + } elseif (!is_null($this->homepage) + && strlen($this->homepage) > 0 + && !common_valid_http_url($this->homepage)) { $this->clientError( // TRANS: Client error in form for group creation. _('Homepage is not a valid URL.'), diff --git a/actions/apigroupprofileupdate.php b/actions/apigroupprofileupdate.php index 73b3823e36..05fd3ab57f 100644 --- a/actions/apigroupprofileupdate.php +++ b/actions/apigroupprofileupdate.php @@ -267,13 +267,8 @@ class ApiGroupProfileUpdateAction extends ApiAuthAction function validateHomepage() { if (!is_null($this->homepage) - && (strlen($this->homepage) > 0) - && !Validate::uri( - $this->homepage, - array('allowed_schemes' => array('http', 'https') - ) - ) - ) { + && (strlen($this->homepage) > 0) + && !common_valid_http_url($this->homepage)) { throw new ApiValidationException( // TRANS: API validation exception thrown when homepage URL does not validate. _('Homepage is not a valid URL.') 
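Review bot: The re-indented `$this->url = urldecode($args['url']);` still reads `$args['url']` before the `empty()` guard, so a request that omits the parameter raises an undefined-index notice before the 'No URL.' error is ever produced; guarding the read, `$this->url = isset($args['url']) ? urldecode($args['url']) : '';`, keeps that error path clean. If `$args` has already been URL-decoded by the request layer, the extra `urldecode()` means the string that `common_valid_http_url()` validates is not the string the client sent — worth confirming, since this value is presumably what the action later contacts as a hub. `prepare()` continues outside the hunk.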
diff --git a/actions/apioauthrequesttoken.php b/actions/apioauthrequesttoken.php index b9346a9e87..324c30d17f 100644 --- a/actions/apioauthrequesttoken.php +++ b/actions/apioauthrequesttoken.php @@ -146,7 +146,7 @@ class ApiOAuthRequestTokenAction extends ApiOAuthAction return true; } else { - return Validate::uri($callback); + return common_valid_http_url($callback); } } } diff --git a/actions/editapplication.php b/actions/editapplication.php index 8c24540c13..00ed397193 100644 --- a/actions/editapplication.php +++ b/actions/editapplication.php @@ -210,12 +210,10 @@ class EditApplicationAction extends Action $this->showForm(_('Source URL is too long.')); return; } elseif ((mb_strlen($source_url) > 0) - && !Validate::uri($source_url, - array('allowed_schemes' => array('http', 'https')))) - { - // TRANS: Validation error shown when providing an invalid source URL in the "Edit application" form. - $this->showForm(_('Source URL is not valid.')); - return; + && !common_valid_http_url($source_url)) { + // TRANS: Validation error shown when providing an invalid source URL in the "Edit application" form. + $this->showForm(_('Source URL is not valid.')); + return; } elseif (empty($organization)) { // TRANS: Validation error shown when not providing an organisation in the "Edit application" form. $this->showForm(_('Organization is required.')); 
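Review bot: `return common_valid_http_url($callback);` narrows the accepted callback schemes to http/https, whereas the removed `Validate::uri($callback)` call passed no `allowed_schemes` restriction; that is a stricter rule than the commit message describes, and any consumer registered with a custom-scheme callback will now fail this check. If the narrowing is intended — it does keep non-web schemes out of a redirect target — a one-line comment such as `// callbacks must be http(s); non-web schemes are deliberately rejected` would record the decision. The enclosing method starts outside the hunk, so the branch that returns true above this `else` is not visible here.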
@@ -229,25 +227,20 @@ class EditApplicationAction extends Action $this->showForm(_('Organization homepage is required.')); return; } elseif ((mb_strlen($homepage) > 0) - && !Validate::uri($homepage, - array('allowed_schemes' => array('http', 'https')))) - { - // TRANS: Validation error shown when providing an invalid homepage URL in the "Edit application" form. - $this->showForm(_('Homepage is not a valid URL.')); - return; - } elseif (mb_strlen($callback_url) > 255) { - // TRANS: Validation error shown when providing too long a callback URL in the "Edit application" form. - $this->showForm(_('Callback is too long.')); - return; - } elseif (mb_strlen($callback_url) > 0 - && !Validate::uri($source_url, - array('allowed_schemes' => array('http', 'https')) - )) - { - // TRANS: Validation error shown when providing an invalid callback URL in the "Edit application" form. - $this->showForm(_('Callback URL is not valid.')); - return; - } + && !common_valid_http_url($homepage)) { + // TRANS: Validation error shown when providing an invalid homepage URL in the "Edit application" form. + $this->showForm(_('Homepage is not a valid URL.')); + return; + } elseif (mb_strlen($callback_url) > 255) { + // TRANS: Validation error shown when providing too long a callback URL in the "Edit application" form. + $this->showForm(_('Callback is too long.')); + return; + } elseif (mb_strlen($callback_url) > 0 + && !common_valid_http_url($callback_url)) { + // TRANS: Validation error shown when providing an invalid callback URL in the "Edit application" form. + $this->showForm(_('Callback URL is not valid.')); + return; + } $cur = common_current_user(); diff --git a/actions/editgroup.php b/actions/editgroup.php index 9febab618d..b73f1f13f7 100644 --- a/actions/editgroup.php +++ b/actions/editgroup.php 
@@ -198,9 +198,7 @@ class EditgroupAction extends GroupAction $this->showForm(_('Not a valid nickname.')); return; } else if (!is_null($homepage) && (strlen($homepage) > 0) && - !Validate::uri($homepage, - array('allowed_schemes' => - array('http', 'https')))) { + !common_valid_http_url($homepage)) { // TRANS: Group edit form validation error. $this->showForm(_('Homepage is not a valid URL.')); return; diff --git a/actions/licenseadminpanel.php b/actions/licenseadminpanel.php index fda7cd4359..a89ffed346 100644 --- a/actions/licenseadminpanel.php +++ b/actions/licenseadminpanel.php @@ -155,18 +155,14 @@ class LicenseadminpanelAction extends AdminPanelAction ); } - // make sure the license URL and license image URL are valid URLs - - $options = array('allowed_schemes' => array('http', 'https')); - // URLs should be set for cc license if ($values['license']['type'] == 'cc') { - if (!Validate::uri($values['license']['url'], $options)) { + if (!common_valid_http_url($values['license']['url'])) { // TRANS: Client error displayed specifying an invalid license URL in the license admin panel. $this->clientError(_('Invalid license URL.')); } - if (!Validate::uri($values['license']['image'], $options)) { + if (!common_valid_http_url($values['license']['image'])) { // TRANS: Client error displayed specifying an invalid license image URL in the license admin panel. $this->clientError(_('Invalid license image URL.')); } @@ -175,7 +171,7 @@ class LicenseadminpanelAction extends AdminPanelAction // can be either blank or a valid URL for private & allrightsreserved if (!empty($values['license']['url'])) { - if (!Validate::uri($values['license']['url'], $options)) { + if (!common_valid_http_url($values['license']['url'])) { // TRANS: Client error displayed specifying an invalid license URL in the license admin panel. $this->clientError(_('License URL must be blank or a valid URL.')); } 
@@ -184,7 +180,7 @@ class LicenseadminpanelAction extends AdminPanelAction // can be either blank or a valid URL for private & allrightsreserved if (!empty($values['license']['image'])) { - if (!Validate::uri($values['license']['image'], $options)) { + if (!common_valid_http_url($values['license']['image'])) { // TRANS: Client error displayed specifying an invalid license image URL in the license admin panel. $this->clientError(_('License image must be blank or valid URL.')); } diff --git a/actions/newapplication.php b/actions/newapplication.php index a9f3012771..ad71aaad0a 100644 --- a/actions/newapplication.php +++ b/actions/newapplication.php @@ -122,12 +122,7 @@ class NewApplicationAction extends FormAction } elseif (empty($source_url)) { // TRANS: Validation error shown when not providing a source URL in the "New application" form. $this->clientError(_('Source URL is required.')); - } elseif ((strlen($source_url) > 0) - && !Validate::uri( - $source_url, - array('allowed_schemes' => array('http', 'https')) - ) - ) { + } elseif ((strlen($source_url) > 0) && !common_valid_http_url($source_url)) { // TRANS: Validation error shown when providing an invalid source URL in the "New application" form. $this->clientError(_('Source URL is not valid.')); } elseif (empty($organization)) { 
@@ -139,23 +134,13 @@ class NewApplicationAction extends FormAction } elseif (empty($homepage)) { // TRANS: Form validation error show when an organisation name has not been provided in the new application form. $this->clientError(_('Organization homepage is required.')); - } elseif ((strlen($homepage) > 0) - && !Validate::uri( - $homepage, - array('allowed_schemes' => array('http', 'https')) - ) - ) { + } elseif ((strlen($homepage) > 0) && !common_valid_http_url($homepage)) { // TRANS: Validation error shown when providing an invalid homepage URL in the "New application" form. $this->clientError(_('Homepage is not a valid URL.')); } elseif (mb_strlen($callback_url) > 255) { // TRANS: Validation error shown when providing too long a callback URL in the "New application" form. $this->clientError(_('Callback is too long.')); - } elseif (strlen($callback_url) > 0 - && !Validate::uri( - $source_url, - array('allowed_schemes' => array('http', 'https')) - ) - ) { + } elseif (strlen($callback_url) > 0 && !common_valid_http_url($callback_url)) { // TRANS: Validation error shown when providing an invalid callback URL in the "New application" form. $this->clientError(_('Callback URL is not valid.')); } diff --git a/actions/newgroup.php b/actions/newgroup.php index dd264ce055..a1c58c5c0f 100644 --- a/actions/newgroup.php +++ b/actions/newgroup.php @@ -102,9 +102,7 @@ class NewgroupAction extends FormAction // TRANS: Group create form validation error. throw new ClientException(_('Not a valid nickname.')); } else if (!is_null($homepage) && (strlen($homepage) > 0) && - !Validate::uri($homepage, - array('allowed_schemes' => - array('http', 'https')))) { + !common_valid_http_url($homepage)) { // TRANS: Group create form validation error. throw new ClientException(_('Homepage is not a valid URL.')); } else if (!is_null($fullname) && mb_strlen($fullname) > 255) { diff --git a/actions/profilesettings.php b/actions/profilesettings.php index 2279732c1e..ef62eb9c8f 100644 
--- a/actions/profilesettings.php +++ b/actions/profilesettings.php @@ -263,7 +263,7 @@ class ProfilesettingsAction extends SettingsAction $this->showForm(_('Not a valid nickname.')); return; } else if (!is_null($homepage) && (strlen($homepage) > 0) && - !Validate::uri($homepage, array('allowed_schemes' => array('http', 'https')))) { + !common_valid_http_url($homepage)) { // TRANS: Validation error in form for profile settings. $this->showForm(_('Homepage is not a valid URL.')); return; diff --git a/actions/register.php b/actions/register.php index 7a64d3ae58..661936d5af 100644 --- a/actions/register.php +++ b/actions/register.php @@ -215,9 +215,7 @@ class RegisterAction extends Action // TRANS: Form validation error displayed when trying to register with an already registered e-mail address. $this->showForm(_('Email address already exists.')); } else if (!is_null($homepage) && (strlen($homepage) > 0) && - !Validate::uri($homepage, - array('allowed_schemes' => - array('http', 'https')))) { + !common_valid_http_url($homepage)) { // TRANS: Form validation error displayed when trying to register with an invalid homepage URL. $this->showForm(_('Homepage is not a valid URL.')); return; diff --git a/actions/siteadminpanel.php b/actions/siteadminpanel.php index bc96a6d73e..40c9a841b3 100644 --- a/actions/siteadminpanel.php +++ b/actions/siteadminpanel.php 
@@ -156,13 +156,13 @@ class SiteadminpanelAction extends AdminPanelAction // Validate logos if (!empty($values['site']['logo']) && - !Validate::uri($values['site']['logo'], array('allowed_schemes' => array('http', 'https')))) { + !common_valid_http_url($values['site']['logo'])) { // TRANS: Client error displayed when a logo URL is not valid. $this->clientError(_('Invalid logo URL.')); } if (!empty($values['site']['ssllogo']) && - !Validate::uri($values['site']['ssllogo'], array('allowed_schemes' => array('https')))) { + !common_valid_http_url($values['site']['ssllogo'], true)) { // TRANS: Client error displayed when a SSL logo URL is invalid. $this->clientError(_('Invalid SSL logo URL.')); } diff --git a/actions/snapshotadminpanel.php b/actions/snapshotadminpanel.php index 751b1acd1e..214b3d648b 100644 --- a/actions/snapshotadminpanel.php +++ b/actions/snapshotadminpanel.php @@ -135,11 +135,7 @@ class SnapshotadminpanelAction extends AdminPanelAction // Validate report URL if (!is_null($values['snapshot']['reporturl']) - && !Validate::uri( - $values['snapshot']['reporturl'], - array('allowed_schemes' => array('http', 'https') - ) - )) { + && !common_valid_http_url($values['snapshot']['reporturl'])) { // TRANS: Client error displayed on admin panel for snapshots when providing an invalid report URL. $this->clientError(_('Invalid snapshot report URL.')); } diff --git a/lib/util.php b/lib/util.php index fdd678abdb..8c6ff6718a 100644 --- a/lib/util.php +++ b/lib/util.php 
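Review bot: The bare `true` in `!common_valid_http_url($values['site']['ssllogo'], true)` is the only call in the commit that uses the new `$secure` flag, and nothing at the call site says what it means; a trailing comment, `!common_valid_http_url($values['site']['ssllogo'], true)) { // https only`, or a named local such as `$httpsOnly = true;` passed in its place, keeps the intent readable without consulting `lib/util.php`. The rest of the validation chain in this hunk is unchanged apart from the helper swap.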
@@ -1720,9 +1720,13 @@ function common_log_objstring(&$object) return $objstring; } -function common_valid_http_url($url) +function common_valid_http_url($url, $secure=false) { - return Validate::uri($url, array('allowed_schemes' => array('http', 'https'))); + // If $secure is true, only allow https URLs to pass + // (if false, we use '?' in 'https?' to say the 's' is optional) + $regex = $secure ? '/^https$/' : '/^https?$/'; + return filter_var($url, FILTER_VALIDATE_URL) + && preg_match($regex, parse_url($url, PHP_URL_SCHEME)); } function common_valid_tag($tag) diff --git a/plugins/Bookmark/actions/bookmarkforurl.php b/plugins/Bookmark/actions/bookmarkforurl.php index 8eb02e64a0..5eac33b11b 100644 --- a/plugins/Bookmark/actions/bookmarkforurl.php +++ b/plugins/Bookmark/actions/bookmarkforurl.php @@ -74,7 +74,7 @@ class BookmarkforurlAction extends Action throw new ClientException(_('URL is required.'), 400); } - if (!Validate::uri($this->url, array('allowed_schemes' => array('http', 'https')))) { + if (!common_valid_http_url($this->url)) { throw new ClientException(_('Invalid URL.'), 400); } diff --git a/plugins/ExtendedProfile/actions/profiledetailsettings.php b/plugins/ExtendedProfile/actions/profiledetailsettings.php index 1cf7003473..016dad39ef 100644 --- a/plugins/ExtendedProfile/actions/profiledetailsettings.php +++ b/plugins/ExtendedProfile/actions/profiledetailsettings.php @@ -267,10 +267,7 @@ class ProfileDetailSettingsAction extends ProfileSettingsAction $this->removeAll($user, 'website'); $i = 0; foreach($sites as $site) { - if (!empty($site['value']) && !Validate::uri( - $site['value'], - array('allowed_schemes' => array('http', 'https'))) - ) { + if (!empty($site['value']) && !common_valid_http_url($site['value'])) { // TRANS: Exception thrown when entering an invalid URL. // TRANS: %s is the invalid URL. throw new Exception(sprintf(_m('Invalid URL: %s.'), $site['value'])); 
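Review bot: `common_valid_http_url()` now returns whatever the `&&` yields — `filter_var()` gives the URL string or `false`, `preg_match()` gives `0`, `1` or `false` — so a caller that returns its result directly (the `ApiOAuthRequestTokenAction` hunk above) hands back an int rather than a bool; making the comparisons explicit, `return filter_var($url, FILTER_VALIDATE_URL) !== false` followed by `    && preg_match($regex, parse_url($url, PHP_URL_SCHEME)) === 1;`, pins the contract to bool. `parse_url()` returns the scheme as written and `/^https?$/` is case-sensitive, so a URL written as `HTTP://…`, which as far as I can tell `filter_var()` does not reject on case alone, fails the regex; if mixed-case schemes are expected, add the `i` modifier. The function also deserves a docblock stating that the check is purely syntactic — it says nothing about whether the host is safe or appropriate to fetch or redirect to — because the `apicheckhub.php` and `bookmarkforurl.php` hunks now rely on it as their only URL check. The new parameter should be documented there too, e.g. `@param bool $secure  when true, only https:// URLs are accepted`.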
diff --git a/plugins/OStatus/classes/Ostatus_profile.php b/plugins/OStatus/classes/Ostatus_profile.php index 7fefba758e..4b81de92d8 100644 --- a/plugins/OStatus/classes/Ostatus_profile.php +++ b/plugins/OStatus/classes/Ostatus_profile.php @@ -1323,7 +1323,7 @@ class Ostatus_profile extends Managed_DataObject } if ($url) { $opts = array('allowed_schemes' => array('http', 'https')); - if (Validate::uri($url, $opts)) { + if (common_valid_http_url($url)) { return $url; } } @@ -1615,7 +1615,7 @@ class Ostatus_profile extends Managed_DataObject $profile->profileurl = $object->link; } else if (array_key_exists('profileurl', $hints)) { $profile->profileurl = $hints['profileurl']; - } else if (Validate::uri($object->id, array('allowed_schemes' => array('http', 'https')))) { + } else if (common_valid_http_url($object->id)) { $profile->profileurl = $object->id; }
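Review bot: The context line `$opts = array('allowed_schemes' => array('http', 'https'));` directly above the changed `if` is now dead code: `common_valid_http_url($url)` takes no options, and nothing else in the visible lines reads `$opts`, so the assignment should be deleted along with the `Validate::uri` call it served. The enclosing method starts and ends outside the hunk, so a later use of `$opts` would have to be ruled out there before removing it.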