From c23c3a4f537a13b638dd77399063376b7b1386b8 Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Sat, 13 Feb 2016 14:06:05 +0100
Subject: [PATCH] Might as well put a FILTER_SANITIZE_EMAIL there Not that I think we could break out of the directory since we use basename, but you never know... maybe there's a unicode bug in PHP or something.
---
 socialfy-your-domain/dot-well-known/webfinger/index.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/socialfy-your-domain/dot-well-known/webfinger/index.php b/socialfy-your-domain/dot-well-known/webfinger/index.php
index 989b3203be..91071bc4c3 100644
--- a/socialfy-your-domain/dot-well-known/webfinger/index.php
+++ b/socialfy-your-domain/dot-well-known/webfinger/index.php
@@ -31,6 +31,9 @@ if (mb_strpos($u, 'acct:')===0) {
 $u = substr($u, 5);
 }
+// Just to be a little bit safer, you know, with all the unicode stuff going on
+$u = filter_var($u, FILTER_SANITIZE_EMAIL);
+
 $f = $u . ".xml";
 if (file_exists($f)) {
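Review bot: The added `filter_var($u, FILTER_SANITIZE_EMAIL)` line rewrites the requested identifier instead of rejecting it, so a value containing characters the filter strips (for example `/`, `\` or a NUL byte) is silently mapped onto a different `.xml` file name than the one that was asked for. For a lookup keyed on the account name it is safer to validate than to sanitize: `if ($u === '' || filter_var($u, FILTER_SANITIZE_EMAIL) !== $u) { http_response_code(400); exit; }`, or whatever error path the script already uses, which is not visible here. The comment could also state what the filter is relied on for, e.g. `// Strip everything outside the e-mail character set so no path separator or NUL byte reaches the file name`. The script continues past the end of the hunk, and the `basename` call mentioned in the commit message is not visible in it.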