GH-224 Do not accept protos other than http & https

mdziekon · Jul 1, 2022 · 15f6915 · 15f6915
1 parent a53dce5
commit 15f6915
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 5 deletions.
diff --git a/modules/settings/utils/helpers/url.helper.php b/modules/settings/utils/helpers/url.helper.php
@@ -7,25 +7,42 @@
  */
 function hasHttpProtocol($url) {
     return (
-        strstr($url, 'http://') !== false ||
-        strstr($url, 'https://') !== false
+        strpos($url, 'http://') === 0 ||
+        strpos($url, 'https://') === 0
     );
 }
 
 /**
  * @param string $url
  */
 function hasWWWPart($url) {
-    return (strstr($url, 'www.') !== false);
+    return (strpos($url, 'www.') === 0);
+}
+
+/**
+ * @param string $url
+ */
+function hasProtoSeparator($url) {
+    return (strpos($url, '://') !== false);
 }
 
 /**
  * @param string $url
  */
 function isExternalUrl($url) {
+    return hasProtoSeparator($url);
+}
+
+/**
+ * @param string $url
+ */
+function isValidExternalUrl($url) {
     return (
-        hasHttpProtocol($url) ||
-        hasWWWPart($url)
+        hasProtoSeparator($url) &&
+        (
+            hasHttpProtocol($url) ||
+            hasWWWPart($url)
+        )
     );
 }
 

diff --git a/settings.php b/settings.php
@@ -308,6 +308,10 @@ function isInputKeyChecked($input, $key) {
                     $_POST['use_skin'] = '';
                 }
             } else {
+                if (!Settings\Utils\Helpers\isValidExternalUrl($SkinPath)) {
+                    $SkinPath = '';
+                }
+
                 if (
                     !Settings\Utils\Helpers\hasHttpProtocol($SkinPath) &&
                     Settings\Utils\Helpers\hasWWWPart($SkinPath)
@@ -346,6 +350,10 @@ function isInputKeyChecked($input, $key) {
                 strip_tags(trim($_POST['avatar_path']))
             );
 
+            if (!Settings\Utils\Helpers\isValidExternalUrl($AvatarPath)) {
+                $AvatarPath = '';
+            }
+
             if (
                 !Settings\Utils\Helpers\hasHttpProtocol($AvatarPath) &&
                 Settings\Utils\Helpers\hasWWWPart($AvatarPath)