
Commit e1df7639 authored by mattl's avatar mattl

Test URLs against blacklist also on PuSH subscriptions.

parent 839b3e73
...@@ -249,6 +249,15 @@ class BlacklistPlugin extends Plugin ...@@ -249,6 +249,15 @@ class BlacklistPlugin extends Plugin
return true; return true;
} }
public function onUrlBlacklistTest($url)
{
common_debug('Checking URL against blacklist: '._ve($url));
if (!$this->_checkUrl($url)) {
throw new ClientException('Forbidden URL', 403);
}
return true;
}
/** /**
* Helper for checking nicknames * Helper for checking nicknames
* *
......
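Review bot: onUrlBlacklistTest writes the full submitted URL to the debug log before checking it. Subscription URLs can carry userinfo or query-string tokens, so it would be safer to log only the host, e.g. `common_debug('Checking URL against blacklist: '._ve(parse_url($url, PHP_URL_HOST)));`, or to log only when the URL is rejected. The method also has no docblock; it should state that the handler returns true when the URL passes and throws ClientException with code 403 when it is blacklisted. The `'Forbidden URL'` message is not wrapped in `_m()` with a `// TRANS:` comment, unlike the ClientException in PushHubAction. `_checkUrl` is defined outside the hunk, so how it treats non-string input cannot be seen here.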
...@@ -199,7 +199,7 @@ class PushHubAction extends Action ...@@ -199,7 +199,7 @@ class PushHubAction extends Action
/** /**
* Grab and validate a URL from POST parameters. * Grab and validate a URL from POST parameters.
* @throws ClientException for malformed or non-http/https URLs * @throws ClientException for malformed or non-http/https or blacklisted URLs
*/ */
protected function argUrl($arg) protected function argUrl($arg)
{ {
...@@ -207,13 +207,14 @@ class PushHubAction extends Action ...@@ -207,13 +207,14 @@ class PushHubAction extends Action
$params = array('domain_check' => false, // otherwise breaks my local tests :P $params = array('domain_check' => false, // otherwise breaks my local tests :P
'allowed_schemes' => array('http', 'https')); 'allowed_schemes' => array('http', 'https'));
$validate = new Validate(); $validate = new Validate();
if ($validate->uri($url, $params)) { if (!$validate->uri($url, $params)) {
return $url;
} else {
// TRANS: Client exception. // TRANS: Client exception.
// TRANS: %1$s is this argument to the method this exception occurs in, %2$s is a URL. // TRANS: %1$s is this argument to the method this exception occurs in, %2$s is a URL.
throw new ClientException(sprintf(_m('Invalid URL passed for %1$s: "%2$s"'),$arg,$url)); throw new ClientException(sprintf(_m('Invalid URL passed for %1$s: "%2$s"'),$arg,$url));
} }
Event::handle('UrlBlacklistTest', array($url));
return $url;
} }
/** /**
......
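Review bot: In argUrl the result of `Event::handle('UrlBlacklistTest', array($url))` is discarded, so a URL is rejected only when a handler throws. If the Blacklist plugin is not loaded, or if a handler signals rejection by returning false, the URL is returned as valid. If throwing is the intended contract, a comment above the call should say so, e.g. `// Handlers reject by throwing ClientException; with no handler registered no blacklist check happens.` The test also sees only the submitted string and `'domain_check' => false` stays in place, so a host that resolves or redirects to an internal address is presumably not covered and would need a check where the hub fetches the URL. The lines of argUrl between its signature and `$params` are not shown in these hunks.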