[2/2] Only allow valid HTTP(s) URLs as home page

Message ID 20171105075706.11615-2-lfleischer@archlinux.org
State Accepted, archived
Headers show
Series
  • [1/2] Set X-Frame-Options to DENY for all pages
Related show

Commit Message

Lukas Fleischer Nov. 5, 2017, 7:57 a.m. UTC
The home page specified in the account settings is converted to a
clickable link on the user's profile. Make sure it is a valid URL which
uses the http or https scheme.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 web/lib/acctfuncs.inc.php |  4 ++++
 web/lib/aur.inc.php       | 20 ++++++++++++++++++++
 2 files changed, 24 insertions(+)

Patch

diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index bdcaaa8..b8d9dc5 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -162,6 +162,10 @@  function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C=""
 		$error = __("The email address is invalid.");
 	}
 
+	if (!$error && !valid_homepage($HP)) {
+		$error = __("The home page is invalid, please specify the full HTTP(s) URL.");
+	}
+
 	if (!$error && $K != '' && !valid_pgp_fingerprint($K)) {
 		$error = __("The PGP key fingerprint is invalid.");
 	}
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 6cd0451..feb4006 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -150,6 +150,26 @@  function valid_email($addy) {
 	return true;
 }
 
+/**
+ * Verify that a given URL is valid and uses the HTTP(s) protocol
+ *
+ * @param string $url URL of the home page to be validated
+ *
+ * @return bool True if URL passes validity checks, false otherwise
+ */
+function valid_homepage($url) {
+	if (filter_var($url, FILTER_VALIDATE_URL) === false) {
+		return false;
+	}
+
+	$url_components = parse_url($url);
+	if (!in_array($url_components['scheme'], array('http', 'https'))) {
+		return false;
+	}
+
+	return true;
+}
+
 /**
  * Generate a unique session ID
  *