public $append_whitelist = array(); // fill this array as domain_whitelist to add more trusted sources
public $check_whitelist = false; // security/abuse precaution
+ public $domain_blacklist = array();
+ public $check_blacklist = false;
+
protected $imgData = array();
// these should be declared protected everywhere
return true;
}
- $this->checkWhitelist($file->getUrl());
+ if (!$this->checkWhiteList($file->getUrl()) ||
+ !$this->checkBlackList($file->getUrl())) {
+ return true;
+ }
// First we download the file to memory and test whether it's actually an image file
- $imgData = HTTPClient::quickGet($file->getUrl());
- common_debug(sprintf('Downloading remote file id==%u with URL: %s', $file->id, $file->getUrl()));
+ common_debug(sprintf('Downloading remote file id==%u with URL: %s', $file->getID(), _ve($file->getUrl())));
+ try {
+ $imgData = HTTPClient::quickGet($file->getUrl());
+ } catch (HTTP_Request2_ConnectionException $e) {
+ common_log(LOG_ERR, __CLASS__.': quickGet on URL: '._ve($file->getUrl()).' threw exception: '.$e->getMessage());
+ return true;
+ }
$info = @getimagesizefromstring($imgData);
if ($info === false) {
throw new UnsupportedMediaException(_('Remote file format was not identified as an image.'), $file->getUrl());
$file->width = $info[0]; // array indexes documented on php.net:
$file->height = $info[1]; // https://php.net/manual/en/function.getimagesize.php
// Throws exception on failure.
- $file->updateWithKeys($orig, 'id');
+ $file->updateWithKeys($orig);
}
// Get rid of the file from memory
unset($imgData);
}
/**
- * @return boolean false on no check made, provider name on success
- * @throws ServerException if check is made but fails
+ * @return boolean true if given url passes blacklist check
*/
- protected function checkWhitelist($url)
+ protected function checkBlackList($url)
{
- if (!$this->check_whitelist) {
- return false; // indicates "no check made"
+ if (!$this->check_blacklist) {
+ return true;
+ }
+ $host = parse_url($url, PHP_URL_HOST);
+ foreach ($this->domain_blacklist as $regex => $provider) {
+ if (preg_match("/$regex/", $host)) {
+ return false;
+ }
}
+ return true;
+ }
+
+ /***
+ * @return boolean true if given url passes whitelist check
+ */
+ protected function checkWhiteList($url)
+ {
+ if (!$this->check_whitelist) {
+ return true;
+ }
$host = parse_url($url, PHP_URL_HOST);
foreach ($this->domain_whitelist as $regex => $provider) {
if (preg_match("/$regex/", $host)) {
- return $provider; // we trust this source, return provider name
+ return true;
}
}
- throw new ServerException(sprintf(_('Domain not in remote source whitelist: %s'), $host));
+ return false;
}
public function onPluginVersion(array &$versions)
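Review bot: `checkBlackList` fails open on the host string: it runs `preg_match("/$regex/", $host)` case-sensitively against whatever `parse_url()` returns, so a host spelled in a different case from the pattern is not matched, and a URL with no parseable host (null or false) matches nothing and passes the blacklist. I would reject an empty host before the loop with `if (!is_string($host) || $host === '') { return false; }`, and match case-insensitively with `preg_match("/$regex/i", $host)` in both `checkBlackList` and `checkWhiteList`. The patterns are also unanchored and share the `/` delimiter, so the comments on `$domain_blacklist` and `$append_whitelist` should tell operators to write anchored entries such as `^(.+\.)?example\.org$` (constructed sample) and to escape any `/`. Neither check looks at the address the host resolves to, so a name that is not listed but points at an internal address would still be fetched; whether that matters depends on how `HTTPClient::quickGet` handles resolution and redirects, which is not visible here.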