Only use and accept valid http links as links to an external resource
authorMichael <heluecht@pirati.ca>
Sun, 3 Apr 2022 07:21:36 +0000 (07:21 +0000)
committerMichael <heluecht@pirati.ca>
Sun, 3 Apr 2022 07:21:36 +0000 (07:21 +0000)
src/Model/Item.php
src/Protocol/ActivityPub/Receiver.php
src/Util/Network.php

index 5047af5986da9e6209eb4ea28305c36b50c26748..bf56a72424599dab8b09e75c5a38055c13703d6e 100644 (file)
@@ -3191,6 +3191,12 @@ class Item
         */
        public static function getPlink($item)
        {
+               if (Network::isValidHttpUrl($item['plink'])) {
+                       $plink = $item['plink'];
+               } elseif (Network::isValidHttpUrl($item['uri']) && !Network::isLocalLink($item['uri'])) {
+                       $plink = $item['uri'];
+               }
+
                if (local_user()) {
                        $ret = [
                                'href' => "display/" . $item['guid'],
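Review bot: `Network::isValidHttpUrl()` is declared with a `string $url` parameter, but the removed code guarded `$item['plink']` with `!empty()`, which suggests the field can be null or absent; passing null to a user-defined `string` parameter raises a TypeError. In the block added at the top of `getPlink()`, consider `Network::isValidHttpUrl($item['plink'] ?? '')` and the same `?? ''` for both uses of `$item['uri']`. `$plink` also stays undefined when neither branch matches. The later `!empty($plink)` checks tolerate that, but an explicit `$plink = '';` before the `if` would make the fallback obvious. The function body continues beyond this hunk.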
@@ -3199,14 +3205,14 @@ class Item
                                'orig_title' => DI::l10n()->t('View on separate page'),
                        ];
 
-                       if (!empty($item['plink'])) {
-                               $ret['href'] = DI::baseUrl()->remove($item['plink']);
+                       if (!empty($plink)) {
+                               $ret['href'] = DI::baseUrl()->remove($plink);
                                $ret['title'] = DI::l10n()->t('Link to source');
                        }
-               } elseif (!empty($item['plink']) && ($item['private'] != self::PRIVATE)) {
+               } elseif (!empty($plink) && ($item['private'] != self::PRIVATE)) {
                        $ret = [
-                               'href' => $item['plink'],
-                               'orig' => $item['plink'],
+                               'href' => $plink,
+                               'orig' => $plink,
                                'title' => DI::l10n()->t('Link to source'),
                                'orig_title' => DI::l10n()->t('Link to source'),
                        ];
index 98d40137a9f8a1179eeea2d8260ed890e5ee8bb5..040104825b7619ed1f7f2b6c45c28cd2787c2c97 100644 (file)
@@ -37,6 +37,7 @@ use Friendica\Protocol\ActivityPub;
 use Friendica\Util\HTTPSignature;
 use Friendica\Util\JsonLD;
 use Friendica\Util\LDSignature;
+use Friendica\Util\Network;
 use Friendica\Util\Strings;
 
 /**
@@ -1533,6 +1534,10 @@ class Receiver
                        }
                }
 
+               if (!empty($object_data['alternate-url']) && !Network::isValidHttpUrl($object_data['alternate-url'])) {
+                       $object_data['alternate-url'] = null;
+               }
+
                if (in_array($object_data['object_type'], ['as:Audio', 'as:Video'])) {
                        $object_data['alternate-url'] = self::extractAlternateUrl($object['as:url'] ?? []) ?: $object_data['alternate-url'];
                        $object_data['attachments'] = array_merge($object_data['attachments'], self::processAttachmentUrls($object['as:url'] ?? []));
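Review bot: The added scheme check runs before the `as:Audio`/`as:Video` branch, which then reassigns `$object_data['alternate-url']` from `self::extractAlternateUrl(...)`, so for those object types the stored value is whatever the helper returns rather than the value just validated. Unless `extractAlternateUrl()` filters schemes itself (not visible here), move the `if (... && !Network::isValidHttpUrl($object_data['alternate-url']))` block below that branch so it covers the final value. The URLs merged into `$object_data['attachments']` by `processAttachmentUrls()` come from the same remote `as:url` data and may need the same check. The enclosing method starts and ends outside this hunk.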
index 7c7269fa8f7b2f0cfcc63d08b97afee09a6d4525..492d0ecac7293c604f5a908298ddd5b15835fa4f 100644 (file)
@@ -560,4 +560,15 @@ class Network
        {
                return (strpos(Strings::normaliseLink($url), Strings::normaliseLink(DI::baseUrl())) !== false);
        }
+
+       /**
+        * Check if the given URL is a valid HTTP/HTTPS URL
+        *
+        * @param string $url 
+        * @return bool 
+        */
+       public static function isValidHttpUrl(string $url)
+       {
+               return in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https']) && parse_url($url, PHP_URL_HOST);
+       }
 }
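Review bot: `isValidHttpUrl()` only allow-lists the scheme and requires a non-empty host, and `parse_url()` is a lenient parser rather than a validator, so the docblock should say that callers must still escape the URL for its output context. The scheme comparison is case-sensitive and non-strict, so `HTTP://example.org` is rejected, and the method has no native return type. A tighter form would be `return in_array(strtolower((string)parse_url($url, PHP_URL_SCHEME)), ['http', 'https'], true) && !empty(parse_url($url, PHP_URL_HOST));` with `: bool` added to the signature.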