From: Michael <heluecht@pirati.ca>
Date: Sun, 3 Apr 2022 07:21:36 +0000 (+0000)
Subject: Only use and accept valid http links as links to an external resource
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=029daef997322eac54a7a655e076af7f95016f8b;p=friendica.git

Only use and accept valid http links as links to an external resource
---

diff --git a/src/Model/Item.php b/src/Model/Item.php
index 5047af5986..bf56a72424 100644
--- a/src/Model/Item.php
+++ b/src/Model/Item.php
@@ -3191,6 +3191,12 @@ class Item
 	 */
 	public static function getPlink($item)
 	{
+		if (Network::isValidHttpUrl($item['plink'])) {
+			$plink = $item['plink'];
+		} elseif (Network::isValidHttpUrl($item['uri']) && !Network::isLocalLink($item['uri'])) {
+			$plink = $item['uri'];
+		}
+
 		if (local_user()) {
 			$ret = [
 				'href' => "display/" . $item['guid'],
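Review bot: `Network::isValidHttpUrl()` is declared with a non-nullable `string` parameter, so the call on the first added line throws a TypeError when `$item['plink']` is null or unset, a case the replaced `!empty($item['plink'])` checks tolerated; the `elseif` line has the same exposure for `$item['uri']`. Guarding the calls, `if (!empty($item['plink']) && Network::isValidHttpUrl($item['plink'])) {`, and initialising `$plink = null;` before the `if` so the later `!empty($plink)` checks (next hunk) do not depend on an undefined variable would keep the old tolerance. Unlike the Receiver.php change, this hunk adds no `use Friendica\Util\Network;` to Item.php; presumably it is already imported there, but that is worth confirming. getPlink's body continues past this hunk.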
@@ -3199,14 +3205,14 @@ class Item
 				'orig_title' => DI::l10n()->t('View on separate page'),
 			];
 
-			if (!empty($item['plink'])) {
-				$ret['href'] = DI::baseUrl()->remove($item['plink']);
+			if (!empty($plink)) {
+				$ret['href'] = DI::baseUrl()->remove($plink);
 				$ret['title'] = DI::l10n()->t('Link to source');
 			}
-		} elseif (!empty($item['plink']) && ($item['private'] != self::PRIVATE)) {
+		} elseif (!empty($plink) && ($item['private'] != self::PRIVATE)) {
 			$ret = [
-				'href' => $item['plink'],
-				'orig' => $item['plink'],
+				'href' => $plink,
+				'orig' => $plink,
 				'title' => DI::l10n()->t('Link to source'),
 				'orig_title' => DI::l10n()->t('Link to source'),
 			];
diff --git a/src/Protocol/ActivityPub/Receiver.php b/src/Protocol/ActivityPub/Receiver.php
index 98d40137a9..040104825b 100644
--- a/src/Protocol/ActivityPub/Receiver.php
+++ b/src/Protocol/ActivityPub/Receiver.php
@@ -37,6 +37,7 @@ use Friendica\Protocol\ActivityPub;
 use Friendica\Util\HTTPSignature;
 use Friendica\Util\JsonLD;
 use Friendica\Util\LDSignature;
+use Friendica\Util\Network;
 use Friendica\Util\Strings;
 
 /**
@@ -1533,6 +1534,10 @@ class Receiver
 			}
 		}
 
+		if (!empty($object_data['alternate-url']) && !Network::isValidHttpUrl($object_data['alternate-url'])) {
+			$object_data['alternate-url'] = null;
+		}
+
 		if (in_array($object_data['object_type'], ['as:Audio', 'as:Video'])) {
 			$object_data['alternate-url'] = self::extractAlternateUrl($object['as:url'] ?? []) ?: $object_data['alternate-url'];
 			$object_data['attachments'] = array_merge($object_data['attachments'], self::processAttachmentUrls($object['as:url'] ?? []));
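Review bot: The new validity check runs before the `as:Audio`/`as:Video` branch on the following lines, which can overwrite `$object_data['alternate-url']` with the result of `self::extractAlternateUrl()` after the check has already passed; if that helper does not itself verify scheme and host (not visible here), a non-HTTP value taken from `as:url` would reach the item unvalidated. Moving the three added lines to just after the `in_array(...)` block would cover both sources with one check. The enclosing function starts and ends outside this hunk.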
diff --git a/src/Util/Network.php b/src/Util/Network.php
index 7c7269fa8f..492d0ecac7 100644
--- a/src/Util/Network.php
+++ b/src/Util/Network.php
@@ -560,4 +560,15 @@ class Network
 	{
 		return (strpos(Strings::normaliseLink($url), Strings::normaliseLink(DI::baseUrl())) !== false);
 	}
+
+	/**
+	 * Check if the given URL is a valid HTTP/HTTPS URL
+	 *
+	 * @param string $url 
+	 * @return bool 
+	 */
+	public static function isValidHttpUrl(string $url)
+	{
+		return in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https']) && parse_url($url, PHP_URL_HOST);
+	}
 }
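Review bot: `in_array()` on the new method's return line is called without `strict: true`, and the scheme comparison is case-sensitive, so a URL written as `HTTP://…` is rejected even though schemes are case-insensitive; the method also has no `: bool` return type and parses the URL twice. Parsing once, lower-casing the scheme and comparing strictly fixes all three, and the docblock should state what "valid" means here: scheme is http or https and a host component is present, nothing about reachability or whether the host is local (callers pair it with `isLocalLink()` for that). The `@param`/`@return` lines also carry trailing whitespace and no descriptions.
```php
	/**
	 * Check whether the given URL has an http or https scheme and a host component.
	 *
	 * Only the URL's structure is checked: nothing is resolved or fetched, and
	 * local links are not excluded (see isLocalLink() for that).
	 *
	 * @param string $url URL to check
	 * @return bool true when the scheme is http/https and a host is present
	 */
	public static function isValidHttpUrl(string $url): bool
	{
		$parts = parse_url($url);
		if ($parts === false || empty($parts['host'])) {
			return false;
		}

		return in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true);
	}
```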