From e1df763940b3067ed06a8588ea3a309e6f655341 Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Wed, 26 Apr 2017 22:41:59 +0200
Subject: [PATCH] Test URLs against blacklist also on PuSH subscriptions.
---
 plugins/Blacklist/BlacklistPlugin.php | 9 +++++++++
 plugins/OStatus/actions/pushhub.php | 9 +++++----
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/plugins/Blacklist/BlacklistPlugin.php b/plugins/Blacklist/BlacklistPlugin.php
index bad89f2457..9c73377508 100644
--- a/plugins/Blacklist/BlacklistPlugin.php
+++ b/plugins/Blacklist/BlacklistPlugin.php
@@ -249,6 +249,15 @@ class BlacklistPlugin extends Plugin
 return true;
 }
 
+ public function onUrlBlacklistTest($url)
+ {
+ common_debug('Checking URL against blacklist: '._ve($url));
+ if (!$this->_checkUrl($url)) {
+ throw new ClientException('Forbidden URL', 403);
+ }
+ return true;
+ }
+
 /**
 * Helper for checking nicknames
 *
diff --git a/plugins/OStatus/actions/pushhub.php b/plugins/OStatus/actions/pushhub.php
index be8076b75e..6dc22706c3 100644
--- a/plugins/OStatus/actions/pushhub.php
+++ b/plugins/OStatus/actions/pushhub.php
@@ -199,7 +199,7 @@ class PushHubAction extends Action
 
 /**
 * Grab and validate a URL from POST parameters.
- * @throws ClientException for malformed or non-http/https URLs
+ * @throws ClientException for malformed or non-http/https or blacklisted URLs
 */
 protected function argUrl($arg)
 {
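Review bot: `onUrlBlacklistTest()` in BlacklistPlugin.php is added without a docblock, although it rejects a URL by throwing `ClientException` with code 403 rather than through its return value, which other plugins hooking this event need to know. A short docblock giving the `$url` parameter, the `@throws ClientException` and the fact that `true` means the URL passed would cover it. The message is a bare literal, while the exception in pushhub.php goes through `_m()` with a `// TRANS:` comment; `throw new ClientException(_m('Forbidden URL'), 403);` would be consistent. `_checkUrl()` is outside the hunk, so whether it normalises host case or encoding before matching cannot be judged here and is worth confirming.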
@@ -207,13 +207,14 @@ class PushHubAction extends Action
 $params = array('domain_check' => false, // otherwise breaks my local tests :P
 'allowed_schemes' => array('http', 'https'));
 $validate = new Validate();
- if ($validate->uri($url, $params)) {
- return $url;
- } else {
+ if (!$validate->uri($url, $params)) {
 // TRANS: Client exception.
 // TRANS: %1$s is this argument to the method this exception occurs in, %2$s is a URL.
 throw new ClientException(sprintf(_m('Invalid URL passed for %1$s: "%2$s"'),$arg,$url));
 }
+
+ Event::handle('UrlBlacklistTest', array($url));
+ return $url;
 }
 
 /**
-- 
2.39.5
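Review bot: The result of `Event::handle('UrlBlacklistTest', array($url))` is discarded, so `argUrl()` refuses a URL only when a handler throws. With the Blacklist plugin disabled nothing is tested, and if another handler for this event ends the chain by returning false (which Event::handle appears to allow), the blacklist handler may never run and the URL is still returned. If throwing is the intended contract, say so at the call site, for example `// Handlers reject by throwing ClientException; the return value is deliberately ignored.` The start of `argUrl()` lies outside this hunk.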