Validate OStatus avatar URL before fetching.

diff --git a/plugins/OStatus/classes/Ostatus_profile.php b/plugins/OStatus/classes/Ostatus_profile.php
index e77c8f7e920fce19736c3ffb9af4bdb2cca7a3e8..e0e0223b8f950cd4382104790b1f489a54cd910a 100644 (file)
--- a/plugins/OStatus/classes/Ostatus_profile.php
+++ b/plugins/OStatus/classes/Ostatus_profile.php
@@ -839,8 +839,8 @@ class Ostatus_profile extends Memcached_DataObject
     }
 
     /**
-     *
      * Download and update given avatar image
+     *
      * @param string $url
      * @throws Exception in various failure cases
      */
@@ -850,6 +850,9 @@ class Ostatus_profile extends Memcached_DataObject
             // We've already got this one.
             return;
         }
+        if (!common_valid_http_url($url)) {
+            throw new ServerException(_m("Invalid avatar URL %s"), $url);
+        }
 
         if ($this->isGroup()) {
             $self = $this->localGroup();