diff options
author | Lukas Fleischer <lfleischer@archlinux.org> | 2017-11-05 08:48:25 +0100 |
---|---|---|
committer | Lukas Fleischer <lfleischer@archlinux.org> | 2017-11-05 08:55:24 +0100 |
commit | 4efba18f8688431fae58ae1b826b80f95957aec8 (patch) | |
tree | ec3d330eaec591c08fa0431c81b93c99ed357128 /web/lib | |
parent | c859e371b0b94bb7ac2db7f7dfaf742a4a1fc6d9 (diff) | |
download | aur-4efba18f8688431fae58ae1b826b80f95957aec8.tar.gz aur-4efba18f8688431fae58ae1b826b80f95957aec8.tar.xz |
Only allow valid HTTP(s) URLs as home page
The home page specified in the account settings is converted to a
clickable link on the user's profile. Make sure it is a valid URL which
uses the http or https scheme.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web/lib')
-rw-r--r-- | web/lib/acctfuncs.inc.php | 4 | ||||
-rw-r--r-- | web/lib/aur.inc.php | 20 |
2 files changed, 24 insertions, 0 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index bdcaaa82..b8d9dc54 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -162,6 +162,10 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" $error = __("The email address is invalid."); } + if (!$error && !valid_homepage($HP)) { + $error = __("The home page is invalid, please specify the full HTTP(s) URL."); + } + if (!$error && $K != '' && !valid_pgp_fingerprint($K)) { $error = __("The PGP key fingerprint is invalid."); } diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 6cd04515..feb4006b 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -151,6 +151,26 @@ function valid_email($addy) { } /** + * Verify that a given URL is valid and uses the HTTP(s) protocol + * + * @param string $url URL of the home page to be validated + * + * @return bool True if URL passes validity checks, false otherwise + */ +function valid_homepage($url) { + if (filter_var($url, FILTER_VALIDATE_URL) === false) { + return false; + } + + $url_components = parse_url($url); + if (!in_array($url_components['scheme'], array('http', 'https'))) { + return false; + } + + return true; +} + +/** * Generate a unique session ID * * @return string MD5 hash of the concatenated user IP, random number, and current time |