Fix information leakage by validating the URL scheme
diff --git
a/tweeper.php
b/tweeper.php
index
fc3a3ef
..
87efd60
100644
(file)
--- a/
tweeper.php
+++ b/
tweeper.php
@@
-89,6
+89,9
@@
class Tweeper {
CURLOPT_USERAGENT => Tweeper::$userAgent,
));
$contents = curl_exec($ch);
CURLOPT_USERAGENT => Tweeper::$userAgent,
));
$contents = curl_exec($ch);
+ if (FALSE === $contents) {
+ trigger_error(curl_error($ch));
+ }
curl_close($ch);
return $contents;
curl_close($ch);
return $contents;
@@
-111,6
+114,9
@@
class Tweeper {
));
curl_exec($ch);
$url_info = curl_getinfo($ch);
));
curl_exec($ch);
$url_info = curl_getinfo($ch);
+ if (FALSE === $url_info) {
+ trigger_error(curl_error($ch));
+ }
curl_close($ch);
return $url_info;
curl_close($ch);
return $url_info;
@@
-312,6
+318,12
@@
class Tweeper {
return NULL;
}
return NULL;
}
+ $scheme = $url["scheme"];
+ if (!in_array($scheme, array("http", "https"))) {
+ trigger_error("unsupported scheme: $scheme", E_USER_ERROR);
+ return NULL;
+ }
+
// Strip the leading www. to be more forgiving on input URLs.
$host = preg_replace('/^www\./', '', $url["host"]);
// Strip the leading www. to be more forgiving on input URLs.
$host = preg_replace('/^www\./', '', $url["host"]);
@@
-436,4
+448,8
@@
if (!isset($options['src_url'])) {
}
$tweeper = new Tweeper($options['generate_enclosure']);
}
$tweeper = new Tweeper($options['generate_enclosure']);
-echo $tweeper->tweep($options['src_url']);
+$output = $tweeper->tweep($options['src_url']);
+if (is_null($output)) {
+ exit(1);
+}
+echo $output;
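Review bot: In the third hunk, `$scheme = $url["scheme"];` reads the key unconditionally, so a parsed URL with no scheme (a scheme-relative `//host/path` or a bare host) raises an undefined-index notice; `$scheme` is then NULL, which `in_array()` rejects, so the new allow-list fails closed but noisily, and an upper-case `HTTP://` is rejected even though it is the same scheme. Reading the key defensively and comparing strictly keeps the same allow-list: `$scheme = isset($url["scheme"]) ? strtolower($url["scheme"]) : '';` and `if (!in_array($scheme, array("http", "https"), TRUE)) {`. Also, `trigger_error()` with E_USER_ERROR terminates the script unless a custom error handler has been installed, so the `return NULL;` that follows is only reached under such a handler; if the intent is for the caller's new `is_null($output)` check in the fourth hunk to handle the rejection, E_USER_WARNING would be the consistent level (the handler setup, if any, is outside this diff). The enclosing method starts and ends outside the hunk.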