Fix information leakage by validating the URL scheme

[tweeper.git] / tweeper.php

diff --git a/tweeper.php b/tweeper.php
index d84094e..87efd60 100644 (file)
--- a/tweeper.php
+++ b/tweeper.php
@@ -89,6 +89,9 @@ class Tweeper {
       CURLOPT_USERAGENT => Tweeper::$userAgent,
     ));
     $contents = curl_exec($ch);
+    if (FALSE === $contents) {
+      trigger_error(curl_error($ch));
+    }
     curl_close($ch);
 
     return $contents;
@@ -111,6 +114,9 @@ class Tweeper {
     ));
     curl_exec($ch);
     $url_info = curl_getinfo($ch);
+    if (FALSE === $url_info) {
+      trigger_error(curl_error($ch));
+    }
     curl_close($ch);
 
     return $url_info;
@@ -121,7 +127,9 @@ class Tweeper {
    */
   public static function generateEnclosure($url) {
     $supported_content_types = array(
+      "application/octet-stream",
       "application/ogg",
+      "application/pdf",
       "audio/aac",
       "audio/mp4",
       "audio/mpeg",
@@ -132,17 +140,14 @@ class Tweeper {
       "audio/x-midi",
       "image/gif",
       "image/jpeg",
+      "image/png",
       "video/avi",
       "video/mp4",
       "video/mpeg",
       "video/ogg",
     );
 
-    // The RSS specification says that the enclosure element URL must be http.
-    // See http://sourceforge.net/p/feedvalidator/bugs/72/
-    $http_url = preg_replace("/^https/", "http", $url);
-
-    $url_info = Tweeper::getUrlInfo($http_url);
+    $url_info = Tweeper::getUrlInfo($url);
 
     $supported = in_array($url_info['content_type'], $supported_content_types);
     if (!$supported) {
@@ -150,15 +155,17 @@ class Tweeper {
       return '';
     }
 
-    $dom = new DomDocument();
+    // The RSS specification says that the enclosure element URL must be http.
+    // See http://sourceforge.net/p/feedvalidator/bugs/72/
+    $http_url = preg_replace("/^https/", "http", $url_info['url']);
+
+    $dom = new DOMDocument();
     $enc = $dom->createElement('enclosure');
-    $enc->setAttribute('url', $url_info['url']);
+    $enc->setAttribute('url', $http_url);
     $enc->setAttribute('length', $url_info['download_content_length']);
     $enc->setAttribute('type', $url_info['content_type']);
 
-    $dom->appendChild($enc);
-
-    return $dom->saveXML($enc);
+    return $enc;
   }
 
   /**
@@ -311,6 +318,12 @@ class Tweeper {
       return NULL;
     }
 
+    $scheme = $url["scheme"];
+    if (!in_array($scheme, array("http", "https"))) {
+      trigger_error("unsupported scheme: $scheme", E_USER_ERROR);
+      return NULL;
+    }
+
     // Strip the leading www. to be more forgiving on input URLs.
     $host = preg_replace('/^www\./', '', $url["host"]);
 
@@ -435,4 +448,8 @@ if (!isset($options['src_url'])) {
 }
 
 $tweeper = new Tweeper($options['generate_enclosure']);
-echo $tweeper->tweep($options['src_url']);
+$output = $tweeper->tweep($options['src_url']);
+if (is_null($output)) {
+  exit(1);
+}
+echo $output;