Fix information leakage by validating the URL scheme

[tweeper.git] / tweeper.php

diff --git a/tweeper.php b/tweeper.php
index 0955a11..87efd60 100644 (file)
--- a/tweeper.php
+++ b/tweeper.php
@@ -318,6 +318,12 @@ class Tweeper {
       return NULL;
     }
 
+    $scheme = $url["scheme"];
+    if (!in_array($scheme, array("http", "https"))) {
+      trigger_error("unsupported scheme: $scheme", E_USER_ERROR);
+      return NULL;
+    }
+
     // Strip the leading www. to be more forgiving on input URLs.
     $host = preg_replace('/^www\./', '', $url["host"]);