Fix information leakage by validating the URL scheme
diff --git
a/tweeper.php
b/tweeper.php
index
0955a11
..
87efd60
100644
(file)
--- a/
tweeper.php
+++ b/
tweeper.php
@@
-318,6
+318,12
@@
class Tweeper {
return NULL;
}
return NULL;
}
+ $scheme = $url["scheme"];
+ if (!in_array($scheme, array("http", "https"))) {
+ trigger_error("unsupported scheme: $scheme", E_USER_ERROR);
+ return NULL;
+ }
+
// Strip the leading www. to be more forgiving on input URLs.
$host = preg_replace('/^www\./', '', $url["host"]);
// Strip the leading www. to be more forgiving on input URLs.
$host = preg_replace('/^www\./', '', $url["host"]);