authorMikael Nordfeldth <mmn@hethane.se>2017-04-26 22:41:59 +0200
committerMikael Nordfeldth <mmn@hethane.se>2017-04-26 22:43:16 +0200
commite1df763940b3067ed06a8588ea3a309e6f655341 (patch)
treeb81d317978f00c9dc3e19f5aff544ed935ccb11a
parent839b3e7392ac584980a68852e1645b32df4156b7 (diff)
Test URLs against blacklist also on PuSH subscriptions.
-rw-r--r--plugins/Blacklist/BlacklistPlugin.php9
-rw-r--r--plugins/OStatus/actions/pushhub.php9
2 files changed, 14 insertions, 4 deletions
diff --git a/plugins/Blacklist/BlacklistPlugin.php b/plugins/Blacklist/BlacklistPlugin.php
index bad89f2457..9c73377508 100644
--- a/plugins/Blacklist/BlacklistPlugin.php
+++ b/plugins/Blacklist/BlacklistPlugin.php
@@ -249,6 +249,15 @@ class BlacklistPlugin extends Plugin
return true;
}
+ public function onUrlBlacklistTest($url)
+ {
+ common_debug('Checking URL against blacklist: '._ve($url));
+ if (!$this->_checkUrl($url)) {
+ throw new ClientException('Forbidden URL', 403);
+ }
+ return true;
+ }
+
/**
* Helper for checking nicknames
*
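Review bot: The new `onUrlBlacklistTest()` handler has no docblock, and its contract is not obvious: it signals rejection by throwing `ClientException` with code 403, never by returning false. The caller added in pushhub.php discards the event result, so the throw is the only thing enforcing the blacklist. I would add a docblock saying `@param string $url URL to test`, `@return true so later handlers still run` and `@throws ClientException (403) when the URL matches the blacklist`. The message `'Forbidden URL'` is also a bare literal, whereas the exception in pushhub.php goes through `_m()` with a `// TRANS:` comment; wrapping it the same way would keep client-visible errors consistent. Whether the match is robust to case or encoding variants depends on `_checkUrl()`, which is outside this hunk.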
diff --git a/plugins/OStatus/actions/pushhub.php b/plugins/OStatus/actions/pushhub.php
index be8076b75e..6dc22706c3 100644
--- a/plugins/OStatus/actions/pushhub.php
+++ b/plugins/OStatus/actions/pushhub.php
@@ -199,7 +199,7 @@ class PushHubAction extends Action
/**
* Grab and validate a URL from POST parameters.
- * @throws ClientException for malformed or non-http/https URLs
+ * @throws ClientException for malformed or non-http/https or blacklisted URLs
*/
protected function argUrl($arg)
{
@@ -207,13 +207,14 @@ class PushHubAction extends Action
$params = array('domain_check' => false, // otherwise breaks my local tests :P
'allowed_schemes' => array('http', 'https'));
$validate = new Validate();
- if ($validate->uri($url, $params)) {
- return $url;
- } else {
+ if (!$validate->uri($url, $params)) {
// TRANS: Client exception.
// TRANS: %1$s is this argument to the method this exception occurs in, %2$s is a URL.
throw new ClientException(sprintf(_m('Invalid URL passed for %1$s: "%2$s"'),$arg,$url));
}
+
+ Event::handle('UrlBlacklistTest', array($url));
+ return $url;
}
/**
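Review bot: The result of `Event::handle('UrlBlacklistTest', array($url))` is thrown away, so `argUrl()` rejects a URL only if a handler throws. A handler that vetoes by returning false would be ignored, and when the Blacklist plugin is not loaded the call passes every URL silently. Assuming `Event::handle()` returns false when a handler stops the chain, checking it closes that gap: `if (!Event::handle('UrlBlacklistTest', array($url))) { throw new ClientException(_m('Forbidden URL'), 403); }`. It is also worth a comment above the call noting that this is a denylist hook and that `'domain_check' => false` stays in effect, so syntactic validation plus the blacklist is the whole gate on PuSH URLs here. `argUrl()` begins in the previous hunk.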