Browse Source

* sanitize: never rewrite relative links to our own prefix

* use Config::get_self_url() instead of get_self_url_prefix() in a bunch
of places
master
Andrew Dolgov 1 year ago
parent
commit
70adfd4a74
  1. 2
      classes/diskcache.php
  2. 12
      classes/handler/public.php
  3. 2
      classes/opml.php
  4. 6
      classes/pluginhost.php
  5. 2
      classes/pref/feeds.php
  6. 6
      classes/rpc.php
  7. 4
      classes/sanitizer.php
  8. 2
      include/functions.php
  9. 2
      plugins/bookmarklets/init.php

2
classes/diskcache.php

@ -273,7 +273,7 @@ class DiskCache {
}
public function get_url($filename) {
return get_self_url_prefix() . "/public.php?op=cached&file=" . basename($this->dir) . "/" . basename($filename);
return Config::get_self_url() . "/public.php?op=cached&file=" . basename($this->dir) . "/" . basename($filename);
}
// check for locally cached (media) URLs and rewrite to local versions

12
classes/handler/public.php

@ -64,7 +64,7 @@ class Handler_Public extends Handler {
$feed_site_url = $qfh_ret[2];
/* $last_error = $qfh_ret[3]; */
$feed_self_url = get_self_url_prefix() .
$feed_self_url = Config::get_self_url() .
"/public.php?op=rss&id=$feed&key=" .
Feeds::_get_access_key($feed, false, $owner_uid);
@ -177,10 +177,8 @@ class Handler_Public extends Handler {
$feed['title'] = $feed_title;
$feed['feed_url'] = $feed_self_url;
$feed['self_url'] = get_self_url_prefix();
$feed['articles'] = array();
$feed['self_url'] = Config::get_self_url();
$feed['articles'] = [];
while ($line = $result->fetch()) {
@ -403,7 +401,7 @@ class Handler_Public extends Handler {
if ($_REQUEST['return'] && mb_strpos($return, Config::get(Config::SELF_URL_PATH)) === 0) {
header("Location: " . clean($_REQUEST['return']));
} else {
header("Location: " . get_self_url_prefix());
header("Location: " . Config::get_self_url());
}
}
}
@ -780,7 +778,7 @@ class Handler_Public extends Handler {
$timestamp = date("Y-m-d", strtotime($timestamp));
return "tag:" . parse_url(get_self_url_prefix(), PHP_URL_HOST) . ",$timestamp:/$id";
return "tag:" . parse_url(Config::get_self_url(), PHP_URL_HOST) . ",$timestamp:/$id";
}
// this should be used very carefully because this endpoint is exposed to unauthenticated users

2
classes/opml.php

@ -635,7 +635,7 @@ class OPML extends Handler_Protected {
}
static function get_publish_url(){
return get_self_url_prefix() .
return Config::get_self_url() .
"/public.php?op=publishOpml&key=" .
Feeds::_get_access_key('OPML:Publish', false, $_SESSION["uid"]);
}

6
classes/pluginhost.php

@ -609,7 +609,7 @@ class PluginHost {
// handled by classes/pluginhandler.php, requires valid session
function get_method_url(Plugin $sender, string $method, $params = []) {
return get_self_url_prefix() . "/backend.php?" .
return Config::get_self_url() . "/backend.php?" .
http_build_query(
array_merge(
[
@ -622,7 +622,7 @@ class PluginHost {
// shortcut syntax (disabled for now)
/* function get_method_url(Plugin $sender, string $method, $params) {
return get_self_url_prefix() . "/backend.php?" .
return Config::get_self_url() . "/backend.php?" .
http_build_query(
array_merge(
[
@ -634,7 +634,7 @@ class PluginHost {
// WARNING: endpoint in public.php, exposed to unauthenticated users
function get_public_method_url(Plugin $sender, string $method, $params = []) {
if ($sender->is_public_method($method)) {
return get_self_url_prefix() . "/public.php?" .
return Config::get_self_url() . "/public.php?" .
http_build_query(
array_merge(
[

2
classes/pref/feeds.php

@ -1278,7 +1278,7 @@ class Pref_Feeds extends Handler_Protected {
$is_cat = clean($_REQUEST['is_cat']) == "true";
$search = clean($_REQUEST['search']);
$link = get_self_url_prefix() . "/public.php?" . http_build_query([
$link = Config::get_self_url() . "/public.php?" . http_build_query([
'op' => 'rss',
'id' => $feed_id,
'is_cat' => (int)$is_cat,

6
classes/rpc.php

@ -175,7 +175,7 @@ class RPC extends Handler_Protected {
$error_params = [];
$client_scheme = parse_url($client_location, PHP_URL_SCHEME);
$server_scheme = parse_url(get_self_url_prefix(), PHP_URL_SCHEME);
$server_scheme = parse_url(Config::get_self_url(), PHP_URL_SCHEME);
if (get_schema_version() != SCHEMA_VERSION) {
$error = Errors::E_SCHEMA_MISMATCH;
@ -183,7 +183,7 @@ class RPC extends Handler_Protected {
$error = Errors::E_URL_SCHEME_MISMATCH;
$error_params["client_scheme"] = $client_scheme;
$error_params["server_scheme"] = $server_scheme;
$error_params["self_url_path"] = get_self_url_prefix();
$error_params["self_url_path"] = Config::get_self_url();
}
if ($error == Errors::E_SUCCESS) {
@ -463,7 +463,7 @@ class RPC extends Handler_Protected {
$max_feed_id = $row["mid"];
$num_feeds = $row["nf"];
$params["self_url_prefix"] = get_self_url_prefix();
$params["self_url_prefix"] = Config::get_self_url();
$params["max_feed_id"] = (int) $max_feed_id;
$params["num_feeds"] = (int) $num_feeds;
$params["hotkeys"] = $this->get_hotkeys_map();

4
classes/sanitizer.php

@ -64,7 +64,9 @@ class Sanitizer {
$doc->loadHTML('<?xml encoding="UTF-8">' . $res);
$xpath = new DOMXPath($doc);
$rewrite_base_url = $site_url ? $site_url : get_self_url_prefix();
// is it a good idea to possibly rewrite urls to our own prefix?
// $rewrite_base_url = $site_url ? $site_url : Config::get_self_url();
$rewrite_base_url = $site_url ? $site_url : "http://domain.invalid/";
$entries = $xpath->query('(//a[@href]|//img[@src]|//source[@srcset|@src])');

2
include/functions.php

@ -217,7 +217,7 @@
}
// this returns Config::SELF_URL_PATH sans ending slash
/** function is @deprecated */
/** function is @deprecated by Config::get_self_url() */
function get_self_url_prefix() {
return Config::get_self_url();
}

2
plugins/bookmarklets/init.php

@ -146,7 +146,7 @@ class Bookmarklets extends Plugin {
if ($feed_id) {
?>
<form method='GET' action="<?= htmlspecialchars(get_self_url_prefix() . "/prefs.php") ?>">
<form method='GET' action="<?= htmlspecialchars(Config::get_self_url() . "/prefs.php") ?>">
<input type='hidden' name='tab' value='feeds'>
<input type='hidden' name='method' value='editfeed'>
<input type='hidden' name='methodparam' value="<?= $feed_id ?>">

Loading…
Cancel
Save