From 3de540d1d101ee376ce6e50969aea2482a87b202 Mon Sep 17 00:00:00 2001
From: Philipp Holzer
Date: Wed, 29 May 2019 20:28:25 +0200
Subject: [PATCH 1/5] Adding hexadecimal check for photos
see https://github.com/friendica/friendica/issues/6917#issuecomment-492798238
---
 mod/photos.php | 4 ++++
 src/Util/Strings.php | 12 ++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/mod/photos.php b/mod/photos.php
index b18c06e2a..6a84e6138 100644
--- a/mod/photos.php
+++ b/mod/photos.php
@@ -1027,6 +1027,10 @@ function photos_content(App $a)
 // Display a single photo album
 if ($datatype === 'album') {
+ // if $datum is not a valid hex, redirect to the default page
+ if (!Strings::isHex($datum)) {
+ $a->internalRedirect();
+ }
 $album = hex2bin($datum);
 $total = 0;
diff --git a/src/Util/Strings.php b/src/Util/Strings.php
index 3f8990d6c..14fbde899 100644
--- a/src/Util/Strings.php
+++ b/src/Util/Strings.php
@@ -31,6 +31,18 @@ class Strings
 return $return;
 }
+ /**
+ * Checks, if the given string is a valid hexadecimal code
+ *
+ * @param string $hexCode
+ *
+ * @return bool
+ */
+ public static function isHex($hexCode)
+ {
+ return @preg_match("/^[a-f0-9]{2,}$/i", $hexCode) && !(strlen($hexCode) & 1);
+ }
+
 /**
 * @brief This is our primary input filter.
 *
From 392137b433a477b1aeda016e867c26d95fbbe2dd Mon Sep 17 00:00:00 2001
From: Philipp Holzer
Date: Wed, 29 May 2019 20:32:16 +0200
Subject: [PATCH 2/5] Adding hexadecimal check for parse_rul
see https://github.com/friendica/friendica/issues/6917#issuecomment-475461338
---
 mod/parse_url.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/mod/parse_url.php b/mod/parse_url.php
index 3b2522ab1..f4fb2d06a 100644
--- a/mod/parse_url.php
+++ b/mod/parse_url.php
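Review bot: The new guard calls `Strings::isHex` from mod/photos.php, but this hunk adds no `use Friendica\Util\Strings;` for that file, while the parse_url.php change in the next patch does need one; confirm photos.php already imports the class, otherwise the first album request fails with an undefined-class error. The guard also relies on `$a->internalRedirect()` not returning, which I cannot verify from here; an explicit `return;` after the call would keep `hex2bin($datum)` unreachable regardless of how the redirect is implemented. The same pattern is added to photos_post in patch 3 (`@@ -188,6 +188,9 @@` of mod/photos.php) and the remark applies there too. photos_content continues outside the hunk.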
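Review bot: The pattern's `$` also matches before a string-final newline, so a subject like `"abc\n"` passes `preg_match` and has an even byte length (4), making isHex() return true for input that `hex2bin()` then rejects with a warning; anchoring with `\z` (or the `D` modifier) closes that, and a `{2}` group folds the even-length test into the pattern: `return is_string($hexCode) && preg_match('/^(?:[a-f0-9]{2})+\z/i', $hexCode) === 1;`. The `is_string` guard replaces the `@`, which currently only hides the warning preg_match raises for a non-string subject such as an array from a query string. The same return line is rewritten again in patch 3 (`@@ -40,7 +40,7 @@` of src/Util/Strings.php) and the fix applies there as well.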
@@ -9,12 +9,14 @@
 *
 * @see ParseUrl::getSiteinfo() for more information about scraping embeddable content
 */
+
 use Friendica\App;
 use Friendica\Core\Hook;
 use Friendica\Core\Logger;
 use Friendica\Core\System;
 use Friendica\Util\Network;
 use Friendica\Util\ParseUrl;
+use Friendica\Util\Strings;
 function parse_url_content(App $a)
 {
@@ -25,10 +27,13 @@ function parse_url_content(App $a)
 $br = "\n";
- if (!empty($_GET['binurl'])) {
+ if (!empty($_GET['binurl']) && Strings::isHex($_GET['binurl'])) {
 $url = trim(hex2bin($_GET['binurl']));
- } else {
+ } elseif (!empty($_GET['url'])) {
 $url = trim($_GET['url']);
+ // fallback in case no url is valid
+ } else {
+ $a->internalRedirect();
 }
 if (!empty($_GET['title'])) {
From 4c5dd9f47c538e70ae4348b74948c83d91ab6ff4 Mon Sep 17 00:00:00 2001
From: Philipp Holzer
Date: Thu, 30 May 2019 10:30:15 +0200
Subject: [PATCH 3/5] Add more Strings::isHex() checks to photos
---
 mod/photos.php | 5 ++++-
 src/Util/Strings.php | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/mod/photos.php b/mod/photos.php
index 6a84e6138..07693742c 100644
--- a/mod/photos.php
+++ b/mod/photos.php
@@ -188,6 +188,9 @@ function photos_post(App $a)
 }
 if ($a->argc > 3 && $a->argv[2] === 'album') {
+ if (!Strings::isHex($a->argv[3])) {
+ $a->internalRedirect();
+ }
 $album = hex2bin($a->argv[3]);
 if ($album === L10n::t('Profile Photos') || $album === 'Contact Photos' || $album === L10n::t('Contact Photos')) {
@@ -960,7 +963,7 @@ function photos_content(App $a)
 return;
 }
- $selname = $datum ? hex2bin($datum) : '';
+ $selname = Strings::isHex($datum) ? hex2bin($datum) : '';
 $albumselect = '';
diff --git a/src/Util/Strings.php b/src/Util/Strings.php
index 14fbde899..88dd1d39f 100644
--- a/src/Util/Strings.php
+++ b/src/Util/Strings.php
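Review bot: The comment `// fallback in case no url is valid` is placed as the last line of the `elseif` body, but it describes the `else` branch below it; move it under `} else {`. The `url` branch is also the only one without a type check: `!empty($_GET['url'])` accepts an array (`?url[]=x`), which `trim()` then rejects (warning on PHP 7, TypeError on PHP 8), whereas an array `binurl` is already caught because isHex() fails on it; `} elseif (!empty($_GET['url']) && is_string($_GET['url'])) {` routes that case into the fallback as well. parse_url_content continues outside the hunk.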
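Review bot: `$selname = Strings::isHex($datum) ? hex2bin($datum) : '';` silently maps an invalid `$datum` to the empty selection, while the album branch of photos_content redirects on the same condition; if that difference is intentional (presumably this is a form where "no album preselected" is a valid state), a short comment such as `// a missing or malformed album hex just means no preselection` would keep the next reader from aligning it with the redirecting sites. photos_content continues outside the hunk.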
@@ -40,7 +40,7 @@ class Strings
 */
 public static function isHex($hexCode)
 {
- return @preg_match("/^[a-f0-9]{2,}$/i", $hexCode) && !(strlen($hexCode) & 1);
+ return !empty($hexCode) ? @preg_match("/^[a-f0-9]{2,}$/i", $hexCode) && !(strlen($hexCode) & 1) : false;
 }
 /**
From 0115329dc6a21366905fca494874c77269b507d5 Mon Sep 17 00:00:00 2001
From: Philipp Holzer
Date: Thu, 30 May 2019 12:26:29 +0200
Subject: [PATCH 4/5] Add test for Strings::isHex()
---
 tests/src/Util/StringsTest.php | 35 ++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/tests/src/Util/StringsTest.php b/tests/src/Util/StringsTest.php
index 666b76e57..f92618310 100644
--- a/tests/src/Util/StringsTest.php
+++ b/tests/src/Util/StringsTest.php
@@ -82,4 +82,39 @@ class StringsTest extends TestCase
 $escapedString
 );
 }
+ public function dataIsHex()
+ {
+ return [
+ 'validHex' => [
+ 'input' => '90913473615bf00c122ac78338492980',
+ 'valid' => true,
+ ],
+ 'invalidHex' => [
+ 'input' => '90913473615bf00c122ac7833849293',
+ 'valid' => false,
+ ],
+ 'emptyHex' => [
+ 'input' => '',
+ 'valid' => false,
+ ],
+ 'nullHex' => [
+ 'input' => null,
+ 'valid' => false,
+ ],
+ ];
+ }
+ /**
+ * Tests if the string is a valid hexadecimal value
+ *
+ * @param string $input
+ * @param bool $valid
+ *
+ * @dataProvider dataIsHex
+ */
+ public function testIsHex($input, $valid)
+ {
+ $this->assertEquals($valid, Strings::isHex($input));
+ }
 }
From 03ca26f0c438446bd3747c50893970171dfff8cd Mon Sep 17 00:00:00 2001
From: Philipp Holzer
Date: Thu, 30 May 2019 13:45:39 +0200
Subject: [PATCH 5/5] Change fallback logic
---
 mod/parse_url.php | 3 ++-
 mod/photos.php | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/mod/parse_url.php b/mod/parse_url.php
index f4fb2d06a..7631a5a71 100644
--- a/mod/parse_url.php
+++ b/mod/parse_url.php
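Review bot: The `!empty($hexCode) ? … : false` wrapper is presumably there to stop `preg_match` from warning on a null subject, but `!empty` is a truthiness test and the real expression stays `@`-suppressed; `is_string($hexCode) && …` states the intent directly, rejects arrays as well, and lets the `@` go: `return is_string($hexCode) && preg_match('/^(?:[a-f0-9]{2})+\z/i', $hexCode) === 1;`. The `\z` anchor is needed because `$` matches before a trailing newline, so `"abc\n"` currently passes both the regex and the even-length check. The method's docblock (`@param string $hexCode`) starts above the hunk and should say the argument may be null or non-string if callers keep passing raw request values.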
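Review bot: The `invalidHex` dataset only covers an odd-length string (31 characters of otherwise valid hex); nothing exercises a subject with non-hex characters, upper-case digits, or a trailing newline, so a regex regression would pass unnoticed. Add datasets such as `'nonHexChars' => ['input' => 'zz', 'valid' => false]`, `'upperCase' => ['input' => 'ABCD', 'valid' => true]` and `'trailingNewline' => ['input' => "abc\n", 'valid' => false]`; the last one fails against the current pattern until its `$` is replaced by `\z`, which is the defect it documents. `assertSame` instead of `assertEquals` would also pin the `bool` return, and the `@param string $input` docblock should read `@param string|null $input` since the `nullHex` dataset passes null.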
@@ -33,7 +33,8 @@ function parse_url_content(App $a)
 $url = trim($_GET['url']);
 // fallback in case no url is valid
 } else {
- $a->internalRedirect();
+ Logger::info('No url given');
+ exit();
 }
 if (!empty($_GET['title'])) {
diff --git a/mod/photos.php b/mod/photos.php
index 07693742c..5dcb21a9d 100644
--- a/mod/photos.php
+++ b/mod/photos.php
@@ -189,7 +189,7 @@ function photos_post(App $a)
 if ($a->argc > 3 && $a->argv[2] === 'album') {
 if (!Strings::isHex($a->argv[3])) {
- $a->internalRedirect();
+ $a->internalRedirect('photos/' . $a->data['user']['nickname'] . '/album');
 }
 $album = hex2bin($a->argv[3]);
@@ -1032,7 +1032,7 @@ function photos_content(App $a)
 if ($datatype === 'album') {
 // if $datum is not a valid hex, redirect to the default page
 if (!Strings::isHex($datum)) {
- $a->internalRedirect();
+ $a->internalRedirect('photos/' . $a->data['user']['nickname']. '/album');
 }
 $album = hex2bin($datum);
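Review bot: `exit();` after the log line ends the request with whatever status is already in effect (presumably a 200 with an empty body), so a caller that sent no usable `url` cannot tell "bad request" from "nothing found"; setting an explicit 4xx status before exiting — `System` is already imported in this file, if it offers an HTTP-exit helper — would make the fallback diagnosable. The message `'No url given'` is also logged when a `binurl` was supplied but failed the hex check, so `Logger::info('No valid url given');` would describe both paths. parse_url_content continues outside the hunk.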
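Review bot: The redirect target `'photos/' . $a->data['user']['nickname'] . '/album'` is built inline here and again in the `@@ -1032,7 +1032,7 @@` hunk of this file, where it is spelled `$a->data['user']['nickname']. '/album'` (no space before the concatenation dot); building it once in a small local helper would keep the two in sync and fix the spacing. Both sites read `$a->data['user']['nickname']`, and I cannot see where `$a->data['user']` is populated, so confirm it is set before these guards run — otherwise the redirect goes to `photos//album` with a notice. photos_post and photos_content both continue outside their hunks.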