Merge pull request #8648 from annando/annando/issue8565

Issue 8565: Sanitize input data
2020-05-17 11:40:18 -04:00 · 2020-05-17 11:40:18 -04:00 · 8a96fe6d7f
parent 90b1355555 bc26c980f0
commit 8a96fe6d7f
1 changed files with 9 additions and 0 deletions
--- a/src/Model/GServer.php
+++ b/src/Model/GServer.php
@ -353,6 +353,15 @@ class GServer
 			return;
 		}

+		// Sanitize incoming data, see https://github.com/friendica/friendica/issues/8565
+		$data['subscribe'] = (bool)$data['subscribe'] ?? false;
+
+		if (!$data['subscribe'] || empty($data['scope']) || !in_array(strtolower($data['scope']), ['all', 'tags'])) {
+			$data['scope'] = '';
+			$data['subscribe'] = false;
+			$data['tags'] = [];
+		}
+
 		$gserver = DBA::selectFirst('gserver', ['id', 'relay-subscribe', 'relay-scope'], ['nurl' => Strings::normaliseLink($server_url)]);
 		if (!DBA::isResult($gserver)) {
 			return;