diff --git a/mod/parse_url.php b/mod/parse_url.php
index 3b2522ab12..7631a5a710 100644
--- a/mod/parse_url.php
+++ b/mod/parse_url.php
@@ -9,12 +9,14 @@
 *
 * @see ParseUrl::getSiteinfo() for more information about scraping embeddable content
 */
+
 use Friendica\App;
 use Friendica\Core\Hook;
 use Friendica\Core\Logger;
 use Friendica\Core\System;
 use Friendica\Util\Network;
 use Friendica\Util\ParseUrl;
+use Friendica\Util\Strings;
 function parse_url_content(App $a)
 {
@@ -25,10 +27,14 @@ function parse_url_content(App $a)
 $br = "\n";
- if (!empty($_GET['binurl'])) {
+ if (!empty($_GET['binurl']) && Strings::isHex($_GET['binurl'])) {
 $url = trim(hex2bin($_GET['binurl']));
- } else {
+ } elseif (!empty($_GET['url'])) {
 $url = trim($_GET['url']);
+ // fallback in case no url is valid
+ } else {
+ Logger::info('No url given');
+ exit();
 }
 if (!empty($_GET['title'])) {
diff --git a/mod/photos.php b/mod/photos.php
index 0524845b15..b904abe311 100644
--- a/mod/photos.php
+++ b/mod/photos.php
@@ -188,6 +188,9 @@ function photos_post(App $a)
 }
 if ($a->argc > 3 && $a->argv[2] === 'album') {
+ if (!Strings::isHex($a->argv[3])) {
+ $a->internalRedirect('photos/' . $a->data['user']['nickname'] . '/album');
+ }
 $album = hex2bin($a->argv[3]);
 if ($album === L10n::t('Profile Photos') || $album === 'Contact Photos' || $album === L10n::t('Contact Photos')) {
@@ -960,7 +963,7 @@ function photos_content(App $a)
 return;
 }
- $selname = $datum ? hex2bin($datum) : '';
+ $selname = Strings::isHex($datum) ? hex2bin($datum) : '';
 $albumselect = '';
@@ -1027,6 +1030,10 @@ function photos_content(App $a)
 // Display a single photo album
 if ($datatype === 'album') {
+ // if $datum is not a valid hex, redirect to the default page
+ if (!Strings::isHex($datum)) {
+ $a->internalRedirect('photos/' . $a->data['user']['nickname']. '/album');
+ }
 $album = hex2bin($datum);
 $total = 0;
diff --git a/src/Util/Strings.php b/src/Util/Strings.php
index 3f8990d6c1..88dd1d39f8 100644
--- a/src/Util/Strings.php
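Review bot: The new `else` branch ends the request with a bare `exit()`, so a call with neither `binurl` nor `url` returns an empty 200 response that a client cannot tell apart from a successful empty result; `System::httpExit(400)` (System is already imported at the top of this file) would make the rejection visible to clients and to the access log. `Strings::isHex()` only proves that `hex2bin()` can decode the value, so the decoded `$url` still has to be validated as an http(s) URL before anything is fetched — that part of parse_url_content lies outside the hunk. `!empty()` is also true for an array parameter (`?url[]=x`), in which case `trim($_GET['url'])` receives an array; `} elseif (!empty($_GET['url']) && is_string($_GET['url'])) {` closes that off, and the same `is_string()` test belongs in the `binurl` condition.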
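Review bot: The guard added before `hex2bin($a->argv[3])` in photos_post only works because `$a->internalRedirect()` never returns; as far as I can tell that holds in this codebase, but nothing in the hunk says so, and a reader may assume `$album` is reachable with an unvalidated value. A `return;` directly after the redirect, or a comment `// internalRedirect() terminates the request`, makes the control flow local; the same applies to the hunk at `@@ -1027,6 +1030,10 @@` in photos_content. The hunk calls `Strings::isHex()` but the diff adds no `use Friendica\Util\Strings;` to mod/photos.php — fine if the import already exists above the hunk, otherwise this is a fatal error on the first request with a fourth path segment. photos_post starts and ends outside the hunk.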
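Review bot: Within photos_content the two new checks disagree on what a malformed `$datum` means: at `@@ -960,7 +963,7 @@` an invalid value silently becomes an empty `$selname`, while the hunk at `@@ -1027,6 +1030,10 @@` redirects to the album overview. If the silent fallback is intentional here, a one-line comment such as `// non-hex $datum: no album preselected in the form` documents that; otherwise the redirect should apply here as well. The enclosing function starts and ends outside the hunk.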
+++ b/src/Util/Strings.php
@@ -31,6 +31,18 @@ class Strings
 return $return;
 }
+ /**
+ * Checks, if the given string is a valid hexadecimal code
+ *
+ * @param string $hexCode
+ *
+ * @return bool
+ */
+ public static function isHex($hexCode)
+ {
+ return !empty($hexCode) ? @preg_match("/^[a-f0-9]{2,}$/i", $hexCode) && !(strlen($hexCode) & 1) : false;
+ }
+
 /**
 * @brief This is our primary input filter.
 *
diff --git a/tests/src/Util/StringsTest.php b/tests/src/Util/StringsTest.php
index 666b76e57b..f926183108 100644
--- a/tests/src/Util/StringsTest.php
+++ b/tests/src/Util/StringsTest.php
@@ -82,4 +82,39 @@ class StringsTest extends TestCase
 $escapedString
 );
 }
+
+ public function dataIsHex()
+ {
+ return [
+ 'validHex' => [
+ 'input' => '90913473615bf00c122ac78338492980',
+ 'valid' => true,
+ ],
+ 'invalidHex' => [
+ 'input' => '90913473615bf00c122ac7833849293',
+ 'valid' => false,
+ ],
+ 'emptyHex' => [
+ 'input' => '',
+ 'valid' => false,
+ ],
+ 'nullHex' => [
+ 'input' => null,
+ 'valid' => false,
+ ],
+ ];
+ }
+
+ /**
+ * Tests if the string is a valid hexadecimal value
+ *
+ * @param string $input
+ * @param bool $valid
+ *
+ * @dataProvider dataIsHex
+ */
+ public function testIsHex($input, $valid)
+ {
+ $this->assertEquals($valid, Strings::isHex($input));
+ }
 }
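Review bot: `isHex()` accepts some strings that `hex2bin()` rejects: `$` in `/^[a-f0-9]{2,}$/i` also matches before a trailing newline, so `"abc\n"` passes the regex, has an even `strlen()` and is reported valid, after which `hex2bin()` in the callers warns and returns `false`. Anchoring with `\z` and letting the pattern enforce the even length removes the separate `strlen()` check: `return is_string($hexCode) && preg_match('/^(?:[a-f0-9]{2})+\z/i', $hexCode) === 1;`. The `@` on `preg_match()` hides the bad-argument warning on PHP 7 but not the `TypeError` PHP 8 throws for an array argument (`?binurl[]=x` in mod/parse_url.php reaches this code), which the `is_string()` test covers instead; `!empty()` can go as well, since `''` and `'0'` both fail the pattern. The docblock should also state that non-string input (including `null`, which the test passes) yields `false`.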
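Review bot: The `dataIsHex()` provider covers the happy path, an odd-length string, `''` and `null`, but not the inputs most likely to break `isHex()`: a value with a trailing newline (`"abc\n"` currently passes because `$` matches before a final newline), upper-case hex, and non-hex characters of even length. `assertSame` would also be more precise than `assertEquals` here, since `isHex()` is documented to return `bool` and `assertEquals` would accept `1`/`0` as well. Suggested additional provider entries, the newline case failing until the matcher is fixed:
```php
// … unchanged: existing dataIsHex entries …
'upperCaseHex' => [
    'input' => 'ABCDEF',
    'valid' => true,
],
'trailingNewline' => [
    'input' => "abc\n",
    'valid' => false,
],
'nonHexEvenLength' => [
    'input' => 'zz',
    'valid' => false,
],
```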