provide allow list of friend sites for education/corporate environments,
pattern matchable
This commit is contained in:
parent
2c96ad7739
commit
38fde6672e
2 changed files with 50 additions and 5 deletions
44
boot.php
44
boot.php
|
@ -782,16 +782,54 @@ function get_uid() {
|
|||
}}
|
||||
|
||||
if(! function_exists('validate_url')) {
|
||||
function validate_url($url) {
|
||||
function validate_url(&$url) {
|
||||
if(substr($url,0,4) != 'http')
|
||||
$url = 'http://' . $url;
|
||||
$h = parse_url($url);
|
||||
|
||||
if(! $h)
|
||||
if(! $h) {
|
||||
return false;
|
||||
if(! checkdnsrr($h['host'], 'ANY'))
|
||||
}
|
||||
if(! checkdnsrr($h['host'], 'ANY')) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}}
|
||||
|
||||
if(! function_exists('allowed_url')) {
|
||||
function allowed_url($url) {
|
||||
|
||||
$h = parse_url($url);
|
||||
|
||||
if(! $h) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$str_allowed = get_config('system','allowed_sites');
|
||||
if(! $str_allowed)
|
||||
return true;
|
||||
|
||||
$found = false;
|
||||
|
||||
$host = strtolower($h['host']);
|
||||
|
||||
// always allow our own site
|
||||
|
||||
if($host == strtolower($_SERVER['SERVER_NAME']))
|
||||
return true;
|
||||
|
||||
$fnmatch = function_exists('fnmatch');
|
||||
$allowed = explode(',',$str_allowed);
|
||||
|
||||
if(count($allowed)) {
|
||||
foreach($allowed as $a) {
|
||||
$pat = strtolower(trim($a));
|
||||
if(($fnmatch && fnmatch($pat,$host)) || ($pat == $host)) {
|
||||
$found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
return $found;
|
||||
}}
|
||||
|
||||
|
|
|
@ -134,7 +134,7 @@ function dfrn_request_post(&$a) {
|
|||
|
||||
// invalid/bogus request
|
||||
|
||||
notice( t("Unrecoverable protocol error.") . EOL );
|
||||
notice( t('Unrecoverable protocol error.') . EOL );
|
||||
goaway($a->get_baseurl());
|
||||
return; // NOTREACHED
|
||||
}
|
||||
|
@ -220,6 +220,13 @@ function dfrn_request_post(&$a) {
|
|||
return; // NOTREACHED
|
||||
}
|
||||
|
||||
if(! allowed_url($url)) {
|
||||
notice( t('Disallowed profile URL.') . EOL);
|
||||
goaway($a->get_baseurl() . '/' . $a->cmd);
|
||||
return; // NOTREACHED
|
||||
}
|
||||
|
||||
|
||||
require_once('Scrape.php');
|
||||
|
||||
$parms = scrape_dfrn($url);
|
||||
|
@ -301,7 +308,7 @@ function dfrn_request_post(&$a) {
|
|||
// This notice will only be seen by the requestor if the requestor and requestee are on the same server.
|
||||
|
||||
if(! $failed)
|
||||
notice( t("Your introduction has been sent.") . EOL );
|
||||
notice( t('Your introduction has been sent.') . EOL );
|
||||
|
||||
// "Homecoming" - send the requestor back to their site to record the introduction.
|
||||
|
||||
|
|
Loading…
Reference in a new issue