Merge pull request #11390 from annando/plink

Only use and accept valid http links as links to an external resource
This commit is contained in:
Hypolite Petovan 2022-04-04 10:58:37 -04:00 committed by GitHub
commit 8ab477320a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 5 deletions

View File

@ -3191,6 +3191,12 @@ class Item
*/ */
public static function getPlink($item) public static function getPlink($item)
{ {
if (Network::isValidHttpUrl($item['plink'])) {
$plink = $item['plink'];
} elseif (Network::isValidHttpUrl($item['uri']) && !Network::isLocalLink($item['uri'])) {
$plink = $item['uri'];
}
if (local_user()) { if (local_user()) {
$ret = [ $ret = [
'href' => "display/" . $item['guid'], 'href' => "display/" . $item['guid'],
@ -3199,14 +3205,14 @@ class Item
'orig_title' => DI::l10n()->t('View on separate page'), 'orig_title' => DI::l10n()->t('View on separate page'),
]; ];
if (!empty($item['plink'])) { if (!empty($plink)) {
$ret['href'] = DI::baseUrl()->remove($item['plink']); $ret['href'] = DI::baseUrl()->remove($plink);
$ret['title'] = DI::l10n()->t('Link to source'); $ret['title'] = DI::l10n()->t('Link to source');
} }
} elseif (!empty($item['plink']) && ($item['private'] != self::PRIVATE)) { } elseif (!empty($plink) && ($item['private'] != self::PRIVATE)) {
$ret = [ $ret = [
'href' => $item['plink'], 'href' => $plink,
'orig' => $item['plink'], 'orig' => $plink,
'title' => DI::l10n()->t('Link to source'), 'title' => DI::l10n()->t('Link to source'),
'orig_title' => DI::l10n()->t('Link to source'), 'orig_title' => DI::l10n()->t('Link to source'),
]; ];

View File

@ -37,6 +37,7 @@ use Friendica\Protocol\ActivityPub;
use Friendica\Util\HTTPSignature; use Friendica\Util\HTTPSignature;
use Friendica\Util\JsonLD; use Friendica\Util\JsonLD;
use Friendica\Util\LDSignature; use Friendica\Util\LDSignature;
use Friendica\Util\Network;
use Friendica\Util\Strings; use Friendica\Util\Strings;
/** /**
@ -1533,6 +1534,10 @@ class Receiver
} }
} }
if (!empty($object_data['alternate-url']) && !Network::isValidHttpUrl($object_data['alternate-url'])) {
$object_data['alternate-url'] = null;
}
if (in_array($object_data['object_type'], ['as:Audio', 'as:Video'])) { if (in_array($object_data['object_type'], ['as:Audio', 'as:Video'])) {
$object_data['alternate-url'] = self::extractAlternateUrl($object['as:url'] ?? []) ?: $object_data['alternate-url']; $object_data['alternate-url'] = self::extractAlternateUrl($object['as:url'] ?? []) ?: $object_data['alternate-url'];
$object_data['attachments'] = array_merge($object_data['attachments'], self::processAttachmentUrls($object['as:url'] ?? [])); $object_data['attachments'] = array_merge($object_data['attachments'], self::processAttachmentUrls($object['as:url'] ?? []));

View File

@ -560,4 +560,16 @@ class Network
{ {
return (strpos(Strings::normaliseLink($url), Strings::normaliseLink(DI::baseUrl())) !== false); return (strpos(Strings::normaliseLink($url), Strings::normaliseLink(DI::baseUrl())) !== false);
} }
/**
* Check if the given URL is a valid HTTP/HTTPS URL
*
* @param string $url
* @return bool
*/
public static function isValidHttpUrl(string $url)
{
$scheme = parse_url($url, PHP_URL_SCHEME);
return !empty($scheme) && in_array($scheme, ['http', 'https']) && parse_url($url, PHP_URL_HOST);
}
} }