From 029daef997322eac54a7a655e076af7f95016f8b Mon Sep 17 00:00:00 2001
From: Michael
Date: Sun, 3 Apr 2022 07:21:36 +0000
Subject: [PATCH 1/2] Only use and accept valid http links as links to an external resource
---
 src/Model/Item.php | 16 +++++++++++-----
 src/Protocol/ActivityPub/Receiver.php | 5 +++++
 src/Util/Network.php | 11 +++++++++++
 3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/src/Model/Item.php b/src/Model/Item.php
index 5047af5986..bf56a72424 100644
--- a/src/Model/Item.php
+++ b/src/Model/Item.php
@@ -3191,6 +3191,12 @@ class Item
 */
 public static function getPlink($item)
 {
+ if (Network::isValidHttpUrl($item['plink'])) {
+ $plink = $item['plink'];
+ } elseif (Network::isValidHttpUrl($item['uri']) && !Network::isLocalLink($item['uri'])) {
+ $plink = $item['uri'];
+ }
+
 if (local_user()) {
 $ret = [
 'href' => "display/" . $item['guid'],
@@ -3199,14 +3205,14 @@ class Item
 'orig_title' => DI::l10n()->t('View on separate page'),
 ];
 
- if (!empty($item['plink'])) {
- $ret['href'] = DI::baseUrl()->remove($item['plink']);
+ if (!empty($plink)) {
+ $ret['href'] = DI::baseUrl()->remove($plink);
 $ret['title'] = DI::l10n()->t('Link to source');
 }
- } elseif (!empty($item['plink']) && ($item['private'] != self::PRIVATE)) {
+ } elseif (!empty($plink) && ($item['private'] != self::PRIVATE)) {
 $ret = [
- 'href' => $item['plink'],
- 'orig' => $item['plink'],
+ 'href' => $plink,
+ 'orig' => $plink,
 'title' => DI::l10n()->t('Link to source'),
 'orig_title' => DI::l10n()->t('Link to source'),
 ];
diff --git a/src/Protocol/ActivityPub/Receiver.php b/src/Protocol/ActivityPub/Receiver.php
index 98d40137a9..040104825b 100644
--- a/src/Protocol/ActivityPub/Receiver.php
+++ b/src/Protocol/ActivityPub/Receiver.php
@@ -37,6 +37,7 @@ use Friendica\Protocol\ActivityPub;
 use Friendica\Util\HTTPSignature;
 use Friendica\Util\JsonLD;
 use Friendica\Util\LDSignature;
+use Friendica\Util\Network;
 use Friendica\Util\Strings;
 
 /**
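Review bot: `Network::isValidHttpUrl($item['plink'])` on the first added line hands the raw array element to a `string`-typed parameter, so an item whose `plink` (or `uri`) is null or absent now raises a TypeError where the previous `!empty($item['plink'])` test simply produced no source link; the second hunk still guards with `!empty($plink)`, so only the call sites need a fallback: `if (Network::isValidHttpUrl($item['plink'] ?? '')) {` and `} elseif (Network::isValidHttpUrl($item['uri'] ?? '') && !Network::isLocalLink($item['uri'])) {`. Initialising `$plink = null;` before the chain would also make the fall-through case explicit instead of relying on `empty()` tolerating an undefined variable. Whether `plink` can actually be null here depends on how `$item` is assembled, which is outside the hunk; getPlink's body continues past the hunk.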
@@ -1533,6 +1534,10 @@ class Receiver
 }
 }
 
+ if (!empty($object_data['alternate-url']) && !Network::isValidHttpUrl($object_data['alternate-url'])) {
+ $object_data['alternate-url'] = null;
+ }
+
 if (in_array($object_data['object_type'], ['as:Audio', 'as:Video'])) {
 $object_data['alternate-url'] = self::extractAlternateUrl($object['as:url'] ?? []) ?: $object_data['alternate-url'];
 $object_data['attachments'] = array_merge($object_data['attachments'], self::processAttachmentUrls($object['as:url'] ?? []));
diff --git a/src/Util/Network.php b/src/Util/Network.php
index 7c7269fa8f..492d0ecac7 100644
--- a/src/Util/Network.php
+++ b/src/Util/Network.php
@@ -560,4 +560,15 @@ class Network
 {
 return (strpos(Strings::normaliseLink($url), Strings::normaliseLink(DI::baseUrl())) !== false);
 }
+
+ /**
+ * Check if the given URL is a valid HTTP/HTTPS URL
+ *
+ * @param string $url
+ * @return bool
+ */
+ public static function isValidHttpUrl(string $url)
+ {
+ return in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https']) && parse_url($url, PHP_URL_HOST);
+ }
 }
From 5290f0cd512ee42ff2bce35e3ede0b0ca01e24e4 Mon Sep 17 00:00:00 2001
From: Michael
Date: Sun, 3 Apr 2022 07:31:42 +0000
Subject: [PATCH 2/2] Improved handling of invalid links
---
 src/Util/Network.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Util/Network.php b/src/Util/Network.php
index 492d0ecac7..7e72404287 100644
--- a/src/Util/Network.php
+++ b/src/Util/Network.php
@@ -569,6 +569,7 @@ class Network
 */
 public static function isValidHttpUrl(string $url)
 {
- return in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https']) && parse_url($url, PHP_URL_HOST);
+ $scheme = parse_url($url, PHP_URL_SCHEME);
+ return !empty($scheme) && in_array($scheme, ['http', 'https']) && parse_url($url, PHP_URL_HOST);
 }
 }
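Review bot: The added scheme check sits above the `as:Audio`/`as:Video` branch, so the value that `self::extractAlternateUrl($object['as:url'] ?? [])` assigns to `alternate-url` on the following line never passes through `isValidHttpUrl`; unless extractAlternateUrl filters schemes itself (its body is outside this hunk), a non-http `as:url` entry from a remote object still lands in `alternate-url` for audio and video posts. Moving the three added lines to just after the `if (in_array(...)) { ... }` block, or applying the same `!Network::isValidHttpUrl(...)` test to the extracted value, closes that gap. The enclosing method starts and ends outside the hunk.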
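Review bot: `in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'])` in the new isValidHttpUrl compares loosely, and the method declares no return type even though its docblock promises `@return bool`; `in_array(..., ['http', 'https'], true)` and `public static function isValidHttpUrl(string $url): bool` pin both down. The same loose `in_array` survives in the second patch's rewrite of this method.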
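Review bot: The rewritten body still parses `$url` twice and relies on the truthiness of the host string, so a host of `0` is rejected and a `false` from a malformed URL is indistinguishable from "no host"; parsing once states the intent directly: `$parts = parse_url($url);` followed by `return is_array($parts) && in_array($parts['scheme'] ?? '', ['http', 'https'], true) && ($parts['host'] ?? '') !== '';`. parse_url also returns the scheme as written rather than normalised, so `HTTP://example.com` fails this check; if mixed-case schemes should be accepted, compare `strtolower($scheme)` instead.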