From: Brian Wolff
Date: Sun, 6 Mar 2011 02:43:24 +0000 (+0000)
Subject: (bug 27854) Http::isValidURI is way too lax. This is a much simplified regex that...
X-Git-Tag: 1.31.0-rc.0~31615
X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/banques/ajouter.php?a=commitdiff_plain;h=65eaa9dae1ebf60beda857a9fa5688035c137f65;p=lhc%2Fweb%2Fwiklou.git

(bug 27854) Http::isValidURI is way too lax. This is a much simplified regex that accepts a subset of the previous regex, but also accepts ftps because both cURL and php support it. It no longer accepts things like 'foo http://bar bax', which was my main concern.

Note the previous regex kind of looks more restrictive, but is not, since saying "anything not containing a space optionally followed by anything not containing a bunch of characters including a space" is the same as saying anything with no spaces. See also r83296.

This obviously doesn't catch all cases, but I personally think it's sufficient. At the very least it is a very significant improvement over the previous version that caught almost nothing.

---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index a60248dc4b..aeeb169d7d 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -161,6 +161,7 @@ PHP if you have not done so prior to upgrading MediaWiki. incorrect revision ID is passed. * Trim the form field for uploading by url to remove extra spaces which could cause confusing error messages. +* (bug 27854) Http::isValidURI is way too lax. === API changes in 1.18 === * (bug 26339) Throw warning when truncating an overlarge API result diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php index 3b08cfd57a..8db3e4fbd1 100644 --- a/includes/HttpFunctions.php +++ b/includes/HttpFunctions.php
@@ -117,16 +117,17 @@ class Http { } /** - * Checks that the given URI is a valid one + * Checks that the given URI is a valid one. Hardcoding the + * protocols, because we only want protocols that both cURL + * and php support. * * @param $uri Mixed: URI to check for validity * @returns Boolean */ public static function isValidURI( $uri ) { return preg_match( - '/(ftp|http|https):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/', - $uri, - $matches + '/^(f|ht)tps?:\/\/[^\/\s]\S*$/D', + $uri ); } }
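Review bot: the RELEASE-NOTES entry `+* (bug 27854) Http::isValidURI is way too lax.` restates the bug title instead of describing the change, so a reader of the notes cannot tell what the fix actually does; phrase it as the new behaviour, e.g. `* (bug 27854) Http::isValidURI now only accepts absolute http, https, ftp and ftps URLs containing no whitespace.` The newly accepted ftps scheme in particular is user-visible and is currently mentioned only in the commit message, not in the notes.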
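Review bot: the new `return preg_match( '/^(f|ht)tps?:\/\/[^\/\s]\S*$/D', $uri );` returns an int (1, 0, or false on a regex error) while the docblock directly above still promises `@returns Boolean`; either `return (bool)preg_match( ... )` or compare with `=== 1` so strict-comparing callers are not surprised. The anchored pattern with the `D` modifier is the right shape: without `D`, `$` would also match before a trailing newline, so a value ending in "\n" would pass validation. Two things worth deciding explicitly: the pattern is case-sensitive, so `HTTP://example.org` is rejected even though scheme names are case-insensitive (add the `i` modifier if that should be accepted), and the added comment about hardcoding the protocols would be clearer if it listed them (http, https, ftp, ftps), since `(f|ht)tps?` takes a moment to decode. Dropping the unused `$matches` argument is fine.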