Reject Phame domains which include a port number
Summary: Via HackerOne. This doesn't actually have any security impact as far as we can tell, but a researcher reported it since it seems suspicious. At a minimum, it could be confusing. Also improve some i18n stuff. Test Plan: Hit all the error cases, then saved a valid custom domain. Reviewers: btrahan Reviewed By: btrahan Subscribers: aran, epriestley Differential Revision: https://secure.phabricator.com/D8493
parent
740757fd9b
commit
ad88ff28a1
1 changed files with 23 additions and 8 deletions
|
@ -68,27 +68,42 @@ final class PhameBlog extends PhameDAO
|
|||
* @return string
|
||||
*/
|
||||
public function validateCustomDomain($custom_domain) {
|
||||
$example_domain = '(e.g. blog.example.com)';
|
||||
$valid = '';
|
||||
$example_domain = 'blog.example.com';
|
||||
|
||||
// note this "uri" should be pretty busted given the desired input
|
||||
// so just use it to test if there's a protocol specified
|
||||
$uri = new PhutilURI($custom_domain);
|
||||
if ($uri->getProtocol()) {
|
||||
return 'Do not specify a protocol, just the domain. '.$example_domain;
|
||||
return pht(
|
||||
'The custom domain should not include a protocol. Just provide '.
|
||||
'the bare domain name (for example, "%s").',
|
||||
$example_domain);
|
||||
}
|
||||
|
||||
if ($uri->getPort()) {
|
||||
return pht(
|
||||
'The custom domain should not include a port number. Just provide '.
|
||||
'the bare domain name (for example, "%s").',
|
||||
$example_domain);
|
||||
}
|
||||
|
||||
if (strpos($custom_domain, '/') !== false) {
|
||||
return 'Do not specify a path, just the domain. '.$example_domain;
|
||||
return pht(
|
||||
'The custom domain should not specify a path (hosting a Phame '.
|
||||
'blog at a path is currently not supported). Instead, just provide '.
|
||||
'the bare domain name (for example, "%s").',
|
||||
$example_domain);
|
||||
}
|
||||
|
||||
if (strpos($custom_domain, '.') === false) {
|
||||
return 'Custom domain must contain at least one dot (.) because '.
|
||||
'some browsers fail to set cookies on domains such as '.
|
||||
'http://example. '.$example_domain;
|
||||
return pht(
|
||||
'The custom domain should contain at least one dot (.) because '.
|
||||
'some browsers fail to set cookies on domains without a dot. Instead, '.
|
||||
'use a normal looking domain name like "%s".',
|
||||
$example_domain);
|
||||
}
|
||||
|
||||
return $valid;
|
||||
return null;
|
||||
}
|
||||
|
||||
public function getBloggerPHIDs() {
|
||||
|
|
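Review bot: The new port check, `if ($uri->getPort())`, depends on PhutilURI extracting a port from a string with no scheme, a parse the comment just above it calls "pretty busted", and it tests truthiness, so an empty or zero port would presumably not trip it. The path and dot checks in validateCustomDomain() already inspect the raw string, so a direct test such as `if (strpos($custom_domain, ':') !== false) {` placed after the protocol check would reject any colon regardless of how the parser splits the input. An allowlist of hostname characters would be stricter still, since no visible check rejects `@`, `?`, `#` or whitespace. Separately, the success path now ends in `return null;` while the docblock, which starts above the hunk, still says `@return string`; it should read `@return string|null Error message, or null if the domain is valid.` Callers that compared against the old `''` result are not shown on this page and should be checked.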