1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-24 06:20:56 +01:00

Reject Phame domains which include a port number

Summary: Via HackerOne. This doesn't actually have any security impact as far as we can tell, but a researcher reported it since it seems suspicious. At a minimum, it could be confusing. Also improve some i18n stuff.

Test Plan: Hit all the error cases, then saved a valid custom domain.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: aran, epriestley

Differential Revision: https://secure.phabricator.com/D8493
This commit is contained in:
epriestley 2014-03-11 15:53:15 -07:00
parent 740757fd9b
commit ad88ff28a1

View file

@ -68,27 +68,42 @@ final class PhameBlog extends PhameDAO
* @return string * @return string
*/ */
public function validateCustomDomain($custom_domain) { public function validateCustomDomain($custom_domain) {
$example_domain = '(e.g. blog.example.com)'; $example_domain = 'blog.example.com';
$valid = '';
// note this "uri" should be pretty busted given the desired input // note this "uri" should be pretty busted given the desired input
// so just use it to test if there's a protocol specified // so just use it to test if there's a protocol specified
$uri = new PhutilURI($custom_domain); $uri = new PhutilURI($custom_domain);
if ($uri->getProtocol()) { if ($uri->getProtocol()) {
return 'Do not specify a protocol, just the domain. '.$example_domain; return pht(
'The custom domain should not include a protocol. Just provide '.
'the bare domain name (for example, "%s").',
$example_domain);
}
if ($uri->getPort()) {
return pht(
'The custom domain should not include a port number. Just provide '.
'the bare domain name (for example, "%s").',
$example_domain);
} }
if (strpos($custom_domain, '/') !== false) { if (strpos($custom_domain, '/') !== false) {
return 'Do not specify a path, just the domain. '.$example_domain; return pht(
'The custom domain should not specify a path (hosting a Phame '.
'blog at a path is currently not supported). Instead, just provide '.
'the bare domain name (for example, "%s").',
$example_domain);
} }
if (strpos($custom_domain, '.') === false) { if (strpos($custom_domain, '.') === false) {
return 'Custom domain must contain at least one dot (.) because '. return pht(
'some browsers fail to set cookies on domains such as '. 'The custom domain should contain at least one dot (.) because '.
'http://example. '.$example_domain; 'some browsers fail to set cookies on domains without a dot. Instead, '.
'use a normal looking domain name like "%s".',
$example_domain);
} }
return $valid; return null;
} }
public function getBloggerPHIDs() { public function getBloggerPHIDs() {