Reject Phame domains which include a port number
Summary: Via HackerOne. This doesn't actually have any security impact as far as we can tell, but a researcher reported it since it seems suspicious. At a minimum, it could be confusing. Also improve some i18n stuff. Test Plan: Hit all the error cases, then saved a valid custom domain. Reviewers: btrahan Reviewed By: btrahan Subscribers: aran, epriestley Differential Revision: https://secure.phabricator.com/D8493
parent
740757fd9b
commit
ad88ff28a1
1 changed files with 23 additions and 8 deletions
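--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -68,27 +68,42 @@ final class PhameBlog extends PhameDAO
 * @return string
 */
 public function validateCustomDomain($custom_domain) {
-$example_domain = '(e.g. blog.example.com)';
-$valid = '';
+$example_domain = 'blog.example.com';
 
 // note this "uri" should be pretty busted given the desired input
 // so just use it to test if there's a protocol specified
 $uri = new PhutilURI($custom_domain);
 if ($uri->getProtocol()) {
-return 'Do not specify a protocol, just the domain. '.$example_domain;
+return pht(
+'The custom domain should not include a protocol. Just provide '.
+'the bare domain name (for example, "%s").',
+$example_domain);
+}
+
+if ($uri->getPort()) {
+return pht(
+'The custom domain should not include a port number. Just provide '.
+'the bare domain name (for example, "%s").',
+$example_domain);
 }
 
 if (strpos($custom_domain, '/') !== false) {
-return 'Do not specify a path, just the domain. '.$example_domain;
+return pht(
+'The custom domain should not specify a path (hosting a Phame '.
+'blog at a path is currently not supported). Instead, just provide '.
+'the bare domain name (for example, "%s").',
+$example_domain);
 }
 
 if (strpos($custom_domain, '.') === false) {
-return 'Custom domain must contain at least one dot (.) because '.
-'some browsers fail to set cookies on domains such as '.
-'http://example. '.$example_domain;
+return pht(
+'The custom domain should contain at least one dot (.) because '.
+'some browsers fail to set cookies on domains without a dot. Instead, '.
+'use a normal looking domain name like "%s".',
+$example_domain);
 }
 
-return $valid;
+return null;
 }
 
 public function getBloggerPHIDs() {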
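Review bot: The `@return string` annotation at the top of the hunk is now stale, because the success path at the bottom was changed from `return $valid;` (an empty string) to `return null;`; it should read `* @return string|null Error message, or null if the domain is acceptable.` (the docblock's opening line is above the hunk). Any caller that tests the result with `=== ''` rather than a truthiness check would also change behaviour with this commit; the callers are not visible here, so that is worth confirming. Separately, the validation remains a denylist — protocol, port, `/` and a missing dot are rejected, but a value containing whitespace, `@`, `?` or `#` is still accepted, and it is unclear from this hunk whether `PhutilURI` reports a protocol or port for such inputs. A positive check against the hostname character set, e.g. `if (!preg_match('/^[a-z0-9.-]+$/i', $custom_domain)) { return pht(...); }` placed before the `PhutilURI` parse, would make the accepted shape explicit instead of depending on what the parser happens to extract.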