Issue 14324: Sanitize profile input

pull/14327/head
Michael 2024-07-28 04:34:44 +00:00
parent aae004d3d2
commit ef71840ddc
4 changed files with 38 additions and 6 deletions

View File

@ -1,6 +1,6 @@
-- ------------------------------------------ -- ------------------------------------------
-- Friendica 2024.06-rc (Yellow Archangel) -- Friendica 2024.06-rc (Yellow Archangel)
-- DB_UPDATE_VERSION 1570 -- DB_UPDATE_VERSION 1571
-- ------------------------------------------ -- ------------------------------------------

View File

@ -125,9 +125,9 @@ class Index extends BaseSettings
$country_name = trim($request['country_name']); $country_name = trim($request['country_name']);
$pub_keywords = self::cleanKeywords(trim($request['pub_keywords'])); $pub_keywords = self::cleanKeywords(trim($request['pub_keywords']));
$prv_keywords = self::cleanKeywords(trim($request['prv_keywords'])); $prv_keywords = self::cleanKeywords(trim($request['prv_keywords']));
$xmpp = trim($request['xmpp']); $xmpp = $this->cleanInput(trim($request['xmpp']));
$matrix = trim($request['matrix']); $matrix = $this->cleanInput(trim($request['matrix']));
$homepage = trim($request['homepage']); $homepage = $this->cleanInput(trim($request['homepage']));
if ((strpos($homepage, 'http') !== 0) && (strlen($homepage))) { if ((strpos($homepage, 'http') !== 0) && (strlen($homepage))) {
// neither http nor https in URL, add them // neither http nor https in URL, add them
$homepage = 'http://' . $homepage; $homepage = 'http://' . $homepage;
@ -358,6 +358,11 @@ class Index extends BaseSettings
return $profileFields; return $profileFields;
} }
private function cleanInput(string $input): string
{
return str_replace(['<', '>', '"', ' '], '', $input);
}
private static function cleanKeywords($keywords): string private static function cleanKeywords($keywords): string
{ {
$keywords = str_replace(',', ' ', $keywords); $keywords = str_replace(',', ' ', $keywords);

View File

@ -56,7 +56,7 @@ use Friendica\Database\DBA;
// This file is required several times during the test in DbaDefinition which justifies this condition // This file is required several times during the test in DbaDefinition which justifies this condition
if (!defined('DB_UPDATE_VERSION')) { if (!defined('DB_UPDATE_VERSION')) {
define('DB_UPDATE_VERSION', 1570); define('DB_UPDATE_VERSION', 1571);
} }
return [ return [

View File

@ -1486,4 +1486,31 @@ function update_1566()
Profile::setResponsibleRelayContact($user['uid']); Profile::setResponsibleRelayContact($user['uid']);
} }
DBA::close($users); DBA::close($users);
} }
function update_1571()
{
$profiles = DBA::select('profile', ['uid', 'homepage', 'xmpp', 'matrix']);
while ($profile = DBA::fetch($profiles)) {
$homepage = str_replace(['<', '>', '"', ' '], '', $profile['homepage']);
$xmpp = str_replace(['<', '>', '"', ' '], '', $profile['xmpp']);
$matrix = str_replace(['<', '>', '"', ' '], '', $profile['matrix']);
$fields = [];
if ($homepage != $profile['homepage']) {
$fields['homepage'] = $homepage;
}
if ($xmpp != $profile['xmpp']) {
$fields['xmpp'] = $xmpp;
}
if ($matrix != $profile['matrix']) {
$fields['matrix'] = $matrix;
}
if (!empty($fields)) {
Profile::update($fields, $profile['uid']);
}
}
DBA::close($profiles);
return Update::SUCCESS;
}