* sanitize: never rewrite relative links to our own prefix

* use Config::get_self_url() instead of get_self_url_prefix() in a bunch of places
4 years ago · 70adfd4a74
parent 6f835ded78
commit 70adfd4a74
9 changed files with 19 additions and 19 deletions
--- a/classes/diskcache.php
+++ b/classes/diskcache.php
@ -273,7 +273,7 @@ class DiskCache {
 	}

 	public function get_url($filename) {
-		return get_self_url_prefix() . "/public.php?op=cached&file=" . basename($this->dir) . "/" . basename($filename);
+		return Config::get_self_url() . "/public.php?op=cached&file=" . basename($this->dir) . "/" . basename($filename);
 	}

 	// check for locally cached (media) URLs and rewrite to local versions
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@ -64,7 +64,7 @@ class Handler_Public extends Handler {
 		$feed_site_url = $qfh_ret[2];
 		/* $last_error = $qfh_ret[3]; */

-		$feed_self_url = get_self_url_prefix() .
+		$feed_self_url = Config::get_self_url() .
 			"/public.php?op=rss&id=$feed&key=" .
 			Feeds::_get_access_key($feed, false, $owner_uid);

@ -177,10 +177,8 @@ class Handler_Public extends Handler {

 			$feed['title'] = $feed_title;
 			$feed['feed_url'] = $feed_self_url;
-
-			$feed['self_url'] = get_self_url_prefix();
-
-			$feed['articles'] = array();
+			$feed['self_url'] = Config::get_self_url();
+			$feed['articles'] = [];

 			while ($line = $result->fetch()) {

@ -403,7 +401,7 @@ class Handler_Public extends Handler {
 			if ($_REQUEST['return'] && mb_strpos($return, Config::get(Config::SELF_URL_PATH)) === 0) {
 				header("Location: " . clean($_REQUEST['return']));
 			} else {
-				header("Location: " . get_self_url_prefix());
+				header("Location: " . Config::get_self_url());
 			}
 		}
 	}
@ -780,7 +778,7 @@ class Handler_Public extends Handler {

 		$timestamp = date("Y-m-d", strtotime($timestamp));

-		return "tag:" . parse_url(get_self_url_prefix(), PHP_URL_HOST) . ",$timestamp:/$id";
+		return "tag:" . parse_url(Config::get_self_url(), PHP_URL_HOST) . ",$timestamp:/$id";
 	}

 	// this should be used very carefully because this endpoint is exposed to unauthenticated users
--- a/classes/opml.php
+++ b/classes/opml.php
@ -635,7 +635,7 @@ class OPML extends Handler_Protected {
 	}

 	static function get_publish_url(){
-		return get_self_url_prefix() .
+		return Config::get_self_url() .
 			"/public.php?op=publishOpml&key=" .
 			Feeds::_get_access_key('OPML:Publish', false, $_SESSION["uid"]);
 	}
--- a/classes/pluginhost.php
+++ b/classes/pluginhost.php
@ -609,7 +609,7 @@ class PluginHost {

 	// handled by classes/pluginhandler.php, requires valid session
 	function get_method_url(Plugin $sender, string $method, $params = [])  {
-		return get_self_url_prefix() . "/backend.php?" .
+		return Config::get_self_url() . "/backend.php?" .
 			http_build_query(
 				array_merge(
 					[
@ -622,7 +622,7 @@ class PluginHost {

 	// shortcut syntax (disabled for now)
 	/* function get_method_url(Plugin $sender, string $method, $params)  {
-		return get_self_url_prefix() . "/backend.php?" .
+		return Config::get_self_url() . "/backend.php?" .
 			http_build_query(
 				array_merge(
 					[
@ -634,7 +634,7 @@ class PluginHost {
 	// WARNING: endpoint in public.php, exposed to unauthenticated users
 	function get_public_method_url(Plugin $sender, string $method, $params = [])  {
 		if ($sender->is_public_method($method)) {
-			return get_self_url_prefix() . "/public.php?" .
+			return Config::get_self_url() . "/public.php?" .
 				http_build_query(
 					array_merge(
 						[
--- a/classes/pref/feeds.php
+++ b/classes/pref/feeds.php
@ -1278,7 +1278,7 @@ class Pref_Feeds extends Handler_Protected {
 		$is_cat = clean($_REQUEST['is_cat']) == "true";
 		$search = clean($_REQUEST['search']);

-		$link = get_self_url_prefix() . "/public.php?" . http_build_query([
+		$link = Config::get_self_url() . "/public.php?" . http_build_query([
 			'op' => 'rss',
 			'id' => $feed_id,
 			'is_cat' => (int)$is_cat,
--- a/classes/rpc.php
+++ b/classes/rpc.php
@ -175,7 +175,7 @@ class RPC extends Handler_Protected {
 		$error_params = [];

 		$client_scheme = parse_url($client_location, PHP_URL_SCHEME);
-		$server_scheme = parse_url(get_self_url_prefix(), PHP_URL_SCHEME);
+		$server_scheme = parse_url(Config::get_self_url(), PHP_URL_SCHEME);

 		if (get_schema_version() != SCHEMA_VERSION) {
 			$error = Errors::E_SCHEMA_MISMATCH;
@ -183,7 +183,7 @@ class RPC extends Handler_Protected {
 			$error = Errors::E_URL_SCHEME_MISMATCH;
 			$error_params["client_scheme"] = $client_scheme;
 			$error_params["server_scheme"] = $server_scheme;
-			$error_params["self_url_path"] = get_self_url_prefix();
+			$error_params["self_url_path"] = Config::get_self_url();
 		}

 		if ($error == Errors::E_SUCCESS) {
@ -463,7 +463,7 @@ class RPC extends Handler_Protected {
 		$max_feed_id = $row["mid"];
 		$num_feeds = $row["nf"];

-		$params["self_url_prefix"] = get_self_url_prefix();
+		$params["self_url_prefix"] = Config::get_self_url();
 		$params["max_feed_id"] = (int) $max_feed_id;
 		$params["num_feeds"] = (int) $num_feeds;
 		$params["hotkeys"] = $this->get_hotkeys_map();
--- a/classes/sanitizer.php
+++ b/classes/sanitizer.php
@ -64,7 +64,9 @@ class Sanitizer {
 		$doc->loadHTML('<?xml encoding="UTF-8">' . $res);
 		$xpath = new DOMXPath($doc);

-		$rewrite_base_url = $site_url ? $site_url : get_self_url_prefix();
+		// is it a good idea to possibly rewrite urls to our own prefix?
+		// $rewrite_base_url = $site_url ? $site_url : Config::get_self_url();
+		$rewrite_base_url = $site_url ? $site_url : "http://domain.invalid/";

 		$entries = $xpath->query('(//a[@href]|//img[@src]|//source[@srcset|@src])');

--- a/include/functions.php
+++ b/include/functions.php
@ -217,7 +217,7 @@
 	}

 	// this returns Config::SELF_URL_PATH sans ending slash
-	/** function is @deprecated */
+	/** function is @deprecated by Config::get_self_url() */
 	function get_self_url_prefix() {
 		return Config::get_self_url();
 	}
--- a/plugins/bookmarklets/init.php
+++ b/plugins/bookmarklets/init.php
@ -146,7 +146,7 @@ class Bookmarklets extends Plugin {

 				if ($feed_id) {
 					?>
-					<form method='GET' action="<?= htmlspecialchars(get_self_url_prefix() . "/prefs.php") ?>">
+					<form method='GET' action="<?= htmlspecialchars(Config::get_self_url() . "/prefs.php") ?>">
 						<input type='hidden' name='tab' value='feeds'>
 						<input type='hidden' name='method' value='editfeed'>
 						<input type='hidden' name='methodparam' value="<?= $feed_id ?>">