diff options
| author | Mike Macgirvin <mike@macgirvin.com> | 2010-09-13 17:12:54 -0700 |
|---|---|---|
| committer | Mike Macgirvin <mike@macgirvin.com> | 2010-09-13 17:12:54 -0700 |
| commit | 38fde6672eb3d46b8b154ba2f22df99f91f64852 (patch) | |
| tree | 2b66ef1aa3d6575a124e0b3cdad9c2a3042d0444 | |
| parent | 2c96ad77396b0df2be481c4f90cc61ebaa83bc75 (diff) | |
| download | volse-hubzilla-38fde6672eb3d46b8b154ba2f22df99f91f64852.tar.gz volse-hubzilla-38fde6672eb3d46b8b154ba2f22df99f91f64852.tar.bz2 volse-hubzilla-38fde6672eb3d46b8b154ba2f22df99f91f64852.zip | |
provide allow list of friend sites for education/corporate environments,
pattern matchable
| -rw-r--r-- | boot.php | 44 | ||||
| -rw-r--r-- | mod/dfrn_request.php | 11 |
2 files changed, 50 insertions, 5 deletions
@@ -782,16 +782,54 @@ function get_uid() { }} if(! function_exists('validate_url')) { -function validate_url($url) { +function validate_url(&$url) { if(substr($url,0,4) != 'http') $url = 'http://' . $url; $h = parse_url($url); - if(! $h) + if(! $h) { return false; - if(! checkdnsrr($h['host'], 'ANY')) + } + if(! checkdnsrr($h['host'], 'ANY')) { return false; + } return true; }} +if(! function_exists('allowed_url')) { +function allowed_url($url) { + + $h = parse_url($url); + + if(! $h) { + return false; + } + + $str_allowed = get_config('system','allowed_sites'); + if(! $str_allowed) + return true; + + $found = false; + + $host = strtolower($h['host']); + + // always allow our own site + + if($host == strtolower($_SERVER['SERVER_NAME'])) + return true; + + $fnmatch = function_exists('fnmatch'); + $allowed = explode(',',$str_allowed); + + if(count($allowed)) { + foreach($allowed as $a) { + $pat = strtolower(trim($a)); + if(($fnmatch && fnmatch($pat,$host)) || ($pat == $host)) { + $found = true; + break; + } + } + } + return $found; +}} diff --git a/mod/dfrn_request.php b/mod/dfrn_request.php index 617d4b2d8..a22492fe6 100644 --- a/mod/dfrn_request.php +++ b/mod/dfrn_request.php @@ -134,7 +134,7 @@ function dfrn_request_post(&$a) { // invalid/bogus request - notice( t("Unrecoverable protocol error.") . EOL ); + notice( t('Unrecoverable protocol error.') . EOL ); goaway($a->get_baseurl()); return; // NOTREACHED } @@ -219,7 +219,14 @@ function dfrn_request_post(&$a) { goaway($a->get_baseurl() . '/' . $a->cmd); return; // NOTREACHED } + + if(! allowed_url($url)) { + notice( t('Disallowed profile URL.') . EOL); + goaway($a->get_baseurl() . '/' . $a->cmd); + return; // NOTREACHED + } + require_once('Scrape.php'); $parms = scrape_dfrn($url); @@ -301,7 +308,7 @@ function dfrn_request_post(&$a) { // This notice will only be seen by the requestor if the requestor and requestee are on the same server. if(! $failed) - notice( t("Your introduction has been sent.") . EOL ); + notice( t('Your introduction has been sent.') . EOL ); // "Homecoming" - send the requestor back to their site to record the introduction. |