Fix URL validation see BT#10217

main/newscorm/learnpath.class.php

@@ -10354,38 +10354,55 @@ EOD;
      *
      * @return string
      */
-    public function checkXFrameOptions($src)
+    public function fixBlockedLinks($src)
-    {
+    {
-        if (strpos($src, api_get_path(WEB_CODE_PATH)) === false) {
+        $urlInfo = parse_url($src);
-            // Check X-Frame-Options
+        //$platformProtocol = api_get_protocol();
-            $ch = curl_init();
+
-
+        $platformProtocol = 'https';
-            $options = array(
+        if (strpos(api_get_path(WEB_CODE_PATH), 'https') === false) {
-                CURLOPT_URL => $src,
+            $platformProtocol = 'http';
-                CURLOPT_RETURNTRANSFER => true,
+        }
-                CURLOPT_HEADER => true,
+
-                CURLOPT_FOLLOWLOCATION => true,
+        $protocolFixApplied = false;
-                CURLOPT_ENCODING => "",
+        if ($platformProtocol != $urlInfo['scheme']) {
-                CURLOPT_AUTOREFERER => true,
+            $_SESSION['x_frame_source'] = $src;
-                CURLOPT_CONNECTTIMEOUT => 120,
+            $src = 'blank.php?error=x_frames_options';
-                CURLOPT_TIMEOUT => 120,
+            $protocolFixApplied = true;
-                CURLOPT_MAXREDIRS => 10,
+        }
-            );
+
-            curl_setopt_array($ch, $options);
+        if ($protocolFixApplied == false) {
-            $response = curl_exec($ch);
+            if (strpos($src, api_get_path(WEB_CODE_PATH)) === false) {
-            $httpCode = curl_getinfo($ch);
+                // Check X-Frame-Options
-            $headers = substr($response, 0, $httpCode['header_size']);
+                $ch = curl_init();
-
+
-            $error = false;
+                $options = array(
-            if (stripos($headers, 'X-Frame-Options: DENY') > -1 ||
+                    CURLOPT_URL => $src,
-                stripos($headers, 'X-Frame-Options: SAMEORIGIN')>-1
+                    CURLOPT_RETURNTRANSFER => true,
-            ) {
+                    CURLOPT_HEADER => true,
-                $error = true;
+                    CURLOPT_FOLLOWLOCATION => true,
-            }
+                    CURLOPT_ENCODING => "",
+                    CURLOPT_AUTOREFERER => true,
+                    CURLOPT_CONNECTTIMEOUT => 120,
+                    CURLOPT_TIMEOUT => 120,
+                    CURLOPT_MAXREDIRS => 10,
+                );
+                curl_setopt_array($ch, $options);
+                $response = curl_exec($ch);
+                $httpCode = curl_getinfo($ch);
+                $headers = substr($response, 0, $httpCode['header_size']);
+
+                $error = false;
+                if (stripos($headers, 'X-Frame-Options: DENY') > -1 ||
+                    stripos($headers, 'X-Frame-Options: SAMEORIGIN') > -1
+                ) {
+                    $error = true;
+                }
 
-            if ($error) {
+                if ($error) {
-                $_SESSION['x_frame_source'] = $src;
+                    $_SESSION['x_frame_source'] = $src;
-                $src = 'blank.php?error=x_frames_options';
+                    $src = 'blank.php?error=x_frames_options';
+                }
             }
         }
 

main/newscorm/lp_content.php

@@ -57,7 +57,7 @@ if ($dokeos_chapter) {
                 $src = 'blank.php?error=prerequisites';
             }
 
-            $src = $_SESSION['oLP']->checkXFrameOptions($src);
+            $src = $_SESSION['oLP']->fixBlockedLinks($src);
             break;
         case 2:
             $_SESSION['oLP']->stop_previous_item();

main/newscorm/lp_view.php

@@ -169,7 +169,7 @@ if (!isset($src)) {
                     $src = api_get_path(WEB_CODE_PATH).'newscorm/lp_view_item.php?lp_item_id='.$lp_item_id.'&'.api_get_cidreq();
                 }
 
-                $src = $_SESSION['oLP']->checkXFrameOptions($src);
+                $src = $_SESSION['oLP']->fixBlockedLinks($src);
 
                 $_SESSION['oLP']->start_current_item(); // starts time counter manually if asset
             } else {