open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fix(theming): Harden admin web link settings

Browse Source 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
pull/50293/head
Ferdinand Thiessen 1 year ago
parent f5cd0cbd70
commit ff835faf7b
No known key found for this signature in database
GPG Key ID: 45FAE7268762B400
2 changed files with 23 additions and 10 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 8
      apps/theming/lib/Controller/ThemingController.php
  2. 25
      apps/theming/tests/Controller/ThemingControllerTest.php

8
apps/theming/lib/Controller/ThemingController.php
Unescape View File

@ -194,11 +194,13 @@ class ThemingController extends Controller {
}
/**
* Check that a string is a valid http/https url
* Check that a string is a valid http/https url.
* Also validates that there is no way for XSS through HTML
*/
private function isValidUrl(string $url): bool {
return ((str_starts_with($url, 'http://') || str_starts_with($url, 'https://')) &&
filter_var($url, FILTER_VALIDATE_URL) !== false);
return ((str_starts_with($url, 'http://') || str_starts_with($url, 'https://'))
&& filter_var($url, FILTER_VALIDATE_URL) !== false)
&& !str_contains($url, '"');
}
/**

25
apps/theming/tests/Controller/ThemingControllerTest.php
Unescape View File

@ -125,11 +125,24 @@ class ThemingControllerTest extends TestCase {
}
public function dataUpdateStylesheetError() {
$urls = [
'url' => 'web address',
'imprintUrl' => 'legal notice address',
'privacyUrl' => 'privacy policy address',
];
$urlTests = [];
foreach ($urls as $urlKey => $urlName) {
// Check length limit
$urlTests[] = [$urlKey, 'http://example.com/' . str_repeat('a', 501), "The given {$urlName} is too long"];
// Check potential evil javascript
$urlTests[] = [$urlKey, 'javascript:alert(1)', "The given {$urlName} is not a valid URL"];
// Check XSS
$urlTests[] = [$urlKey, 'https://example.com/"><script/src="alert(\'1\')"><a/href/="', "The given {$urlName} is not a valid URL"];
}
return [
['name', str_repeat('a', 251), 'The given name is too long'],
['url', 'http://example.com/' . str_repeat('a', 501), 'The given web address is too long'],
['url', str_repeat('a', 501), 'The given web address is not a valid URL'],
['url', 'javascript:alert(1)', 'The given web address is not a valid URL'],
['slogan', str_repeat('a', 501), 'The given slogan is too long'],
['primary_color', '0082C9', 'The given color is invalid'],
['primary_color', '#0082Z9', 'The given color is invalid'],
@ -137,10 +150,8 @@ class ThemingControllerTest extends TestCase {
['background_color', '0082C9', 'The given color is invalid'],
['background_color', '#0082Z9', 'The given color is invalid'],
['background_color', 'Nextcloud', 'The given color is invalid'],
['imprintUrl', '0082C9', 'The given legal notice address is not a valid URL'],
['imprintUrl', '0082C9', 'The given legal notice address is not a valid URL'],
['imprintUrl', 'javascript:foo', 'The given legal notice address is not a valid URL'],
['privacyUrl', '#0082Z9', 'The given privacy policy address is not a valid URL'],
...$urlTests,
];
}

Write Preview
Loading…
Cancel
Save