Diffstat (limited to 'lib/facebook-graph-sdk/src/Facebook/Url')
3 files changed, 25 insertions, 6 deletions
diff --git a/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlDetectionHandler.php b/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlDetectionHandler.php
index 5fbb9ce..1d134dd 100644
--- a/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlDetectionHandler.php
+++ b/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlDetectionHandler.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * Copyright 2014 Facebook, Inc.
+ * Copyright 2017 Facebook, Inc.
  *
  * You are hereby granted a non-exclusive, worldwide, royalty-free license to
  * use, copy, modify, and distribute this software in source code or binary
@@ -95,8 +95,9 @@ class FacebookUrlDetectionHandler implements UrlDetectionInterface
     protected function getHostName()
     {
         // Check for proxy first
-        if ($host = $this->getHeader('X_FORWARDED_HOST')) {
-            $elements = explode(',', $host);
+        $header = $this->getHeader('X_FORWARDED_HOST');
+        if ($header && $this->isValidForwardedHost($header)) {
+            $elements = explode(',', $header);
             $host = $elements[count($elements) - 1];
         } elseif (!$host = $this->getHeader('HOST')) {
             if (!$host = $this->getServerVar('SERVER_NAME')) {
@@ -160,4 +161,22 @@ class FacebookUrlDetectionHandler implements UrlDetectionInterface
     {
         return $this->getServerVar('HTTP_' . $key);
     }
+
+    /**
+     * Checks if the value in X_FORWARDED_HOST is a valid hostname
+     * Could prevent unintended redirections
+     *
+     * @param string $header
+     *
+     * @return boolean
+     */
+    protected function isValidForwardedHost($header)
+    {
+        $elements = explode(',', $header);
+        $host = $elements[count($elements) - 1];
+
+        return preg_match("/^([a-z\d](-*[a-z\d])*)(\.([a-z\d](-*[a-z\d])*))*$/i", $host) //valid chars check
+            && 0 < strlen($host) && strlen($host) < 254 //overall length check
+            && preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $host); //length of each label
+    }
 }
diff --git a/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlManipulator.php b/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlManipulator.php
index 20a0299..daeab9c 100644
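Review bot: The new `isValidForwardedHost` guard covers only the X_FORWARDED_HOST path; the `HOST` header read in the `elseif` two lines below is just as client-controlled and still flows into `$host` unchecked, so a value that the proxy path would now reject is still accepted on the direct path. The same validator (or a shared one) should be applied to that branch, with a comment such as `// Host is client-supplied too; validate before using it to build redirect URLs`, keeping in mind that rejecting an invalid HOST changes which fallback (SERVER_NAME) is reached. When the forwarded header is present but fails validation the code falls back silently, which makes a mis-set proxy header hard to diagnose; a debug-level log at that point would help. getHostName continues past the end of the hunk, so the remaining fallbacks were not reviewed.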
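Review bot: Both patterns in isValidForwardedHost end in `$` without the `D` modifier, so a value ending in a newline (`example.com` followed by `\n`) satisfies every check and reaches `$host` with the newline intact; anchor with `\z` or append `D` to both modifiers (`/…$/iD` and `/…$/D`). The last comma-separated element is also not trimmed, so the common `a.example.com, b.example.com` form is rejected by the character-class check, and in the preceding getHostName hunk the untrimmed value would be used as the host; `$host = trim($elements[count($elements) - 1]);` in both places addresses that. A `host:port` value fails the check and falls through to HOST, which is worth stating in the docblock so the behaviour is not mistaken for a bug. The explode-and-take-last logic is now duplicated between getHostName and this method; a small private helper returning the trimmed last element would keep the two in step.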
--- a/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlManipulator.php
+++ b/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlManipulator.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * Copyright 2014 Facebook, Inc.
+ * Copyright 2017 Facebook, Inc.
  *
  * You are hereby granted a non-exclusive, worldwide, royalty-free license to
  * use, copy, modify, and distribute this software in source code or binary
@@ -76,7 +76,7 @@ class FacebookUrlManipulator
      */
     public static function appendParamsToUrl($url, array $newParams = [])
     {
-        if (!$newParams) {
+        if (empty($newParams)) {
             return $url;
         }
diff --git a/lib/facebook-graph-sdk/src/Facebook/Url/UrlDetectionInterface.php b/lib/facebook-graph-sdk/src/Facebook/Url/UrlDetectionInterface.php
index 764a606..dca38a0 100644
--- a/lib/facebook-graph-sdk/src/Facebook/Url/UrlDetectionInterface.php
+++ b/lib/facebook-graph-sdk/src/Facebook/Url/UrlDetectionInterface.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * Copyright 2014 Facebook, Inc.
+ * Copyright 2017 Facebook, Inc.
  *
  * You are hereby granted a non-exclusive, worldwide, royalty-free license to
  * use, copy, modify, and distribute this software in source code or binary
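Review bot: `empty($newParams)` on a parameter already declared `array $newParams = []` is the same test as the removed `!$newParams`, but it reads as if it also guards against an undefined variable, which a declared parameter can never be. `if ($newParams === []) {` states the actual intent (nothing to append) without the truthiness detour and is what a static analyser will not flag as redundant. appendParamsToUrl continues past the end of the hunk.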