From 4b8a9a5189a625bf99fedec7fd31f6e146410a14 Mon Sep 17 00:00:00 2001
From: emkael
Date: Thu, 26 Apr 2018 01:00:12 +0200
Subject: Update FB API library
---
 .../Facebook/Url/FacebookUrlDetectionHandler.php | 25 +++++++++++++++++++---
 .../src/Facebook/Url/FacebookUrlManipulator.php | 4 ++--
 .../src/Facebook/Url/UrlDetectionInterface.php | 2 +-
 3 files changed, 25 insertions(+), 6 deletions(-)
(limited to 'lib/facebook-graph-sdk/src/Facebook/Url')
diff --git a/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlDetectionHandler.php b/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlDetectionHandler.php
index 5fbb9ce..1d134dd 100644
--- a/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlDetectionHandler.php
+++ b/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlDetectionHandler.php
@@ -1,6 +1,6 @@ getHeader('X_FORWARDED_HOST')) {
- $elements = explode(',', $host);
+ $header = $this->getHeader('X_FORWARDED_HOST');
+ if ($header && $this->isValidForwardedHost($header)) {
+ $elements = explode(',', $header);
 $host = $elements[count($elements) - 1];
 } elseif (!$host = $this->getHeader('HOST')) {
 if (!$host = $this->getServerVar('SERVER_NAME')) {
@@ -160,4 +161,22 @@ class FacebookUrlDetectionHandler implements UrlDetectionInterface
 {
 return $this->getServerVar('HTTP_' . $key);
 }
+
+ /**
+ * Checks if the value in X_FORWARDED_HOST is a valid hostname
+ * Could prevent unintended redirections
+ *
+ * @param string $header
+ *
+ * @return boolean
+ */
+ protected function isValidForwardedHost($header)
+ {
+ $elements = explode(',', $header);
+ $host = $elements[count($elements) - 1];
+
+ return preg_match("/^([a-z\d](-*[a-z\d])*)(\.([a-z\d](-*[a-z\d])*))*$/i", $host) //valid chars check
+ && 0 < strlen($host) && strlen($host) < 254 //overall length check
+ && preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $host); //length of each label
+ }
 }
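Review bot: The new `isValidForwardedHost` only checks that the last `X_FORWARDED_HOST` element is a syntactically well-formed hostname, so a well-formed but client-chosen value still passes and, unless a proxy in front of the application always overwrites that header, the detected host (and any URL or redirect built from it) remains client-controlled. The docblock line `Could prevent unintended redirections` overstates this; I would replace it with `Rejects malformed values only; callers must still ensure the header is set by a trusted proxy, or compare the result against an allow-list of expected hosts.` Two smaller issues on the return expression: PCRE `$` also matches before a trailing newline, so both patterns should end in `\z` (or carry the `D` modifier) instead of `$`, and neither pattern admits a `:port` suffix or the space that commonly follows the comma in a multi-valued header, so such legitimate values silently fall back to `HOST` rather than being honoured. The caller hunk earlier in this file repeats the `explode`/last-element logic and should trim the element the same way if that is addressed.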
diff --git a/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlManipulator.php b/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlManipulator.php
index 20a0299..daeab9c 100644
--- a/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlManipulator.php
+++ b/lib/facebook-graph-sdk/src/Facebook/Url/FacebookUrlManipulator.php
@@ -1,6 +1,6 @@