Commit 980bd08b authored by Petr Skoda's avatar Petr Skoda Committed by Eloy Lafuente

MDL-50688 lib: fix local url validation bug

Change-Id: I350bb8c9ace5cc0403f083f728c100097be7aa7e
Reviewed-on: https://review.totaralms.com/8101

Tested-by: default avatarJenkins Automation <jenkins@totaralms.com>
Reviewed-by: default avatarSam Hemelryk <sam.hemelryk@totaralms.com>
Reviewed-by: default avatarAlastair Munro <alastair.munro@totaralms.com>
parent 3a8b5c11
......@@ -1036,11 +1036,15 @@ function clean_param($param, $type) {
// Simulate the HTTPS version of the site.
$httpswwwroot = str_replace('http://', 'https://', $CFG->wwwroot);
if (preg_match(':^/:', $param)) {
if ($param === $CFG->wwwroot) {
// Exact match;
} else if (!empty($CFG->loginhttps) && $param === $httpswwwroot) {
// Exact match;
} else if (preg_match(':^/:', $param)) {
// Root-relative, ok!
} else if (preg_match('/^' . preg_quote($CFG->wwwroot, '/') . '/i', $param)) {
} else if (preg_match('/^' . preg_quote($CFG->wwwroot . '/', '/') . '/i', $param)) {
// Absolute, and matches our wwwroot.
} else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot, '/') . '/i', $param)) {
} else if (!empty($CFG->loginhttps) && preg_match('/^' . preg_quote($httpswwwroot . '/', '/') . '/i', $param)) {
// Absolute, and matches our httpswwwroot.
} else {
// Relative - let's make sure there are no tricks.
......
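Review bot: The root-relative branch `preg_match(':^/:', $param)` still accepts any value that merely starts with a slash, including `//other-host/path`, which browsers resolve as a scheme-relative URL to a different host. The trailing-slash fix on the two absolute-prefix branches therefore does not cover this path. Unless an earlier cleaning step in clean_param (not visible in this hunk) already rejects that form, tighten the check to something like `} else if (preg_match(':^/(?![/\\\\]):', $param)) {` so a second leading slash or backslash falls through to the stricter relative handling. Separately, the new exact-match branches compare with `===` while the prefix branches use `/i`, so a differently cased wwwroot without a trailing slash is treated as a relative URL; a short comment stating that this is intentional would help. The function body starts and ends outside the hunk.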