From 1d8e224ebabb8a4c75b97f026950ed710faab0ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=BE=85=E0=BC=BB=20=C7=AC=C9=80=C4=A7=20=E0=BC=84?= =?UTF-8?q?=E0=BC=86=E0=BD=89?=
Date: Tue, 31 Aug 2021 18:00:53 +0200
Subject: [PATCH] Minor security improvements #2 (#3041)

* Escape HTML and attributes before returning
* Remove deprecated vars
---
 includes/functions-shorturls.php | 12 ++++++++----
 tests/tests/shorturl/shorturl.php | 3 +++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/includes/functions-shorturls.php b/includes/functions-shorturls.php
index a1bdb0cf6..87e46f641 100644
--- a/includes/functions-shorturls.php
+++ b/includes/functions-shorturls.php
@@ -301,8 +301,6 @@ function yourls_edit_link( $url, $keyword, $newkeyword='', $title='' ) {
     $keyword = yourls_sanitize_keyword($keyword);
     $title = yourls_sanitize_title($title);
     $newkeyword = yourls_sanitize_keyword($newkeyword, true);
-    $strip_url = stripslashes( $url );
-    $strip_title = stripslashes( $title );
 
     if(!$url OR !$newkeyword) {
         $return['status'] = 'fail';
@@ -334,12 +332,18 @@ function yourls_edit_link( $url, $keyword, $newkeyword='', $title='' ) {
         $binds = array('url' => $url, 'newkeyword' => $newkeyword, 'title' => $title, 'keyword' => $keyword);
         $update_url = $ydb->fetchAffected($sql, $binds);
         if( $update_url ) {
-            $return['url'] = array( 'keyword' => $newkeyword, 'shorturl' => yourls_link($newkeyword), 'url' => $strip_url, 'display_url' => yourls_trim_long_string( $strip_url ), 'title' => $strip_title, 'display_title' => yourls_trim_long_string( $strip_title ) );
+            $return['url'] = array( 'keyword' => $newkeyword,
+                                    'shorturl' => yourls_link($newkeyword),
+                                    'url' => yourls_esc_url($url),
+                                    'display_url' => yourls_esc_html(yourls_trim_long_string($url)),
+                                    'title' => yourls_esc_attr($title),
+                                    'display_title' => yourls_esc_html(yourls_trim_long_string( $title ))
+            );
             $return['status'] = 'success';
             $return['message'] = yourls__( 'Link updated in database' );
         } else {
             $return['status'] = 'fail';
-            $return['message'] = /* //translators: "Error updating http://someurl/ (Shorturl: http://sho.rt/blah)" */ yourls_s( 'Error updating %s (Short URL: %s)', yourls_trim_long_string( $strip_url ), $keyword ) ;
+            $return['message'] = /* //translators: "Error updating http://someurl/ (Shorturl: http://sho.rt/blah)" */ yourls_s( 'Error updating %s (Short URL: %s)', yourls_esc_html(yourls_trim_long_string($url)), $keyword ) ;
         }
 
     // Nope
diff --git a/tests/tests/shorturl/shorturl.php b/tests/tests/shorturl/shorturl.php
index 55e61e5b3..0bde5e5c8 100644
--- a/tests/tests/shorturl/shorturl.php
+++ b/tests/tests/shorturl/shorturl.php
@@ -40,6 +40,9 @@ public function test_add_url() {
 
         $fail = yourls_add_new_link( $url, $keyword, $title );
         $this->assertEquals( 'fail', $fail['status'] );
+
+        $fail = yourls_add_new_link( $url, rand_str(), rand_str() );
+        $this->assertEquals( 'fail', $fail['status'] );
         $this->assertEquals( 'error:url', $fail['code'] );
 
         $fail = yourls_add_new_link( 'http://' . rand_str(), $keyword, $title );
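Review bot: The escaping now happens inside the array the function returns rather than at the point of output, and the fields are encoded for three different contexts (`yourls_esc_url` for `url`, `yourls_esc_attr` for `title`, `yourls_esc_html` for the two `display_*` fields), so a consumer that renders `title` as text, or escapes any of these values again, will mis-encode or double-encode them. That contract is invisible to callers; state it above the array, e.g. `// Returned values are pre-escaped for their intended context: url (URL), title (HTML attribute), display_* (HTML text). Do not escape again.` The second `%s` in the failure message on the last `+` line still receives `$keyword` unescaped; it went through yourls_sanitize_keyword in the earlier hunk so it is presumably already restricted, but passing `yourls_esc_html($keyword)` like the first placeholder keeps the message uniformly safe for HTML output. yourls_edit_link starts and ends outside this hunk.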
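Review bot: Inserting the new call before the existing `error:url` assertion re-points that assertion at the second `$fail`, so the first call's error code is no longer checked; add `$this->assertEquals( 'error:url', $fail['code'] );` directly after the first `assertEquals( 'fail', ... )` so both calls are asserted on status and code. The hunk also leaves the commit's main change untested: nothing calls yourls_edit_link with a title or URL containing `<`, `"` or `&` to confirm that `title` and `display_title` come back entity-encoded, which is the regression the patch is meant to guard against. Something like `$edit = yourls_edit_link( $url, $keyword, rand_str(), 'a<b' ); $this->assertSame( 'a&lt;b', $edit['url']['display_title'] );` would pin it, with the exact expected string to be confirmed against yourls_sanitize_title, which runs first and is outside this diff. test_add_url continues outside the hunk.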