fix: tests

This commit is contained in:
loks0n 2025-01-23 17:20:57 +00:00
parent f5efc53406
commit 507d210bcb
2 changed files with 8 additions and 3 deletions


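--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -21,6 +21,7 @@ use Appwrite\Event\Usage;
 use Appwrite\Extend\Exception;
 use Appwrite\Hooks\Hooks;
 use Appwrite\Network\Validator\Email;
+use Appwrite\Network\Validator\Redirect;
 use Appwrite\OpenSSL\OpenSSL;
 use Appwrite\SDK\AuthType;
 use Appwrite\SDK\ContentType;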


@ -37,30 +37,34 @@ class Redirect extends Host
/** /**
* Is valid * Is valid
* *
* Validation will pass if scheme is not http or https or host is in whitelist * Validation will pass when $value is a valid URL and the host is allowed
* *
* @param mixed $value * @param mixed $value
* @return bool * @return bool
*/ */
public function isValid($value): bool public function isValid($value): bool
{ {
// `parse_url` returns false for URL with only a scheme. // `parse_url` returns false for URL with only a scheme
// We need to check for this case separately. // We need to check for this case separately
if (preg_match('/^([a-z][a-z0-9+\.-]*):\/+$/i', $value, $matches)) { if (preg_match('/^([a-z][a-z0-9+\.-]*):\/+$/i', $value, $matches)) {
$scheme = strtolower($matches[1]); $scheme = strtolower($matches[1]);
return $scheme !== 'javascript'; return $scheme !== 'javascript';
} }
// `parse_url` returns false for invalid URLs
$url = \parse_url($value); $url = \parse_url($value);
if ($url === false || !isset($url["scheme"])) { if ($url === false || !isset($url["scheme"])) {
return false; return false;
} }
// If scheme is javascript, it's an XSS vector
$scheme = strtolower($url["scheme"]); $scheme = strtolower($url["scheme"]);
if ($scheme === "javascript") { if ($scheme === "javascript") {
return false; return false;
} }
// If scheme is not http or https, we don't need to check the host
// Allow deep links to other user apps.
if (!\in_array($scheme, ["http", "https"])) { if (!\in_array($scheme, ["http", "https"])) {
return true; return true;
} }