Bug #23321 » 15311.diff
| t3lib/class.t3lib_div.php (working copy) | ||
|---|---|---|
|
$decodedUrl = rawurldecode($url);
|
||
|
$decodedParts = @parse_url($decodedUrl);
|
||
|
$whitelistPattern = '/^(\p{Nd}|\p{L}|[_\/\.&=\?\+-~])+$/u';
|
||
|
$whitelistPattern = '/^([a-z0-9_\/\.&=\?\+~-])+$/i';
|
||
|
// Only http and https are allowed as scheme, and at least a path must be given:
|
||
|
if (isset($decodedParts['scheme']) && !t3lib_div::inList('http,https', $decodedParts['scheme']) || !isset($decodedParts['path'])) {
|
||
|
$url = '';
|
||
|
// Check all URL parts for invalid characters:
|
||
|
} else {
|
||
|
foreach ($decodedParts as $part) {
|
||
|
if (!preg_match($whitelistPattern, $part)) {
|
||
|
$url = '';
|
||
|
break;
|
||
|
foreach ($decodedParts as $partName => $part) {
|
||
|
if (t3lib_div::inList('path,query,fragment,user,pass', $partName)) {
|
||
|
if (!preg_match($whitelistPattern, $part)) {
|
||
|
$url = '';
|
||
|
break;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||