Fix http_build_url with empty but set user #2050

Open
LeoColomb opened this Issue Mar 4, 2016 · 2 comments


@LeoColomb
Member

Calling yourls_esc_url with

$url = 'Http://@ExAmPlE.com#BLAH'

calls yourls_lowercase_scheme_domain which got

$partial_original_url          = trim( http_build_url( $parts ), '/' );
// $partial_original_url       = 'Http://ExAmPlE.com'
$partial_lower_original_url    = trim( http_build_url( $parts, $lower ), '/' );
// $partial_lower_original_url = 'http://example.com'
$url                           = str_replace( $partial_original_url , $partial_lower_original_url, $url );
// $url                        = 'Http://@ExAmPlE.com#BLAH'

then coming back to yourls_esc_url and

if ( !yourls_is_allowed_protocol( $url, $protocols ) ) // TRUE ! <= 'Http' is not an allowed protocol
    return '';

returns $url = ''.


Maybe make yourls_is_allowed_protocol case insensitive?
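
The failure described above, reproduced as an added example that is not part of the original issue and is not YOURLS code. The `demo_*` functions and the allowlist are hypothetical stand-ins: `demo_build` imitates the rebuild step dropping the empty user, and the last two functions show an in-place normalisation and a case-insensitive allowlist check.

```php
<?php
// Added illustration: demo_* functions are hypothetical stand-ins, not YOURLS source.

// Stand-in for the rebuild step: an empty user is dropped, so "scheme://@host"
// is rebuilt as "scheme://host" (the behaviour shown in the issue's comments).
function demo_build(array $p): string {
    $auth = !empty($p['user']) ? $p['user'] . '@' : '';
    return $p['scheme'] . '://' . $auth . $p['host'];
}

// Rebuild-and-replace, as in the quoted snippet: a silent no-op whenever the
// rebuilt prefix is not a literal substring of the original URL.
function demo_lowercase_by_replace(string $url): string {
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return $url;
    }
    $lower = array_merge($parts, [
        'scheme' => strtolower($parts['scheme']),
        'host'   => strtolower($parts['host']),
    ]);
    return str_replace(demo_build($parts), demo_build($lower), $url);
}

// Alternative: lowercase scheme and host in place, leaving userinfo untouched.
function demo_lowercase_in_place(string $url): string {
    $re = '~^([a-z][a-z0-9+.\-]*)(://)([^/?#@]*@)?([^/?#:]*)~i';
    $out = preg_replace_callback($re, function (array $m): string {
        return strtolower($m[1]) . $m[2] . ($m[3] ?? '') . strtolower($m[4] ?? '');
    }, $url, 1);
    return $out ?? $url;
}

// Protocol allowlist check; URI schemes are case-insensitive per RFC 3986.
function demo_is_allowed(string $url, array $protocols, bool $ci): bool {
    foreach ($protocols as $p) {
        $cmp = $ci ? strncasecmp($url, $p, strlen($p)) : strncmp($url, $p, strlen($p));
        if ($cmp === 0) return true;
    }
    return false;
}

$url       = 'Http://@ExAmPlE.com#BLAH';  // URL from the issue
$protocols = ['http://', 'https://'];      // constructed allowlist
var_dump(demo_lowercase_by_replace($url));                                     // replace approach
var_dump(demo_is_allowed(demo_lowercase_by_replace($url), $protocols, false)); // strict check after it
var_dump(demo_lowercase_in_place($url));                                       // in-place approach
var_dump(demo_is_allowed(demo_lowercase_in_place($url), $protocols, false));   // strict check after it
var_dump(demo_is_allowed($url, $protocols, true));                             // case-insensitive check, raw URL
```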

@LeoColomb
Member

Issue introduced by 15a1f56.

@LeoColomb LeoColomb added bug core labels Mar 5, 2016
@ozh
Member
ozh commented Mar 5, 2016

☀️
