[#1246] Check for https as well as http when checking URLs

* in cgi-bin/Apache/LiveJournal::trans, we need only check against the current page's protocol (http or https) * in other files, we check for both http and https Fixes #1246.
dreamwidth · Feb 26, 2015 · 9a39f5b · 9a39f5b
1 parent 40e7f79
commit 9a39f5b
Show file tree

Hide file tree

Showing 19 changed files with 27 additions and 28 deletions.
diff --git a/bin/logsummarize.pl b/bin/logsummarize.pl
@@ -96,7 +96,7 @@ BEGIN
 	}
 
 	my $ref = $r->[F_REF];
-	if ($ref =~ m!^http://([^/]+)!) {
+	if ($ref =~ m!^https?://([^/]+)!) {
 	    $ref = $1;
 	    $st{'referer'}->{$ref}++ unless ($ref =~ /livejournal\.com$/);
 	}

diff --git a/cgi-bin/Apache/LiveJournal.pm b/cgi-bin/Apache/LiveJournal.pm
@@ -500,8 +500,7 @@ sub trans
         # -- uppercase usernames
         # -- users with hyphens/underscores, except users from external domains (see table 'domains')
         if ( $orig_user ne lc($orig_user) ||
-            $orig_user =~ /[_-]/ && $u && $u->journal_base !~ m!^http://$host!i && $opts->{'vhost'} !~ /^other:/) {
-
+            $orig_user =~ /[_-]/ && $u && $u->journal_base !~ m!^$protocol://$host!i && $opts->{'vhost'} !~ /^other:/) {
             my $newurl = $uri;
 
             # if we came through $opts->{vhost} eq "users" path above, then
@@ -884,7 +883,7 @@ sub trans
             # redirect them to their canonical URL if on wrong host/prefix
             if (my $u = LJ::load_user($user)) {
                 my $canon_url = $u->journal_base;
-                unless ($canon_url =~ m!^http://$host!i || $LJ::DEBUG{'user_vhosts_no_wronghost_redirect'}) {
+                unless ($canon_url =~ m!^$protocol://$host!i || $LJ::DEBUG{'user_vhosts_no_wronghost_redirect'}) {
                     return redir($apache_r, "$canon_url$uri$args_wq");
                 }
             }
@@ -1603,7 +1602,7 @@ sub mogile_fetch {
             LJ::MemCache::add( $memkey, $paths, $cache_for ) if @paths;
         }
 
-        if ( defined $paths->[0] && $paths->[0] =~ m/^http:/ ) {
+        if ( defined $paths->[0] && $paths->[0] =~ m/^https?:/ ) {
             # reproxy url
             $apache_r->headers_out->{'X-REPROXY-CACHE-FOR'} = "$cache_for; Last-Modified Content-Type";
             $apache_r->headers_out->{'X-REPROXY-URL'} = join( ' ', @$paths );

diff --git a/cgi-bin/DW/Controller/Feeds.pm b/cgi-bin/DW/Controller/Feeds.pm
@@ -143,7 +143,7 @@ sub index_handler {
                     if ( $type eq "link" &&
                          $val =~ m!rel=.alternate.!i &&
                          $val =~ m!type=.application/(?:rss|atom)\+xml.!i &&
-                         $val =~ m!href=[\"\'](http://[^\"\']+)[\"\']!i ) {
+                         $val =~ m!href=[\"\'](https?://[^\"\']+)[\"\']!i ) {
                             $syn_url = $1;
                             last;
                     }

diff --git a/cgi-bin/DW/Routing.pm b/cgi-bin/DW/Routing.pm
@@ -207,7 +207,7 @@ sub _call_hash {
 
         unless ( $renamed_u && $orig_u->equals( $renamed_u ) ) {
             my $journal_host = $renamed_u->journal_base;
-            $journal_host =~ s!http://!!;
+            $journal_host =~ s!https?://!!;
 
             return $r->redirect( LJ::create_url( $r->uri, host => $journal_host, keep_args => 1 ) );
         }

diff --git a/cgi-bin/DW/Worker/ContentImporter/LiveJournal.pm b/cgi-bin/DW/Worker/ContentImporter/LiveJournal.pm
@@ -119,7 +119,7 @@ sub get_feed_account_from_url {
 
     # see if it looks like a valid URL
     return undef
-        unless $url =~ m!^http://([^:/]+)(?::(\d+))?!;
+        unless $url =~ m!^https?://([^:/]+)(?::(\d+))?!;
 
     # Try to figure out if this is a local user.
     my ( $hostname, $port ) = ( $1, $2 );

diff --git a/cgi-bin/LJ/Console/Command/SynEdit.pm b/cgi-bin/LJ/Console/Command/SynEdit.pm
@@ -46,7 +46,7 @@ sub execute {
     return $self->error("Not a syndicated account")
         unless $u->is_syndicated;
     return $self->error("Invalid URL")
-        unless $newurl =~ m!^http://(.+?)/!;
+        unless $newurl =~ m!^https?://(.+?)/!;
 
     my $dbh = LJ::get_db_writer();
     my $oldurl = $dbh->selectrow_array("SELECT synurl FROM syndicated WHERE userid=?",

diff --git a/cgi-bin/LJ/S2.pm b/cgi-bin/LJ/S2.pm
@@ -3174,7 +3174,7 @@ sub set_handler
         } elsif ($cmd eq "set_image") {
             my $domexp = $get_domexp->();
             my $url = shift @args;
-            if ($url =~ m!^http://! && $url !~ /[\'\"\n\r]/) {
+            if ($url =~ m!^https?://! && $url !~ /[\'\"\n\r]/) {
                 $url = LJ::eurl($url);
                 $S2::pout->("setAttr($domexp, 'src', \"$url\");\n");
             }

diff --git a/cgi-bin/LJ/Session.pm b/cgi-bin/LJ/Session.pm
@@ -921,7 +921,7 @@ sub valid_domain_cookie {
 
 sub valid_destination {
     my $dest = shift;
-    return $dest =~ qr!^http://[-\w\.]+\.\Q$LJ::USER_DOMAIN\E/!;
+    return $dest =~ qr!^https?://[-\w\.]+\.\Q$LJ::USER_DOMAIN\E/!;
 }
 
 sub valid_cookie_generation {

diff --git a/cgi-bin/LJ/Setting/DomainMapping.pm b/cgi-bin/LJ/Setting/DomainMapping.pm
@@ -25,7 +25,7 @@ sub save {
 
     my $domainname = lc( $args->{journaldomain} );
 
-    $domainname =~ s!^(http://)?(www\.)?!!;
+    $domainname =~ s!^(https?://)?(www\.)?!!;
 
     # Strip off trailing '.', and any path or port the user might have entered.
     $domainname =~ s!\.([:/].+)?$!!;

diff --git a/cgi-bin/LJ/SynSuck.pm b/cgi-bin/LJ/SynSuck.pm
@@ -360,7 +360,7 @@ sub process_content {
         # <link>.
         # [zilla: 267] Patch: Chaz Meyers <lj-zilla@thechaz.net>
         if ( defined $it->{'id'} && $it->{'id'} ne $it->{'link'}
-             && $it->{'id'} =~ m!^http://! )
+             && $it->{'id'} =~ m!^https?://! )
         {
             $htmllink .= "<p class=\"ljsyndicationlink\">" .
                 "<a href=\"$it->{'id'}\">$it->{'id'}</a></p>";

diff --git a/cgi-bin/LJ/User.pm b/cgi-bin/LJ/User.pm
@@ -3530,12 +3530,12 @@ sub new_from_url {
     }
 
     # user subdomains
-    if ($LJ::USER_DOMAIN && $url =~ m!^http://([\w-]+)\.\Q$LJ::USER_DOMAIN\E/?$!) {
+    if ($LJ::USER_DOMAIN && $url =~ m!^https?://([\w-]+)\.\Q$LJ::USER_DOMAIN\E/?$!) {
         return LJ::load_user($1);
     }
 
     # subdomains that hold a bunch of users (eg, users.siteroot.com/username/)
-    if ($url =~ m!^http://\w+\.\Q$LJ::USER_DOMAIN\E/([\w-]+)/?$!) {
+    if ($url =~ m!^https?://\w+\.\Q$LJ::USER_DOMAIN\E/([\w-]+)/?$!) {
         return LJ::load_user($1);
     }
 
@@ -7601,7 +7601,7 @@ sub load_user_or_identity {
     return undef unless $arg =~ /\./;
 
     my $url = lc($arg);
-    $url = "http://$url" unless $url =~ m!^http://!;
+    $url = "http://$url" unless $url =~ m!^https?://!;
     $url .= "/" unless $url =~ m!/$!;
 
     # get from memcache

diff --git a/cgi-bin/LJ/Web.pm b/cgi-bin/LJ/Web.pm
@@ -726,9 +726,9 @@ sub check_referer {
 
     return 1 if $LJ::SITEROOT   && $referer =~ m!^\Q$LJ::SITEROOT\E$uri!;
     return 1 if $LJ::SSLROOT    && $referer =~ m!^\Q$LJ::SSLROOT\E$uri!;
-    return 1 if $LJ::DOMAIN     && $referer =~ m!^http://\Q$LJ::DOMAIN\E$uri!;
-    return 1 if $LJ::DOMAIN_WEB && $referer =~ m!^http://\Q$LJ::DOMAIN_WEB\E$uri!;
-    return 1 if $LJ::USER_VHOSTS && $referer =~ m!^http://([A-Za-z0-9_\-]{1,25})\.\Q$LJ::DOMAIN\E$uri!;
+    return 1 if $LJ::DOMAIN     && $referer =~ m!^https?://\Q$LJ::DOMAIN\E$uri!;
+    return 1 if $LJ::DOMAIN_WEB && $referer =~ m!^https?://\Q$LJ::DOMAIN_WEB\E$uri!;
+    return 1 if $LJ::USER_VHOSTS && $referer =~ m!^https?://([A-Za-z0-9_\-]{1,25})\.\Q$LJ::DOMAIN\E$uri!;
     return 1 if $origuri =~ m!^https?://! && $origreferer eq $origuri;
     return undef;
 }

diff --git a/htdocs/admin/vgifts/index.bml b/htdocs/admin/vgifts/index.bml
@@ -74,7 +74,7 @@
 
             if ( length( $data ) == 0 ) {
                 $$loaderr = $ML{'.error.upload.nourl'};
-            } elsif ( $data !~ m!^http://! ) {
+            } elsif ( $data !~ m!^https?://! ) {
                 $$loaderr = $ML{'.error.upload.badurl'};
             } else {
                 my $ua = LJ::get_useragent( role => 'vgift' );

diff --git a/htdocs/editicons.bml b/htdocs/editicons.bml
@@ -318,7 +318,7 @@ use strict;
         $returl = LJ::CleanHTML::canonical_url($POST{'ret'});
         if ($returl) {
             my $redir_host;
-            $redir_host = $1 if $returl =~ m!^http://([\.:\w-]+)!i;
+            $redir_host = $1 if $returl =~ m!^https?://([\.:\w-]+)!i;
             return BML::redirect($returl) if $LJ::REDIRECT_ALLOWED{$redir_host};
         }
     }

diff --git a/htdocs/login.bml b/htdocs/login.bml
@@ -46,7 +46,7 @@ _c?>
     my $want_fail_redirect = sub {
         my @error_codes = @_;
 
-        if ($POST{ret_fail} && $POST{ret_fail} =~ m!^http://([\.:\w-]+)!i && 
+        if ($POST{ret_fail} && $POST{ret_fail} =~ m!^https?://([\.:\w-]+)!i &&
             $LJ::REDIRECT_ALLOWED{$1}) 
         {
             BML::redirect($POST{ret_fail} . LJ::eurl(join(',', @error_codes)));

diff --git a/htdocs/logout.bml b/htdocs/logout.bml
@@ -67,13 +67,13 @@ _c?>
             # Redirect to offsite uri if allowed.
             if ($POST{'ret'}) {
                 my $redir_host;
-                $redir_host = $1 if $POST{'ret'} =~ m#^http://([\.:\w-]+)#i;
+                $redir_host = $1 if $POST{'ret'} =~ m#^https?://([\.:\w-]+)#i;
                 return BML::redirect($POST{'ret'}) if $LJ::REDIRECT_ALLOWED{$redir_host};
             }
 
             $logged_out_html->();
         } else {
-            if ($POST{ret_fail} && $POST{ret_fail} =~ m!^http://([\.:\w-]+)!i &&
+            if ($POST{ret_fail} && $POST{ret_fail} =~ m!^https?://([\.:\w-]+)!i &&
                 $LJ::REDIRECT_ALLOWED{$1})
             {
                 return BML::redirect($POST{ret_fail} . LJ::eurl('incorrect_sessid'));
@@ -105,7 +105,7 @@ _c?>
             }
         }
     } else {
-        if ($POST{ret_fail} && $POST{ret_fail} =~ m!^http://([\.:\w-]+)!i &&
+        if ($POST{ret_fail} && $POST{ret_fail} =~ m!^https?://([\.:\w-]+)!i &&
            $LJ::REDIRECT_ALLOWED{$1})
         {
            return BML::redirect($POST{ret_fail} . LJ::eurl('no_user'));

diff --git a/htdocs/manage/domain.bml b/htdocs/manage/domain.bml
@@ -64,7 +64,7 @@ body<=
             ( !$dom_cap && $POST{journaldomain_del} ) ) {
 
             my $dom = lc( $POST{journaldomain} );
-            $dom =~ s!^(http://)?(www\.)?!!;
+            $dom =~ s!^(https?://)?(www\.)?!!;
 
             # Strip off trailing '.', and any path or port the user might have entered.
             $dom =~ s!\.([:/].+)?$!!;

diff --git a/htdocs/profile.bml b/htdocs/profile.bml
@@ -94,7 +94,7 @@ body<=
         my $url = $u->profile_url( full => $is_full );
 
         my $good_domain = $url;
-        $good_domain =~ s!^http://!!;
+        $good_domain =~ s!^https?://!!;
         $good_domain =~ s!/.*!!;
         if ( $domain ne $good_domain ) {
             return BML::redirect( $url );

diff --git a/styles/core2.s2 b/styles/core2.s2
@@ -3675,7 +3675,7 @@ function FriendsPage::print_stylesheets() {
 function generate_image_url ( string image_path ) : string
 "Take an image property and append style image directory path if not given absolute path"
 {
-    if ( $image_path != "" and not $image_path->starts_with("http://") ) {
+    if ( $image_path != "" and not ( $image_path->starts_with("http://") or $image_path->starts_with("https://") ) ) {
         $image_path = "$*STYLES_IMGDIR/$image_path";
     }