Do not attempt to download photos from URIs with unsupported URI scheme

mstilkerich · Dec 27, 2022 · 1edbdba · 1edbdba
1 parent 73b94ff
commit 1edbdba
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Fixes for better handling of incoming vCard4 (Fixes: #411)
   - Handle data-URI-style inline PHOTO as used in vCard4
   - Use VCard conversion to handle v4 properties such as KIND=group for which extensions are used in v3 vCards
+- Fix: Do not attempt to download photos from URIs with unsupported URI scheme (supported are http and https) (#411)
 
 ## Version 5.0.0-beta1 (to 4.4.4)
 

diff --git a/src/DelayedPhotoLoader.php b/src/DelayedPhotoLoader.php
@@ -125,11 +125,21 @@ private function computePhotoFromProperty(): string
         $cropProp = $photoProp['X-ABCROP-RECTANGLE'];
 
         // check if photo needs to be downloaded
+        $photoUri = null;
         $kind = $photoProp['VALUE'];
         if (($kind instanceof VObject\Parameter) && strcasecmp('uri', (string) $kind) == 0) {
-            $photoUri = (string) $photoProp;
-        } else {
-            $photoUri = null;
+            if (preg_match('#^([[:alpha:]][[:alnum:]]*)://#', (string) $photoProp, $matches)) {
+                $scheme = strtolower($matches[1]);
+                if ($scheme === 'http' || $scheme === 'https') {
+                    $photoUri = (string) $photoProp;
+                } else {
+                    $infra = Config::inst();
+                    $logger = $infra->logger();
+                    $msg = "Unsupported URI scheme $scheme for PHOTO property";
+                    $logger->warning($msg);
+                    throw new \Exception($msg);
+                }
+            }
         }
 
         // true if the photo must be processed (downloaded/cropped) and the result should be cached

diff --git a/tests/Unit/DataConversionTest.php b/tests/Unit/DataConversionTest.php
@@ -519,6 +519,22 @@ public function testPhotoloaderHandlesUnauthenticatedUsageError(): void
         $logger->expectMessage("error", "determineCacheKey: user must be logged on to use photo cache");
     }
 
+    /**
+     * Tests that DelayedPhotoLoader logs a warning if it encounters an unsupported PHOTO URI scheme
+     */
+    public function testPhotoloaderHandlesUnknownUriScheme(): void
+    {
+        $logger = TestInfrastructure::logger();
+
+        $vcard = TestInfrastructure::readVCard("tests/Unit/data/vcardImport/UriPhoto.vcf");
+        $this->assertNotNull($vcard->PHOTO);
+        $vcard->PHOTO->setValue('ftp://localhost/raven.jpg');
+        $proxy = new DelayedPhotoLoader($vcard, $this->abook);
+
+        $this->assertEquals("", $proxy);
+        $logger->expectMessage("warning", "Unsupported URI scheme ftp for PHOTO property");
+    }
+
     /**
      * Tests that the function properly reports single-value attributes.
      */