Pass links to external sites in changelog through url.php

This avoids possible information disclossure in the links (token). Signed-off-by: Michal Čihař <michal@cihar.com>
phpmyadmin · Apr 29, 2016 · 8326aae · 8326aae
1 parent d2dc948
commit 8326aae
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 19 deletions.
diff --git a/changelog.php b/changelog.php
@@ -56,75 +56,75 @@
 
 $replaces = array(
     '@(http://[./a-zA-Z0-9.-_-]*[/a-zA-Z0-9_])@'
-    => '<a href="\\1">\\1</a>',
+    => '<a href="url.php?url=\\1">\\1</a>',
 
     // sourceforge users
     '/([0-9]{4}-[0-9]{2}-[0-9]{2}) (.+[^ ]) +&lt;(.*)@users.sourceforge.net&gt;/i'
-    => '\\1 <a href="https://sourceforge.net/users/\\3/">\\2</a>',
+    => '\\1 <a href="url.php?url=https://sourceforge.net/users/\\3/">\\2</a>',
     '/thanks to ([^\(\r\n]+) \(([-\w]+)\)/i'
-    => 'thanks to <a href="https://sourceforge.net/users/\\2/">\\1</a>',
+    => 'thanks to <a href="url.php?url=https://sourceforge.net/users/\\2/">\\1</a>',
     '/thanks to ([^\(\r\n]+) -\s+([-\w]+)/i'
-    => 'thanks to <a href="https://sourceforge.net/users/\\2/">\\1</a>',
+    => 'thanks to <a href="url.php?url=https://sourceforge.net/users/\\2/">\\1</a>',
 
     // mail address
     '/([0-9]{4}-[0-9]{2}-[0-9]{2}) (.+[^ ]) +&lt;(.*@.*)&gt;/i'
     => '\\1 <a href="mailto:\\3">\\2</a>',
 
     // linking patches
     '/patch\s*#?([0-9]{6,})/i'
-    => '<a href="' . $tracker_url . '">patch #\\1</a>',
+    => '<a href="url.php?url=' . $tracker_url . '">patch #\\1</a>',
 
     // linking RFE
     '/(?:rfe|feature)\s*#?([0-9]{6,})/i'
-    => '<a href="https://sourceforge.net/support/tracker.php?aid=\\1">RFE #\\1</a>',
+    => '<a href="url.php?url=https://sourceforge.net/support/tracker.php?aid=\\1">RFE #\\1</a>',
 
     // linking files
     '/(\s+)([\\/a-z_0-9\.]+\.(?:php3?|html|pl|js|sh))/i'
-    => '\\1<a href="' . $github_url . 'commits/HEAD/\\2">\\2</a>',
+    => '\\1<a href="url.php?url=' . $github_url . 'commits/HEAD/\\2">\\2</a>',
 
     // FAQ entries
     '/FAQ ([0-9]+)\.([0-9a-z]+)/i'
-    => '<a href="' . $faq_url . '#faq\\1-\\2">FAQ \\1.\\2</a>',
+    => '<a href="url.php?url=' . $faq_url . '#faq\\1-\\2">FAQ \\1.\\2</a>',
 
     // linking bugs
     '/bug\s*#?([0-9]{6,})/i'
-    => '<a href="https://sourceforge.net/support/tracker.php?aid=\\1">bug #\\1</a>',
+    => '<a href="url.php?url=https://sourceforge.net/support/tracker.php?aid=\\1">bug #\\1</a>',
 
     // all other 6+ digit numbers are treated as bugs
     '/(?<!bug|RFE|patch) #?([0-9]{6,})/i'
-    => '<a href="' . $tracker_url . '">bug #\\1</a>',
+    => '<a href="url.php?url=' . $tracker_url . '">bug #\\1</a>',
 
     // GitHub issues
     '/issue\s*#?([0-9]{4,5}) /i'
-    => '<a href="' . $github_url . 'issues/\\1">issue #\\1</a> ',
+    => '<a href="url.php?url=' . $github_url . 'issues/\\1">issue #\\1</a> ',
 
     // transitioned SF.net project bug/rfe/patch links
     // by the time we reach 6-digit numbers, we can probably retire the above links
     '/patch\s*#?([0-9]{4,5}) /i'
-    => '<a href="' . $tracker_url_patch . '">patch #\\1</a> ',
+    => '<a href="url.php?url=' . $tracker_url_patch . '">patch #\\1</a> ',
     '/(?:rfe|feature)\s*#?([0-9]{4,5}) /i'
-    => '<a href="' . $tracker_url_rfe . '">RFE #\\1</a> ',
+    => '<a href="url.php?url=' . $tracker_url_rfe . '">RFE #\\1</a> ',
     '/bug\s*#?([0-9]{4,5}) /i'
-    => '<a href="' . $tracker_url_bug . '">bug #\\1</a> ',
+    => '<a href="url.php?url=' . $tracker_url_bug . '">bug #\\1</a> ',
     '/(?<!bug|RFE|patch) #?([0-9]{4,5}) /i'
-    => '<a href="' . $tracker_url_bug . '">bug #\\1</a> ',
+    => '<a href="url.php?url=' . $tracker_url_bug . '">bug #\\1</a> ',
 
     // CVE/CAN entries
     '/((CAN|CVE)-[0-9]+-[0-9]+)/'
-    => '<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=\\1">\\1</a>',
+    => '<a href="url.php?url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=\\1">\\1</a>',
 
     // PMASAentries
     '/(PMASA-[0-9]+-[0-9]+)/'
-    => '<a href="https://www.phpmyadmin.net/security/\\1/">\\1</a>',
+    => '<a href="url.php?url=https://www.phpmyadmin.net/security/\\1/">\\1</a>',
 
     // Highlight releases (with links)
     '/([0-9]+)\.([0-9]+)\.([0-9]+)\.0 (\([0-9-]+\))/'
     => '<a name="\\1_\\2_\\3"></a>'
-        . '<a href="' . $github_url . 'commits/RELEASE_\\1_\\2_\\3">'
+        . '<a href="url.php?url=' . $github_url . 'commits/RELEASE_\\1_\\2_\\3">'
         . '\\1.\\2.\\3.0 \\4</a>',
     '/([0-9]+)\.([0-9]+)\.([0-9]+)\.([1-9][0-9]*) (\([0-9-]+\))/'
     => '<a name="\\1_\\2_\\3_\\4"></a>'
-        . '<a href="' . $github_url . 'commits/RELEASE_\\1_\\2_\\3_\\4">'
+        . '<a href="url.php?url=' . $github_url . 'commits/RELEASE_\\1_\\2_\\3_\\4">'
         . '\\1.\\2.\\3.\\4 \\5</a>',
 
     // Highlight releases (not linkable)

diff --git a/libraries/core.lib.php b/libraries/core.lib.php
@@ -769,6 +769,8 @@ function PMA_isAllowedDomain($url)
         'mariadb.org',
         /* php.net domains */
         'php.net',
+        /* sourceforge.net domain */
+        'sourceforge.net',
         /* Github domains*/
         'github.com','www.github.com',
         /* Following are doubtful ones. */