
Commit 8326aae

committed
Pass links to external sites in changelog through url.php
This avoids possible information disclosure in the links (token). Signed-off-by: Michal Čihař <michal@cihar.com>
1 parent d2dc948 commit 8326aae


2 files changed

+21
-19
lines changed


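--- a/changelog.php
+++ b/changelog.php
@@ -56,75 +56,75 @@
 
 $replaces = array(
 '@(http://[./a-zA-Z0-9.-_-]*[/a-zA-Z0-9_])@'
-=> '<a href="\\1">\\1</a>',
+=> '<a href="url.php?url=\\1">\\1</a>',
 
 // sourceforge users
 '/([0-9]{4}-[0-9]{2}-[0-9]{2}) (.+[^ ]) +&lt;(.*)@users.sourceforge.net&gt;/i'
-=> '\\1 <a href="https://sourceforge.net/users/\\3/">\\2</a>',
+=> '\\1 <a href="url.php?url=https://sourceforge.net/users/\\3/">\\2</a>',
 '/thanks to ([^\(\r\n]+) \(([-\w]+)\)/i'
-=> 'thanks to <a href="https://sourceforge.net/users/\\2/">\\1</a>',
+=> 'thanks to <a href="url.php?url=https://sourceforge.net/users/\\2/">\\1</a>',
 '/thanks to ([^\(\r\n]+) -\s+([-\w]+)/i'
-=> 'thanks to <a href="https://sourceforge.net/users/\\2/">\\1</a>',
+=> 'thanks to <a href="url.php?url=https://sourceforge.net/users/\\2/">\\1</a>',
 
 // mail address
 '/([0-9]{4}-[0-9]{2}-[0-9]{2}) (.+[^ ]) +&lt;(.*@.*)&gt;/i'
 => '\\1 <a href="mailto:\\3">\\2</a>',
 
 // linking patches
 '/patch\s*#?([0-9]{6,})/i'
-=> '<a href="' . $tracker_url . '">patch #\\1</a>',
+=> '<a href="url.php?url=' . $tracker_url . '">patch #\\1</a>',
 
 // linking RFE
 '/(?:rfe|feature)\s*#?([0-9]{6,})/i'
-=> '<a href="https://sourceforge.net/support/tracker.php?aid=\\1">RFE #\\1</a>',
+=> '<a href="url.php?url=https://sourceforge.net/support/tracker.php?aid=\\1">RFE #\\1</a>',
 
 // linking files
 '/(\s+)([\\/a-z_0-9\.]+\.(?:php3?|html|pl|js|sh))/i'
-=> '\\1<a href="' . $github_url . 'commits/HEAD/\\2">\\2</a>',
+=> '\\1<a href="url.php?url=' . $github_url . 'commits/HEAD/\\2">\\2</a>',
 
 // FAQ entries
 '/FAQ ([0-9]+)\.([0-9a-z]+)/i'
-=> '<a href="' . $faq_url . '#faq\\1-\\2">FAQ \\1.\\2</a>',
+=> '<a href="url.php?url=' . $faq_url . '#faq\\1-\\2">FAQ \\1.\\2</a>',
 
 // linking bugs
 '/bug\s*#?([0-9]{6,})/i'
-=> '<a href="https://sourceforge.net/support/tracker.php?aid=\\1">bug #\\1</a>',
+=> '<a href="url.php?url=https://sourceforge.net/support/tracker.php?aid=\\1">bug #\\1</a>',
 
 // all other 6+ digit numbers are treated as bugs
 '/(?<!bug|RFE|patch) #?([0-9]{6,})/i'
-=> '<a href="' . $tracker_url . '">bug #\\1</a>',
+=> '<a href="url.php?url=' . $tracker_url . '">bug #\\1</a>',
 
 // GitHub issues
 '/issue\s*#?([0-9]{4,5}) /i'
-=> '<a href="' . $github_url . 'issues/\\1">issue #\\1</a> ',
+=> '<a href="url.php?url=' . $github_url . 'issues/\\1">issue #\\1</a> ',
 
 // transitioned SF.net project bug/rfe/patch links
 // by the time we reach 6-digit numbers, we can probably retire the above links
 '/patch\s*#?([0-9]{4,5}) /i'
-=> '<a href="' . $tracker_url_patch . '">patch #\\1</a> ',
+=> '<a href="url.php?url=' . $tracker_url_patch . '">patch #\\1</a> ',
 '/(?:rfe|feature)\s*#?([0-9]{4,5}) /i'
-=> '<a href="' . $tracker_url_rfe . '">RFE #\\1</a> ',
+=> '<a href="url.php?url=' . $tracker_url_rfe . '">RFE #\\1</a> ',
 '/bug\s*#?([0-9]{4,5}) /i'
-=> '<a href="' . $tracker_url_bug . '">bug #\\1</a> ',
+=> '<a href="url.php?url=' . $tracker_url_bug . '">bug #\\1</a> ',
 '/(?<!bug|RFE|patch) #?([0-9]{4,5}) /i'
-=> '<a href="' . $tracker_url_bug . '">bug #\\1</a> ',
+=> '<a href="url.php?url=' . $tracker_url_bug . '">bug #\\1</a> ',
 
 // CVE/CAN entries
 '/((CAN|CVE)-[0-9]+-[0-9]+)/'
-=> '<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=\\1">\\1</a>',
+=> '<a href="url.php?url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=\\1">\\1</a>',
 
 // PMASAentries
 '/(PMASA-[0-9]+-[0-9]+)/'
-=> '<a href="https://www.phpmyadmin.net/security/\\1/">\\1</a>',
+=> '<a href="url.php?url=https://www.phpmyadmin.net/security/\\1/">\\1</a>',
 
 // Highlight releases (with links)
 '/([0-9]+)\.([0-9]+)\.([0-9]+)\.0 (\([0-9-]+\))/'
 => '<a name="\\1_\\2_\\3"></a>'
-. '<a href="' . $github_url . 'commits/RELEASE_\\1_\\2_\\3">'
+. '<a href="url.php?url=' . $github_url . 'commits/RELEASE_\\1_\\2_\\3">'
 . '\\1.\\2.\\3.0 \\4</a>',
 '/([0-9]+)\.([0-9]+)\.([0-9]+)\.([1-9][0-9]*) (\([0-9-]+\))/'
 => '<a name="\\1_\\2_\\3_\\4"></a>'
-. '<a href="' . $github_url . 'commits/RELEASE_\\1_\\2_\\3_\\4">'
+. '<a href="url.php?url=' . $github_url . 'commits/RELEASE_\\1_\\2_\\3_\\4">'
 . '\\1.\\2.\\3.\\4 \\5</a>',
 
 // Highlight releases (not linkable)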
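Review bot: The target URL is concatenated into the `url=` query parameter without URL-encoding, which visibly breaks the FAQ replacement (`'<a href="url.php?url=' . $faq_url . '#faq\\1-\\2">'`): the browser treats everything from `#` onward as a fragment of url.php and never sends it, so the anchor is lost unless the browser happens to re-apply it after the redirect. Where the prefix holds no backreference, encode the constant part and spell the hash as `%23`, e.g. `=> '<a href="url.php?url=' . urlencode($faq_url) . '%23faq\\1-\\2">FAQ \\1.\\2</a>',`; `$tracker_url*`, `$github_url` and the literal `https://…` prefixes can be wrapped in `urlencode()` the same way, while the `\\1`-style captures must stay outside the call because `urlencode` would encode the backslash and kill the backreference. The first pattern (`http://…`) captures `?` and `=` through its `.-_` character range and hands them to url.php unencoded; if that matters it needs `preg_replace_callback` so the capture itself can be encoded. What url.php does with the value (presumably the PMA_isAllowedDomain check touched in the other file) is outside this hunk, and `$replaces` continues past its last line.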

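--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -769,6 +769,8 @@ function PMA_isAllowedDomain($url)
 'mariadb.org',
 /* php.net domains */
 'php.net',
+/* sourceforge.net domain */
+'sourceforge.net',
 /* Github domains*/
 'github.com','www.github.com',
 /* Following are doubtful ones. */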
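Review bot: Adding `'sourceforge.net'` to the allow-list is only as tight as the matching rule in PMA_isAllowedDomain, whose body starts before this hunk and is not visible here. If the check is an exact host comparison (as the separate `'github.com','www.github.com'` entries suggest) the entry admits only the user-profile and tracker links the changelog generates, but if it is a suffix or substring match it would also pass `*.sourceforge.net` hosts, which include project web sites with user-controlled content, turning url.php into an open redirect to them. A comment stating the intended scope would help the next person who edits the list, e.g. `/* sourceforge.net domain (bare host only: changelog user/tracker links) */`, together with a test that `http://evil.sourceforge.net/` and `http://sourceforge.net.example.com/` are rejected.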
