..F....... [DEV-2612] fixed leading and trailing C0 control and space…

… characters not being trimmed before parsing URLs * commit '8dae704880999032d57ef8f3339eafe7842dc914': ..F....... [DEV-2612] fixed leading and trailing C0 control and space characters not being trimmed before parsing URLs
zabbix · Aug 10, 2023 · d05854b · d05854b
2 parents 6730590 + 8dae704
commit d05854b
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/frontends/php/include/classes/validators/CHtmlUrlValidator.php b/frontends/php/include/classes/validators/CHtmlUrlValidator.php
@@ -52,7 +52,7 @@ public static function validate($url, $allow_user_macro = true, $validate_uri_sc
 			}
 		}
 
-		$url_parts = parse_url(preg_replace('/[\r\n\t]/', '', $url));
+		$url_parts = parse_url(preg_replace('/[\r\n\t]/', '', trim($url, "\x00..\x1F\x20")));
 		if (!$url_parts) {
 			return false;
 		}

diff --git a/frontends/php/tests/unit/include/classes/validators/CHtmlUrlValidatorTest.php b/frontends/php/tests/unit/include/classes/validators/CHtmlUrlValidatorTest.php
@@ -80,7 +80,8 @@ public function providerValidateURL() {
 			['{$USER_URL_MACRO}?a=1',									true,	true],
 			['http://{$USER_URL_MACRO}?a=1',							true,	true],
 			['http://{$USER_URL_MACRO}',								true,	true],
-			["h\tt\rt\nps://zabbix.com",								true,	true], // CR, LF and TAB characters are ingored by browsers.
+			["\x00\x20https://zabbix.com\x1F\x20",						true,	true], // Leading and trailing C0 control and space characters are ignored by browsers.
+			["h\tt\rt\nps://zabbix.com",								true,	true], // CR, LF and TAB characters are ignored by browsers.
 			['ht tps://zabbix.com',										true,	true], // URL with spaces in schema is treated as a path.
 			// Macros not allowed.
 			['http://{$USER_URL_MACRO}',								false,	true], // Macros not allowed, but it's a host.
@@ -96,7 +97,8 @@ public function providerValidateURL() {
 			['http:///',												true,	false], // url_parse() returs false.
 			['http:',													true,	false], // Scheme with no host.
 			['http://?',												true,	false], // url_parse() returns false.
-			["ja\tva\rsc\nript:alert(1)",								true,	false], // Invalid scheme. CR, LF and TAB characters are ingored by browsers.
+			["\x00\x20javascript:alert(1)\x1F\x20",						true,	false], // Invalid scheme. Leading and trailing C0 control and space characters are ignored by browsers.
+			["ja\tva\rsc\nript:alert(1)",								true,	false], // Invalid scheme. CR, LF and TAB characters are ignored by browsers.
 			['javascript:alert(]',										true,	false], // Invalid scheme.
 			['protocol://{$INVALID!MACRO}',								true,	false], // Invalid scheme. Also macro is not valid, but that's secondary.
 			['',														true,	false], // Cannot be empty.