* Assert that the given URL is internal to the application
* @param string $url URL to check
* @return GalleryStatus a status code
* @deprecated This is a copy of GalleryUrlGenerator::assertIsInternalUrl from core API 7.43.
function assertIsInternalUrl($url) {
$urlGenerator =& $gallery->getUrlGenerator();
/* Detect header injection attempts */
if (!GalleryUtilities::isSafeHttpHeader($url)) {
$message = sprintf('Invalid URL! The requested URL %s contains malicious '
$urlGenerator->makeUrl($urlGenerator->getCurrentRequestUri()));
return GalleryCoreApi::error(ERROR_PERMISSION_DENIED, __FILE__, __LINE__, $message);
* Check for phishing attacks: don't allow return URLs to other sites or to other paths.
* Therefore first get the validPath, e.g. '/gallery2/'. Do not allow ../ to break out of
* the path. Allow all URLs that start with neither a protocol nor '/', e.g.
* v/albumname; www.EVIL.com is also fine, since it is interpreted as a relative URL.
. str_replace($urlGenerator->makeUrl(''), '', $urlGenerator->getCurrentUrlDir());
* We check for ../ and /../ patterns; on Windows \../ would also break out, so we
* normalize to URL / *nix style paths to check fewer cases
$normUrl = str_replace("\\", '/', $url);
if (((empty($urlGenerator->_file[0]) || strpos($url, $urlGenerator->_file[0]) !== 0)
&& strpos($normUrl, $validPath) !== 0
&& strpos($url, $urlGenerator->getCurrentUrlDir()) !== 0
&& !( !preg_match('{^\s*\w*://}i', $normUrl)
&& preg_match('{^\s*[^/\s]}i', $normUrl)))
|| preg_match('{^\s*\.\./}', $normUrl)
|| strpos($normUrl, '/../') !== false) {
$message = sprintf('Invalid URL! The requested URL %s tried to insert a '
. 'redirection to %s which is not a part of this Gallery.',
$urlGenerator->makeUrl($urlGenerator->getCurrentRequestUri()),
return GalleryCoreApi::error(ERROR_PERMISSION_DENIED, __FILE__, __LINE__, $message);