src/parser/PhutilURI.php
| Show First 20 Lines • Show All 91 Lines • ▼ Show 20 Lines | public function __construct($uri) { | ||||
| // the input string has leading whitespace, fail the parse. | // the input string has leading whitespace, fail the parse. | ||||
| if ($parts) { | if ($parts) { | ||||
| if (ltrim($uri) != $uri) { | if (ltrim($uri) != $uri) { | ||||
| $parts = false; | $parts = false; | ||||
| } | } | ||||
| } | } | ||||
| // NOTE: `parse_url()` is very liberal about host names; fail the parse if | // NOTE: `parse_url()` is very liberal about host names; fail the parse if | ||||
| // the host looks like garbage. | // the host looks like garbage. In particular, we do not allow hosts which | ||||
| // begin with "." or "-". See T12961 for a specific attack which relied on | |||||
| // hosts beginning with "-". | |||||
| if ($parts) { | if ($parts) { | ||||
| $host = idx($parts, 'host', ''); | $host = idx($parts, 'host', ''); | ||||
| if (!preg_match('/^([a-zA-Z0-9\\.\\-]*)$/', $host)) { | if (strlen($host)) { | ||||
| if (!preg_match('/^[a-zA-Z0-9]+[a-zA-Z0-9\\.\\-]*\z/', $host)) { | |||||
| $parts = false; | $parts = false; | ||||
| } | } | ||||
| } | } | ||||
| } | |||||
| if (!$parts) { | if (!$parts) { | ||||
| $parts = array(); | $parts = array(); | ||||
| } | } | ||||
| // stringyness is to preserve API compatibility and | // stringyness is to preserve API compatibility and | ||||
| // allow the tests to continue passing | // allow the tests to continue passing | ||||
| $this->protocol = idx($parts, 'scheme', ''); | $this->protocol = idx($parts, 'scheme', ''); | ||||
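Review bot: The new guard validates only `host`, while other components are read from the same `$parts` array. The rest of `__construct()` lies outside this hunk, so they may already be checked there, but if any of them reach the consumers that T12961 was about, they would need the same leading-character rule. Separately, the pattern now ends in `\z` instead of `$`, which also rejects a value ending in a newline, yet the comment only documents the leading "." and "-" rule. I would add `// Anchor with \z rather than $ so a host followed by a trailing newline does not match.` above the `preg_match()` call. A regression test for a host starting with "-", one starting with ".", and one ending in a newline would pin all three behaviours.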