From ed6e5e2781cb550dd1b415d2c5248d0ae0be647c Mon Sep 17 00:00:00 2001
From: Melissa Draper
Date: Tue, 1 Nov 2011 10:46:54 +1300
Subject: [PATCH] Add sanitize_url() and apply to XSS vulns in rss parser

It is currently possible for URLs in the rss parser to be exploited with XSS. sanitize_url has been added to sanitize RSS URL values before they are published.

Change-Id: Idacecbce0c3fc33dd2921df9b580acd1251929e6
Signed-off-by: Richard Mansfield
---
 htdocs/blocktype/externalfeed/lib.php | 16 ++++++++++++++--
 htdocs/lib/web.php | 15 +++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/htdocs/blocktype/externalfeed/lib.php b/htdocs/blocktype/externalfeed/lib.php
index 47bc3fb..3c5f69d 100644
--- a/htdocs/blocktype/externalfeed/lib.php
+++ b/htdocs/blocktype/externalfeed/lib.php
@@ -71,6 +71,10 @@ class PluginBlocktypeExternalfeed extends SystemBlocktype {
 $chunks = array_chunk($data->content, isset($configdata['count']) ? $configdata['count'] : 10);
 $data->content = $chunks[0];
+ foreach ($data->content as $k => $c) {
+ $data->content[$k]->link = sanitize_url($c->link);
+ }
+
 // Attempt to fix relative URLs in the feeds
 if (!empty($data->image['link'])) {
 $data->description = preg_replace(
@@ -93,7 +97,7 @@ class PluginBlocktypeExternalfeed extends SystemBlocktype {
 $smarty->assign('url', $data->url);
 // 'full' won't be set for feeds created before 'full' support was added
 $smarty->assign('full', isset($configdata['full']) ? $configdata['full'] : false);
- $smarty->assign('link', $data->link);
+ $smarty->assign('link', sanitize_url($data->link));
 $smarty->assign('entries', $data->content);
 $smarty->assign('feedimage', self::make_feed_image_tag($data->image));
 $smarty->assign('lastupdated', get_string('lastupdatedon', 'blocktype.externalfeed', format_date($data->lastupdate)));
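Review bot: The new loop reads `$c->link` unconditionally and hands it to sanitize_url(), which requires an absolute URL with an http, https or ftp scheme and returns '' for anything else, so an entry whose link is missing or relative is silently blanked before the "fix relative URLs" block that follows (which, from the visible lines, rewrites only `$data->description`, not entry links). If feed items can carry a relative link (Atom allows it via xml:base), consider resolving it against `$data->link` before sanitizing; at minimum guard the property read so an item without a link does not raise a notice, `$data->content[$k]->link = isset($c->link) ? sanitize_url($c->link) : '';`. Whether the feed parser already normalises entry links to absolute URLs upstream is not visible in this hunk. The enclosing method starts before the hunk.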
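Review bot: `$data->url` is assigned to the template at the top of this hunk without going through sanitize_url(), although it is presumably the feed address entered in the block's configuration and, if the template emits it as an href the same way it emits `link`, it carries the same scheme-injection risk this commit closes for the feed-supplied `link`. Either apply the same call, `$smarty->assign('url', sanitize_url($data->url));`, or leave a comment stating that the block config form already restricts the scheme (not visible here). It is also worth a comment near these assigns that sanitize_url() only allow-lists the scheme and does not HTML-escape, so the template must still escape `link` and each entry's `link` when rendering them into attributes. The enclosing method starts before the hunk.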
@@ -364,6 +368,10 @@ class PluginBlocktypeExternalfeed extends SystemBlocktype {
 private static function make_feed_image_tag($image) {
 $result = '';
+ if ($image['url']) {
+ $image['url'] = sanitize_url($image['url']);
+ }
+
 if (!$image['url']) {
 return '';
 }
@@ -373,8 +381,12 @@ class PluginBlocktypeExternalfeed extends SystemBlocktype {
 return '';
 }
+ if ($image['link']) {
+ $image['link'] = sanitize_url($image['link']);
+ }
+
 if (!empty($image['link'])) {
- $result .= '';
+ $result .= '';
 }
 $url = $image['url'];
diff --git a/htdocs/lib/web.php b/htdocs/lib/web.php
index b8182d8..10a142d 100644
--- a/htdocs/lib/web.php
+++ b/htdocs/lib/web.php
@@ -3078,3 +3078,18 @@ function mahara_http_request($config) {
 return $result;
 }
+
+function sanitize_url($url) {
+
+ $parsedurl = parse_url($url);
+ if (!isset($parsedurl['scheme'])) {
+ return '';
+ }
+ if (in_array($parsedurl['scheme'], array('https', 'http', 'ftp')) === false) {
+ return '';
+ }
+ if (!filter_var($url, FILTER_VALIDATE_URL)) {
+ return '';
+ }
+ return $url;
+}
--
1.7.1
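Review bot: The added pre-check `if ($image['url'])` is redundant with the `if (!$image['url'])` that immediately follows, and like it reads the key without `isset`, so an image array with no `url` key now raises an undefined-index notice on the new line as well. Since sanitize_url() already maps empty and unparseable input to '', a single guarded assignment does the job, `$image['url'] = isset($image['url']) ? sanitize_url($image['url']) : '';`, and the existing return-on-empty then covers both the absent and the rejected case. make_feed_image_tag continues past the end of this hunk.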
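Review bot: The link is now scheme-checked but not escaped before the `$result .=` concatenation (the markup in that line was lost in extraction, so I cannot see what the `-`/`+` pair changed): sanitize_url() returns its input byte-for-byte when it passes, and FILTER_VALIDATE_URL does not reject `"`, `<` or `>` in the path or query (they are in the character set FILTER_SANITIZE_URL keeps, and the validator checks URL structure, not attribute safety), so a link such as `http://example.com/"onmouseover="...` still gets through. If the new line inserts `$image['link']` into an href attribute it needs `htmlspecialchars($image['link'], ENT_QUOTES, 'UTF-8')` (or the project's escaping helper) at that point; a scheme allow-list and attribute escaping are separate defences. Also, the added `if ($image['link'])` reads the key without `isset`, whereas the existing check below uses `!empty()`, so an image without a `link` key now triggers a notice; `$image['link'] = empty($image['link']) ? '' : sanitize_url($image['link']);` keeps the notice-safe behaviour. make_feed_image_tag continues past the end of this hunk.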
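Review bot: sanitize_url() is a scheme allow-list, not an escaper, and nothing in the function says so, which invites callers to treat its return value as safe for direct HTML output: a URL that passes is returned unchanged, and FILTER_VALIDATE_URL permits `"`, `<`, `>` and `'` in the path and query. Add a docblock stating that it returns the input only if parse_url() yields an http, https or ftp scheme and filter_var() validates it as a URL, returns '' otherwise, and that the result must still be escaped for the context it is emitted into. Two small hardenings on the scheme check: parse_url() returns the scheme as written, so `HTTP://` is currently rejected while `http://` passes — compare `strtolower($parsedurl['scheme'])` — and pass `true` as the third argument to in_array() so the comparison is strict. parse_url() also returns false on badly malformed input; the `isset()` on the following line quietly handles that, but a one-line comment there would make it clear the fall-through to '' is intentional.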