View Issue Details

ID: 0007276
Project: mantisbt
Category: security
View Status: public
Last Update: 2009-06-26 12:06
Reporter: UlfDunkel
Assigned To: grangeway
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.3
Summary: 0007276: My suggestion for a corrected (and simplified) string_sanitize_url()
Description

// --------------------
// validate the url as part of this site before continuing
function string_sanitize_url( $p_url )
{
    // remove risky stuff
    $t_url = strip_tags( urldecode( $p_url ) );

    if ( preg_match( '#https?://#i', $t_url ) > 0 )
    {
        // no embedded addresses
        // (the configured path is quoted so that '.' or '?' in it match literally)
        if ( preg_match( '#^' . preg_quote( config_get( 'path' ), '#' ) . '#', $t_url ) == 0 )
        {
            // URL is ok if it begins with our path, if not, replace it
            $t_url = 'index.php';
        }
    }

    if ( $t_url == '' )
    {
        $t_url = 'index.php';
    }

    // no additional parameters
    if ( strpos( $t_url, '?' ) === FALSE )
    {
        return $t_url;
    }

    // split and encode parameters
    // (explode() replaces split(), which is deprecated since PHP 5.3 and removed in PHP 7)
    list( $t_path, $t_param ) = explode( '?', $t_url, 2 );

    if ( $t_param == "" )
    {
        return $t_url;
    }

    $t_vals = array();
    parse_str( $t_param, $t_vals );
    $t_param = '';

    foreach ( $t_vals as $k => $v )
    {
        if ( $t_param != '' )
        {
            $t_param .= '&';
        }

        // compose non-empty parameters, re-encoding the decoded values
        $t_param .= urlencode( $k ) . '=' . urlencode( $v );
    }

    return $t_path . '?' . $t_param;
}

Additional Information

This version keeps the source flat and removes all risky stuff right from the start.
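As an added example (not part of the reporter's patch or of MantisBT's own code), a stand-alone PHP check harness: it stubs config_get() with a constructed site path, carries a compact copy of the sanitizer with the path quoted for PCRE and the query string re-encoded, and runs it over constructed inputs to show which URLs are kept and which are replaced by index.php.

```php
<?php
// Added example, not the reporter's patch nor MantisBT code.
// config_get() is a stub; the site path is a constructed value.
function config_get( $p_key ) {
    return $p_key == 'path' ? 'http://tracker.example.org/mantis/' : '';
}

// Compact copy of the sanitizer: configured path quoted for PCRE,
// parameters re-encoded when the query string is rebuilt.
function string_sanitize_url( $p_url ) {
    $t_url = strip_tags( urldecode( $p_url ) );
    if ( preg_match( '#https?://#i', $t_url ) ) {
        $t_quoted = preg_quote( config_get( 'path' ), '#' );
        if ( !preg_match( '#^' . $t_quoted . '#', $t_url ) ) {
            $t_url = 'index.php';   // not our site: drop the embedded address
        }
    }
    if ( $t_url == '' ) {
        $t_url = 'index.php';
    }
    if ( strpos( $t_url, '?' ) === false ) {
        return $t_url;
    }
    list( $t_path, $t_param ) = explode( '?', $t_url, 2 );
    if ( $t_param == '' ) {
        return $t_url;
    }
    $t_vals = array();
    parse_str( $t_param, $t_vals );
    $t_pairs = array();
    foreach ( $t_vals as $k => $v ) {
        $t_pairs[] = urlencode( $k ) . '=' . urlencode( $v );
    }
    return $t_path . '?' . implode( '&', $t_pairs );
}

// Constructed inputs and the result each should produce.
$t_cases = array(
    'view.php?id=42'                                   => 'view.php?id=42',
    'http://tracker.example.org/mantis/view.php?id=42' => 'http://tracker.example.org/mantis/view.php?id=42',
    'http://other.example.net/login'                   => 'index.php',
    // '.' in the configured path must match literally once quoted
    'http://trackerXexample.org/mantis/'               => 'index.php',
    'view.php?id=%3Cb%3E42%3C/b%3E'                    => 'view.php?id=42',
    ''                                                 => 'index.php',
);
foreach ( $t_cases as $t_in => $t_want ) {
    $t_got = string_sanitize_url( $t_in );
    printf( "%-4s %s -> %s\n", $t_got === $t_want ? 'ok' : 'FAIL', $t_in, $t_got );
}
```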

Tags: No tags attached.

Relationships

related to 0007051 (closed, thraxisp): Fix for 0006869 / 0007034 removes quoted "?" from arguments

Activities

grangeway (reporter), 2008-08-02 18:20, ~0019007

Thank you for taking the time to report a problem with mantis.

Since this problem report was originally made, a number of releases have occurred. Additionally, no recent feedback has been received on this issue.
It appears that this issue has either been fixed, or may not be a relevant report for the current release.

Unfortunately you are not using the latest version and the problem might already be fixed. Please download the latest release from http://www.mantisbt.org/download.php

If you are able to reproduce this bug in the current release, or have some more information on how this feature could be improved in the current release, please either change the mantis version on this bug report to the version you tested and change the status back to "Open", or open a new issue report with more information.

Again, thank you for your continued support and report.