Commit 9d60ddd1 authored by Leigh Stoller

A set of minor changes to check URL validity.

parent 18275ba7
......@@ -154,7 +154,8 @@ else {
echo "<tr>
<td>Home Page URL:</td>
<td class=\"left\">
<input type=\"text\" name=\"usr_url\" size=45></td>
<input type=\"text\" name=\"usr_url\"
value=\"http://\" size=45></td>
</tr>\n";
echo "<tr>
......
......@@ -30,6 +30,8 @@ $TBAUTHCOOKIE = "HashCookie";
$TBNAMECOOKIE = "MyUidCookie";
$TBAUTHTIMEOUT = 21600;
$HTTPTAG = "http://";
#
# Database constants and the like.
#
......@@ -186,6 +188,33 @@ function SUEXEC($uid, $gid, $cmdandargs, $die) {
return $retval;
}
#
# Verify a URL.
#
function VERIFYURL($url) {
global $HTTPTAG;
if (strlen($url)) {
if (strstr($url, " ")) {
USERERROR("URL ($url) is malformed; spaces are not allowed. ".
"Please go back and fix it up.", 1);
}
if (strcmp($HTTPTAG, substr($url, 0, strlen($HTTPTAG)))) {
USERERROR("URL ($url) must begin with $HTTPTAG. ".
"Please go back and fix it up.", 1);
}
$fp = @fopen($url, "r");
if (! $fp) {
USERERROR("URL ($url) is not valid (cannot be accessed). ".
"Please go back and fix it up.", 1);
}
fclose($fp);
}
return 0;
}
#
# Beware empty spaces (cookies)!
#
......
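Review bot: `$fp = @fopen($url, "r");` in VERIFYURL makes the web server itself open an outbound HTTP connection to whatever host the submitter typed, with no timeout, and the "cannot be accessed" USERERROR then reports whether that host answered; a syntactic check that never contacts the host is the safer way to validate a profile or project URL, and if reachability really is required it should be done with a short timeout from a component that is allowed to make outbound requests. The preceding `strstr($url, " ")` check only rejects a literal space, so tabs, newlines and other control characters still pass to the prefix check and the fetch; a `preg_match('/[\s[:cntrl:]]/', $url)` test covers them. If USERERROR echoes its message into HTML without escaping (not visible here), `$url` should be passed through `htmlspecialchars()` in these three messages, since it is user-supplied. VERIFYURL is fully contained in this hunk, so the sketch below replaces its body.
```php
function VERIFYURL($url) {
    global $HTTPTAG;

    if (strlen($url)) {
        # Reject any whitespace or control character, not just a space.
        if (preg_match('/[\s[:cntrl:]]/', $url)) {
            USERERROR("URL ($url) is malformed; spaces are not allowed. ".
                      "Please go back and fix it up.", 1);
        }
        # … unchanged: $HTTPTAG prefix check …

        # Validate the shape locally; do not fetch the URL from the
        # server, which would let the submitter pick where this host
        # connects and how long the request blocks.
        $parts = @parse_url($url);
        if (! $parts || ! isset($parts["host"]) ||
            strcmp($parts["scheme"], "http") != 0) {
            USERERROR("URL ($url) is not valid. ".
                      "Please go back and fix it up.", 1);
        }
    }
    return 0;
}
```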
......@@ -62,6 +62,29 @@ if (!isset($usr_affil) ||
FORMERROR("Institutional Affiliation");
}
#
# Check that email address looks reasonable. We need the domain for
# below anyway.
#
$email_domain = strstr($usr_email, "@");
if (! $email_domain ||
strcmp($usr_email, $email_domain) == 0 ||
strlen($email_domain) <= 1 ||
! strstr($email_domain, ".")) {
USERERROR("The email address `$usr_email' looks invalid!. Please ".
"go back and fix it up", 1);
}
$email_domain = substr($email_domain, 1);
$email_user = substr($usr_email, 0, strpos($usr_email, "@", 0));
#
# Check URLs.
#
if (strcmp($usr_url, $HTTPTAG) == 0) {
$usr_url = "";
}
VERIFYURL($usr_url);
#
# Now see if the user is requesting to change the password. We do the usual
# checks to make sure the two fields agree and that it passes our tests for
......
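Review bot: `if (strcmp($usr_url, $HTTPTAG) == 0)` only recognises the untouched placeholder when it is byte-identical; a field submitted as "http:// " (trailing space, which browsers do not strip) is neither cleared here nor accepted by VERIFYURL's space check, so the user gets a "malformed" error for a field they never filled in. Trimming first, `$usr_url = trim($usr_url);` before the comparison, makes the placeholder test and the later checks agree. The same block appears in the hunks at `@@ -96,6 +97,15 @@` and `@@ -60,6 +60,14 @@` and needs the same change. Unless `$usr_url` is guaranteed to be set earlier in this script (outside the hunk), an `isset()` guard is also warranted, since the form field may be absent from the request. The enclosing script continues outside the hunk.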
......@@ -45,7 +45,8 @@ if (!isset($usr_name) ||
FORMERROR("Full Name");
}
if (!isset($proj_URL) ||
strcmp($proj_URL, "") == 0) {
strcmp($proj_URL, "") == 0 ||
strcmp($proj_URL, $HTTPTAG) == 0) {
FORMERROR("Project URL");
}
if (!isset($usr_email) ||
......@@ -96,6 +97,15 @@ if (! $email_domain ||
$email_domain = substr($email_domain, 1);
$email_user = substr($usr_email, 0, strpos($usr_email, "@", 0));
#
# Check URLs.
#
if (strcmp($usr_url, $HTTPTAG) == 0) {
$usr_url = "";
}
VERIFYURL($usr_url);
VERIFYURL($proj_URL);
#
# Certain of these values must be escaped or otherwise sanitized.
#
......
......@@ -136,7 +136,7 @@ echo "<tr>
if ($row) {
echo " type=\"readonly\" value=\"$row[usr_URL]\">";
} else {
echo " type=\"text\" size=\"45\">";
echo " value=\"http://\" type=\"text\" size=\"45\">";
}
echo " </td>
......@@ -238,7 +238,8 @@ echo "<tr>
#
echo "<tr>
<td>*URL:</td>
<td><input type=\"text\" name=\"proj_URL\" size=\"45\"></td>
<td><input type=\"text\" name=\"proj_URL\"
value=\"http://\" size=\"45\"></td>
</tr>\n";
#
......
......@@ -60,6 +60,14 @@ if (! $email_domain ||
$email_domain = substr($email_domain, 1);
$email_user = substr($usr_email, 0, strpos($usr_email, "@", 0));
#
# Check URLs.
#
if (strcmp($usr_url, $HTTPTAG) == 0) {
$usr_url = "";
}
VERIFYURL($usr_url);
#
# Certain of these values must be escaped or otherwise sanitized.
#
......