View Issue Details

ID: 0015363
Project: phplist application
Category: HTML Email Support
View Status: public
Last Update: 16-04-10 18:38
Reporter: neffets
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Suse SLES10
OS: Linux x64
OS Version: 2.2.10
Product Version:
Target Version: 2.10.12
Fixed in Version: 2.10.12
Summary: 0015363: addAbsoluteResources does not / or fails in matching schema
Description:
function: addAbsoluteResources (lib.php line 533)

the preg_match cannot match because "[x|y|z]" is used instead of "(x|y|z)"
AND
after this it matched (a failure) on links too if "http" is in the link anywhere.

Imagine link:
   a href="/.bin/fwd.fcgi?http://www.b2b-deutschland.de/wirtschaftsnews/091110/duerftige-aussichten-fuer-arcandor-glaeubiger/index.php"
It matched, but should not.

Result: the URL was not absolutized.

Expected result for website=www.b2b-deutschland.de should be:
  a href="http://www.b2b-deutschland.de/.bin/fwd.fcgi?http://www.b2b-deutschland.de/wirtschaftsnews/091110/duerftige-aussichten-fuer-arcandor-glaeubiger/index.php"

Patch:

Steps To Reproduce:
Take a link with relative path for own link tracking and give it a parameter with a fully qualified URI.
e.g.
 a href="http://www.b2b-deutschland.de/.bin/fwd.fcgi?http://www.b2b-deutschland.de/wirtschaftsnews/091110/duerftige-aussichten-fuer-arcandor-glaeubiger/index.php"
Additional Information:
Patch lib.php
533c533
< if (preg_match("#[http|javascript|https|ftp|mailto]:#i",$match)) {
---
> if (preg_match("#^(http|javascript|https|ftp|mailto):#i",$match)) {
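Review bot: the alternation on the `>` line recognises only the five listed schemes, so an href such as `tel:`, `sms:` or `data:` no longer satisfies this `if`, whereas the old character class accepted those by accident because it only needed one listed letter in front of the colon. If the intent is "any scheme present", match the generic RFC 3986 scheme form `^[a-z][a-z0-9+.-]*:` rather than an allow-list, or extend the list deliberately and say so in the comment.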
Tags: No tags attached.
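The mismatch described in this report, reproduced as an added example (not phplist code): `absolutize()` is a hypothetical stand-in for the scheme check in addAbsoluteResources, and the sample hrefs and the example.com host are constructed.

```php
<?php
// Added example, not phplist code: runs both patterns from the patch
// over a handful of constructed href values.
const OLD_PATTERN = '#[http|javascript|https|ftp|mailto]:#i';  // character class: ONE listed char, then ':'
const NEW_PATTERN = '#^(http|javascript|https|ftp|mailto):#i'; // anchored alternation: a whole scheme at the start

// Hypothetical helper mirroring the visible branches of the patched code:
// leave the value alone if a scheme or a [placeholder] is detected,
// otherwise prefix it with the site (the prefixing itself is an assumption).
function absolutize(string $href, string $pattern, string $site): string
{
    if (preg_match($pattern, $href)) {
        return $href;                 // "scheme exists, leave it alone"
    }
    if (preg_match('#\[.*\]#U', $href)) {
        return $href;                 // "placeholders used, leave alone as well"
    }
    return 'http://' . $site . '/' . ltrim($href, '/');
}

// Constructed samples; the first has the shape of the reporter's tracking link.
$samples = [
    '/.bin/fwd.fcgi?http://www.example.com/news/index.php', // relative, URL in query
    'http://www.example.com/news/index.php',                // already absolute
    'MAILTO:list@example.com',                              // scheme in upper case
    'images/logo.png',                                      // plain relative path
    '/archive/list:2009.html',                              // colon in path, no scheme
    '[PLACEHOLDER]',                                        // template placeholder
];

foreach ($samples as $href) {
    printf(
        "%s\n  old: %s\n  new: %s\n",
        $href,
        absolutize($href, OLD_PATTERN, 'www.example.com'),
        absolutize($href, NEW_PATTERN, 'www.example.com')
    );
}
```

With the old pattern the first and fifth samples are returned unchanged because `p:` and `t:` each satisfy the character class; with the new pattern both are prefixed with the site.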

Activities

11-11-09 19:11

 

patch_sts1.diff (586 bytes)
--- /srv/listserv.berlinonline.de/phplist-2.10.10.denied/public_html/lists/admin/lib.php	2009-01-28 13:02:34.000000000 +0100
+++ lib.php	2009-11-11 19:49:20.088478393 +0100
@@ -530,7 +530,7 @@
       $match = $foundtags[2][$i];
       $tagmatch = $foundtags[1][$i];
 #      print "$match<br/>";
-      if (preg_match("#[http|javascript|https|ftp|mailto]:#i",$match)) {
+      if (preg_match("#^(http|javascript|https|ftp|mailto):#i",$match)) {
         # scheme exists, leave it alone
       } elseif (preg_match("#\[.*\]#U",$match)) {
         # placeholders used, leave alone as well
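Review bot: with `^` added on the `+` line, the test only succeeds when `$match` begins exactly at the scheme, so a value captured into `$foundtags[2][$i]` with leading whitespace or a stray quote will miss this `if` and fall through to the branches below. Consider `trim($match)` before the test or `^\s*` in the pattern, and update the `# scheme exists` comment to state that only a scheme at the very start of the value counts.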

neffets

12-11-09 10:47

reporter   ~0050776

ATTENTION:
  the version mentioned is 2.10.10, the current release (not 2.2.10)