From d771c50d636a5cd3467746aa845b71bdd40f1a5f Mon Sep 17 00:00:00 2001
From: Michael
Date: Sun, 17 May 2020 06:13:58 +0000
Subject: [PATCH] Issue 8565: Sanitize input data

Fixes #8565
---
 src/Model/GServer.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/Model/GServer.php b/src/Model/GServer.php
index bc189af9d6..1eb7ec0e13 100644
--- a/src/Model/GServer.php
+++ b/src/Model/GServer.php
@@ -339,7 +339,7 @@ class GServer
 	 * @param string $server_url address of the server
 	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
 	 */
-	private static function discoverRelay(string $server_url)
+	public static function discoverRelay(string $server_url)
 	{
 		Logger::info('Discover relay data', ['server' => $server_url]);
 
@@ -353,6 +353,15 @@ class GServer
 			return;
 		}
 
+		// Sanitize incoming data, see https://github.com/friendica/friendica/issues/8565
+		$data['subscribe'] = (bool)$data['subscribe'] ?? false;
+
+		if (!$data['subscribe'] || empty($data['scope']) || !in_array(strtolower($data['scope']), ['all', 'tags'])) {
+			$data['scope'] = '';
+			$data['subscribe'] = false;
+			$data['tags'] = [];
+		}
+
 		$gserver = DBA::selectFirst('gserver', ['id', 'relay-subscribe', 'relay-scope'], ['nurl' => Strings::normaliseLink($server_url)]);
 		if (!DBA::isResult($gserver)) {
 			return;
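Review bot: The added line `$data['subscribe'] = (bool)$data['subscribe'] ?? false;` in the second hunk does not default a missing key: the cast binds tighter than `??`, so `$data['subscribe']` is read first (emitting an undefined-index warning when the remote document omits it) and `?? false` is then applied to a bool that can never be null, making it dead code; it should read `$data['subscribe'] = (bool)($data['subscribe'] ?? false);`. The following condition passes `$data['scope']` straight into `strtolower()`, which on PHP 8 throws a TypeError for a non-string value (an array or object in the decoded document would do it), so an `is_string($data['scope'])` test before the call would harden this for the same untrusted input, and `in_array(..., true)` should be strict. `$data['tags']` is only reset in the rejecting branch, so in the accepted branch it remains whatever the remote sent; if it is iterated later, an `is_array()` guard seems warranted, though that later use and the origin of `$data` are outside the hunk. discoverRelay's body continues past the end of this hunk.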