Add a whitelist of protocols for URLs

- for Shaare
 - for markdown description links and images

Not whitelisted protocols will be replaced by `http://`

application/Url.php

@@ -63,6 +63,30 @@ function add_trailing_slash($url)
     return $url . (!endsWith($url, '/') ? '/' : '');
 }
 
+/**
+ * Replace not whitelisted protocols by 'http://' from given URL.
+ *
+ * @param string $url       URL to clean
+ * @param array  $protocols List of allowed protocols (aside from http(s)).
+ *
+ * @return string URL with allowed protocol
+ */
+function whitelist_protocols($url, $protocols)
+{
+    if (startsWith($url, '?') || startsWith($url, '/')) {
+        return $url;
+    }
+    $protocols = array_merge(['http', 'https'], $protocols);
+    $protocol = preg_match('#^(\w+):/?/?#', $url, $match);
+    // Protocol not allowed: we remove it and replace it with http
+    if ($protocol === 1 && ! in_array($match[1], $protocols)) {
+        $url = str_replace($match[0], 'http://', $url);
+    } else if ($protocol !== 1) {
+        $url = 'http://' . $url;
+    }
+    return $url;
+}
+
 /**
  * URL representation and cleanup utilities
  *

application/config/ConfigManager.php

@@ -312,6 +312,7 @@ class ConfigManager
         $this->setEmpty('security.ban_duration', 1800);
         $this->setEmpty('security.session_protection_disabled', false);
         $this->setEmpty('security.open_shaarli', false);
+        $this->setEmpty('security.allowed_protocols', ['ftp', 'ftps', 'magnet']);
 
         $this->setEmpty('general.header_link', '?');
         $this->setEmpty('general.links_per_page', 20);

index.php

@@ -1237,13 +1237,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
         // Remove duplicates.
         $tags = implode(' ', array_unique(explode(' ', $tags)));
 
-        $url = trim($_POST['lf_url']);
-        if (! startsWith($url, 'http:') && ! startsWith($url, 'https:')
-            && ! startsWith($url, 'ftp:') && ! startsWith($url, 'magnet:')
-            && ! startsWith($url, '?') && ! startsWith($url, 'javascript:')
-        ) {
-            $url = 'http://' . $url;
-        }
+        $url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));
 
         $link = array(
             'id' => $id,

plugins/markdown/markdown.php

@@ -26,7 +26,11 @@ function hook_markdown_render_linklist($data, $conf)
             $value = stripNoMarkdownTag($value);
             continue;
         }
-        $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
+        $value['description'] = process_markdown(
+            $value['description'],
+            $conf->get('security.markdown_escape', true),
+            $conf->get('security.allowed_protocols')
+        );
     }
     return $data;
 }
@@ -46,7 +50,11 @@ function hook_markdown_render_feed($data, $conf)
             $value = stripNoMarkdownTag($value);
             continue;
         }
-        $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
+        $value['description'] = process_markdown(
+            $value['description'],
+            $conf->get('security.markdown_escape', true),
+            $conf->get('security.allowed_protocols')
+        );
     }
 
     return $data;
@@ -71,7 +79,8 @@ function hook_markdown_render_daily($data, $conf)
             }
             $value2['formatedDescription'] = process_markdown(
                 $value2['formatedDescription'],
-                $conf->get('security.markdown_escape', true)
+                $conf->get('security.markdown_escape', true),
+                $conf->get('security.allowed_protocols')
             );
         }
     }
@@ -231,6 +240,25 @@ function reverse_space2nbsp($description)
     return preg_replace('/(^| ) /m', '$1 ', $description);
 }
 
+/**
+ * Replace not whitelisted protocols with http:// in given description.
+ *
+ * @param string $description      input description text.
+ * @param array  $allowedProtocols list of allowed protocols.
+ *
+ * @return string $description without malicious link.
+ */
+function filter_protocols($description, $allowedProtocols)
+{
+    return preg_replace_callback(
+        '#]\((.*?)\)#is',
+        function ($match) use ($allowedProtocols) {
+            return ']('. whitelist_protocols($match[1], $allowedProtocols) .')';
+        },
+        $description
+    );
+}
+
 /**
  * Remove dangerous HTML tags (tags, iframe, etc.).
  * Doesn't affect <code> content (already escaped by Parsedown).
@@ -275,7 +303,7 @@ function sanitize_html($description)
  *
  * @return string HTML processed $description.
  */
-function process_markdown($description, $escape = true)
+function process_markdown($description, $escape = true, $allowedProtocols = [])
 {
     $parsedown = new Parsedown();
 
@@ -283,6 +311,7 @@ function process_markdown($description, $escape = true)
     $processedDescription = reverse_nl2br($processedDescription);
     $processedDescription = reverse_space2nbsp($processedDescription);
     $processedDescription = reverse_text2clickable($processedDescription);
+    $processedDescription = filter_protocols($processedDescription, $allowedProtocols);
     $processedDescription = unescape($processedDescription);
     $processedDescription = $parsedown
         ->setMarkupEscaped($escape)

tests/Url/WhitelistProtocolsTest.php

@@ -0,0 +1,63 @@
+<?php
+
+require_once 'application/Url.php';
+
+use Shaarli\Config\ConfigManager;
+
+/**
+ * Class WhitelistProtocolsTest
+ *
+ * Test whitelist_protocols() function of Url.
+ */
+class WhitelistProtocolsTest extends PHPUnit_Framework_TestCase
+{
+    /**
+     * Test whitelist_protocols() on a note (relative URL).
+     */
+    public function testWhitelistProtocolsRelative()
+    {
+        $whitelist = ['ftp', 'magnet'];
+        $url = '?12443564';
+        $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+        $url = '/path.jpg';
+        $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+    }
+
+    /**
+     * Test whitelist_protocols() on a note (relative URL).
+     */
+    public function testWhitelistProtocolMissing()
+    {
+        $whitelist = ['ftp', 'magnet'];
+        $url = 'test.tld/path/?query=value#hash';
+        $this->assertEquals('http://'. $url, whitelist_protocols($url, $whitelist));
+    }
+
+    /**
+     * Test whitelist_protocols() with allowed protocols.
+     */
+    public function testWhitelistAllowedProtocol()
+    {
+        $whitelist = ['ftp', 'magnet'];
+        $url = 'http://test.tld/path/?query=value#hash';
+        $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+        $url = 'https://test.tld/path/?query=value#hash';
+        $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+        $url = 'ftp://test.tld/path/?query=value#hash';
+        $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+        $url = 'magnet:test.tld/path/?query=value#hash';
+        $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+    }
+
+    /**
+     * Test whitelist_protocols() with allowed protocols.
+     */
+    public function testWhitelistDisallowedProtocol()
+    {
+        $whitelist = ['ftp', 'magnet'];
+        $url = 'javascript:alert("xss");';
+        $this->assertEquals('http://alert("xss");', whitelist_protocols($url, $whitelist));
+        $url = 'other://test.tld/path/?query=value#hash';
+        $this->assertEquals('http://test.tld/path/?query=value#hash', whitelist_protocols($url, $whitelist));
+    }
+}

tests/plugins/PluginMarkdownTest.php

@@ -26,6 +26,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
     {
         PluginManager::$PLUGINS_PATH = 'plugins';
         $this->conf = new ConfigManager('tests/utils/config/configJson');
+        $this->conf->set('security.allowed_protocols', ['ftp', 'magnet']);
     }
 
     /**
@@ -183,15 +184,19 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
     }
 
     /**
-     * Test hashtag links processed with markdown.
+     * Make sure that the generated HTML match the reference HTML file.
      */
-    public function testMarkdownHashtagLinks()
+    public function testMarkdownGlobalProcessDescription()
     {
         $md = file_get_contents('tests/plugins/resources/markdown.md');
         $md = format_description($md);
         $html = file_get_contents('tests/plugins/resources/markdown.html');
 
-        $data = process_markdown($md);
+        $data = process_markdown(
+            $md,
+            $this->conf->get('security.markdown_escape', true),
+            $this->conf->get('security.allowed_protocols')
+        );
         $this->assertEquals($html, $data);
     }
 

tests/plugins/resources/markdown.html

@@ -21,4 +21,13 @@
 next #foo</code></pre>
 <p>Block:</p>
 <pre><code>lorem ipsum #foobar http://link.tld
-#foobar http://link.tld</code></pre></div>
+#foobar http://link.tld</code></pre>
+<p><a href="?123456">link</a><br />
+<img src="/img/train.png" alt="link" /><br />
+<a href="http://test.tld/path/?query=value#hash">link</a><br />
+<a href="http://test.tld/path/?query=value#hash">link</a><br />
+<a href="https://test.tld/path/?query=value#hash">link</a><br />
+<a href="ftp://test.tld/path/?query=value#hash">link</a><br />
+<a href="magnet:test.tld/path/?query=value#hash">link</a><br />
+<a href="http://alert('xss')">link</a><br />
+<a href="http://test.tld/path/?query=value#hash">link</a></p></div>

tests/plugins/resources/markdown.md

@@ -21,4 +21,14 @@ Block:
 ```
 lorem ipsum #foobar http://link.tld
 #foobar http://link.tld
-```
+```
+
+[link](?123456)
+![link](/img/train.png)
+[link](test.tld/path/?query=value#hash)
+[link](http://test.tld/path/?query=value#hash)
+[link](https://test.tld/path/?query=value#hash)
+[link](ftp://test.tld/path/?query=value#hash)
+[link](magnet:test.tld/path/?query=value#hash)
+[link](javascript:alert('xss'))
+[link](other://test.tld/path/?query=value#hash)