Make URI parsing algorithm more strict.

Thanks Michael Gusev <mgusev@sugarcrm.com> for contributing this patch. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2024-12-22 16:31:53 +00:00 · 2013-04-16 13:46:00 -07:00 · 2013-04-16 13:46:00 -07:00 · 6e37ecd1c8
commit 6e37ecd1c8
parent 20eff0a3a0
3 changed files with 13 additions and 1 deletions
--- a/5
+++ b/5
@ -9,6 +9,11 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
    . Internal change
 ==========================

+4.6.0, unknown release date
+# URI parsing algorithm was made more strict, so only prefixes which
+  looks like schemes will actually be schemes.  Thanks
+  Michael Gusev <mgusev@sugarcrm.com> for fixing.
+
 4.5.0, released 2013-02-17
 # Fix bug where stacked attribute transforms clobber each other;
  this also means it's no longer possible to override attribute
--- a/library/HTMLPurifier/URIParser.php
+++ b/library/HTMLPurifier/URIParser.php
@ -30,7 +30,7 @@ class HTMLPurifier_URIParser
        // Note that ["<>] are an addition to the RFC's recommended
        // characters, because they represent external delimeters.
        $r_URI = '!'.
-            '(([^:/?#"<>]+):)?'. // 2. Scheme
+            '(([a-zA-Z0-9\.\+\-]+):)?'. // 2. Scheme
            '(//([^/?#"<>]*))?'. // 4. Authority
            '([^?#"<>]*)'.       // 5. Path
            '(\?([^#"<>]*))?'.   // 7. Query
--- a/tests/HTMLPurifier/URIParserTest.php
+++ b/tests/HTMLPurifier/URIParserTest.php
@ -140,6 +140,13 @@ class HTMLPurifier_URIParserTest extends HTMLPurifier_Harness
        );
    }

+    function testEmbeddedColon() {
+        $this->assertParsing(
+            '{:test:}',
+            null, null, null, null, '{:test:}', null, null
+        );
+    }
+
 }

 // vim: et sw=4 sts=4