Allow prefixes that end in / to try ? and # as well

Bug 1286935 Seeing as we check the url against FILTER_VALIDATE_URL and that only site admins can add to the 'allowed iframe sources' that should be enough without having to add the / to the end of the url. Change-Id: I82e3623d3df2fa03012278d334994224c51a092e Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Allow prefixes that end in / to try ? and # as well
Bug 1286935 Seeing as we check the url against FILTER_VALIDATE_URL and that only site admins can add to the 'allowed iframe sources' that should be enough without having to add the / to the end of the url. Change-Id: I82e3623d3df2fa03012278d334994224c51a092e Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
c5851d8f · Robert Lyon · Aaron Wells · fb3715c6 · c5851d8f
Commit c5851d8f authored Apr 16, 2015 by Robert Lyon Committed by Aaron Wells Apr 17, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

htdocs/lib/upgrade.php htdocs/lib/upgrade.php +5 -1

No files found.
--- a/htdocs/lib/upgrade.php
+++ b/htdocs/lib/upgrade.php
@@ -1368,11 +1368,15 @@ function update_safe_iframe_regex() {
        // in future we may need to be more clever.  Admins who know
        // what they're doing, and need something fancy, can always
        // override this in config.php.
-        foreach ($prefixes as $r) {
+        foreach ($prefixes as $key => $r) {
            if (!preg_match('/^[a-zA-Z0-9\/\._-]+$/', $r)) {
                throw new SystemException('Invalid site passed to update_safe_iframe_regex');
            }
+            if (substr($r, -1) == '/') {
+                $prefixes[$key] = substr($r, 0, -1) . '($|[/?#])';
+            }
        }
+
        // Allowed iframe URLs should be one of the partial URIs in iframe_source,
        // prefaced by http:// or https:// or just // (which is a protocol-relative URL)
        $iframeregexp = '%^(http:|https:|)//(' . str_replace('.', '\.', implode('|', $prefixes)) . ')%';