author | Joas Schilling <nickvergessen@gmx.de> | 2013-06-03 12:15:23 +0200 |
---|---|---|
committer | Joas Schilling <nickvergessen@gmx.de> | 2013-06-03 12:37:54 +0200 |
commit | 81140ec8877236050b822517f735b49503bcd44d (patch) | |
tree | 914d34ce2773d807a7020caa80158d65e38c184c /phpBB/includes | |
parent | 96b4066368e6e9c7f701daac7440807cce345702 (diff) | |
[ticket/8319] Prepend Board URL to LOCAL_URL links to prevent abuse
The description says:
"The URL must be relative to the topic page and cannot contain a server name
or protocol."
We now enforce this, and will add a new token that brings back the current behaviour.
PHPBB3-8319
Diffstat (limited to 'phpBB/includes')
-rw-r--r-- | phpBB/includes/acp/acp_bbcodes.php | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/phpBB/includes/acp/acp_bbcodes.php b/phpBB/includes/acp/acp_bbcodes.php
index 0644b38eb1..2cb1390c8e 100644
--- a/phpBB/includes/acp/acp_bbcodes.php
+++ b/phpBB/includes/acp/acp_bbcodes.php
@@ -427,7 +427,15 @@ class acp_bbcodes
 $fp_replace = str_replace($token, $replace, $fp_replace);
 $sp_match = str_replace(preg_quote($token, '!'), $sp_tokens[$token_type], $sp_match);
- $sp_replace = str_replace($token, '${' . ($n + 1) . '}', $sp_replace);
+ if ($token_type === 'LOCAL_URL')
+ {
+ // Prepend the board url to local relative links
+ $sp_replace = str_replace($token, generate_board_url() . '/' . '${' . ($n + 1) . '}', $sp_replace);
+ }
+ else
+ {
+ $sp_replace = str_replace($token, '${' . ($n + 1) . '}', $sp_replace);
+ }
 }
 $fp_match = '!' . $fp_match . '!' . $modifiers; |
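Review bot: The board URL is resolved once, when the BBCode is saved in the ACP, and concatenated into `$sp_replace` as a literal prefix, so every rendered LOCAL_URL link is only as current and as trustworthy as that single `generate_board_url()` call. If this replacement string is persisted (it appears to be, but the storage code is outside the hunk), a later change of server name or script path leaves existing BBCodes pointing at the old origin, and if `generate_board_url()` derives the host from the current request, the saving admin's Host header ends up in every link. I would at least record that next to the call, e.g. `// Board URL is fixed when the BBCode is saved; re-save custom BBCodes after changing server settings`, and consider applying the prefix at render time instead. The prefix also appears to land in a regex replacement string (note the `${n}` references), so a `$` or `\` in the board URL would be read as a backreference; it is worth confirming the configured values cannot contain either. The enclosing loop and method start and end outside the hunk.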