[ss-2018-008] Validate against malformed urls

src/Control/Director.php

@@ -728,13 +728,26 @@ public static function is_relative_url($url)
      */
     public static function is_site_url($url)
     {
-        $urlHost = parse_url($url, PHP_URL_HOST);
+        $parsedURL = parse_url($url);
+
+        // Validate user (disallow slashes)
+        if (!empty($parsedURL['user']) && strstr($parsedURL['user'], '\\')) {
+            return false;
+        }
+        if (!empty($parsedURL['pass']) && strstr($parsedURL['pass'], '\\')) {
+            return false;
+        }
+
+        // Validate host[:port]
         $actualHost = parse_url(self::protocolAndHost(), PHP_URL_HOST);
-        if ($urlHost && $actualHost && $urlHost == $actualHost) {
+        if (!empty($parsedURL['host'])
+            && $actualHost
+            && $parsedURL['host'] === $actualHost
+        ) {
             return true;
-        } else {
-            return self::is_relative_url($url);
         }
+
+        return self::is_relative_url($url);
     }
 
     /**

tests/php/Control/DirectorTest.php

@@ -380,6 +380,10 @@ public function testIsSiteUrl()
         $this->assertFalse(Director::is_site_url("http://test.com?url=" . Director::absoluteBaseURL()));
         $this->assertFalse(Director::is_site_url("http://test.com?url=" . urlencode(Director::absoluteBaseURL())));
         $this->assertFalse(Director::is_site_url("//test.com?url=" . Director::absoluteBaseURL()));
+        $this->assertFalse(Director::is_site_url('http://google.com\@test.com'));
+        $this->assertFalse(Director::is_site_url('http://google.com/@test.com'));
+        $this->assertFalse(Director::is_site_url('http://google.com:pass\@test.com'));
+        $this->assertFalse(Director::is_site_url('http://google.com:pass/@test.com'));
     }
 
     /**