diff options
| author | Stefan Giehl <stefan@matomo.org> | 2021-03-10 11:40:51 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-03-10 11:40:51 +0300 |
| commit | c753825478c52a132fdb1871af4283acea565dd2 (patch) | |
| tree | 62c13ebfd0f594ad212016a4242e33660da548e7 /plugins/API | |
| parent | a8da26394b2e76742c25d16eaac5c7bda0377bda (diff) | |
Only allow valid hosts for prefixUrl in API listing (#17315)
* Only allow valid hosts for prefixUrl in API listing
* remove error suppression
* additionally check for empty hostname
Diffstat (limited to 'plugins/API')
| -rw-r--r-- | plugins/API/Controller.php | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/plugins/API/Controller.php b/plugins/API/Controller.php index 585cb14ba9..2fb196d291 100644 --- a/plugins/API/Controller.php +++ b/plugins/API/Controller.php @@ -64,7 +64,8 @@ class Controller extends \Piwik\Plugin\Controller $ApiDocumentation = new DocumentationGenerator(); $prefixUrls = Common::getRequestVar('prefixUrl', 'https://demo.matomo.org/', 'string'); - if (!UrlHelper::isLookLikeUrl($prefixUrls) || strpos($prefixUrls, 'http') !== 0) { + $hostname = parse_url($prefixUrls, PHP_URL_HOST); + if (empty($hostname) || !UrlHelper::isLookLikeUrl($prefixUrls) || strpos($prefixUrls, 'http') !== 0 || !Url::isValidHost($hostname)) { $prefixUrls = ''; } return $ApiDocumentation->getApiDocumentationAsStringForDeveloperReference($outputExampleUrls = true, $prefixUrls); |