-rw-r--r--core/Url.php3
-rw-r--r--tests/PHPUnit/Unit/UrlTest.php2
2 files changed, 5 insertions, 0 deletions
diff --git a/core/Url.php b/core/Url.php
index 3e38b4718a..7578088de4 100644
--- a/core/Url.php
+++ b/core/Url.php
@@ -240,9 +240,12 @@ class Url
return true;
}
+ // Escape trusted hosts for preg_match call below
foreach ($trustedHosts as &$trustedHost) {
$trustedHost = preg_quote($trustedHost);
}
+ $trustedHosts = str_replace("/", "\\/", $trustedHosts);
+
$untrustedHost = Common::mb_strtolower($host);
$untrustedHost = rtrim($untrustedHost, '.');
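Review bot: The added `str_replace` line is a second pass over the array for something `preg_quote` can do itself. Assuming `/` is the pattern delimiter, as the added line implies, `$trustedHost = preg_quote($trustedHost, '/');` inside the loop escapes the delimiter along with the other metacharacters, and the `str_replace` line can be dropped. The by-reference `foreach` also leaves `$trustedHost` bound to the last array element, so `unset($trustedHost);` after the loop would guard against a later accidental write through it. The `preg_match` call the new comment mentions is outside the hunk. Because this check decides whether a request host is trusted, confirm there that a `false` return from a pattern error is treated as untrusted and not only compared against `0`.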
diff --git a/tests/PHPUnit/Unit/UrlTest.php b/tests/PHPUnit/Unit/UrlTest.php
index 9ad2571be6..3153e43acc 100644
--- a/tests/PHPUnit/Unit/UrlTest.php
+++ b/tests/PHPUnit/Unit/UrlTest.php
@@ -231,6 +231,8 @@ class UrlTest extends \PHPUnit_Framework_TestCase
array(false, 'www.example.com:8080', array('example.com'), 'host:port is valid'),
array(true, 'www.example.com:8080', array('example.com:8080'), 'host:port is valid'),
array(false, 'www.whatever.com', array('*.whatever.com'), 'regex char is escaped'),
+ array(false, 'www.whatever.com', array('www.whatever.com/abc'), 'with path starting with /a does not throw error'),
+ array(false, 'www.whatever.com', array('www.whatever.com/path/here'), 'with path starting with /p does not throw error'),
);
}
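Review bot: The two added rows only pin the reject path, so they do not show that a trusted-host entry containing `/` leaves the other entries in the list usable. If the entries are combined into a single pattern (the matching code is not in this hunk), a positive row would cover that, for example `array(true, 'www.whatever.com', array('www.whatever.com/abc', 'www.whatever.com'), 'entry with path does not break other entries'),`. The row descriptions say "does not throw error" while the row itself asserts that the host is rejected. A description such as 'entry with path is not matched as a host' would state the expected result. The data provider method starts above the hunk.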