From: Alexander Ebert
Date: Sun, 15 Apr 2018 21:10:29 +0000 (+0200)
Subject: Restrict external sources by host only
X-Git-Tag: 2.1.21~3
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=220f5317b7bd45e5d87c0ca3eed5ed15e9ebb79a;p=GitHub%2FWoltLab%2FWCF.git

Restrict external sources by host only
---

diff --git a/wcfsetup/install/files/lib/system/bbcode/ImageBBCode.class.php b/wcfsetup/install/files/lib/system/bbcode/ImageBBCode.class.php
index 3465f32c5c..05f8dfd6dd 100644
--- a/wcfsetup/install/files/lib/system/bbcode/ImageBBCode.class.php
+++ b/wcfsetup/install/files/lib/system/bbcode/ImageBBCode.class.php
@@ -24,7 +24,7 @@ class ImageBBCode extends AbstractBBCode {
 }
 if ($parser->getOutputType() == 'text/html') {
- if (!IMAGE_ALLOW_EXTERNAL_SOURCE && !ApplicationHandler::getInstance()->isInternalURL($src)) {
+ if (!IMAGE_ALLOW_EXTERNAL_SOURCE && !$this->isAllowedOrigin($src)) {
 return '[IMG:'.$src.']';
 }
@@ -57,4 +57,19 @@ class ImageBBCode extends AbstractBBCode {
 return '';
 }
 }
+
+ protected function isAllowedOrigin($src) { static $ownDomains; if ($ownDomains === null) { $ownDomains = array(); foreach (ApplicationHandler::getInstance()->getApplications() as $application) { if (!in_array($application->domainName, $ownDomains)) { $ownDomains[] = $application->domainName; } } } $host = @parse_url($src, PHP_URL_HOST); return $host !== false && in_array($host, $ownDomains); } }
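Review bot: In the new isAllowedOrigin(), `parse_url($src, PHP_URL_HOST)` returns `null` (not `false`) when the URL has no host component, so the `$host !== false` guard does not catch path-only or schemeless input and the result then rests on a loose `in_array()`, which would accept `null` if any application had an empty domainName. Hostnames are also case-insensitive while this comparison is byte-exact, so a capitalised own-domain URL is rejected — fail-closed, but surprising. I would lowercase at both ends and compare strictly: `$ownDomains[] = strtolower($application->domainName);` in the loop (with the dedupe check passing `true` as the third `in_array()` argument) and `return is_string($host) && in_array(strtolower($host), $ownDomains, true);` as the final line. Matching the host alone deliberately ignores scheme, port and path, as the subject says; a comment above the method, `// Host match only: scheme, port and path are intentionally ignored.`, would make that explicit, and since the removed isInternalURL() check lives outside this hunk I cannot confirm whether relative URLs were accepted before.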