From 8076ff7da886757d1d45f8bf62f158cf0d0d6b15 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Wed, 11 May 2022 15:21:05 +0200
Subject: [PATCH] Require package servers to use https on the default port in PackageUpdateServerAddForm
---
 .../form/PackageUpdateServerAddForm.class.php | 30 ++++++++++++++-----
 .../server/PackageUpdateServer.class.php | 7 ++---
 wcfsetup/install/lang/de.xml | 3 ++
 wcfsetup/install/lang/en.xml | 3 ++
 4 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/wcfsetup/install/files/lib/acp/form/PackageUpdateServerAddForm.class.php b/wcfsetup/install/files/lib/acp/form/PackageUpdateServerAddForm.class.php
index 2520a46eda..c532f80631 100755
--- a/wcfsetup/install/files/lib/acp/form/PackageUpdateServerAddForm.class.php
+++ b/wcfsetup/install/files/lib/acp/form/PackageUpdateServerAddForm.class.php
@@ -2,7 +2,7 @@
 namespace wcf\acp\form;
-use wcf\data\package\update\server\PackageUpdateServer;
+use Laminas\Diactoros\Uri;
 use wcf\data\package\update\server\PackageUpdateServerAction;
 use wcf\data\package\update\server\PackageUpdateServerList;
 use wcf\form\AbstractForm;
@@ -10,7 +10,6 @@ use wcf\system\exception\UserInputException;
 use wcf\system\request\LinkHandler;
 use wcf\system\WCF;
 use wcf\util\StringUtil;
-use wcf\util\Url;
 /**
 * Shows the server add form.
@@ -89,12 +88,29 @@ class PackageUpdateServerAddForm extends AbstractForm
 throw new UserInputException('serverURL');
 }
- if (!PackageUpdateServer::isValidServerURL($this->serverURL)) {
- throw new UserInputException('serverURL', 'invalid');
- }
+ try {
+ $url = new Uri($this->serverURL);
+ $this->serverURL = (string)$url;
- if (\str_ends_with(\strtolower(Url::parse($this->serverURL)['host']), '.woltlab.com')) {
- throw new UserInputException('serverURL', 'woltlab');
+ if (!$url->getHost()) {
+ throw new UserInputException('serverURL', 'invalid');
+ }
+ if ($url->getHost() !== 'localhost') {
+ if ($url->getScheme() !== 'https') {
+ throw new UserInputException('serverURL', 'invalidScheme');
+ }
+ if ($url->getPort()) {
+ throw new UserInputException('serverURL', 'nonStandardPort');
+ }
+ }
+ if ($url->getUserInfo()) {
+ throw new UserInputException('serverURL', 'userinfo');
+ }
+ if (\str_ends_with(\strtolower($url->getHost()), '.woltlab.com')) {
+ throw new UserInputException('serverURL', 'woltlab');
+ }
+ } catch (\InvalidArgumentException) {
+ throw new UserInputException('serverURL', 'invalid');
 }
 if (($duplicate = $this->findDuplicateServer())) {
diff --git a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
index acf5cb21f7..5bb6a1b8d3 100644
--- a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
+++ b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
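Review bot: The `if ($url->getHost() !== 'localhost')` branch skips the scheme check entirely for localhost, so whether a scheme-less (`//localhost/...`) or non-http localhost URL is rejected now depends on what `Uri` itself accepts rather than on this form, whereas the removed `isValidServerURL` call still required http or https. Placing `if (!\in_array($url->getScheme(), ['http', 'https'], true)) { throw new UserInputException('serverURL', 'invalidScheme'); }` ahead of the `!== 'localhost'` branch restores that floor and leaves the https-only rule for remote hosts inside it. Also, `!$url->getHost()` is a truthiness test, so a host string of `'0'` would be reported as missing; `$url->getHost() === ''` is the precise check. The `catch (\InvalidArgumentException)` also wraps the `UserInputException` throws, which is harmless only as long as `UserInputException` does not derive from `\InvalidArgumentException`; narrowing the try block to the `new Uri(...)` call makes the specific error codes independent of that hierarchy. The enclosing method starts and ends outside the hunk.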
@@ -142,16 +142,13 @@ class PackageUpdateServer extends DatabaseObject
 }
 /**
- * Returns true if the given server url is valid.
- *
- * @param string $serverURL
- * @return bool
+ * @deprecated 5.6 This method was only used in PackageUpdateServerAddForm.
 */
 public static function isValidServerURL($serverURL)
 {
 $parsedURL = Url::parse($serverURL);
- return \in_array($parsedURL['scheme'], ['http', 'https']) && $parsedURL['host'] !== '';
+ return \in_array($parsedURL['scheme'], ['https']) && $parsedURL['host'] !== '';
 }
 /**
diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml
index 600318f9f0..fb74664365 100644
--- a/wcfsetup/install/lang/de.xml
+++ b/wcfsetup/install/lang/de.xml
@@ -2840,6 +2840,9 @@ Kein Abschnitt darf leer sein und alle Abschnitten dürfen nur folgende Zeichen + https://-Protokoll verwenden.]]> + + packageUpdateServerID}{/link}">den bestehenden Paketserver bearbeiten.]]>
diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml
index 8ccc9da5e7..c6438d2a99 100644
--- a/wcfsetup/install/lang/en.xml
+++ b/wcfsetup/install/lang/en.xml
@@ -2771,6 +2771,9 @@ If you have already bought the licenses for the listed apps, th + https:// scheme.]]> + + packageUpdateServerID}{/link}">edit this server instead.]]>
-- 2.20.1
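Review bot: The rewritten docblock replaces `@param string $serverURL` and `@return bool` with the deprecation note, and since the signature `isValidServerURL($serverURL)` carries no native types, the method now has no type information at all; keep both tags alongside `@deprecated 5.6 ...`. On the new return line, `\in_array($parsedURL['scheme'], ['https'])` is a non-strict lookup in a one-element array; `$parsedURL['scheme'] === 'https' && $parsedURL['host'] !== ''` states the same condition exactly and avoids loose comparison. Note that the behaviour of this deprecated method changes in the same commit (http is no longer accepted), so any remaining external caller sees a stricter result without a signature change. The method is fully visible in the hunk.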