Mark Smith ([staff profile] mark) wrote in [site community profile] changelog2009-06-12 05:58 pm

[dw-free] http://bugs.dwscoalition.org/show_bug.cgi?id=1287

[commit: http://hg.dwscoalition.org/dw-free/rev/94480661f601]

http://bugs.dwscoalition.org/show_bug.cgi?id=1287

Sanitize input of custom domains, and fix support for URLs with trailing
dots in the domain.

Patch by [personal profile] exor674.

Files modified:
  • cgi-bin/Apache/LiveJournal.pm
  • cgi-bin/LJ/Setting/DomainMapping.pm
  • htdocs/manage/domain.bml
--------------------------------------------------------------------------------
diff -r 374d3d6141ad -r 94480661f601 cgi-bin/Apache/LiveJournal.pm
--- a/cgi-bin/Apache/LiveJournal.pm	Fri Jun 12 17:48:19 2009 +0000
+++ b/cgi-bin/Apache/LiveJournal.pm	Fri Jun 12 17:58:07 2009 +0000
@@ -245,7 +245,10 @@ sub trans
     my $args = $r->args;
     my $args_wq = $args ? "?$args" : "";
     my $host = $r->headers_in->{"Host"};
-    my $hostport = ($host =~ s/:\d+$//) ? $& : "";
+    my $hostport = ( $host =~ s/:\d+$// ) ? $& : "";
+
+    # Allow hosts ending in . to work properly.
+    $host =~ s/\.$//;
 
     # disable TRACE (so scripts on non-LJ domains can't invoke
     # a trace to get the LJ cookies in the echo)
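Review bot: The new strip `$host =~ s/\.$//;` normalizes the Host header only partially: the DomainMapping setting stores custom domains lowercased, so a mixed-case `Host:` value will match only if the lookup further down `trans` lowercases as well — that lookup is outside this hunk, so it is worth confirming, and if it does not, `$host = lc $host;` belongs right next to this strip. The `$` anchor also matches before a trailing newline, so `\z` is the stricter choice: `$host =~ s/\.\z//;`. On the reformatted `$hostport` line, `$&` carries the well-known global regex-copy penalty on Perl before 5.20; `my $hostport = ( $host =~ s/(:\d+)\z// ) ? $1 : "";` avoids it. The `trans` sub starts and ends outside this hunk.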
diff -r 374d3d6141ad -r 94480661f601 cgi-bin/LJ/Setting/DomainMapping.pm
--- a/cgi-bin/LJ/Setting/DomainMapping.pm	Fri Jun 12 17:48:19 2009 +0000
+++ b/cgi-bin/LJ/Setting/DomainMapping.pm	Fri Jun 12 17:58:07 2009 +0000
@@ -12,9 +12,12 @@ sub save {
 
     # sanitize POST value
 
-    my $domainname = $args->{journaldomain};
+    my $domainname = lc( $args->{journaldomain} );
+
     $domainname =~ s!^(http://)?(www\.)?!!;
-    $domainname = lc($domainname);
+
+    # Strip off trailing '.', and any path or port the user might have entered.
+    $domainname =~ s!\.([:/].+)?$!!;
 
     my $dbh = LJ::get_db_writer();
 
diff -r 374d3d6141ad -r 94480661f601 htdocs/manage/domain.bml
--- a/htdocs/manage/domain.bml	Fri Jun 12 17:48:19 2009 +0000
+++ b/htdocs/manage/domain.bml	Fri Jun 12 17:58:07 2009 +0000
@@ -50,13 +50,17 @@ body<=
 
         # journal domains
         my $dom_cap = LJ::get_cap($u, 'domainmap');
-        if ((exists $POST{'journaldomain'} && $u->{'journaldomain'} ne $POST{'journaldomain'}) ||
-            (!$dom_cap && $POST{'journaldomain_del'})) {
+        if ( ( exists $POST{journaldomain} && $u->{journaldomain} ne $POST{journaldomain} ) ||
+            ( !$dom_cap && $POST{journaldomain_del} ) ) {
 
-            $POST{'journaldomain'} =~ s!^(http://)?(www\.)?!!;
-            my $dom = lc($POST{'journaldomain'});
-            if (($dom_cap && !$dom) || (!$dom_cap && $POST{'journaldomain_del'})) {
-                $dbh->do("DELETE FROM domains WHERE userid=?", undef, $u->{'userid'});
+            my $dom = lc( $POST{journaldomain} );
+            $dom =~ s!^(http://)?(www\.)?!!;
+
+            # Strip off trailing '.', and any path or port the user might have entered.
+            $dom =~ s!\.([:/].+)?$!!;
+
+            if ( ( $dom_cap && !$dom ) || ( !$dom_cap && $POST{journaldomain_del} ) ) {
+                $dbh->do( "DELETE FROM domains WHERE userid=?", undef, $u->{userid} );
             } else {
                 $dbh->do("INSERT INTO domains VALUES (?, ?)", undef, $dom, $u->{'userid'});
                 if ($dbh->err) {
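Review bot: The strip on the line `$dom =~ s!\.([:/].+)?$!!;` requires a literal dot right before the port or path, so `example.com:8080` or `example.com/foo` survives and is inserted into `domains` as-is; only a form like `example.com./foo` is trimmed. Use `$dom =~ s{ \.? (?: [:/] .* )? \z }{}x;` so the dot is optional. This sanitizing sequence (lowercase, scheme/www strip, trailing-dot/port/path strip) is now duplicated verbatim between this page and LJ::Setting::DomainMapping::save; a shared helper such as `LJ::Setting::DomainMapping->normalize_domain($raw)` would keep the two from drifting apart, and the port/path bug already shows how easily that happens. The enclosing `if` body and its surrounding block continue past the end of the hunk.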
--------------------------------------------------------------------------------