added scheme check

Ariadne-CMS · Jun 2, 2022 · 43abd41 · 43abd41
1 parent 565cffe
commit 43abd41
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/src/http/ClientStream.php b/src/http/ClientStream.php
@@ -18,6 +18,10 @@
  */
 class ClientStream implements Client
 {
+    public $whitelist = [
+        'http','https'
+    ];
+
     private $options = [
         'headers'          => [],
         'timeout'          => 5,
@@ -75,6 +79,9 @@ private function mergeHeaders() {
     public function request( $type, $url, $request = null, $options = [] )
     {
         $url = \arc\url::url( (string) $url);
+        if (!in_array($url->scheme, $this->whitelist)) {
+            throw new \arc\IllegalRequest("Scheme ".$url->scheme." is not allowed", \arc\exceptions::ILLEGAL_ARGUMENT);
+        }
         if ($type == 'GET' && $request) {
             $url->query->import( $request);
             $request = null;

diff --git a/tests/http_clientstream.Test.php b/tests/http_clientstream.Test.php
@@ -56,9 +56,9 @@ function testHeader()
 
     function testBroken()
     {
+        $this->expectException(\arc\IllegalRequest::class);
         $client = new \arc\http\ClientStream();
         $page = $client->get('afeafawfafweaga');
-        $this->assertFalse($page);
     }
 
     // second request should unset old data
@@ -68,7 +68,7 @@ function testSecondRequest()
         $res1 = $client->get('https://www.ariadne-cms.org/');
         $resHeader1 = $client->responseHeaders;
 
-        $res2 = $client->get('invalid');
+        $res2 = $client->get('https://www.muze.nl/');
         $resHeader2 = $client->responseHeaders;
         $this->assertTrue($resHeader1 !== $resHeader2);
     }
@@ -78,7 +78,7 @@ function testFailGet()
         $client = new \arc\http\ClientStream();
 
         // do request, any will do
-        $result = $client->get('incorrect_url');
+        $result = $client->get('http://broken/');
 
         $this->assertFalse($result);
     }