only disallow colons in strings returned by getLangUrl

NatLibFi · Apr 26, 2022 · fe9e356 · fe9e356
1 parent 2932952
commit fe9e356
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/model/Request.php b/model/Request.php
@@ -184,8 +184,8 @@ public function getLangUrl($newlang=null)
         if ($newlang !== null) {
             $langurl = preg_replace("#^(.*/)?{$this->lang}/#", "$1{$newlang}/", $langurl);
         }
-        // make sure that the resulting URL doesn't contain suspicious characters
-        $langurl = preg_replace("#[^a-zA-Z0-9/-]#", "", $langurl);
+        // make sure that the resulting URL isn't interpreted as an absolute URL
+        $langurl = str_replace(":", "", $langurl);
         return $langurl;
     }
 

diff --git a/tests/RequestTest.php b/tests/RequestTest.php
@@ -237,7 +237,7 @@ public function testGetLangUrlSanitizeSpecialChars() {
     $this->request->setServerConstant('REQUEST_URI', '/Skosmos/http://example.com');
     $this->request->setLang('en');
     $langurl = $this->request->getLangUrl();
-    $this->assertEquals("http//examplecom", $langurl);
+    $this->assertEquals("http//example.com", $langurl);
   }
 
 }