improve detection of file urls

freekmurze · freekmurze · commit dfc3635b83dd · 2024-12-13T17:09:34.000+01:00
diff --git a/src/Browsershot.php b/src/Browsershot.php
@@ -259,8 +259,12 @@ public function setUrl(string $url): static
     {
         $url = trim($url);
 
-        if (str_starts_with(strtolower($url), 'file://') || str_starts_with(strtolower($url), 'file:/')) {
-            throw FileUrlNotAllowed::make();
+        $unsupportedProtocols = ['file://', 'file:/', 'file:\\', 'file:\\\\'];
+
+        foreach($unsupportedProtocols as $unsupportedProtocol) {
+            if (str_starts_with(strtolower($url), $unsupportedProtocol)) {
+                throw FileUrlNotAllowed::make();
+            }
         }
 
         $this->url = $url;
diff --git a/tests/BrowsershotTest.php b/tests/BrowsershotTest.php
@@ -54,7 +54,12 @@
 
 it('will not allow a file url', function () {
     Browsershot::url('file://test');
-})->throws(FileUrlNotAllowed::class);
+})->throws(FileUrlNotAllowed::class)->with([
+    'file://test',
+    'file:/test',
+    'file:\test',
+    'file:\\test',
+]);
 
 it('will not allow a file url that has leading spaces', function () {
     Browsershot::url('    file://test');

Original file line number	Diff line number	Diff line change
`@@ -259,8 +259,12 @@ public function setUrl(string $url): static`
`259`	`259`	`{`
`260`	`260`	`$url = trim($url);`
`261`	`261`
`262`		`- if (str_starts_with(strtolower($url), 'file://') \|\| str_starts_with(strtolower($url), 'file:/')) {`
`263`		`- throw FileUrlNotAllowed::make();`
	`262`	`+ $unsupportedProtocols = ['file://', 'file:/', 'file:\\', 'file:\\\\'];`
	`263`	`+`
	`264`	`+ foreach($unsupportedProtocols as $unsupportedProtocol) {`
	`265`	`+ if (str_starts_with(strtolower($url), $unsupportedProtocol)) {`
	`266`	`+ throw FileUrlNotAllowed::make();`
	`267`	`+ }`
`264`	`268`	`}`
`265`	`269`
`266`	`270`	`$this->url = $url;`