예제 #1
 /**
  * Checks Url::isLocalUrl() against a simulated request environment.
  *
  * Each data set from getLocalUrls() describes the server variables of one
  * request, the host that is trusted for it, a candidate URL and the
  * expected verdict. Trusted-host checking is switched on for every case so
  * the trusted_hosts list is actually consulted rather than bypassed.
  *
  * @dataProvider getLocalUrls
  * @group Core
  */
 public function testIsLocalUrl($httphost, $scripturi, $requesturi, $testurl, $result)
 {
     // Simulate the incoming request.
     $serverVars = array(
         'HTTP_HOST'   => $httphost,
         'SCRIPT_URI'  => $scripturi,
         'REQUEST_URI' => $requesturi,
     );
     foreach ($serverVars as $name => $value) {
         $_SERVER[$name] = $value;
     }

     // Only the request's own host is trusted for this case.
     $config = Config::getInstance();
     $config->General['enable_trusted_host_check'] = 1;
     $config->General['trusted_hosts'] = array($httphost);

     $actual = Url::isLocalUrl($testurl);
     $this->assertEquals($result, $actual);
 }
예제 #2
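 /**
  * Returns if a nonce is valid and comes from a valid request.
  *
  * A nonce is valid if it matches the nonce stored in the session namespace
  * named by `$id` (see {@link getNonce()}). Expiry of that stored nonce is
  * not checked in this method; it is presumably enforced by the session
  * namespace itself — confirm.
  *
  * The request is valid if the referrer, when one is sent, is a local URL
  * (see {@link Url::isLocalUrl()}) and if the HTTP origin, when one is sent,
  * is not the opaque value "null" and is one of the acceptable origins
  * (see {@link getAcceptableOrigins()}). A request carrying neither header
  * passes both of those checks, so the session-bound token is the only
  * defence in that case.
  *
  * @param string $id The nonce's unique ID. See {@link getNonce()}.
  * @param string $cnonce Nonce sent from client.
  * @return bool `true` if valid; `false` otherwise.
  */
 public static function verifyNonce($id, $cnonce)
 {
     $ns = new SessionNamespace($id);
     $nonce = $ns->nonce;

     // Validate the token. Both sides must be non-empty strings, and the
     // comparison runs in constant time so the position of a mismatch is
     // not leaked through response timing (hash_equals needs string args).
     if (empty($cnonce) || !is_string($cnonce)
         || !is_string($nonce) || $nonce === ''
         || !hash_equals($nonce, $cnonce)) {
         return false;
     }

     // Validate the referrer: an absent referrer is tolerated (browsers and
     // proxies may strip it), but a present one must point at this install.
     $referrer = Url::getReferrer();
     if (!empty($referrer) && !Url::isLocalUrl($referrer)) {
         return false;
     }

     // Validate the origin: "null" is the opaque origin browsers send for
     // sandboxed or privacy-sensitive contexts and is never acceptable; any
     // other value must match an acceptable origin exactly (strict
     // comparison, so numeric-looking strings are not compared loosely).
     $origin = self::getOrigin();
     if (!empty($origin)
         && ($origin === 'null' || !in_array($origin, self::getAcceptableOrigins(), true))) {
         return false;
     }

     return true;
 }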
예제 #3
    /**
     * Output redirection page instead of linking directly to avoid
     * exposing the referrer on the Piwik demo.
     *
     * @internal param string $url (via $_GET)
     */
    public function redirect()
    {
        $url = Common::getRequestVar('url', '', 'string', $_GET);
        // validate referrer
        $referrer = Url::getReferrer();
        if (empty($referrer) || !Url::isLocalUrl($referrer)) {
            die('Invalid Referrer detected - This means that your web browser is not sending the "Referrer URL" which is
				required to proceed with the redirect. Verify your browser settings and add-ons, to check why your browser
				 is not sending this referrer.

				<br/><br/>You can access the page at: ' . $url);
        }
        // mask visits to *.piwik.org
        if (!self::isPiwikUrl($url)) {
            Piwik::checkUserHasSomeViewAccess();
        }
        if (!UrlHelper::isLookLikeUrl($url)) {
            die('Please check the &url= parameter: it should to be a valid URL');
        }
        @header('Content-Type: text/html; charset=utf-8');
        echo '<html><head><meta http-equiv="refresh" content="0;url=' . $url . '" /></head></html>';
        exit;
    }