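/**
 * 'shunt_add_new_link' filter: only let a long URL through when its host is on
 * the configured whitelist.
 *
 * Filter contract (see yourls_add_new_link() below): the filter is applied with
 * `false` as the initial value, and any non-false result is returned to the
 * caller instead of adding the link. So: return $success to allow the URL,
 * return a YOURLS-style fail array to reject it.
 *
 * The filter fires *before* yourls_add_new_link() normalises the URL, so the
 * same yourls_encodeURI / yourls_sanitize_url / yourls_escape chain is applied
 * here first, to look at the same string the core function will store.
 *
 * Configuration: global $allowed_domains, a list of entries of either form
 *   array('regexp' => '/^(.+\.)?example\.com$/i')  -- host is tested with preg_match();
 *                                                     anchor the pattern (an unanchored
 *                                                     pattern matches a substring of
 *                                                     any host) and add /i, the host
 *                                                     is passed as parsed
 *   array('domain' => 'example.com')               -- the domain itself and its subdomains
 *   array('domain' => '.example.com')              -- subdomains only
 *
 * @param mixed  $success value to return when the URL is allowed (normally false)
 * @param string $url     long URL being shortened, not yet sanitised
 * @param string $keyword unused, supplied by the filter
 * @param string $title   unused, supplied by the filter
 * @return mixed $success, or array('status' => 'fail', 'code' => ..., 'message' => ..., 'errorCode' => 400)
 */
function svenk_check_whitelisted_domain($success, $url, $keyword, $title) {
    $url = yourls_escape(yourls_sanitize_url(yourls_encodeURI($url)));
    $url_host = parse_url($url, PHP_URL_HOST);

    if (!$url_host) {
        // No host to check: reject. Same error code yourls_add_new_link() uses
        // for a malformed URL. (The yourls_die() alternative would abort the
        // request instead of returning a result to the API caller.)
        return array(
            'status'    => 'fail',
            'code'      => 'error:nourl',
            'message'   => 'During whitelist check, cannot determine host of URL. Probably missing or malformed URL',
            'errorCode' => 400,
        );
    }

    // Hostnames are case-insensitive: compare 'domain' entries against the
    // lower-cased host so "EVIL.EXAMPLE.COM" is judged like "evil.example.com".
    $host_lc = strtolower($url_host);

    global $allowed_domains;
    if (is_array($allowed_domains)) {
        foreach ($allowed_domains as $allowed_domain) {
            if (isset($allowed_domain['regexp'])) {
                // preg_match() returns 0 on no match and false on a broken
                // pattern; both fall through to "not whitelisted" (fail closed).
                if (preg_match($allowed_domain['regexp'], $url_host)) {
                    return $success;
                }
            } elseif (isset($allowed_domain['domain'])) {
                if (svenk_host_matches_domain($host_lc, $allowed_domain['domain'])) {
                    return $success;
                }
            }
        }
    }

    // No configuration, unusable configuration, or no entry matched: deny.
    return array(
        'status'    => 'fail',
        'code'      => 'error:whitelist',
        'message'   => 'This domain is not whitelisted.',
        'errorCode' => 400,
    );
}

/**
 * Label-boundary aware match of a host against a 'domain' whitelist entry.
 *
 * A bare "ends with" test is not a domain check: with 'example.com' whitelisted,
 * "evilexample.com" also ends in "example.com" and would have been allowed. The
 * host must therefore either equal the domain or end in ".<domain>". An entry
 * with a leading dot ('.example.com') keeps the old meaning of subdomains only.
 *
 * @param string $host   lower-cased host part of the URL (as returned by parse_url)
 * @param string $domain whitelist entry, compared case-insensitively
 * @return bool true when $host is $domain or a subdomain of it
 */
function svenk_host_matches_domain($host, $domain) {
    $domain = strtolower(trim((string) $domain));
    if ($domain === '' || $domain === '.') {
        // An empty entry would match every host; treat it as a misconfiguration.
        return false;
    }

    if ($domain[0] === '.') {
        $suffix = $domain; // subdomains only
    } else {
        if ($host === $domain) {
            return true;
        }
        $suffix = '.' . $domain;
    }

    // Require at least one label in front of the suffix, so ".example.com"
    // itself (or "evilexample.com") never matches.
    $suffix_len = strlen($suffix);
    return strlen($host) > $suffix_len && substr($host, -$suffix_len) === $suffix;
}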
/**
 * Add a new link in the DB, either with custom keyword, or find one
 *
 * NOTE(review): this looks like a copy of the YOURLS core function of the same
 * name (includes/functions.php) carried in the plugin; verify it matches the
 * core version actually installed before relying on it. The first thing it does
 * is apply the 'shunt_add_new_link' filter, which is presumably where
 * svenk_check_whitelisted_domain() is hooked in (the yourls_add_filter() call
 * is not in this listing) -- everything below the shunt, including the remote
 * title fetch, only runs for URLs the filter let through.
 *
 * @param string $url     long URL to shorten (sanitised and escaped here)
 * @param string $keyword optional custom keyword; empty means "generate one"
 * @param string $title   optional title; empty means "fetch it from the URL"
 * @return mixed result array (status/code/message/url/shorturl/...), or whatever
 *               a 'shunt_add_new_link' filter returned instead
 */
function yourls_add_new_link($url, $keyword = '', $title = '') {
    // Allow plugins to short-circuit the whole function
    // Any non-false filter result is returned as-is: plugins must return either
    // false (continue) or a complete result array.
    $pre = yourls_apply_filter('shunt_add_new_link', false, $url, $keyword, $title);
    if (false !== $pre) {
        return $pre;
    }

    // Normalise the URL: encode, sanitise, then escape for the DB layer.
    $url = yourls_encodeURI($url);
    $url = yourls_escape(yourls_sanitize_url($url));
    if (!$url || $url == 'http://' || $url == 'https://') {
        // Empty or scheme-only URL: nothing to shorten.
        $return['status'] = 'fail';
        $return['code'] = 'error:nourl';
        $return['message'] = yourls__('Missing or malformed URL');
        $return['errorCode'] = '400';
        return yourls_apply_filter('add_new_link_fail_nourl', $return, $url, $keyword, $title);
    }

    // Prevent DB flood
    // NOTE(review): yourls_check_IP_flood() has no return value checked here, so
    // it presumably aborts the request itself when the limit is hit -- confirm in core.
    $ip = yourls_get_IP();
    yourls_check_IP_flood($ip);

    // Prevent internal redirection loops: cannot shorten a shortened URL
    if (yourls_get_relative_url($url)) {
        if (yourls_is_shorturl($url)) {
            $return['status'] = 'fail';
            $return['code'] = 'error:noloop';
            $return['message'] = yourls__('URL is a short URL');
            $return['errorCode'] = '400';
            return yourls_apply_filter('add_new_link_fail_noloop', $return, $url, $keyword, $title);
        }
    }

    yourls_do_action('pre_add_new_link', $url, $keyword, $title);

    // $strip_url is the display form (escaping undone) used in messages and
    // result arrays; $url stays escaped for the DB calls.
    $strip_url = stripslashes($url);
    $return = array();

    // duplicates allowed or new URL => store it
    // Note the assignment inside the condition: $url_exists is only set (and
    // only used, in the else branch) when duplicates are not allowed.
    if (yourls_allow_duplicate_longurls() || !($url_exists = yourls_url_exists($url))) {
        if (isset($title) && !empty($title)) {
            $title = yourls_sanitize_title($title);
        } else {
            // NOTE(review): no title given -> the title is taken from the long URL,
            // which presumably means a server-side request to that URL. This is the
            // outbound-request surface a host whitelist on 'shunt_add_new_link'
            // gates; confirm what yourls_get_remote_title() does in core.
            $title = yourls_get_remote_title($url);
        }
        $title = yourls_apply_filter('add_new_title', $title, $url, $keyword);

        // Custom keyword provided
        if ($keyword) {
            yourls_do_action('add_new_link_custom_keyword', $url, $keyword, $title);
            $keyword = yourls_escape(yourls_sanitize_string($keyword));
            $keyword = yourls_apply_filter('custom_keyword', $keyword, $url, $title);
            if (!yourls_keyword_is_free($keyword)) {
                // This shorturl either reserved or taken already
                $return['status'] = 'fail';
                $return['code'] = 'error:keyword';
                $return['message'] = yourls_s('Short URL %s already exists in database or is reserved', $keyword);
            } else {
                // all clear, store !
                // The insert's return value is not checked on this path (unlike
                // the random-keyword path below), so a failed insert is still
                // reported as 'success'.
                yourls_insert_link_in_db($url, $keyword, $title);
                $return['url'] = array('keyword' => $keyword, 'url' => $strip_url, 'title' => $title, 'date' => date('Y-m-d H:i:s'), 'ip' => $ip);
                $return['status'] = 'success';
                $return['message'] = yourls_s('%s added to database', yourls_trim_long_string($strip_url));
                $return['title'] = $title;
                $return['html'] = yourls_table_add_row($keyword, $url, $title, $ip, 0, time());
                $return['shorturl'] = YOURLS_SITE . '/' . $keyword;
            }
            // Create random keyword
        } else {
            yourls_do_action('add_new_link_create_keyword', $url, $keyword, $title);
            $timestamp = date('Y-m-d H:i:s');
            $id = yourls_get_next_decimal();
            $ok = false;
            // Walk the counter forward until a free keyword is found. The loop
            // ends on the first free keyword whether or not the insert succeeded:
            // an insert failure (e.g. the keyword taken between the free check
            // and the insert) is reported as error:db, not retried.
            do {
                $keyword = yourls_int2string($id);
                $keyword = yourls_apply_filter('random_keyword', $keyword, $url, $title);
                if (yourls_keyword_is_free($keyword)) {
                    // '@' hides warnings from the insert; only its boolean result
                    // decides success here.
                    if (@yourls_insert_link_in_db($url, $keyword, $title)) {
                        // everything ok, populate needed vars
                        $return['url'] = array('keyword' => $keyword, 'url' => $strip_url, 'title' => $title, 'date' => $timestamp, 'ip' => $ip);
                        $return['status'] = 'success';
                        $return['message'] = yourls_s('%s added to database', yourls_trim_long_string($strip_url));
                        $return['title'] = $title;
                        $return['html'] = yourls_table_add_row($keyword, $url, $title, $ip, 0, time());
                        $return['shorturl'] = YOURLS_SITE . '/' . $keyword;
                    } else {
                        // database error, couldnt store result
                        $return['status'] = 'fail';
                        $return['code'] = 'error:db';
                        $return['message'] = yourls_s('Error saving url to database');
                    }
                    $ok = true;
                }
                $id++;
            } while (!$ok);
            // Persist the next counter value (one past the keyword just used).
            @yourls_update_next_decimal($id);
        }
        // URL was already stored
    } else {
        // Duplicates not allowed and the long URL is already in the DB: report
        // the existing short URL instead of creating a new one.
        yourls_do_action('add_new_link_already_stored', $url, $keyword, $title);
        $return['status'] = 'fail';
        $return['code'] = 'error:url';
        $return['url'] = array('keyword' => $url_exists->keyword, 'url' => $strip_url, 'title' => $url_exists->title, 'date' => $url_exists->timestamp, 'ip' => $url_exists->ip, 'clicks' => $url_exists->clicks);
        $return['message'] = yourls_s('%s already exists in database', yourls_trim_long_string($strip_url));
        $return['title'] = $url_exists->title;
        $return['shorturl'] = YOURLS_SITE . '/' . $url_exists->keyword;
    }

    yourls_do_action('post_add_new_link', $url, $keyword, $title);
    // 'statusCode' is the HTTP-level status; 'status'/'code'/'errorCode' above
    // carry the outcome of the add itself.
    $return['statusCode'] = 200; // regardless of result, this is still a valid request
    return yourls_apply_filter('add_new_link', $return, $url, $keyword, $title);
}