Block curl to download from anything else than http or https.

Throw exception when download fails.

Block curl to download from anything else than http or https.
949ac40c · Alex Barth · 2cc44d55 · 949ac40c · 949ac40c
Commit 949ac40c authored 15 years ago by Alex Barth
--- a/libraries/http_request.inc
+++ b/libraries/http_request.inc
@@ -150,41 +150,53 @@ function http_request_get($url, $username = NULL, $password = NULL, $accept_inva
  if ($curl) {
    $headers[] = 'User-Agent: Drupal (+http://drupal.org/)';
    $result = new stdClass();
-    $download = curl_init($url);
-    curl_setopt($download, CURLOPT_FOLLOWLOCATION, TRUE);
+    // Only download via cURL if we can validate the scheme to be either http or
-    if (!empty($username)) {
+    // https.
-      curl_setopt($download, CURLOPT_USERPWD, "{$username}:{$password}");
+    // Validate in PHP, CURLOPT_PROTOCOLS is only supported with cURL 7.19.4
-    }
+    $uri = parse_url($url);
-    curl_setopt($download, CURLOPT_HTTPHEADER, $headers);
+    if ($uri['scheme'] != 'http' && $uri['scheme'] != 'https') {
-    curl_setopt($download, CURLOPT_HEADER, TRUE);
+      $result->error = 'invalid schema '. $uri['scheme'];
-    curl_setopt($download, CURLOPT_RETURNTRANSFER, TRUE);
+      $result->code = -1003; // This corresponds to drupal_http_request()
-    curl_setopt($download, CURLOPT_ENCODING, '');
-    if ($accept_invalid_cert) {
-      curl_setopt($download, CURLOPT_SSL_VERIFYPEER, 0);
    }
-    $header = '';
+    else {
-    $data = curl_exec($download);
-    $header_size = curl_getinfo($download, CURLINFO_HEADER_SIZE);
+      $download = curl_init($url);
-    $header = substr($data, 0, $header_size - 1);
+      curl_setopt($download, CURLOPT_FOLLOWLOCATION, TRUE);
-    $result->data = substr($data, $header_size);
+      if (!empty($username)) {
-    $header_lines = preg_split("/\r\n|\n|\r/", $header);
+        curl_setopt($download, CURLOPT_USERPWD, "{$username}:{$password}");
-    $result->headers = array();
-    array_shift($header_lines); // skip HTTP response status
-    while ($line = trim(array_shift($header_lines))) {
-      list($header, $value) = explode(':', $line, 2);
-      if (isset($result->headers[$header]) && $header == 'Set-Cookie') {
-        // RFC 2109: the Set-Cookie response header comprises the token Set-
-        // Cookie:, followed by a comma-separated list of one or more cookies.
-        $result->headers[$header] .= ','. trim($value);
      }
-      else {
+      curl_setopt($download, CURLOPT_HTTPHEADER, $headers);
-        $result->headers[$header] = trim($value);
+      curl_setopt($download, CURLOPT_HEADER, TRUE);
+      curl_setopt($download, CURLOPT_RETURNTRANSFER, TRUE);
+      curl_setopt($download, CURLOPT_ENCODING, '');
+      if ($accept_invalid_cert) {
+        curl_setopt($download, CURLOPT_SSL_VERIFYPEER, 0);
      }
-    }
+      $header = '';
-    $result->code = curl_getinfo($download, CURLINFO_HTTP_CODE);
+      $data = curl_exec($download);
+      $header_size = curl_getinfo($download, CURLINFO_HEADER_SIZE);
+      $header = substr($data, 0, $header_size - 1);
+      $result->data = substr($data, $header_size);
+      $header_lines = preg_split("/\r\n|\n|\r/", $header);
+      $result->headers = array();
+      array_shift($header_lines); // skip HTTP response status
+      while ($line = trim(array_shift($header_lines))) {
+        list($header, $value) = explode(':', $line, 2);
+        if (isset($result->headers[$header]) && $header == 'Set-Cookie') {
+          // RFC 2109: the Set-Cookie response header comprises the token Set-
+          // Cookie:, followed by a comma-separated list of one or more cookies.
+          $result->headers[$header] .= ','. trim($value);
+        }
+        else {
+          $result->headers[$header] = trim($value);
+        }
+      }
+      $result->code = curl_getinfo($download, CURLINFO_HTTP_CODE);
-    curl_close($download);
+      curl_close($download);
+    }
  }
  else {
    $result = drupal_http_request($url, $headers);

--- a/plugins/FeedsHTTPFetcher.inc
+++ b/plugins/FeedsHTTPFetcher.inc
@@ -31,6 +31,9 @@ class FeedsHTTPFetcher extends FeedsFetcher {
    else {
      $result = http_request_get($url);
    }
+    if ($result->code != 200) {
+      throw new Exception(t('Download of @url failed with code !code.', array('@url' => $url, '!code' => $result->code)));
+    }
    return new FeedsFetcherResult($result->data, 'text/xml');
  }