Add composer.json so we can validate php extension requirements

[surrogator.git] / www / avatar.php

diff --git a/www/avatar.php b/www/avatar.php
index e707dc40f7955b5cfb8912ae8b896896cca49056..e20ddda763d5146881527b0bf178c8c4daef5bcc 100644 (file)
--- a/www/avatar.php
+++ b/www/avatar.php
@@ -96,7 +96,19 @@ if (isset($_GET['default'])) {
         //url
         $defaultMode = 'redirect';
         $default     = $_GET['default'];
-        //FIXME: validate?
+
+        $allowed = false;
+        foreach ($trustedDefaultUrls ?? [] as $urlPrefix) {
+            if (substr($default, 0, strlen($urlPrefix))  == $urlPrefix) {
+                $allowed = true;
+                break;
+            }
+        }
+        if (!$allowed) {
+            header('X-Info: default parameter URL not allowed');
+            $defaultMode = 'local';
+            $default     = 'default.png';
+        }
     }
 }
 
@@ -149,4 +161,4 @@ header('Content-Type: image/png');
 header('Content-Length:' . $stat['size']);
 
 readfile($imgFile);
-?>
\ No newline at end of file
+?>