Merge pull request PrestaShop#37828 from M0rgan01/validate-url

Add URL Validation when installing theme from URL
mattgoud · Jan 23, 2025 · a5cec95 · a5cec95
2 parents d7e2539 + c1bf16e
commit a5cec95
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/classes/Tools.php b/classes/Tools.php
@@ -2107,6 +2107,13 @@ public static function file_get_contents(
      */
     public static function createFileFromUrl($url)
     {
+        //TODO use Validate::isUrl instead when it will be less permissive and also allows schemes to be validated
+        $scheme = parse_url($url, PHP_URL_SCHEME);
+
+        // Check if the scheme is allowed
+        if (!in_array(strtolower($scheme), ['http', 'https'], true)) {
+            return false;
+        }
         $remoteFile = fopen($url, 'rb');
         if (!$remoteFile) {
             return false;