Fix #319

Author: dontqwerty

share/server/core/sources/geomap.php

@@ -6,6 +6,8 @@ class GeomapError extends MapSourceError {}
 // CSV source file handling
 //
 
+const ACCEPTED_GEOMAP_SERVER_URL_SCHEMES = ["http", "https"];
+
 function geomap_source_file($p) {
     return cfg('paths', 'geomap') . '/' . $p['source_file'] . '.csv';
 }
@@ -120,6 +122,7 @@ function geomap_get_contents($url) {
             'http' => array(
                 'timeout'    => cfg('global', 'http_timeout'),
                 'user_agent' => 'NagVis '.CONST_VERSION.' geomap',
+                'max_redirects' => 0,
             )
         );
 
@@ -268,6 +271,33 @@ function geomap_files($params) {
     );
 }
 
+function validate_geomap_server_base_url($url) {
+    # If the given url contains non standard URL characters, throw an error
+    $sanitized_url = filter_var($url, FILTER_SANITIZE_URL);
+    if ($sanitized_url !== $url) {
+        throw new GeomapError(l('Geomap server URL contains not allowed characters. Url: "[U]"',
+            array('U' => $url)));
+    }
+
+    $url_scheme = parse_url($url, PHP_URL_SCHEME);
+    if (!$url_scheme || !in_array(strtolower($url_scheme), ACCEPTED_GEOMAP_SERVER_URL_SCHEMES)) {
+        throw new GeomapError(l('Invalid scheme in Geomap server URL: "[U]"',
+            array('U' => $url)));
+    }
+
+    $url_query = parse_url($url, PHP_URL_QUERY);
+    if (!empty($url_query)) {
+        throw new GeomapError(l('Geomap server cannot contain query parameters. URL: "[U]"',
+            array('U' => $url)));
+    }
+
+    $url_fragment = parse_url($url, PHP_URL_FRAGMENT);
+    if (!empty($url_fragment)) {
+        throw new GeomapError(l('Geomap server cannot contain anchors. URL: "[U]"',
+            array('U' => $url)));
+    }
+}
+
 function process_geomap($MAPCFG, $map_name, &$map_config) {
     $params = $MAPCFG->getSourceParams();
     list($image_name, $image_path, $data_path) = geomap_files($params);
@@ -354,7 +384,9 @@ function process_geomap($MAPCFG, $map_name, &$map_config) {
         throw new GeomapError(l('Missing mandatory "width" and "height" parameters."'));
 
     // Using this API: http://pafciu17.dev.openstreetmap.org/
-    $url = cfg('global', 'geomap_server')
+    $geomap_server_base_url = cfg('global', 'geomap_server');
+    validate_geomap_server_base_url($geomap_server_base_url);
+    $url = $geomap_server_base_url
           .'?module=map'
           .'&width='.$params['width'].'&height='.$params['height']
           .'&type='.$params['geomap_type'];