Fix bug introduced in f2a5c17

When checking against the rule, we must remove the protocol from the image path since rules are stripped of their paths too.
symphonycms · Aug 2, 2016 · e92fe94 · e92fe94
1 parent 65cbcc5
commit e92fe94
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/lib/class.jit.php b/lib/class.jit.php
@@ -368,6 +368,7 @@ public function fetchImagePath(array &$parameters)
         // Fetch external images
         if ($parameters['settings']['external'] === true) {
             $image_path = $this->normalizeExternalImageUrl($parameters['image']);
+            $protocolLess = str_replace(array('http://', 'https://'), null, $image_path);
 
             // Image is external, check to see that it is a trusted source
             $rules = @file(WORKSPACE . '/jit-image-manipulation/trusted-sites', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
@@ -383,15 +384,15 @@ public function fetchImagePath(array &$parameters)
                         $allowed = true;
                         break;
                     } // Wildcard after domain
-                    elseif (substr($rule, -1) == '*' && strncasecmp($parameters['image'], $rule, strlen($rule) - 1) == 0) {
+                    elseif (substr($rule, -1) == '*' && strncasecmp($protocolLess, $rule, strlen($rule) - 1) == 0) {
                         $allowed = true;
                         break;
                     } // Match the start of the rule with file path
-                    elseif (strncasecmp($rule, $parameters['image'], strlen($rule)) === 0) {
+                    elseif (strncasecmp($rule, $protocolLess, strlen($rule)) === 0) {
                         $allowed = true;
                         break;
                     } // Match subdomain wildcards
-                    elseif (substr($rule, 0, 1) == '*' && preg_match('/(' . preg_quote(substr((substr($rule, -1) == '*' ? rtrim($rule, "/*") : $rule), 2), '/') . ')/', $parameters['image'])) {
+                    elseif (substr($rule, 0, 1) == '*' && preg_match('/(' . preg_quote(substr((substr($rule, -1) == '*' ? rtrim($rule, "/*") : $rule), 2), '/') . ')/', $protocolLess)) {
                         $allowed = true;
                         break;
                     }
@@ -400,7 +401,7 @@ public function fetchImagePath(array &$parameters)
 
             if ($allowed == false) {
                 throw new JITDomainNotAllowed(
-                    sprintf('Error: Connecting to %s is not permitted.', \General::sanitize($parameters['image']))
+                    sprintf('Error: Connecting to %s is not permitted.', \General::sanitize($image_path))
                 );
             }