Skip to content

Commit d62c50f

Browse files
committed
Added checks for valid URLs and response objects.
1 parent 97035a1 commit d62c50f

2 files changed

Lines changed: 32 additions & 15 deletions

File tree

composer.lock

Lines changed: 6 additions & 7 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

src/UniwebClient.php

Lines changed: 26 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -50,16 +50,34 @@ public function __construct(?array $credentials = null)
5050
*/
5151
public function getInstanceUrl(): string
5252
{
53-
if (!($url = $this->credentials['homepage'] ?? false)) {
53+
$url = trim($this->credentials['homepage'] ?? '');
54+
55+
if (!$url) {
5456
throw new Exception("Invalid empty homepage URL in credentials");
5557
}
5658

57-
// Add a trailing slash of needed
58-
if ($url[strlen($url) - 1] != '/') {
59-
$url .= '/';
59+
$parts = parse_url($url);
60+
$host = $parts['host'] ?? '';
61+
$path = $parts['path'] ?? '';
62+
63+
// If there is no host, there might be a missing '//'
64+
if (!$host && $path) {
65+
$parts = parse_url('//' . $url);
66+
$host = $parts['host'] ?? '';
67+
$path = $parts['path'] ?? '';
68+
}
69+
70+
if (!$host) {
71+
throw new Exception("Invalid homepage URL");
72+
}
73+
74+
// Path must end with a '/' iff it's not empty
75+
if ($path = trim($path, '/')) {
76+
$path .= '/';
6077
}
6178

62-
return $url;
79+
// Only allow for the secure HTTPS protocol
80+
return 'https://' . $host . '/' . $path;
6381
}
6482

6583
public function getClientName(): string
@@ -68,7 +86,7 @@ public function getClientName(): string
6886
throw new Exception("Invalid empty client name in credentials");
6987
}
7088

71-
return $clientName;
89+
return trim($clientName);
7290
}
7391

7492
public function getClientSecret(): string
@@ -77,7 +95,7 @@ public function getClientSecret(): string
7795
throw new Exception("Invalid empty client secret in credentials");
7896
}
7997

80-
return $clientSecret;
98+
return trim($clientSecret);
8199
}
82100

83101
/**
@@ -371,7 +389,7 @@ public function getAccessToken()
371389

372390
$result = json_decode($result);
373391

374-
if (property_exists($result, 'error')) {
392+
if (is_object($result) && property_exists($result, 'error')) {
375393
throw new Exception('Error: ' . $result->error);
376394
} elseif (!$result || !property_exists($result, 'expires_in')) {
377395
throw new Exception('Unable to obtain access token');

0 commit comments

Comments
 (0)