A few extra safety checks

iMattPro · iMattPro · commit e645b4a49e61 · 2026-03-24T14:11:44.000-07:00
diff --git a/ucp/controller/webpush.php b/ucp/controller/webpush.php
@@ -309,6 +309,8 @@ public function is_valid_endpoint(string $endpoint): bool
 			return false;
 		}
 
+		$host = strtolower($host);
+
 		if (in_array($host, self::PUSH_SERVICE_WHITELIST, true))
 		{
 			return true;
@@ -358,6 +360,8 @@ public function subscribe(symfony_request $symfony_request): JsonResponse
 
 		$data = json_sanitizer::decode($symfony_request->get('data', ''));
 
+		$data['endpoint'] = $data['endpoint'] ?? '';
+
 		if (!$this->is_valid_endpoint($data['endpoint']))
 		{
 			throw new http_exception(Response::HTTP_BAD_REQUEST, 'WEBPUSH_INVALID_ENDPOINT');

Original file line number	Diff line number	Diff line change
`@@ -309,6 +309,8 @@ public function is_valid_endpoint(string $endpoint): bool`
`309`	`309`	`return false;`
`310`	`310`	`}`
`311`	`311`
	`312`	`+ $host = strtolower($host);`
	`313`	`+`
`312`	`314`	`if (in_array($host, self::PUSH_SERVICE_WHITELIST, true))`
`313`	`315`	`{`
`314`	`316`	`return true;`
`@@ -358,6 +360,8 @@ public function subscribe(symfony_request $symfony_request): JsonResponse`
`358`	`360`
`359`	`361`	`$data = json_sanitizer::decode($symfony_request->get('data', ''));`
`360`	`362`
	`363`	`+ $data['endpoint'] = $data['endpoint'] ?? '';`
	`364`	`+`
`361`	`365`	`if (!$this->is_valid_endpoint($data['endpoint']))`
`362`	`366`	`{`
`363`	`367`	`throw new http_exception(Response::HTTP_BAD_REQUEST, 'WEBPUSH_INVALID_ENDPOINT');`