Added a domain check for validation URLs in Apple Pay demo.
author aakash_jain@apple.com <aakash_jain@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 4 Jul 2019 00:57:53 +0000 (00:57 +0000)
committer aakash_jain@apple.com <aakash_jain@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 4 Jul 2019 00:57:53 +0000 (00:57 +0000)
https://bugs.webkit.org/show_bug.cgi?id=199433

Patch by Jon Davis <jond@apple.com> on 2019-07-03
Reviewed by David Kilzer.

* demos/payment-request/merchant-validation.php:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247122 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Websites/webkit.org/ChangeLog
Websites/webkit.org/demos/payment-request/merchant-validation.php

index 296e60e..7bc2f70 100644 (file)
@@ -1,3 +1,12 @@
+2019-07-03  Jon Davis  <jond@apple.com>
+
+        Added a domain check for validation URLs in Apple Pay demo.
+        https://bugs.webkit.org/show_bug.cgi?id=199433
+
+        Reviewed by David Kilzer.
+
+        * demos/payment-request/merchant-validation.php:
+
 2019-06-05  Jon Davis  <jond@apple.com>
 
         Fix icons positioned incorrectly when a featured image is used
index 094f1f7..8475e44 100644 (file)
@@ -51,11 +51,21 @@ try {
 }
 
 $validationURL = isset($postedData['validationURL']) ? $postedData['validationURL'] : '';
+$URLcomponents = parse_url($validationURL);
+if (!isset($URLcomponents['scheme']) || !isset($URLcomponents['host']))
+    die('The validation URL is not valid.');
+if ('https' !== strtolower($URLcomponents['scheme']))
+    die('The validation URL scheme is not valid.');
+$validationHost = strtolower($URLcomponents['host']);
+if (!('apple.com' === $validationHost || '.apple.com' === substr($validationHost, -10)))
+    die('The validation URL host is not valid.');
+
 $merchantIdentifier = isset($postedData['merchantIdentifier']) ? $postedData['merchantIdentifier'] : MERCHANT_IDENTIFIER;
 $displayName = isset($postedData['displayName']) ? $postedData['displayName'] : DISPLAY_NAME;
 $intiative = isset($postedData['intiative']) ? $postedData['intiative'] : INITIATIVE;
 $intiativeContext = isset($postedData['intiativeContext']) ? $postedData['intiativeContext'] : INITIATIVE_CONTEXT;
 
+
 $postData = array(
     'merchantIdentifier' => $merchantIdentifier,
     'displayName' => $displayName,
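Review bot: The three `die()` calls added at L39, L41 and L44 emit the failure text with the default 200 status and no explicit content type, so a caller that posted to this endpoint expecting the merchant session body receives a plain string it will fail to parse instead of a recognisable error; prefixing each with `http_response_code(400);` (or routing all three rejections through one small helper) makes the rejection visible to the client. The check itself is sound — the scheme is pinned to https, the host is lower-cased before comparison, and the `.apple.com` suffix length of 10 is correct — so the server will only ever contact Apple hosts, which is presumably the purpose given that `$validationURL` is consumed further down (that use is outside the hunk). A one-line comment above the `parse_url` call, such as `// Restrict to Apple hosts over HTTPS: the server will send a request to this URL, so an unrestricted value would let the client choose the destination.`, would record that intent for the next maintainer. The blank line added at L51 leaves two consecutive empty lines before `$postData`, and the `$postData = array(` statement continues past the end of the hunk.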