Bug #93, fix for security vulnerability in Timedtext controller

* https://iet.eu.teamwork.com/desk/#/tickets/366419
IET-OU · Jul 12, 2019 · 3f39f2d · 3f39f2d
1 parent 6ea6528
commit 3f39f2d
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/application/controllers/timedtext.php b/application/controllers/timedtext.php
@@ -39,6 +39,12 @@ public function webvtt() {
       $this->_error("Error, 'url' is a required parameter.", 400);
     }
 
+    // Security.
+    if (! preg_match('@^https?:\/\/podcast.open.ac.uk\/@', $ttml_url)) {
+      $this->_error("Error, bad 'url' parameter.", 400);
+      return;
+    }
+
     $p = parse_url($ttml_url);