From 3ecd2f150d488debf10747df19af10a41646c0e1 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Sat, 2 May 2020 14:24:06 +0200
Subject: [PATCH] [ticket/security/257] Enforce http(s) for URLs in image BBCode

SECURITY-257
---
 phpBB/includes/message_parser.php | 2 +-
 tests/bbcode/parser_test.php | 5 +++++
 tests/text_formatter/s9e/default_formatting_test.php | 4 ++++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php
index e1c28223dc..2c55d7b260 100644
--- a/phpBB/includes/message_parser.php
+++ b/phpBB/includes/message_parser.php
@@ -390,7 +390,7 @@ class bbcode_firstpass extends bbcode
 $in = str_replace(' ', '%20', $in);
 
 // Checking urls
-if (!preg_match('#^' . get_preg_expression('url') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in))
+if (!preg_match('#^' . get_preg_expression('url_http') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in))
 {
 return '[img]' . $in . '[/img]';
 }
diff --git a/tests/bbcode/parser_test.php b/tests/bbcode/parser_test.php
index b569d371f1..ecd946c59f 100644
--- a/tests/bbcode/parser_test.php
+++ b/tests/bbcode/parser_test.php
@@ -120,6 +120,11 @@ class phpbb_bbcode_parser_test extends \phpbb_test_case
 '[img]https://area51.phpbb.com/images/area51.png[/img]',
 '[img:]https://area51.phpbb.com/images/area51.png[/img:]',
 ),
+array(
+'Test default bbcodes: img with unsupported protocol',
+'[img]foo://foo/bar[/img]',
+'[img]foo://foo/bar[/img]',
+),
 array(
 'Test default bbcodes: simple url',
 '[url]https://area51.phpbb.com/[/url]',
diff --git a/tests/text_formatter/s9e/default_formatting_test.php b/tests/text_formatter/s9e/default_formatting_test.php
index ce15a52adc..80c06196ca 100644
--- a/tests/text_formatter/s9e/default_formatting_test.php
+++ b/tests/text_formatter/s9e/default_formatting_test.php
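Review bot: The switch from `url` to `url_http` on the changed `if` line carries no comment saying why the accepted scheme set was narrowed, so a later maintainer comparing it with the neighbouring, unchanged `www_url` branch may well widen it back. Suggest replacing the `// Checking urls` context line with `// Checking urls: only http(s) (and scheme-less www.) URLs may be rendered as images, see SECURITY-257`. The `www_url` fallback still accepts scheme-less `www.` hosts, which is presumably intended because that pattern carries no scheme of its own; it is worth confirming that the rendering side always prefixes http(s) for those matches. The enclosing method starts and ends outside the hunk.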
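Review bot: The added dataset exercises only the rejecting side of the new `url_http` check with a single scheme (`foo://`), so a regression in the accepting side — for instance the `i` flag or the `https` alternative no longer matching — would pass this file unnoticed. A positive companion case next to it, such as `'[img]HTTPS://area51.phpbb.com/images/area51.png[/img]'` expecting the `[img:]…[/img:]` form shown two lines above, would pin the case-insensitive accept path as well. The data provider array this dataset belongs to starts and ends outside the hunk.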
@@ -132,6 +132,10 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case
 '[img]https://area51.phpbb.com/images/area51.png[/img]',
 'Image'
 ),
+array(
+'[img]foo://area51.phpbb.com/images/area51.png[/img]',
+'[img]foo://area51.phpbb.com/images/area51.png[/img]'
+),
 array(
 '[url]https://area51.phpbb.com/[/url]',
 'https://area51.phpbb.com/'
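Review bot: This dataset asserts that the s9e formatter leaves `[img]foo://…[/img]` unrendered, yet the patch changes only the legacy `bbcode_firstpass` parser in `phpBB/includes/message_parser.php`; no s9e configuration change is part of this diff, so presumably that path already rejected non-http(s) image URLs and the test merely documents it. A comment above the new `array(` such as `// Non-http(s) image URLs must stay unrendered (SECURITY-257)`, or one sentence in the commit description, would make the relationship between the two parsers explicit for whoever reads this test later. The data provider array starts and ends outside the hunk.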