From 8310f82a1a1e4d613024a7accd90b67ba3458086 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Thu, 27 Jan 2022 21:37:19 +0900
Subject: [PATCH] Fix #1856 missing IDN support in URL validator
---
 classes/validator/Validator.class.php | 2 +-
 modules/member/member.model.php | 25 +++++++++++--------------
 2 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/classes/validator/Validator.class.php b/classes/validator/Validator.class.php
index 3b0069c27..7736b30a8 100644
--- a/classes/validator/Validator.class.php
+++ b/classes/validator/Validator.class.php
@@ -88,7 +88,7 @@ class Validator
 $this->addRule(array(
 'email' => '/^[\w-]+((?:\.|\+|\~)[\w-]+)*@[\w-]+(\.[\w-]+)+$/',
 'userid' => '/^[a-z]+[\w-]*[a-z0-9_]+$/i',
- 'url' => '/^(https?|ftp|mms):\/\/[0-9a-z-]+(\.[_0-9a-z-]+)+(:\d+)?/',
+ 'url' => '/^https?:\/\/[^\\\\/]+!',
 'alpha' => '/^[a-z]*$/i',
 'alpha_number' => '/^[a-z][a-z0-9_]*$/i',
 'number' => '/^(?:[1-9]\\d*|0)$/',
diff --git a/modules/member/member.model.php b/modules/member/member.model.php
index 7d1cc557b..c02500270 100644
--- a/modules/member/member.model.php
+++ b/modules/member/member.model.php
@@ -481,8 +481,17 @@ class memberModel extends member
 $oSecurity = new Security($info);
 $oSecurity->encodeHTML('user_id', 'user_name', 'nick_name', 'find_account_answer', 'description', 'address.', 'group_list..');
- $info->homepage = strip_tags($info->homepage);
- $info->blog = strip_tags($info->blog);
+ // Validate URLs
+ $info->homepage = escape(strip_tags($info->homepage));
+ if ($info->homepage !== '' && !preg_match('!^https?://[^\\\\/]+!', $info->homepage))
+ {
+ $info->homepage = '';
+ }
+ $info->blog = escape(strip_tags($info->blog));
+ if ($info->blog !== '' && !preg_match('!^https?://[^\\\\/]+!', $info->blog))
+ {
+ $info->blog = '';
+ }
 if($extra_vars)
 {
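Review bot: The new 'url' rule on the `+` line mixes its delimiters — the pattern opens with `/` but ends with `!` — so PCRE will refuse to compile it ("No ending delimiter '/' found") and preg_match returns false for every input, meaning the rule would reject all URLs instead of adding IDN support. Use one delimiter at both ends, matching the inline copy in member.model.php: `'url' => '!^https?://[^\\\\/]+!',`. This assumes applyRule hands the rule straight to preg_match, which the hunk does not show but the `/.../` form of the neighbouring rules strongly suggests. The addRule() call and the method that contains it start and end outside the hunk.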
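Review bot: The two added preg_match calls hard-code a second copy of the URL pattern that the Validator 'url' rule in the same commit also defines, so the two definitions will silently drift the next time one is tightened; keeping a single definition (e.g. a private class constant such as `private const URL_PATTERN = '!^https?://[^\\\\/]+!';` referenced from both calls, or the Validator rule itself) removes the duplication. As a point of style, the new `if ($info->homepage !== '' ...)` lines put a space before the parenthesis while the surrounding code in this file writes `if($extra_vars)`; following the file's existing form keeps the hunk consistent. The method containing these lines starts and ends outside the hunk.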
@@ -499,18 +508,6 @@ class memberModel extends member
 }
 }
- // Check format.
- $oValidator = new Validator();
- if(!$oValidator->applyRule('url', $info->homepage))
- {
- $info->homepage = '';
- }
-
- if(!$oValidator->applyRule('url', $info->blog))
- {
- $info->blog = '';
- }
-
 $GLOBALS['__member_info__'][$info->member_srl] = $info;
 }