Restrict certificate loading to HTTP and HTTPS urls (#34)

* Update Certificate.php * Fix mistake in fetchParentCertificate * Fix StyleCI issues * Fix StyleCI issues * Refactor fetchParentCertificate scheme check and add comment
spatie · Jul 29, 2020 · 66fbd0e · 66fbd0e
1 parent 1240470
commit 66fbd0e
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/src/Certificate.php b/src/Certificate.php
@@ -4,8 +4,8 @@
 
 use phpseclib\File\ASN1;
 use phpseclib\File\X509;
-use Spatie\CertificateChain\Exceptions\CouldNotLoadCertificate;
 use Spatie\CertificateChain\Exceptions\CouldNotCreateCertificate;
+use Spatie\CertificateChain\Exceptions\CouldNotLoadCertificate;
 
 class Certificate
 {
@@ -81,7 +81,16 @@ public function getParentCertificateUrl(): string
 
     public function fetchParentCertificate(): self
     {
-        return static::loadFromUrl($this->getParentCertificateUrl());
+        $url = $this->getParentCertificateUrl();
+
+        // Only allow for parent certificates to be read from HTTP and HTTPS URLs to 
+        // prevent local file inclusion vulnerabilities
+        $scheme = parse_url($url, PHP_URL_SCHEME);
+        if (! in_array($scheme, ['http', 'https'])) {
+            throw CouldNotLoadCertificate::invalidCertificateUrl($url);
+        }
+
+        return static::loadFromUrl($url);
     }
 
     public function hasParentInTrustChain(): bool