fix: Fix a bug with URL check for avatars (#3002)

gchtr · web-flow · commit 456c24e7a438 · 2024-05-15T14:45:58.000+02:00
Fixes a bug introduced in #2947
diff --git a/src/Comment.php b/src/Comment.php
@@ -588,6 +588,7 @@ protected function avatar_default($default, $email, $size, $host)
                 $default = $avatar_default;
             }
         }
+
         if ('mystery' == $default) {
             $default = $host . '/avatar/ad516503a11cd5ca435acc9bb6523536?s=' . $size;
             // ad516503a11cd5ca435acc9bb6523536 == md5('unknown@gravatar.com')
@@ -597,7 +598,7 @@ protected function avatar_default($default, $email, $size, $host)
             $default = '';
         } elseif ('gravatar_default' == $default) {
             $default = $host . '/avatar/?s=' . $size;
-        } elseif (empty($email) && !\strstr($default, 'https://')) {
+        } elseif (empty($email) && !\preg_match('/^https?:\/\//', $default)) {
             $default = $host . '/avatar/?d=' . $default . '&amp;s=' . $size;
         }
         return $default;
diff --git a/tests/test-timber-comment-avatar.php b/tests/test-timber-comment-avatar.php
@@ -124,7 +124,7 @@ public function testAvatarSimple()
         # pass custom url on different domain. can't check by crawling as
         # i get a 302 regardless of default url
         # so just check it comes back with it in the url
-        $this->valid_avatar($comment, "https://upload.wikimedia.org/wikipedia/en/b/bc/Wiki.png");
+        $this->valid_avatar($comment, 'https://upload.wikimedia.org/wikipedia/en/b/bc/Wiki.png');
 
         # same domain.
         $this->valid_avatar($comment, $theme_url . "/images/default.png");
@@ -148,8 +148,9 @@ public function valid_avatar($comment, $default_url)
             # you get back the default in the avatar url?
             $this->assertEquals($params, "d=$default_url&amp;s=32");
         }
-        # you get back url?
-        $this->assertTrue(substr($avatar, 0, 6) == "https:");
+
+        // Check if we get back an URL (either http:// or https:).
+        $this->assertMatchesRegularExpression("/^https?:.*/", $avatar);
     }
 
     public function crawl($url)

Original file line number	Diff line number	Diff line change
`@@ -588,6 +588,7 @@ protected function avatar_default($default, $email, $size, $host)`
`588`	`588`	`$default = $avatar_default;`
`589`	`589`	`}`
`590`	`590`	`}`
	`591`	`+`
`591`	`592`	`if ('mystery' == $default) {`
`592`	`593`	`$default = $host . '/avatar/ad516503a11cd5ca435acc9bb6523536?s=' . $size;`
`593`	`594`	`// ad516503a11cd5ca435acc9bb6523536 == md5('[email protected]')`
`@@ -597,7 +598,7 @@ protected function avatar_default($default, $email, $size, $host)`
`597`	`598`	`$default = '';`
`598`	`599`	`} elseif ('gravatar_default' == $default) {`
`599`	`600`	`$default = $host . '/avatar/?s=' . $size;`
`600`		`- } elseif (empty($email) && !\strstr($default, 'https://')) {`
	`601`	`+ } elseif (empty($email) && !\preg_match('/^https?:\/\//', $default)) {`
`601`	`602`	`$default = $host . '/avatar/?d=' . $default . '&s=' . $size;`
`602`	`603`	`}`
`603`	`604`	`return $default;`