From 01f611226164f4a5ab33da24396c755c60bf785b Mon Sep 17 00:00:00 2001
From: josdejong
Date: Wed, 31 Jul 2013 21:42:09 +0200
Subject: [PATCH] Fixed a security error in the server side file retriever script of the web app.
---
 HISTORY.md | 2 ++
 app/web/fileretriever.php | 17 +++++++++++------
 bower.json | 2 +-
 package.json | 2 +-
 4 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/HISTORY.md b/HISTORY.md
index 0832eb2ff..5525b150a 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -7,6 +7,8 @@ http://jsoneditoronline.org
 - Fixed non working option `indentation`.
 - Fixed css not being loaded with AMD in case of multiple scripts.
+- Fixed a security error in the server side file retriever script of
+ the web application.
 ## 2013-05-27, version 2.2.1
diff --git a/app/web/fileretriever.php b/app/web/fileretriever.php
index 09e078523..f3664e6dd 100644
--- a/app/web/fileretriever.php
+++ b/app/web/fileretriever.php
@@ -51,14 +51,19 @@ function getFilename($id) {
 'header' => "Accept: application/json\r\n"
 )
 ));
- $body = file_get_contents($url, false, $context);
- if ($body != false) {
- header("Content-Disposition: attachment; filename=\"$filename\"");
- header('Content-type: application/json');
- echo $body;
+ if (preg_match('/^https?:\/\//', $url)) { // only allow to fetch http:// and https:// urls
+ $body = file_get_contents($url, false, $context);
+ if ($body != false) {
+ header("Content-Disposition: attachment; filename=\"$filename\"");
+ header('Content-type: application/json');
+ echo $body;
+ }
+ else {
+ header('HTTP/1.1 404 Not Found');
+ }
 }
 else {
- header('HTTP/1.1 404 Not Found');
+ header('HTTP/1.1 403 Forbidden');
 }
 }
 else if (isset($_GET['id'])) {
diff --git a/bower.json b/bower.json
index 805e9f1cb..6ddcf923a 100644
--- a/bower.json
+++ b/bower.json
@@ -1,6 +1,6 @@
 {
 "name": "jsoneditor",
- "version": "2.3.0-SNAPSHOT",
+ "version": "2.2.2-SNAPSHOT",
 "description": "A web-based tool to view, edit and format JSON",
 "tags": [
 "json",
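Review bot: The `if ($body != false)` carried into the new scheme-guarded branch of fileretriever.php uses a loose comparison, so a successfully fetched body of `""` or `"0"` is reported as `HTTP/1.1 404 Not Found`; compare with `if ($body !== false) {` instead. The `preg_match('/^https?:\/\//', $url)` guard only constrains the scheme, so the script will still fetch whatever host an http(s) URL names, including loopback or internal addresses reachable from the server — if that is not intended, resolve the host and reject non-public ranges (or keep an allowlist), and add `'follow_location' => 0` to the stream context so a redirect cannot change the target after the check has passed. The `Content-Disposition` header also interpolates `$filename` unescaped; if it derives from the request, strip `"` and control characters before building the header. The surrounding `if`/`else if` chain starts before this hunk, so where `$url` and `$filename` are read is not visible here.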
diff --git a/package.json b/package.json
index 0b67cd56a..78879a9af 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "jsoneditor",
- "version": "2.3.0-SNAPSHOT",
+ "version": "2.2.2-SNAPSHOT",
 "description": "A web-based tool to view, edit and format JSON",
 "tags": [
 "json",