importer: Check imported Geofeed override URLs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/scripts/location-importer.in b/src/scripts/location-importer.in
index 55a293bee83314135dfddc0fcd48b2cac4a0e587..63d682de08cde65bce56935a925d787e7d48f87b 100644 (file)
--- a/src/scripts/location-importer.in
+++ b/src/scripts/location-importer.in
@@ -1917,7 +1917,21 @@ class CLI(object):
                                                elif type == "geofeed":
                                                        url = block.get("geofeed")
 
-                                                       # XXX Check the URL
+                                                       # Parse the URL
+                                                       try:
+                                                               url = urllib.parse.urlparse(url)
+                                                       except ValueError as e:
+                                                               log.warning("Skipping invalid URL %s: %s" % (url, e))
+                                                               continue
+
+                                                       # Make sure that this is a HTTPS URL
+                                                       if not url.scheme == "https":
+                                                               log.warning("Skipping Geofeed URL that is not using HTTPS: %s" \
+                                                                       % url.geturl())
+                                                               continue
+
+                                                       # Normalize the URL and convert it back
+                                                       url = url.geturl()
 
                                                        self.db.execute("""
                                                                INSERT INTO