From 2aeec4ced8a64b240f971f22c36632414f82ac13 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed, 6 Mar 2024 23:22:30 +0000
Subject: [PATCH] importer: Check imported Geofeed override URLs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/scripts/location-importer.in | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/scripts/location-importer.in b/src/scripts/location-importer.in
index 55a293b..63d682d 100644
--- a/src/scripts/location-importer.in
+++ b/src/scripts/location-importer.in
@@ -1917,7 +1917,21 @@ class CLI(object):
 						elif type == "geofeed":
 							url = block.get("geofeed")
 
-							# XXX Check the URL
+							# Parse the URL
+							try:
+								url = urllib.parse.urlparse(url)
+							except ValueError as e:
+								log.warning("Skipping invalid URL %s: %s" % (url, e))
+								continue
+
+							# Make sure that this is a HTTPS URL
+							if not url.scheme == "https":
+								log.warning("Skipping Geofeed URL that is not using HTTPS: %s" \
+									% url.geturl())
+								continue
+
+							# Normalize the URL and convert it back
+							url = url.geturl()
 
 							self.db.execute("""
 								INSERT INTO
-- 
2.39.5