From de4d5f38881d1a3e5ffb7130bf878cb4d9e31003 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 19 Apr 2021 15:07:07 +0200
Subject: [PATCH] Check file name end with .xml
---
 htdocs/api/class/api_setup.class.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/htdocs/api/class/api_setup.class.php b/htdocs/api/class/api_setup.class.php
index 75a37d81769..81927f65bae 100644
--- a/htdocs/api/class/api_setup.class.php
+++ b/htdocs/api/class/api_setup.class.php
@@ -1661,10 +1661,14 @@ class Setup extends DolibarrApi
 if (empty($xmlremote)) {
 $xmlremote = 'https://www.dolibarr.org/files/stable/signatures/filelist-'.DOL_VERSION.'.xml';
 }
- if ($xmlremote && !preg_match('/^https?:\/\//', $xmlremote)) {
+ if ($xmlremote && !preg_match('/^https?:\/\//i', $xmlremote)) {
 $langs->load("errors");
 throw new RestException(500, $langs->trans("ErrorURLMustStartWithHttp", $xmlremote));
 }
+ if ($xmlremote && !preg_match('/\.xml$/', $xmlremote)) {
+ $langs->load("errors");
+ throw new RestException(500, $langs->trans("ErrorURLMustEndWith", '.xml'));
+ }
 if ($target == 'local') {
 if (dol_is_file($xmlfile)) {
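Review bot: The added suffix test runs `/\.xml$/` against the whole URL string rather than its path, so a URL whose query string or fragment ends in `.xml` still passes, and `$` also accepts a trailing newline. If the intent is to limit what the server will request (the fetch itself is outside this hunk, so that is inferred), match the parsed path with an end-of-subject anchor: `$path = (string) parse_url($xmlremote, PHP_URL_PATH);` followed by `if ($xmlremote && !preg_match('/\.xml\z/', $path)) {`. Neither the scheme check nor the suffix check constrains the destination host, so bounding where the request can go would still need a host allow-list or a rejection of loopback and private addresses after resolution. Both validation failures are caller input errors and would be better reported as 400 than 500. The enclosing method starts and ends outside the hunk.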