mirror of
https://git.tt-rss.org/git/tt-rss.git
synced 2025-12-13 19:15:56 +00:00
- fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized - fetch_file_contents: validate all URLs before requesting them - validate URLs: explicitly whitelist http and https scheme, forbid everything else - DiskCache/cached_url: only serve whitelisted content types (images, video) - simplify filename/URL handling code, remove and consolidate some less-used functions
This commit is contained in:
Andrew Dolgov
@@ -88,7 +88,7 @@ class Backend extends Handler {
|
||||
}
|
||||
|
||||
function help() {
|
||||
$topic = clean_filename($_REQUEST["topic"]); // only one for now
|
||||
$topic = basename(clean($_REQUEST["topic"])); // only one for now
|
||||
|
||||
if ($topic == "main") {
|
||||
$info = get_hotkeys_info();
|
||||
|
||||
@@ -191,7 +191,7 @@ class DiskCache {
|
||||
];
|
||||
|
||||
public function __construct($dir) {
|
||||
$this->dir = CACHE_DIR . "/" . clean_filename($dir);
|
||||
$this->dir = CACHE_DIR . "/" . basename(clean($dir));
|
||||
}
|
||||
|
||||
public function getDir() {
|
||||
@@ -227,9 +227,7 @@ class DiskCache {
|
||||
}
|
||||
|
||||
public function getFullPath($filename) {
|
||||
$filename = clean_filename($filename);
|
||||
|
||||
return $this->dir . "/" . $filename;
|
||||
return $this->dir . "/" . basename(clean($filename));
|
||||
}
|
||||
|
||||
public function put($filename, $data) {
|
||||
|
||||
@@ -1124,9 +1124,9 @@ class Feeds extends Handler_Protected {
|
||||
|
||||
$pdo = Db::pdo();
|
||||
|
||||
$url = Feeds::fix_url($url);
|
||||
$url = validate_url($url);
|
||||
|
||||
if (!$url || !Feeds::validate_feed_url($url)) return array("code" => 2);
|
||||
if (!$url) return array("code" => 2);
|
||||
|
||||
$contents = @fetch_file_contents($url, false, $auth_login, $auth_pass);
|
||||
|
||||
@@ -1924,7 +1924,7 @@ class Feeds extends Handler_Protected {
|
||||
}
|
||||
|
||||
static function get_feeds_from_html($url, $content) {
|
||||
$url = Feeds::fix_url($url);
|
||||
$url = validate_url($url);
|
||||
$baseUrl = substr($url, 0, strrpos($url, '/') + 1);
|
||||
|
||||
$feedUrls = [];
|
||||
@@ -1955,56 +1955,6 @@ class Feeds extends Handler_Protected {
|
||||
return preg_match("/<html|DOCTYPE html/i", substr($content, 0, 8192)) !== 0;
|
||||
}
|
||||
|
||||
static function validate_feed_url($url) {
|
||||
$parts = parse_url($url);
|
||||
|
||||
return ($parts['scheme'] == 'http' || $parts['scheme'] == 'feed' || $parts['scheme'] == 'https');
|
||||
}
|
||||
|
||||
/**
|
||||
* Fixes incomplete URLs by prepending "http://".
|
||||
* Also replaces feed:// with http://, and
|
||||
* prepends a trailing slash if the url is a domain name only.
|
||||
*
|
||||
* @param string $url Possibly incomplete URL
|
||||
*
|
||||
* @return string Fixed URL.
|
||||
*/
|
||||
static function fix_url($url) {
|
||||
|
||||
// support schema-less urls
|
||||
if (strpos($url, '//') === 0) {
|
||||
$url = 'https:' . $url;
|
||||
}
|
||||
|
||||
if (strpos($url, '://') === false) {
|
||||
$url = 'http://' . $url;
|
||||
} else if (substr($url, 0, 5) == 'feed:') {
|
||||
$url = 'http:' . substr($url, 5);
|
||||
}
|
||||
|
||||
//prepend slash if the URL has no slash in it
|
||||
// "http://www.example" -> "http://www.example/"
|
||||
if (strpos($url, '/', strpos($url, ':') + 3) === false) {
|
||||
$url .= '/';
|
||||
}
|
||||
|
||||
//convert IDNA hostname to punycode if possible
|
||||
if (function_exists("idn_to_ascii")) {
|
||||
$parts = parse_url($url);
|
||||
if (mb_detect_encoding($parts['host']) != 'ASCII')
|
||||
{
|
||||
$parts['host'] = idn_to_ascii($parts['host']);
|
||||
$url = build_url($parts);
|
||||
}
|
||||
}
|
||||
|
||||
if ($url != "http:///")
|
||||
return $url;
|
||||
else
|
||||
return '';
|
||||
}
|
||||
|
||||
static function add_feed_category($feed_cat, $parent_cat_id = false, $order_id = 0) {
|
||||
|
||||
if (!$feed_cat) return false;
|
||||
|
||||
@@ -1234,7 +1234,7 @@ class Handler_Public extends Handler {
|
||||
public function pluginhandler() {
|
||||
$host = new PluginHost();
|
||||
|
||||
$plugin_name = clean_filename($_REQUEST["plugin"]);
|
||||
$plugin_name = basename(clean($_REQUEST["plugin"]));
|
||||
$method = clean($_REQUEST["pmethod"]);
|
||||
|
||||
$host->load($plugin_name, PluginHost::KIND_USER, 0);
|
||||
|
||||
@@ -193,7 +193,7 @@ class PluginHost {
|
||||
|
||||
foreach ($plugins as $class) {
|
||||
$class = trim($class);
|
||||
$class_file = strtolower(clean_filename($class));
|
||||
$class_file = strtolower(basename(clean($class)));
|
||||
|
||||
if (!is_dir(__DIR__."/../plugins/$class_file") &&
|
||||
!is_dir(__DIR__."/../plugins.local/$class_file")) continue;
|
||||
|
||||
@@ -1701,7 +1701,7 @@ class Pref_Feeds extends Handler_Protected {
|
||||
foreach ($feeds as $feed) {
|
||||
$feed = trim($feed);
|
||||
|
||||
if (Feeds::validate_feed_url($feed)) {
|
||||
if (validate_url($feed)) {
|
||||
|
||||
$this->pdo->beginTransaction();
|
||||
|
||||
|
||||
@@ -572,7 +572,7 @@ class RPC extends Handler_Protected {
|
||||
|
||||
function log() {
|
||||
$msg = clean($_REQUEST['msg']);
|
||||
$file = clean_filename($_REQUEST['file']);
|
||||
$file = basename(clean($_REQUEST['file']));
|
||||
$line = (int) clean($_REQUEST['line']);
|
||||
$context = clean($_REQUEST['context']);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user