public/tt-rss
1
0
Fork 0
mirror of https://git.tt-rss.org/git/tt-rss.git synced 2025-12-13 10:05:56 +00:00
Code Issues Releases Wiki Activity

- fix multiple vulnerabilities in af_proxy_http

Browse Source 
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
This commit is contained in:
Andrew Dolgov
2020-09-14 19:46:52 +03:00
parent 5b17fdc362
commit c3d14e1fa5
9 changed files with 72 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
plugins/af_proxy_http/init.php
View File

@@ -45,8 +45,7 @@ class Af_Proxy_Http extends Plugin {
}
public function imgproxy() {
$url = rewrite_relative_url(get_self_url_prefix(), $_REQUEST["url"]);
$url = validate_url(clean($_REQUEST["url"]));
// called without user context, let's just redirect to original URL
if (!$_SESSION["uid"]) {
@@ -59,7 +58,6 @@ class Af_Proxy_Http extends Plugin {
if ($this->cache->exists($local_filename)) {
header("Location: " . $this->cache->getUrl($local_filename));
return;
//$this->cache->send($local_filename);
} else {
$data = fetch_file_contents(["url" => $url, "max_size" => MAX_CACHE_FILE_SIZE]);
@@ -97,14 +95,13 @@ class Af_Proxy_Http extends Plugin {
imagedestroy($img);
} else {
header("Content-type: text/html");
header("Content-type: text/plain");
http_response_code(400);
print "<h1>Proxy request failed.</h1>";
print "<p>Fetch error $fetch_last_error ($fetch_last_error_code)</p>";
print "<p>URL: $url</p>";
print "<textarea cols='80' rows='25'>" . htmlspecialchars($fetch_last_error_content) . "</textarea>";
print "Proxy request failed.\n".
"Fetch error $fetch_last_error ($fetch_last_error_code)\n".
"Requested URL: $url";
}
}
}