diff options
author | Andrew Dolgov <[email protected]> | 2020-09-14 19:46:52 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2020-09-14 19:46:52 +0300 |
commit | c3d14e1fa54c7dade7b1b7955575e2991396d7ef (patch) | |
tree | adf8415ace77f14bf8042cb518d0c78fecc5baef /plugins/af_proxy_http/init.php | |
parent | 5b17fdc36281dd11e4ba0830f368a29aaba134da (diff) |
- fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
Diffstat (limited to 'plugins/af_proxy_http/init.php')
-rw-r--r-- | plugins/af_proxy_http/init.php | 13 |
1 files changed, 5 insertions, 8 deletions
diff --git a/plugins/af_proxy_http/init.php b/plugins/af_proxy_http/init.php index 80100160d..936942387 100644 --- a/plugins/af_proxy_http/init.php +++ b/plugins/af_proxy_http/init.php @@ -45,8 +45,7 @@ class Af_Proxy_Http extends Plugin { } public function imgproxy() { - - $url = rewrite_relative_url(get_self_url_prefix(), $_REQUEST["url"]); + $url = validate_url(clean($_REQUEST["url"])); // called without user context, let's just redirect to original URL if (!$_SESSION["uid"]) { @@ -59,7 +58,6 @@ class Af_Proxy_Http extends Plugin { if ($this->cache->exists($local_filename)) { header("Location: " . $this->cache->getUrl($local_filename)); return; - //$this->cache->send($local_filename); } else { $data = fetch_file_contents(["url" => $url, "max_size" => MAX_CACHE_FILE_SIZE]); @@ -97,14 +95,13 @@ class Af_Proxy_Http extends Plugin { imagedestroy($img); } else { - header("Content-type: text/html"); + header("Content-type: text/plain"); http_response_code(400); - print "<h1>Proxy request failed.</h1>"; - print "<p>Fetch error $fetch_last_error ($fetch_last_error_code)</p>"; - print "<p>URL: $url</p>"; - print "<textarea cols='80' rows='25'>" . htmlspecialchars($fetch_last_error_content) . "</textarea>"; + print "Proxy request failed.\n". + "Fetch error $fetch_last_error ($fetch_last_error_code)\n". + "Requested URL: $url"; } } } |