authorAndrew Dolgov <[email protected]>2021-02-17 16:27:52 +0300
committerAndrew Dolgov <[email protected]>2021-02-17 16:27:52 +0300
commit35b6d63289dcce3be27127aec607c970b050a986 (patch)
tree9e49198d3d0fa6b2292d0df5eeb12b517e943990 /plugins
parent6ecee2abbd96eac2b0efab259c184644b71d1449 (diff)
af_proxy_http: don't try to proxy back to ourselves
Diffstat (limited to 'plugins')
-rw-r--r--plugins/af_proxy_http/init.php15
1 files changed, 13 insertions, 2 deletions
diff --git a/plugins/af_proxy_http/init.php b/plugins/af_proxy_http/init.php
index 79d2f5294..5804e450f 100644
--- a/plugins/af_proxy_http/init.php
+++ b/plugins/af_proxy_http/init.php
@@ -50,8 +50,14 @@ class Af_Proxy_Http extends Plugin {
public function imgproxy() {
$url = UrlHelper::validate(clean($_REQUEST["url"]));
- // called without user context, let's just redirect to original URL
- if (!$_SESSION["uid"] || $_REQUEST['af_proxy_http_token'] != $_SESSION['af_proxy_http_token']) {
+ // immediately redirect to original URL if:
+ // - url points back to ourselves
+ // - called without user context
+ // - session-spefific token is invalid
+ if (
+ strpos($url, get_self_url_prefix()) === 0 ||
+ empty($_SESSION["uid"]) ||
+ $_REQUEST['af_proxy_http_token'] != $_SESSION['af_proxy_http_token']) {
header("Location: $url");
return;
}
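Review bot: The token test on the last line of the new condition still uses loose `!=`, which compares numeric-looking strings by value rather than byte for byte, is not constant-time, and treats two unset values as equal if the session has no token yet. I would write that clause as `empty($_SESSION['af_proxy_http_token']) || !hash_equals($_SESSION['af_proxy_http_token'], (string)($_REQUEST['af_proxy_http_token'] ?? ''))`. The redirect branch also sends whatever `UrlHelper::validate()` returned straight into `header("Location: $url")`, so it is worth confirming what that value is for a rejected URL and returning an error instead of redirecting in that case. The comment has a typo, `session-spefific` should read `session-specific`. imgproxy() continues past the end of this hunk.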
@@ -104,6 +110,11 @@ class Af_Proxy_Http extends Plugin {
}
private function rewrite_url_if_needed($url, $all_remote = false) {
+ /* don't rewrite urls pointing to ourselves */
+
+ if (strpos($url, get_self_url_prefix()) === 0)
+ return $url;
+
/* we don't need to handle URLs where local cache already exists, tt-rss rewrites those automatically */
if (!$this->cache->exists(sha1($url))) {
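Review bot: The early return in rewrite_url_if_needed() decides "points to ourselves" with a raw `strpos($url, get_self_url_prefix()) === 0`, which is a case-sensitive string prefix test with no boundary after the prefix. A URL whose host merely begins with the same characters is treated as local and returned unrewritten, while the same instance written with different host casing is not recognised. The identical test guards imgproxy() in the first hunk, so a single private helper that compares parsed host and path would keep the two call sites consistent. The sketch below treats an explicit default port as a different origin, which may need adjusting, and the function body continues outside the hunk.

```php
private function is_self_url($url) {
	$self = parse_url(get_self_url_prefix());
	$target = parse_url($url);

	if (empty($self['host']) || empty($target['host']))
		return false;

	// compare on a path-segment boundary so "/tt-rss" does not match "/tt-rss-other"
	$self_path = rtrim($self['path'] ?? '', '/') . '/';
	$target_path = rtrim($target['path'] ?? '', '/') . '/';

	return strcasecmp($self['host'], $target['host']) === 0 &&
		($self['port'] ?? null) === ($target['port'] ?? null) &&
		strpos($target_path, $self_path) === 0;
}

private function rewrite_url_if_needed($url, $all_remote = false) {
	/* don't rewrite urls pointing to ourselves */
	if ($this->is_self_url($url))
		return $url;
	// … unchanged: local cache check and rewriting …
```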