From 213d6330b1e3d26467647cc95d8a4f478b1ec796 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Thu, 17 Sep 2020 07:36:47 +0300
Subject: fetch_file_contents: resolve requested hosts and check for possible
 loopback address

---
 include/functions.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/include/functions.php b/include/functions.php
index 508801fb7..4ef734218 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -243,6 +243,13 @@
 		if (!$url) return false;
 
 		$url_host = parse_url($url, PHP_URL_HOST);
+		$ip_addr = gethostbyname($url_host);
+
+		if (!$ip_addr || strpos($ip_addr, "127.0") === 0) {
+			$fetch_last_error = "URL hostname failed to resolve or resolved to loopback address ($ip_addr)";
+			return false;
+		}
+
 		$fetch_domain_hits[$url_host] += 1;
 
 		/*if ($fetch_domain_hits[$url_host] > MAX_FETCH_REQUESTS_PER_HOST) {
-- 
cgit v1.2.3