From c3d14e1fa54c7dade7b1b7955575e2991396d7ef Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Mon, 14 Sep 2020 19:46:52 +0300 Subject: - fix multiple vulnerabilities in af_proxy_http - fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized - fetch_file_contents: validate all URLs before requesting them - validate URLs: explicitly whitelist http and https scheme, forbid everything else - DiskCache/cached_url: only serve whitelisted content types (images, video) - simplify filename/URL handling code, remove and consolidate some less-used functions --- plugins/af_proxy_http/init.php | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'plugins/af_proxy_http/init.php') diff --git a/plugins/af_proxy_http/init.php b/plugins/af_proxy_http/init.php index 80100160d..936942387 100644 --- a/plugins/af_proxy_http/init.php +++ b/plugins/af_proxy_http/init.php @@ -45,8 +45,7 @@ class Af_Proxy_Http extends Plugin { } public function imgproxy() { - - $url = rewrite_relative_url(get_self_url_prefix(), $_REQUEST["url"]); + $url = validate_url(clean($_REQUEST["url"])); // called without user context, let's just redirect to original URL if (!$_SESSION["uid"]) { @@ -59,7 +58,6 @@ class Af_Proxy_Http extends Plugin { if ($this->cache->exists($local_filename)) { header("Location: " . $this->cache->getUrl($local_filename)); return; - //$this->cache->send($local_filename); } else { $data = fetch_file_contents(["url" => $url, "max_size" => MAX_CACHE_FILE_SIZE]); @@ -97,14 +95,13 @@ class Af_Proxy_Http extends Plugin { imagedestroy($img); } else { - header("Content-type: text/html"); + header("Content-type: text/plain"); http_response_code(400); - print "
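Review bot: The value returned by `validate_url()` in `imgproxy()` is used without a check. If the helper signals a rejected URL with a falsy return (its definition is not part of this diff, so this is an assumption), that value still reaches the anonymous redirect branch and the later `fetch_file_contents()` call. A guard directly after the assignment would make rejection explicit: `if (!$url) { http_response_code(400); return; }`. Judging by the context comment, the `!$_SESSION["uid"]` branch still redirects unauthenticated callers to any URL that passes validation, so that behaviour deserves either a comment stating it is intended or a restriction. The body of `imgproxy()` continues outside the hunk.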

Proxy request failed.

"; - print "

Fetch error $fetch_last_error ($fetch_last_error_code)

"; - print "

URL: $url

"; - print ""; + print "Proxy request failed.\n". + "Fetch error $fetch_last_error ($fetch_last_error_code)\n". + "Requested URL: $url"; } } } -- cgit v1.2.3
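Review bot: The error branch still reflects `$url` and the fetch error text into the response, and `text/plain` on its own does not stop every client from content-sniffing the body. Sending `header("X-Content-Type-Options: nosniff");` next to the Content-type header closes that gap. The response also reports the exact fetch error and code for whatever URL was requested, which tells the caller what the server could or could not reach. Consider writing those details to the server log and returning only the generic "Proxy request failed." line. The enclosing branch starts outside the hunk.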