From 2c1a17a07f9a6452c8926eb84e4ac07c8100b015 Mon Sep 17 00:00:00 2001
From: rugk
Date: Tue, 2 Sep 2025 22:40:22 +0200
Subject: [PATCH] Strengthen validation of URL in proxy services
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This should definitively rule out any circumstances, where invalid URLs could cause problems. Both URL validity is checked before it is forwarded to the URL shortener proxy _and_ the host part is explicitly compared to make sure the domain is really the same one. TOOD: * [ ] some tests may be needed here (hmpff…)
---
 lib/Proxy/AbstractProxy.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/Proxy/AbstractProxy.php b/lib/Proxy/AbstractProxy.php
index 77e918ff..bcf0a188 100644
--- a/lib/Proxy/AbstractProxy.php
+++ b/lib/Proxy/AbstractProxy.php
@@ -49,7 +49,14 @@ abstract class AbstractProxy
 */
 public function __construct(Configuration $conf, string $link)
 {
- if (!str_starts_with($link, $conf->getKey('basepath') . '?')) {
+ if (!filter_var($link, FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED & FILTER_FLAG_QUERY_REQUIRED)) {
+ $this->_error = 'Invalid URL given.';
+ return;
+ }
+
+ if (!str_starts_with($link, $conf->getKey('basepath') . '?') ||
+ parse_url($link, PHP_URL_HOST) != parse_url($conf->getKey('basepath'), PHP_URL_HOST)
+ ) {
 $this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
 return;
 }
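Review bot: The added `filter_var()` call combines its two flags with `&`, and because `FILTER_FLAG_PATH_REQUIRED` and `FILTER_FLAG_QUERY_REQUIRED` are distinct bits the result is 0, so neither a path nor a query is actually enforced; they should be OR-ed, `FILTER_FLAG_PATH_REQUIRED | FILTER_FLAG_QUERY_REQUIRED`. The prefix check that follows still demands `basepath . '?'`, so the practical effect looks limited, but the validation is weaker than the line reads. The host comparison uses loose `!=` on `parse_url()` results, which can be `null` or `false`; `!==` keeps type juggling out of a security check, e.g. `parse_url($link, PHP_URL_HOST) !== parse_url($conf->getKey('basepath'), PHP_URL_HOST)`. A short comment above the host check saying it guards against parser disagreement between the prefix match and the downstream shortener would explain why both checks exist. The constructor body continues outside the hunk.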