yetangitu/PrivateBin
1
0
Fork 0
mirror of https://github.com/PrivateBin/PrivateBin.git synced 2025-10-03 01:39:15 +02:00
Code Issues Projects Releases Packages Wiki Activity

Strengthen validation of URL in proxy services

Browse source 
This should definitively rule out any circumstances, where invalid URLs could cause problems.

Both URL validity is checked before it is forwarded to the URL shortener proxy _and_ the host part is explicitly compared to make sure the domain is really the same one.

TOOD:
* [ ] some tests may be needed here (hmpff…)
This commit is contained in:
rugk 2025-09-02 22:40:22 +02:00 committed by GitHub
parent a72545c994
commit 2c1a17a07f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
lib/Proxy/AbstractProxy.php
View file

@ -49,7 +49,14 @@ abstract class AbstractProxy
*/ */
public function __construct(Configuration $conf, string $link) public function __construct(Configuration $conf, string $link)
{ {
if (!str_starts_with($link, $conf->getKey('basepath') . '?')) { if (!filter_var($link, FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED & FILTER_FLAG_QUERY_REQUIRED)) {
$this->_error = 'Invalid URL given.';
return;
}
if (!str_starts_with($link, $conf->getKey('basepath') . '?') ||
parse_url($link, PHP_URL_HOST) != parse_url($conf->getKey('basepath'), PHP_URL_HOST)
) {
$this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.'; $this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
return; return;
} }