From aa89ea77690b954a6739ee4ec5227c4d369202d3 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Tue, 15 Sep 2020 10:39:09 +0300
Subject: [PATCH] validate_url: only allow safe ports (80, 443), disallow access to loopback
---
 include/functions.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/include/functions.php b/include/functions.php
index 63b717701..19eac41ae 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -1941,9 +1941,15 @@
 if (!$tokens['host']) return false;
+ if (!in_array($tokens['port'], [80, 443, '']))
+ return false;
+
 if (!in_array($tokens['scheme'], ['http', 'https'])) return false;
+ if ($tokens['host'] == 'localhost' || $tokens['host'] == '::1' || strpos($tokens['host'], '127.') === 0)
+ return false;
+
 //convert IDNA hostname to punycode if possible
 if (function_exists("idn_to_ascii")) {
 if (mb_detect_encoding($tokens['host']) != 'ASCII') {
@@ -1952,8 +1958,5 @@
 }
 }
- /* if ($tokens['host'] == 'localhost' || $tokens['host'] == '127.0.0.1')
- return false; */
-
 return $url;
 }
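Review bot: The loopback check added in the first hunk compares `$tokens['host']` against literal strings, but parse_url() returns an IPv6 host with its brackets (`[::1]`), so the `'::1'` branch can never match, and a loopback, link-local or private address in any other form — including a hostname that resolves to one — still passes. The port check is also fragile: it reads `$tokens['port']` even when parse_url() set no such key (a notice, then a loose `null == ''` match), so `$port = $tokens['port'] ?? null;` with a strict `in_array($port, [80, 443], true)` is the cleaner form. A more robust guard resolves the host (after the IDNA conversion further down, so non-ASCII names are not rejected by accident) and refuses anything filter_var() flags with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE`; even then a validation-time lookup cannot bind the address used at fetch time, so the same check belongs at the point where the connection is made. The enclosing validate_url() starts and ends outside the hunk.
```php
$port = $tokens['port'] ?? null;
if ($port !== null && !in_array((int) $port, [80, 443], true))
    return false;

// … unchanged: scheme check, IDNA-to-punycode conversion …

// Reject loopback, link-local and private destinations, whether given as an
// address literal or reached through DNS (gethostbyname() resolves A records only).
$host = trim($tokens['host'], '[]');
$resolved = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : gethostbyname($host);
if (filter_var($resolved, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false)
    return false;
```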