valvin
/
ttrss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

validate_url: only allow safe ports (80, 443), disallow access to loopback

This commit is contained in:
Andrew Dolgov 2020-09-15 10:39:09 +03:00
parent 6c02fea641
commit aa89ea7769
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
include/functions.php
View File

@ -1941,9 +1941,15 @@
if (!$tokens['host']) if (!$tokens['host'])
return false; return false;
if (!in_array($tokens['port'], [80, 443, '']))
return false;
if (!in_array($tokens['scheme'], ['http', 'https'])) if (!in_array($tokens['scheme'], ['http', 'https']))
return false; return false;
if ($tokens['host'] == 'localhost' || $tokens['host'] == '::1' || strpos($tokens['host'], '127.') === 0)
return false;
//convert IDNA hostname to punycode if possible //convert IDNA hostname to punycode if possible
if (function_exists("idn_to_ascii")) { if (function_exists("idn_to_ascii")) {
if (mb_detect_encoding($tokens['host']) != 'ASCII') { if (mb_detect_encoding($tokens['host']) != 'ASCII') {
@ -1952,8 +1958,5 @@
} }
} }
/* if ($tokens['host'] == 'localhost' || $tokens['host'] == '127.0.0.1')
return false; */
return $url; return $url;
} }