Commit Graph

7 Commits

Author SHA1 Message Date
Andrew Dolgov a817d3794d * use get_random_bytes() for CSRF token
* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
2020-09-17 08:59:18 +03:00
Andrew Dolgov 91e1542a82 af_proxy_http: require separate token to access imgproxy 2020-09-15 10:59:57 +03:00
Andrew Dolgov 79f102c25d af_proxy_http: never print received data directly, always redirect to cached_url
cache/getUrl: basename() passed filename just in case
2020-09-15 08:02:28 +03:00
Andrew Dolgov c3d14e1fa5 - fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
2020-09-14 19:46:52 +03:00
Andrew Dolgov 10c63ed582 pluginhost: add helper methods to get private/public pluginmethod endpoint URLs 2019-08-15 20:23:45 +03:00
Andrew Dolgov bdf29856fb fix several leftover mentions of old (renamed) class name, duh 2019-08-15 17:12:59 +03:00
Andrew Dolgov de5669f723 af_zz_imgproxy: rename to af_proxy_http, use priority hook loader 2019-08-15 16:27:53 +03:00