tedkulp/PrivateBin
1
0
Fork 0
mirror of https://github.com/PrivateBin/PrivateBin.git synced 2026-04-19 21:58:08 -04:00
Code Issues Packages Projects Releases Wiki Activity

Strengthen validation of URL in proxy services

Browse Source 
This should definitively rule out any circumstances, where invalid URLs could cause problems.

Both URL validity is checked before it is forwarded to the URL shortener proxy _and_ the host part is explicitly compared to make sure the domain is really the same one.

TOOD:
* [ ] some tests may be needed here (hmpff…)
This commit is contained in:
rugk
2025-09-02 22:40:22 +02:00
committed by GitHub
parent a72545c994
commit 2c1a17a07f
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/Proxy/AbstractProxy.php
+8 -1
View File
@@ -49,7 +49,14 @@ abstract class AbstractProxy
*/
public function __construct(Configuration $conf, string $link)
{
if (!str_starts_with($link, $conf->getKey('basepath') . '?')) {
if (!filter_var($link, FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED & FILTER_FLAG_QUERY_REQUIRED)) {
$this->_error = 'Invalid URL given.';
return;
}
if (!str_starts_with($link, $conf->getKey('basepath') . '?') ||
parse_url($link, PHP_URL_HOST) != parse_url($conf->getKey('basepath'), PHP_URL_HOST)
) {
$this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
return;
}