From 2c711e9d3ca21230fc68f5b4dba2a7a0592b963b Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 29 Jun 2024 20:26:09 +0200
Subject: [PATCH 1/2] prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs

---
 CHANGELOG.md            | 1 +
 lib/YourlsProxy.php     | 2 +-
 tst/YourlsProxyTest.php | 7 +++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34d9485a..7ba2cb97 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 * FIXED: Reset password input field on creation of new paste (#1194)
 * FIXED: Allow database schema upgrade to skip versions (#1343)
 * FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340)
+* FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs
 
 ## 1.7.3 (2024-05-13)
 * CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community
diff --git a/lib/YourlsProxy.php b/lib/YourlsProxy.php
index f616832d..de46a12b 100644
--- a/lib/YourlsProxy.php
+++ b/lib/YourlsProxy.php
@@ -47,7 +47,7 @@ class YourlsProxy
      */
     public function __construct(Configuration $conf, $link)
     {
-        if (strpos($link, $conf->getKey('basepath') . '?') === false) {
+        if (strpos($link, $conf->getKey('basepath') . '?') !== 0) {
             $this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
             return;
         }
diff --git a/tst/YourlsProxyTest.php b/tst/YourlsProxyTest.php
index d6e9cb76..389f510d 100644
--- a/tst/YourlsProxyTest.php
+++ b/tst/YourlsProxyTest.php
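Review bot: `$link` reaches `strpos()` untyped on the changed line, so a non-string value (an array, if the controller passes `$_GET['link']` through as the JsonApiTest patch suggests and a client sends `link[]=…`) makes `strpos()` throw a TypeError on PHP 8 instead of yielding the intended "isn't pointing at our instance" error; guard it first: `if (!is_string($link) || strpos($link, $conf->getKey('basepath') . '?') !== 0) {`. The `!== 0` prefix test is the right shape — the old `=== false` substring test accepted any URL that merely embedded the basepath — but it only pins the target host while `basepath` is an absolute URL; if Configuration can leave it empty or path-only (the follow-up "basepath needs to be set" commit hints the default is not a full URL), the required prefix degenerates to `?` or `/path/?`. A comment such as `// basepath must be absolute (scheme + host); the prefix test relies on it to pin the target host` or an explicit check would make that precondition visible. The constructor body continues past the end of the hunk.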
@@ -54,6 +54,13 @@ class YourlsProxyTest extends TestCase
         $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
     }
 
+    public function testSneakyForeignUrl()
+    {
+        $yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?q=https://example.com/?foo#bar');
+        $this->assertTrue($yourls->isError());
+        $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
+    }
+
     public function testYourlsError()
     {
         // when statusCode is not 200, shorturl may not have been set

From 8e6e31db5cd7e50cfc6c1eeece8ac414fe37c30d Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sun, 30 Jun 2024 07:45:06 +0200
Subject: [PATCH 2/2] fix test, basepath needs to be set

---
 tst/JsonApiTest.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tst/JsonApiTest.php b/tst/JsonApiTest.php
index 07f33ad2..f5b69a7c 100644
--- a/tst/JsonApiTest.php
+++ b/tst/JsonApiTest.php
@@ -325,6 +325,9 @@ class JsonApiTest extends TestCase
      */
     public function testShortenViaYourlsFailure()
     {
+        $options = parse_ini_file(CONF, true);
+        $options['main']['basepath'] = 'https://example.com/path'; // missing slash gets added by Configuration constructor
+        Helper::createIniFile(CONF, $options);
         $_SERVER['REQUEST_URI'] = '/path/shortenviayourls?link=https%3A%2F%2Fexample.com%2Fpath%2F%3Ffoo%23bar';
         $_GET['link'] = 'https://example.com/path/?foo#bar';
         ob_start();
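Review bot: `testSneakyForeignUrl` pins a single bypass shape (the basepath embedded in a foreign URL's query), whereas the prefix check it exercises is most at risk from a host that merely starts with the instance's host; a second case such as `$yourls = new YourlsProxy($this->_conf, 'https://example.com.evil.net/?foo');` with the same two assertions would cover that, assuming `$this->_conf` uses `https://example.com/` as basepath (inferred from the link values in this file, not visible here). The new assertion also passes actual before expected, `assertEquals($yourls->getError(), '…')`, which mirrors the existing test above but inverts PHPUnit's `(expected, actual)` order and makes failure output read backwards; `$this->assertSame('Trying to shorten a URL that isn\'t pointing at our instance.', $yourls->getError());` is both correctly ordered and strict.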
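Review bot: The three added lines rewrite the shared `CONF` ini file with a `basepath` override and nothing in the hunk restores it, so unless this class's `tearDown()` (outside the hunk) regenerates CONF the override leaks into every test that runs afterwards; it is worth stating which, e.g. `// CONF is regenerated in tearDown(), so the override is test-local` if that holds. `parse_ini_file(CONF, true)` returns `false` on a missing or malformed file and `$options['main']['basepath'] = …` then fails on a non-array, so `$this->assertIsArray($options);` before the mutation gives a clearer failure. The trailing comment also makes the test depend on Configuration's slash normalisation; writing `'https://example.com/path/'` explicitly would decouple it, unless exercising that normalisation is the intent. The method body continues past the end of the hunk.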