Infra-Mirrors/PrivateBin
1
0
Fork 0
mirror of https://github.com/PrivateBin/PrivateBin.git synced 2024-10-01 01:26:10 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'shorten-non-self-url'

Browse Source
This commit is contained in:
El RIDO 2024-07-09 20:33:54 +02:00
commit 0c4e810e67
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
4 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -7,6 +7,7 @@
* FIXED: Reset password input field on creation of new paste (#1194) * FIXED: Reset password input field on creation of new paste (#1194)
* FIXED: Allow database schema upgrade to skip versions (#1343) * FIXED: Allow database schema upgrade to skip versions (#1343)
* FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340) * FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340)
* FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs
## 1.7.3 (2024-05-13) ## 1.7.3 (2024-05-13)
* CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community * CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community

2
lib/YourlsProxy.php
View File

@ -47,7 +47,7 @@ class YourlsProxy
*/ */
public function __construct(Configuration $conf, $link) public function __construct(Configuration $conf, $link)
{ {
if (strpos($link, $conf->getKey('basepath') . '?') === false) { if (strpos($link, $conf->getKey('basepath') . '?') !== 0) {
$this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.'; $this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
return; return;
} }

3
tst/JsonApiTest.php
View File

@ -325,6 +325,9 @@ class JsonApiTest extends TestCase
*/ */
public function testShortenViaYourlsFailure() public function testShortenViaYourlsFailure()
{ {
$options = parse_ini_file(CONF, true);
$options['main']['basepath'] = 'https://example.com/path'; // missing slash gets added by Configuration constructor
Helper::createIniFile(CONF, $options);
$_SERVER['REQUEST_URI'] = '/path/shortenviayourls?link=https%3A%2F%2Fexample.com%2Fpath%2F%3Ffoo%23bar'; $_SERVER['REQUEST_URI'] = '/path/shortenviayourls?link=https%3A%2F%2Fexample.com%2Fpath%2F%3Ffoo%23bar';
$_GET['link'] = 'https://example.com/path/?foo#bar'; $_GET['link'] = 'https://example.com/path/?foo#bar';
ob_start(); ob_start();

7
tst/YourlsProxyTest.php
View File

@ -54,6 +54,13 @@ class YourlsProxyTest extends TestCase
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.'); $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
} }
public function testSneakyForeignUrl()
{
$yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?q=https://example.com/?foo#bar');
$this->assertTrue($yourls->isError());
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
}
public function testYourlsError() public function testYourlsError()
{ {
// when statusCode is not 200, shorturl may not have been set // when statusCode is not 200, shorturl may not have been set