mirror of
https://github.com/PrivateBin/PrivateBin.git
synced 2024-10-01 01:26:10 -04:00
prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs
This commit is contained in:
parent
0eae149474
commit
2c711e9d3c
@ -6,6 +6,7 @@
|
|||||||
* FIXED: Reset password input field on creation of new paste (#1194)
|
* FIXED: Reset password input field on creation of new paste (#1194)
|
||||||
* FIXED: Allow database schema upgrade to skip versions (#1343)
|
* FIXED: Allow database schema upgrade to skip versions (#1343)
|
||||||
* FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340)
|
* FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340)
|
||||||
|
* FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs
|
||||||
|
|
||||||
## 1.7.3 (2024-05-13)
|
## 1.7.3 (2024-05-13)
|
||||||
* CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community
|
* CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community
|
||||||
|
@ -47,7 +47,7 @@ class YourlsProxy
|
|||||||
*/
|
*/
|
||||||
public function __construct(Configuration $conf, $link)
|
public function __construct(Configuration $conf, $link)
|
||||||
{
|
{
|
||||||
if (strpos($link, $conf->getKey('basepath') . '?') === false) {
|
if (strpos($link, $conf->getKey('basepath') . '?') !== 0) {
|
||||||
$this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
|
$this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -54,6 +54,13 @@ class YourlsProxyTest extends TestCase
|
|||||||
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
|
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testSneakyForeignUrl()
|
||||||
|
{
|
||||||
|
$yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?q=https://example.com/?foo#bar');
|
||||||
|
$this->assertTrue($yourls->isError());
|
||||||
|
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
|
||||||
|
}
|
||||||
|
|
||||||
public function testYourlsError()
|
public function testYourlsError()
|
||||||
{
|
{
|
||||||
// when statusCode is not 200, shorturl may not have been set
|
// when statusCode is not 200, shorturl may not have been set
|
||||||
|
Loading…
Reference in New Issue
Block a user