prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs

This commit is contained in:
El RIDO 2024-06-29 20:26:09 +02:00
parent 0eae149474
commit 2c711e9d3c
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
3 changed files with 9 additions and 1 deletions

View File

@ -6,6 +6,7 @@
* FIXED: Reset password input field on creation of new paste (#1194) * FIXED: Reset password input field on creation of new paste (#1194)
* FIXED: Allow database schema upgrade to skip versions (#1343) * FIXED: Allow database schema upgrade to skip versions (#1343)
* FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340) * FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340)
* FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs
## 1.7.3 (2024-05-13) ## 1.7.3 (2024-05-13)
* CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community * CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community

View File

@ -47,7 +47,7 @@ class YourlsProxy
*/ */
public function __construct(Configuration $conf, $link) public function __construct(Configuration $conf, $link)
{ {
if (strpos($link, $conf->getKey('basepath') . '?') === false) { if (strpos($link, $conf->getKey('basepath') . '?') !== 0) {
$this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.'; $this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
return; return;
} }

View File

@ -54,6 +54,13 @@ class YourlsProxyTest extends TestCase
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.'); $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
} }
public function testSneakyForeignUrl()
{
$yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?q=https://example.com/?foo#bar');
$this->assertTrue($yourls->isError());
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
}
public function testYourlsError() public function testYourlsError()
{ {
// when statusCode is not 200, shorturl may not have been set // when statusCode is not 200, shorturl may not have been set