- fix multiple vulnerabilities in af_proxy_http

- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
master
Andrew Dolgov 4 years ago
parent 5b17fdc362
commit c3d14e1fa5

@ -88,7 +88,7 @@ class Backend extends Handler {
} }
function help() { function help() {
$topic = clean_filename($_REQUEST["topic"]); // only one for now $topic = basename(clean($_REQUEST["topic"])); // only one for now
if ($topic == "main") { if ($topic == "main") {
$info = get_hotkeys_info(); $info = get_hotkeys_info();

@ -191,7 +191,7 @@ class DiskCache {
]; ];
public function __construct($dir) { public function __construct($dir) {
$this->dir = CACHE_DIR . "/" . clean_filename($dir); $this->dir = CACHE_DIR . "/" . basename(clean($dir));
} }
public function getDir() { public function getDir() {
@ -227,9 +227,7 @@ class DiskCache {
} }
public function getFullPath($filename) { public function getFullPath($filename) {
$filename = clean_filename($filename); return $this->dir . "/" . basename(clean($filename));
return $this->dir . "/" . $filename;
} }
public function put($filename, $data) { public function put($filename, $data) {

@ -1124,9 +1124,9 @@ class Feeds extends Handler_Protected {
$pdo = Db::pdo(); $pdo = Db::pdo();
$url = Feeds::fix_url($url); $url = validate_url($url);
if (!$url || !Feeds::validate_feed_url($url)) return array("code" => 2); if (!$url) return array("code" => 2);
$contents = @fetch_file_contents($url, false, $auth_login, $auth_pass); $contents = @fetch_file_contents($url, false, $auth_login, $auth_pass);
@ -1924,7 +1924,7 @@ class Feeds extends Handler_Protected {
} }
static function get_feeds_from_html($url, $content) { static function get_feeds_from_html($url, $content) {
$url = Feeds::fix_url($url); $url = validate_url($url);
$baseUrl = substr($url, 0, strrpos($url, '/') + 1); $baseUrl = substr($url, 0, strrpos($url, '/') + 1);
$feedUrls = []; $feedUrls = [];
@ -1955,56 +1955,6 @@ class Feeds extends Handler_Protected {
return preg_match("/<html|DOCTYPE html/i", substr($content, 0, 8192)) !== 0; return preg_match("/<html|DOCTYPE html/i", substr($content, 0, 8192)) !== 0;
} }
static function validate_feed_url($url) {
$parts = parse_url($url);
return ($parts['scheme'] == 'http' || $parts['scheme'] == 'feed' || $parts['scheme'] == 'https');
}
/**
* Fixes incomplete URLs by prepending "http://".
* Also replaces feed:// with http://, and
* prepends a trailing slash if the url is a domain name only.
*
* @param string $url Possibly incomplete URL
*
* @return string Fixed URL.
*/
static function fix_url($url) {
// support schema-less urls
if (strpos($url, '//') === 0) {
$url = 'https:' . $url;
}
if (strpos($url, '://') === false) {
$url = 'http://' . $url;
} else if (substr($url, 0, 5) == 'feed:') {
$url = 'http:' . substr($url, 5);
}
//prepend slash if the URL has no slash in it
// "http://www.example" -> "http://www.example/"
if (strpos($url, '/', strpos($url, ':') + 3) === false) {
$url .= '/';
}
//convert IDNA hostname to punycode if possible
if (function_exists("idn_to_ascii")) {
$parts = parse_url($url);
if (mb_detect_encoding($parts['host']) != 'ASCII')
{
$parts['host'] = idn_to_ascii($parts['host']);
$url = build_url($parts);
}
}
if ($url != "http:///")
return $url;
else
return '';
}
static function add_feed_category($feed_cat, $parent_cat_id = false, $order_id = 0) { static function add_feed_category($feed_cat, $parent_cat_id = false, $order_id = 0) {
if (!$feed_cat) return false; if (!$feed_cat) return false;

@ -1234,7 +1234,7 @@ class Handler_Public extends Handler {
public function pluginhandler() { public function pluginhandler() {
$host = new PluginHost(); $host = new PluginHost();
$plugin_name = clean_filename($_REQUEST["plugin"]); $plugin_name = basename(clean($_REQUEST["plugin"]));
$method = clean($_REQUEST["pmethod"]); $method = clean($_REQUEST["pmethod"]);
$host->load($plugin_name, PluginHost::KIND_USER, 0); $host->load($plugin_name, PluginHost::KIND_USER, 0);

@ -193,7 +193,7 @@ class PluginHost {
foreach ($plugins as $class) { foreach ($plugins as $class) {
$class = trim($class); $class = trim($class);
$class_file = strtolower(clean_filename($class)); $class_file = strtolower(basename(clean($class)));
if (!is_dir(__DIR__."/../plugins/$class_file") && if (!is_dir(__DIR__."/../plugins/$class_file") &&
!is_dir(__DIR__."/../plugins.local/$class_file")) continue; !is_dir(__DIR__."/../plugins.local/$class_file")) continue;

@ -1701,7 +1701,7 @@ class Pref_Feeds extends Handler_Protected {
foreach ($feeds as $feed) { foreach ($feeds as $feed) {
$feed = trim($feed); $feed = trim($feed);
if (Feeds::validate_feed_url($feed)) { if (validate_url($feed)) {
$this->pdo->beginTransaction(); $this->pdo->beginTransaction();

@ -572,7 +572,7 @@ class RPC extends Handler_Protected {
function log() { function log() {
$msg = clean($_REQUEST['msg']); $msg = clean($_REQUEST['msg']);
$file = clean_filename($_REQUEST['file']); $file = basename(clean($_REQUEST['file']));
$line = (int) clean($_REQUEST['line']); $line = (int) clean($_REQUEST['line']);
$context = clean($_REQUEST['context']); $context = clean($_REQUEST['context']);

@ -238,8 +238,9 @@
$url = ltrim($url, ' '); $url = ltrim($url, ' ');
$url = str_replace(' ', '%20', $url); $url = str_replace(' ', '%20', $url);
if (strpos($url, "//") === 0) $url = validate_url($url);
$url = 'http:' . $url;
if (!$url) return false;
$url_host = parse_url($url, PHP_URL_HOST); $url_host = parse_url($url, PHP_URL_HOST);
$fetch_domain_hits[$url_host] += 1; $fetch_domain_hits[$url_host] += 1;
@ -623,10 +624,6 @@
} }
} }
function clean_filename($filename) {
return basename(preg_replace("/\.\.|[\/\\\]/", "", clean($filename)));
}
function make_password($length = 12) { function make_password($length = 12) {
$password = ""; $password = "";
$possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ*%+^"; $possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ*%+^";
@ -1517,13 +1514,6 @@
return $parts['scheme'] . "://" . $parts['host'] . $parts['path']; return $parts['scheme'] . "://" . $parts['host'] . $parts['path'];
} }
function cleanup_url_path($path) {
$path = str_replace("/./", "/", $path);
$path = str_replace("//", "/", $path);
return $path;
}
/** /**
* Converts a (possibly) relative URL to a absolute one. * Converts a (possibly) relative URL to a absolute one.
* *
@ -1533,33 +1523,35 @@
* @return string Absolute URL * @return string Absolute URL
*/ */
function rewrite_relative_url($url, $rel_url) { function rewrite_relative_url($url, $rel_url) {
if (strpos($rel_url, "://") !== false) {
$rel_parts = parse_url($rel_url);
if ($rel_parts['host'] && $rel_parts['scheme']) {
return $rel_url; return $rel_url;
} else if (strpos($rel_url, "//") === 0) { } else if (strpos($rel_url, "//") === 0) {
# protocol-relative URL (rare but they exist) # protocol-relative URL (rare but they exist)
return "https:" . $rel_url;
} else if (strpos($rel_url, "magnet:") === 0) {
# allow magnet links
return $rel_url; return $rel_url;
} else if (preg_match("/^[a-z]+:/i", $rel_url)) {
# magnet:, feed:, etc
return $rel_url;
} else if (strpos($rel_url, "/") === 0) {
$parts = parse_url($url);
$parts['path'] = $rel_url;
$parts['path'] = cleanup_url_path($parts['path']);
return build_url($parts);
} else { } else {
$parts = parse_url($url); $parts = parse_url($url);
if (!isset($parts['path'])) { if (!isset($parts['path'])) {
$parts['path'] = '/'; $parts['path'] = '/';
} }
$dir = $parts['path']; $dir = $parts['path'];
if (substr($dir, -1) !== '/') { if (substr($dir, -1) !== '/') {
$dir = dirname($parts['path']); $dir = dirname($parts['path']);
$dir !== '/' && $dir .= '/'; $dir !== '/' && $dir .= '/';
} }
$parts['path'] = $dir . $rel_url; $parts['path'] = $dir . $rel_url;
$parts['path'] = cleanup_url_path($parts['path']);
$parts['path'] = str_replace("/./", "/", $parts['path']);
$parts['path'] = str_replace("//", "/", $parts['path']);
return build_url($parts); return build_url($parts);
} }
@ -1837,6 +1829,15 @@
if ($mimetype == "application/octet-stream") if ($mimetype == "application/octet-stream")
$mimetype = "video/mp4"; $mimetype = "video/mp4";
/* only serve video and images */
if (!preg_match("/(image|video)\//", $mimetype)) {
http_response_code(400);
header("Content-type: text/plain");
print "Stored file has disallowed content type ($mimetype)";
return false;
}
header("Content-type: $mimetype"); header("Content-type: $mimetype");
$stamp = gmdate("D, d M Y H:i:s", filemtime($filename)) . " GMT"; $stamp = gmdate("D, d M Y H:i:s", filemtime($filename)) . " GMT";
@ -1924,3 +1925,34 @@
return $ttrss_version['version']; return $ttrss_version['version'];
} }
function validate_url($url) {
# fix protocol-relative URLs
if (strpos($url, "//") === 0)
$url = "https:" . $url;
if (filter_var($url, FILTER_VALIDATE_URL) === FALSE)
return false;
$tokens = parse_url($url);
if (!$tokens['host'])
return false;
if (!in_array($tokens['scheme'], ['http', 'https']))
return false;
//convert IDNA hostname to punycode if possible
if (function_exists("idn_to_ascii")) {
if (mb_detect_encoding($tokens['host']) != 'ASCII') {
$parts['host'] = idn_to_ascii($tokens['host']);
$url = build_url($tokens);
}
}
/* if ($tokens['host'] == 'localhost' || $tokens['host'] == '127.0.0.1')
return false; */
return $url;
}

@ -45,8 +45,7 @@ class Af_Proxy_Http extends Plugin {
} }
public function imgproxy() { public function imgproxy() {
$url = validate_url(clean($_REQUEST["url"]));
$url = rewrite_relative_url(get_self_url_prefix(), $_REQUEST["url"]);
// called without user context, let's just redirect to original URL // called without user context, let's just redirect to original URL
if (!$_SESSION["uid"]) { if (!$_SESSION["uid"]) {
@ -59,7 +58,6 @@ class Af_Proxy_Http extends Plugin {
if ($this->cache->exists($local_filename)) { if ($this->cache->exists($local_filename)) {
header("Location: " . $this->cache->getUrl($local_filename)); header("Location: " . $this->cache->getUrl($local_filename));
return; return;
//$this->cache->send($local_filename);
} else { } else {
$data = fetch_file_contents(["url" => $url, "max_size" => MAX_CACHE_FILE_SIZE]); $data = fetch_file_contents(["url" => $url, "max_size" => MAX_CACHE_FILE_SIZE]);
@ -97,14 +95,13 @@ class Af_Proxy_Http extends Plugin {
imagedestroy($img); imagedestroy($img);
} else { } else {
header("Content-type: text/html"); header("Content-type: text/plain");
http_response_code(400); http_response_code(400);
print "<h1>Proxy request failed.</h1>"; print "Proxy request failed.\n".
print "<p>Fetch error $fetch_last_error ($fetch_last_error_code)</p>"; "Fetch error $fetch_last_error ($fetch_last_error_code)\n".
print "<p>URL: $url</p>"; "Requested URL: $url";
print "<textarea cols='80' rows='25'>" . htmlspecialchars($fetch_last_error_content) . "</textarea>";
} }
} }
} }

Loading…
Cancel
Save