mirror of
https://github.com/PrivateBin/PrivateBin.git
synced 2024-12-28 04:45:06 +01:00
prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs
This commit is contained in:
parent
0eae149474
commit
2c711e9d3c
3 changed files with 9 additions and 1 deletions
|
@ -6,6 +6,7 @@
|
|||
* FIXED: Reset password input field on creation of new paste (#1194)
|
||||
* FIXED: Allow database schema upgrade to skip versions (#1343)
|
||||
* FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340)
|
||||
* FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs
|
||||
|
||||
## 1.7.3 (2024-05-13)
|
||||
* CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community
|
||||
|
|
|
@ -47,7 +47,7 @@ class YourlsProxy
|
|||
*/
|
||||
public function __construct(Configuration $conf, $link)
|
||||
{
|
||||
if (strpos($link, $conf->getKey('basepath') . '?') === false) {
|
||||
if (strpos($link, $conf->getKey('basepath') . '?') !== 0) {
|
||||
$this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
|
||||
return;
|
||||
}
|
||||
|
|
|
@ -54,6 +54,13 @@ class YourlsProxyTest extends TestCase
|
|||
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
|
||||
}
|
||||
|
||||
public function testSneakyForeignUrl()
|
||||
{
|
||||
$yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?q=https://example.com/?foo#bar');
|
||||
$this->assertTrue($yourls->isError());
|
||||
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
|
||||
}
|
||||
|
||||
public function testYourlsError()
|
||||
{
|
||||
// when statusCode is not 200, shorturl may not have been set
|
||||
|
|
Loading…
Reference in a new issue