prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs

This commit is contained in:
El RIDO 2024-06-29 20:26:09 +02:00
parent 0eae149474
commit 2c711e9d3c
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
3 changed files with 9 additions and 1 deletions

View file

@ -6,6 +6,7 @@
* FIXED: Reset password input field on creation of new paste (#1194)
* FIXED: Allow database schema upgrade to skip versions (#1343)
* FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340)
* FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs
## 1.7.3 (2024-05-13)
* CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community

View file

@ -47,7 +47,7 @@ class YourlsProxy
*/
public function __construct(Configuration $conf, $link)
{
if (strpos($link, $conf->getKey('basepath') . '?') === false) {
if (strpos($link, $conf->getKey('basepath') . '?') !== 0) {
$this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
return;
}

View file

@ -54,6 +54,13 @@ class YourlsProxyTest extends TestCase
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
}
public function testSneakyForeignUrl()
{
$yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?q=https://example.com/?foo#bar');
$this->assertTrue($yourls->isError());
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
}
public function testYourlsError()
{
// when statusCode is not 200, shorturl may not have been set