diff --git a/classes/backend.php b/classes/backend.php
index 122e28c6511924e2b0ea8afa14d44e5fa0642680..5bd7247288415ed724659f1219849175c7a358df 100644
--- a/classes/backend.php
+++ b/classes/backend.php
@@ -88,7 +88,7 @@ class Backend extends Handler {
}
function help() {
- $topic = clean_filename($_REQUEST["topic"]); // only one for now
+ $topic = basename(clean($_REQUEST["topic"])); // only one for now
if ($topic == "main") {
$info = get_hotkeys_info();
diff --git a/classes/diskcache.php b/classes/diskcache.php
index 68829b8e387e94787224f3f9eb3b72d4169bf71a..74415189cd25acc619433fbb4a933514d773529e 100644
--- a/classes/diskcache.php
+++ b/classes/diskcache.php
@@ -191,7 +191,7 @@ class DiskCache {
];
public function __construct($dir) {
- $this->dir = CACHE_DIR . "/" . clean_filename($dir);
+ $this->dir = CACHE_DIR . "/" . basename(clean($dir));
}
public function getDir() {
@@ -227,9 +227,7 @@ class DiskCache {
}
public function getFullPath($filename) {
- $filename = clean_filename($filename);
-
- return $this->dir . "/" . $filename;
+ return $this->dir . "/" . basename(clean($filename));
}
public function put($filename, $data) {
diff --git a/classes/feeds.php b/classes/feeds.php
index 55a514cc0f714849ec38f575d8e92f6a614530b2..58ba1b6f8c3cd3b46ac0be57f48b44e63bc03d7b 100755
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -1124,9 +1124,9 @@ class Feeds extends Handler_Protected {
$pdo = Db::pdo();
- $url = Feeds::fix_url($url);
+ $url = validate_url($url);
- if (!$url || !Feeds::validate_feed_url($url)) return array("code" => 2);
+ if (!$url) return array("code" => 2);
$contents = @fetch_file_contents($url, false, $auth_login, $auth_pass);
@@ -1924,7 +1924,7 @@ class Feeds extends Handler_Protected {
}
static function get_feeds_from_html($url, $content) {
- $url = Feeds::fix_url($url);
+ $url = validate_url($url);
$baseUrl = substr($url, 0, strrpos($url, '/') + 1);
$feedUrls = [];
@@ -1955,56 +1955,6 @@ class Feeds extends Handler_Protected {
return preg_match("/<html|DOCTYPE html/i", substr($content, 0, 8192)) !== 0;
}
- static function validate_feed_url($url) {
- $parts = parse_url($url);
-
- return ($parts['scheme'] == 'http' || $parts['scheme'] == 'feed' || $parts['scheme'] == 'https');
- }
-
- /**
- * Fixes incomplete URLs by prepending "http://".
- * Also replaces feed:// with http://, and
- * prepends a trailing slash if the url is a domain name only.
- *
- * @param string $url Possibly incomplete URL
- *
- * @return string Fixed URL.
- */
- static function fix_url($url) {
-
- // support schema-less urls
- if (strpos($url, '//') === 0) {
- $url = 'https:' . $url;
- }
-
- if (strpos($url, '://') === false) {
- $url = 'http://' . $url;
- } else if (substr($url, 0, 5) == 'feed:') {
- $url = 'http:' . substr($url, 5);
- }
-
- //prepend slash if the URL has no slash in it
- // "http://www.example" -> "http://www.example/"
- if (strpos($url, '/', strpos($url, ':') + 3) === false) {
- $url .= '/';
- }
-
- //convert IDNA hostname to punycode if possible
- if (function_exists("idn_to_ascii")) {
- $parts = parse_url($url);
- if (mb_detect_encoding($parts['host']) != 'ASCII')
- {
- $parts['host'] = idn_to_ascii($parts['host']);
- $url = build_url($parts);
- }
- }
-
- if ($url != "http:///")
- return $url;
- else
- return '';
- }
-
static function add_feed_category($feed_cat, $parent_cat_id = false, $order_id = 0) {
if (!$feed_cat) return false;
diff --git a/classes/handler/public.php b/classes/handler/public.php
index e6d94e223228ba4d0bd4a3792d955196ff170ad8..135cdcbc7876759d507ed40e17a5bc27cb37efd4 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -1234,7 +1234,7 @@ class Handler_Public extends Handler {
public function pluginhandler() {
$host = new PluginHost();
- $plugin_name = clean_filename($_REQUEST["plugin"]);
+ $plugin_name = basename(clean($_REQUEST["plugin"]));
$method = clean($_REQUEST["pmethod"]);
$host->load($plugin_name, PluginHost::KIND_USER, 0);
diff --git a/classes/pluginhost.php b/classes/pluginhost.php
index 4fec13000eda02746ac4b649ec07b2b160108e59..c6c036783990b779070f272a8c0b5d63bc4da74d 100755
--- a/classes/pluginhost.php
+++ b/classes/pluginhost.php
@@ -193,7 +193,7 @@ class PluginHost {
foreach ($plugins as $class) {
$class = trim($class);
- $class_file = strtolower(clean_filename($class));
+ $class_file = strtolower(basename(clean($class)));
if (!is_dir(__DIR__."/../plugins/$class_file") &&
!is_dir(__DIR__."/../plugins.local/$class_file")) continue;
diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php
index 9d29ab47831f0c785bd9d15460fbecbdfc5e4682..8cdb1577c302dafe783b064e8468df9e395c549e 100755
--- a/classes/pref/feeds.php
+++ b/classes/pref/feeds.php
@@ -1701,7 +1701,7 @@ class Pref_Feeds extends Handler_Protected {
foreach ($feeds as $feed) {
$feed = trim($feed);
- if (Feeds::validate_feed_url($feed)) {
+ if (validate_url($feed)) {
$this->pdo->beginTransaction();
diff --git a/classes/rpc.php b/classes/rpc.php
index 208551075763566dff2b446823cdc2fd9a991069..7f809f29bc85381f0fa5ff588283e4d665e3f3cb 100755
--- a/classes/rpc.php
+++ b/classes/rpc.php
@@ -572,7 +572,7 @@ class RPC extends Handler_Protected {
function log() {
$msg = clean($_REQUEST['msg']);
- $file = clean_filename($_REQUEST['file']);
+ $file = basename(clean($_REQUEST['file']));
$line = (int) clean($_REQUEST['line']);
$context = clean($_REQUEST['context']);
diff --git a/include/functions.php b/include/functions.php
index 16953a0a1a2f0c129708c050533c6dde898c85fa..43e9eb8f6631fec9c8ef9ba4dfd1db532fdcefc1 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -238,8 +238,9 @@
$url = ltrim($url, ' ');
$url = str_replace(' ', '%20', $url);
- if (strpos($url, "//") === 0)
- $url = 'http:' . $url;
+ $url = validate_url($url);
+
+ if (!$url) return false;
$url_host = parse_url($url, PHP_URL_HOST);
$fetch_domain_hits[$url_host] += 1;
@@ -623,10 +624,6 @@
}
}
- function clean_filename($filename) {
- return basename(preg_replace("/\.\.|[\/\\\]/", "", clean($filename)));
- }
-
function make_password($length = 12) {
$password = "";
$possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ*%+^";
@@ -1517,13 +1514,6 @@
return $parts['scheme'] . "://" . $parts['host'] . $parts['path'];
}
- function cleanup_url_path($path) {
- $path = str_replace("/./", "/", $path);
- $path = str_replace("//", "/", $path);
-
- return $path;
- }
-
/**
* Converts a (possibly) relative URL to a absolute one.
*
@@ -1533,33 +1523,35 @@
* @return string Absolute URL
*/
function rewrite_relative_url($url, $rel_url) {
- if (strpos($rel_url, "://") !== false) {
+
+ $rel_parts = parse_url($rel_url);
+
+ if ($rel_parts['host'] && $rel_parts['scheme']) {
return $rel_url;
} else if (strpos($rel_url, "//") === 0) {
# protocol-relative URL (rare but they exist)
+ return "https:" . $rel_url;
+ } else if (strpos($rel_url, "magnet:") === 0) {
+ # allow magnet links
return $rel_url;
- } else if (preg_match("/^[a-z]+:/i", $rel_url)) {
- # magnet:, feed:, etc
- return $rel_url;
- } else if (strpos($rel_url, "/") === 0) {
- $parts = parse_url($url);
- $parts['path'] = $rel_url;
- $parts['path'] = cleanup_url_path($parts['path']);
-
- return build_url($parts);
-
} else {
$parts = parse_url($url);
+
if (!isset($parts['path'])) {
$parts['path'] = '/';
}
+
$dir = $parts['path'];
+
if (substr($dir, -1) !== '/') {
$dir = dirname($parts['path']);
$dir !== '/' && $dir .= '/';
}
+
$parts['path'] = $dir . $rel_url;
- $parts['path'] = cleanup_url_path($parts['path']);
+
+ $parts['path'] = str_replace("/./", "/", $parts['path']);
+ $parts['path'] = str_replace("//", "/", $parts['path']);
return build_url($parts);
}
@@ -1837,6 +1829,15 @@
if ($mimetype == "application/octet-stream")
$mimetype = "video/mp4";
+ /* only serve video and images */
+ if (!preg_match("/(image|video)\//", $mimetype)) {
+ http_response_code(400);
+ header("Content-type: text/plain");
+
+ print "Stored file has disallowed content type ($mimetype)";
+ return false;
+ }
+
header("Content-type: $mimetype");
$stamp = gmdate("D, d M Y H:i:s", filemtime($filename)) . " GMT";
@@ -1924,3 +1925,34 @@
return $ttrss_version['version'];
}
+
+ function validate_url($url) {
+
+ # fix protocol-relative URLs
+ if (strpos($url, "//") === 0)
+ $url = "https:" . $url;
+
+ if (filter_var($url, FILTER_VALIDATE_URL) === FALSE)
+ return false;
+
+ $tokens = parse_url($url);
+
+ if (!$tokens['host'])
+ return false;
+
+ if (!in_array($tokens['scheme'], ['http', 'https']))
+ return false;
+
+ //convert IDNA hostname to punycode if possible
+ if (function_exists("idn_to_ascii")) {
+ if (mb_detect_encoding($tokens['host']) != 'ASCII') {
+ $parts['host'] = idn_to_ascii($tokens['host']);
+ $url = build_url($tokens);
+ }
+ }
+
+ /* if ($tokens['host'] == 'localhost' || $tokens['host'] == '127.0.0.1')
+ return false; */
+
+ return $url;
+ }
diff --git a/plugins/af_proxy_http/init.php b/plugins/af_proxy_http/init.php
index 80100160d1b5f3f60691da539e7e19adaa6279a1..93694238785e25301c837525b2af466ee6235c55 100644
--- a/plugins/af_proxy_http/init.php
+++ b/plugins/af_proxy_http/init.php
@@ -45,8 +45,7 @@ class Af_Proxy_Http extends Plugin {
}
public function imgproxy() {
-
- $url = rewrite_relative_url(get_self_url_prefix(), $_REQUEST["url"]);
+ $url = validate_url(clean($_REQUEST["url"]));
// called without user context, let's just redirect to original URL
if (!$_SESSION["uid"]) {
@@ -59,7 +58,6 @@ class Af_Proxy_Http extends Plugin {
if ($this->cache->exists($local_filename)) {
header("Location: " . $this->cache->getUrl($local_filename));
return;
- //$this->cache->send($local_filename);
} else {
$data = fetch_file_contents(["url" => $url, "max_size" => MAX_CACHE_FILE_SIZE]);
@@ -97,14 +95,13 @@ class Af_Proxy_Http extends Plugin {
imagedestroy($img);
} else {
- header("Content-type: text/html");
+ header("Content-type: text/plain");
http_response_code(400);
- print "<h1>Proxy request failed.</h1>";
- print "<p>Fetch error $fetch_last_error ($fetch_last_error_code)</p>";
- print "<p>URL: $url</p>";
- print "<textarea cols='80' rows='25'>" . htmlspecialchars($fetch_last_error_content) . "</textarea>";
+ print "Proxy request failed.\n".
+ "Fetch error $fetch_last_error ($fetch_last_error_code)\n".
+ "Requested URL: $url";
}
}
}