Improve URL checks in hotlinking controller
swissspidy committed Sep 2, 2022
1 parent 7f3af11 commit 3ad2099
Showing 2 changed files with 18 additions and 3 deletions.
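--- a/includes/REST_API/Hotlinking_Controller.php
+++ b/includes/REST_API/Hotlinking_Controller.php
@@ -672,9 +672,21 @@ private function validate_url( string $url ) {
 }
 
 $parts = array_map( 'intval', explode( '.', $ip ) );
-if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]
-|| ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
-|| ( 192 === $parts[0] && 168 === $parts[1] )
+if (
+0 === $parts[0] // 0.0.0.0/8.
+||
+127 === $parts[0] // 127.0.0.0/8.
+||
+10 === $parts[0] // 10.0.0.0/8.
+||
+( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] ) // 172.16.0.0/12.
+||
+( 192 === $parts[0] && 168 === $parts[1] ) // 192.168.0.0/16.
+||
+( 169 === $parts[0] && 254 === $parts[1] ) // 169.254.0.0/16.
+||
+// phpcs:ignore Squiz.PHP.CommentedOutCode.Found
+( 100 === $parts[0] && 64 <= $parts[1] && 127 >= $parts[1] ) // Private: 100.64.0.0/10.
 ) {
 // If host appears local, reject.
 return false;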
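Review bot: The hand-maintained octet list in the new condition still admits non-routable IPv4 ranges such as 240.0.0.0/4 (reserved) and 224.0.0.0/4 (multicast), and because every branch indexes `$parts[1]` from `explode( '.', $ip )`, the test says nothing about an IPv6 address and would emit an undefined-key warning if `$ip` were ever not a dotted quad; whether earlier code guarantees a dotted quad is outside the hunk, as is the rest of `validate_url`. `filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE )` rejects the RFC 1918 ranges plus 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16 and 240.0.0.0/4, and the corresponding IPv6 ranges, in one call, leaving only the 100.64.0.0/10 branch to keep by hand, as in the rewrite below. The trailing comment on that last branch mislabels the range: 100.64.0.0/10 is the RFC 6598 shared address space used for carrier-grade NAT, not a private range, so `// Shared address space (RFC 6598): 100.64.0.0/10.` would be accurate. The test change in the other file adds only a 169.254.0.0 case, so the new 0.0.0.0/8 and 100.64.0.0/10 branches appear to remain unexercised.
```php
// Reject private (RFC 1918) and reserved (0.0.0.0/8, loopback, link-local,
// 240.0.0.0/4) ranges for both IPv4 and IPv6 in one call.
if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
	// If host appears local, reject.
	return false;
}

// Shared address space (RFC 6598, carrier-grade NAT): 100.64.0.0/10.
// Not covered by the filter flags, so keep the octet test for it.
$parts  = array_map( 'intval', explode( '.', $ip ) );
$second = $parts[1] ?? -1; // -1 keeps a non-dotted-quad $ip out of the range.
if ( 100 === $parts[0] && 64 <= $second && 127 >= $second ) {
	return false;
}
// … unchanged: remainder of validate_url …
```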
Expand Up @@ -573,6 +573,9 @@ public function data_validate_url_should_not_validate(): array {
'an external request when not allowed' => [
'url' => 'http://192.168.0.1/caniload.php',
],
'a request with disallowed link-local ip' => [
'url' => 'http://169.254.0.0/caniload.php',
],
'a port not considered safe by default' => [
'url' => 'https://example.com:81/caniload.php',
],
