From 97feec8ebf450d449d0975076ae0e99d4b076a5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Mon, 26 Feb 2024 20:08:10 -0800
Subject: [PATCH] Add more URL validation in media proxy

---
 internal/ui/proxy.go | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/internal/ui/proxy.go b/internal/ui/proxy.go
index 1af18ec1..110aeb5a 100644
--- a/internal/ui/proxy.go
+++ b/internal/ui/proxy.go
@@ -10,6 +10,7 @@ import (
 "errors"
 "log/slog"
 "net/http"
+ "net/url"
 "time"
 
 "miniflux.app/v2/internal/config"
@@ -54,6 +55,27 @@ func (h *handler) mediaProxy(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ u, err := url.Parse(string(decodedURL))
+ if err != nil {
+ html.BadRequest(w, r, errors.New("invalid URL provided"))
+ return
+ }
+
+ if u.Scheme != "http" && u.Scheme != "https" {
+ html.BadRequest(w, r, errors.New("invalid URL provided"))
+ return
+ }
+
+ if u.Host == "" {
+ html.BadRequest(w, r, errors.New("invalid URL provided"))
+ return
+ }
+
+ if !u.IsAbs() {
+ html.BadRequest(w, r, errors.New("invalid URL provided"))
+ return
+ }
+
 mediaURL := string(decodedURL)
 slog.Debug("MediaProxy: Fetching remote resource",
 slog.String("media_url", mediaURL),
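Review bot: The `u.Host == ""` check added to mediaProxy still accepts a URL whose authority holds only a port (a constructed example is a Host of `:80`), because `Host` includes the port; `if u.Hostname() == "" {` rejects that case too. The `!u.IsAbs()` branch after it is unreachable, since `IsAbs` only reports a non-empty scheme and the scheme check above already requires `http` or `https`. The four identical branches could be merged into one, `if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {`. These checks constrain the URL's shape, not its destination: a loopback, link-local or private address still passes, so unless the URL is authenticated and the fetch client restricted outside this hunk, a destination check at connect time would be the stronger SSRF control. mediaProxy's body starts and ends outside the hunk.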