forks/miniflux
1
0
Fork 0
Code Releases Activity

Add more URL validation in media proxy

Browse source
This commit is contained in:
Frédéric Guillot 2024-02-26 20:08:10 -08:00
parent bce21a9f91
commit 97feec8ebf
1 changed files with 22 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
internal/ui/proxy.go
View file

@ -10,6 +10,7 @@ import (
"errors" "errors"
"log/slog" "log/slog"
"net/http" "net/http"
"net/url"
"time" "time"
"miniflux.app/v2/internal/config" "miniflux.app/v2/internal/config"
@ -54,6 +55,27 @@ func (h *handler) mediaProxy(w http.ResponseWriter, r *http.Request) {
return return
} }
u, err := url.Parse(string(decodedURL))
if err != nil {
html.BadRequest(w, r, errors.New("invalid URL provided"))
return
}
if u.Scheme != "http" && u.Scheme != "https" {
html.BadRequest(w, r, errors.New("invalid URL provided"))
return
}
if u.Host == "" {
html.BadRequest(w, r, errors.New("invalid URL provided"))
return
}
if !u.IsAbs() {
html.BadRequest(w, r, errors.New("invalid URL provided"))
return
}
mediaURL := string(decodedURL) mediaURL := string(decodedURL)
slog.Debug("MediaProxy: Fetching remote resource", slog.Debug("MediaProxy: Fetching remote resource",
slog.String("media_url", mediaURL), slog.String("media_url", mediaURL),