From ff2f48a2a7ba2f45e35d3fb57faeda30986bb2bf Mon Sep 17 00:00:00 2001 From: Web Addicto Date: Thu, 26 Jan 2017 21:30:04 +0100 Subject: [PATCH 1/8] Make sure we do not proxify our own proxy URL // Make sure we do not proxy ourself if(stripos($url, app_url()) === 0){ return $base_url; } --- src/helpers.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/helpers.php b/src/helpers.php index 8ced2e4..f5db6c3 100644 --- a/src/helpers.php +++ b/src/helpers.php @@ -147,6 +147,11 @@ function proxify_url($url, $base_url = ''){ $url = rel2abs($url, $base_url); } + // Make sure we do not proxy ourself + if(stripos($url, app_url()) === 0){ + return $base_url; + } + return app_url().'?q='.url_encrypt($url); } @@ -185,4 +190,4 @@ function rel2abs($rel, $base) return $scheme . '://' . $abs; } -?> \ No newline at end of file +?> From f43d11bead13c11e3c93411f32b1ce5916c5eedf Mon Sep 17 00:00:00 2001 From: Web Addicto Date: Thu, 26 Jan 2017 21:31:54 +0100 Subject: [PATCH 2/8] Small fix return $url; instead of return $base_url; --- src/helpers.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/helpers.php b/src/helpers.php index f5db6c3..62fe85e 100644 --- a/src/helpers.php +++ b/src/helpers.php @@ -149,7 +149,7 @@ function proxify_url($url, $base_url = ''){ // Make sure we do not proxy ourself if(stripos($url, app_url()) === 0){ - return $base_url; + return $url; } return app_url().'?q='.url_encrypt($url); From 3cfeafdae0bb5fcedc3ad425e04d1b7818b4195d Mon Sep 17 00:00:00 2001 From: Web Addicto Date: Sat, 28 Jan 2017 15:50:01 +0100 Subject: [PATCH 3/8] Improved matching of our proxy host Extract PHP_URL_HOST from both URLs, remove "www.", and compare both including subdomain. So this way we don't proxy our own proxy. Tested and working perfectly. --- src/helpers.php | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/helpers.php b/src/helpers.php index 62fe85e..afbc7c2 100644 --- a/src/helpers.php 
+++ b/src/helpers.php @@ -147,10 +147,16 @@ function proxify_url($url, $base_url = ''){ $url = rel2abs($url, $base_url); } - // Make sure we do not proxy ourself - if(stripos($url, app_url()) === 0){ - return $url; - } + // Make sure we do not proxy our proxy: + + // Extract the real host (without www.) from the two URLs + $host1 = preg_replace('/^www\./is', '', trim(parse_url($url, PHP_URL_HOST))); + $host2 = preg_replace('/^www\./is', '', trim(parse_url(app_url(), PHP_URL_HOST))); + + // Compare the two hosts (including subdomains) with our proxy URL + if(strtolower($host1) == strtolower($host2) || stripos(".".$host1, $host2) ){ + return $base_url; + } return app_url().'?q='.url_encrypt($url); } From 3a7f909480986d8b945153b1febeb8bf2b260743 Mon Sep 17 00:00:00 2001 From: Web Addicto Date: Sat, 28 Jan 2017 15:51:10 +0100 Subject: [PATCH 4/8] Better comments --- src/helpers.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/helpers.php b/src/helpers.php index afbc7c2..cd5cf4b 100644 --- a/src/helpers.php +++ b/src/helpers.php @@ -153,7 +153,7 @@ function proxify_url($url, $base_url = ''){ $host1 = preg_replace('/^www\./is', '', trim(parse_url($url, PHP_URL_HOST))); $host2 = preg_replace('/^www\./is', '', trim(parse_url(app_url(), PHP_URL_HOST))); - // Compare the two hosts (including subdomains) with our proxy URL + // Make sure our proxy app host is not present in the URL to be proxified if(strtolower($host1) == strtolower($host2) || stripos(".".$host1, $host2) ){ return $base_url; } From 9d59c7a296ea0034ff289f4a58f50ccd8cf155cd Mon Sep 17 00:00:00 2001 From: Web Addicto Date: Sat, 28 Jan 2017 16:59:21 +0100 Subject: [PATCH 5/8] Allow only http and https scheme on proxify_url() Make sure the schema is only http and https (for security reasons). --- src/helpers.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/helpers.php b/src/helpers.php index cd5cf4b..618903c 100644 --- a/src/helpers.php +++ b/src/helpers.php 
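Review bot: The subdomain test `stripos(".".$host1, $host2)` in the new `if` is a substring search, so any host that merely contains the proxy host is refused as well (with a constructed proxy host `proxy.example.com`, both `notproxy.example.com` and `proxy.example.com.other.tld` match), while only an identical host or a `.app_host` suffix is meant. A suffix comparison is tighter and does not depend on the `false`-versus-offset return of `stripos()`: `$suffix = '.' . strtolower($host2);` then `if (strtolower($host1) === strtolower($host2) || substr('.' . strtolower($host1), -strlen($suffix)) === $suffix) {`. The same loose `==` and substring check are carried unchanged into the [PATCH 7/8] hunk. Note also that `parse_url()` returns `null` when the URL has no host, so `trim()` receives `null` and `$host1` becomes `''`, which passes both comparisons silently. The enclosing function proxify_url starts before this hunk.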
@@ -158,6 +158,11 @@ function proxify_url($url, $base_url = ''){ return $base_url; } + // Make sure the schema is only http and https + if(in_array(strtolower(parse_url($url, PHP_URL_SCHEME)), array('http', 'https'), true)){ + return $base_url; + } + return app_url().'?q='.url_encrypt($url); } From 53b272932fd6018d5b47a0fecb6ff9be500488c0 Mon Sep 17 00:00:00 2001 From: Web Addicto Date: Sat, 28 Jan 2017 17:03:48 +0100 Subject: [PATCH 6/8] Small fix Fixed if(!in_array(strtolower(parse_url($url, PHP_URL_SCHEME)), array('http', 'https'), true)){ --- src/helpers.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/helpers.php b/src/helpers.php index 618903c..67c79c0 100644 --- a/src/helpers.php +++ b/src/helpers.php @@ -159,7 +159,7 @@ function proxify_url($url, $base_url = ''){ } // Make sure the schema is only http and https - if(in_array(strtolower(parse_url($url, PHP_URL_SCHEME)), array('http', 'https'), true)){ + if(!in_array(strtolower(parse_url($url, PHP_URL_SCHEME)), array('http', 'https'), true)){ return $base_url; } From 4607afa3c3dcc0f18304c72bb2875a442c33be34 Mon Sep 17 00:00:00 2001 From: Web Addicto Date: Sun, 29 Jan 2017 00:10:38 +0100 Subject: [PATCH 7/8] Improved function proxify_url() --- src/helpers.php | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/src/helpers.php b/src/helpers.php index 67c79c0..120931f 100644 --- a/src/helpers.php +++ b/src/helpers.php 
@@ -147,20 +147,24 @@ function proxify_url($url, $base_url = ''){ $url = rel2abs($url, $base_url); } - // Make sure we do not proxy our proxy: + // If $url is empty... + if(!$url){ + return $base_url ? $base_url : app_url(); + } - // Extract the real host (without www.) from the two URLs - $host1 = preg_replace('/^www\./is', '', trim(parse_url($url, PHP_URL_HOST))); - $host2 = preg_replace('/^www\./is', '', trim(parse_url(app_url(), PHP_URL_HOST))); + // Extract the real host (without www.) from $url and app_url() + $url_host = preg_replace('/^www\./is', '', trim(parse_url($url, PHP_URL_HOST))); + $app_host = preg_replace('/^www\./is', '', trim(parse_url(app_url(), PHP_URL_HOST))); - // Make sure our proxy app host is not present in the URL to be proxified - if(strtolower($host1) == strtolower($host2) || stripos(".".$host1, $host2) ){ - return $base_url; + // Make sure the proxy app host is not present in the URL to be proxified + if(strtolower($url_host) == strtolower($app_host) || stripos(".".$url_host, $app_host) ){ + // Maybe it would be better to show an error message? + return app_url(); } - // Make sure the schema is only http and https - if(!in_array(strtolower(parse_url($url, PHP_URL_SCHEME)), array('http', 'https'), true)){ - return $base_url; + // Make sure the scheme is http, https, ftp + if(!in_array(strtolower(parse_url($url, PHP_URL_SCHEME)), array('http','https','ftp'), true)){ + return $base_url ? $base_url : app_url(); } return app_url().'?q='.url_encrypt($url); From 220f63703913feb6615cf00f5c1398ccad85b084 Mon Sep 17 00:00:00 2001 From: Web Addicto Date: Tue, 31 Jan 2017 16:36:50 +0100 Subject: [PATCH 8/8] Don't proxify localhost and internal IP addresses --- src/helpers.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/helpers.php b/src/helpers.php index 120931f..432269f 100644 --- a/src/helpers.php +++ b/src/helpers.php 
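Review bot: `if(!$url)` at the top of the hunk tests truthiness, so a URL that is exactly `"0"` after `rel2abs()` is treated as empty; `if ($url === '')` states what is meant. After the two host assignments `$url_host` is still `''` whenever `parse_url()` finds no host (it returns `null` for an absent component and `false` for a malformed URL), and an empty host passes the proxy-host comparison vacuously, leaving only the later scheme test to reject such input; an explicit guard right after the assignments, `if ($url_host === '') { return $base_url ? $base_url : app_url(); }`, makes that failure mode deliberate. Widening the allow-list to `ftp` in the last `if` only changes this check; whether the fetch side is prepared for `ftp://` targets is outside this hunk and worth confirming before merging. The enclosing function proxify_url begins before this hunk.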
@@ -162,6 +162,20 @@ function proxify_url($url, $base_url = ''){ return app_url(); } + // Make sure to not proxify localhost + if(strtolower($url_host) == "localhost" ){ + // Maybe it would be better to show an error message? + return app_url(); + } + + // Make sure to not proxify internal IP addresses + if(filter_var($url_host, FILTER_VALIDATE_IP)){ + if(filter_var($url_host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false){ + // Maybe it would be better to show an error message? + return app_url(); + } + } + // Make sure the scheme is http, https, ftp if(!in_array(strtolower(parse_url($url, PHP_URL_SCHEME)), array('http','https','ftp'), true)){ return $base_url ? $base_url : app_url();
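Review bot: The private/reserved-range test in the new block only runs when `filter_var($url_host, FILTER_VALIDATE_IP)` accepts the host, but `parse_url(..., PHP_URL_HOST)` returns an IPv6 literal with its brackets (`[::1]`), which `FILTER_VALIDATE_IP` rejects, so such a host skips the range check entirely. Strip the brackets before validating, `$ip = trim($url_host, '[]');`, and use `$ip` in both `filter_var()` calls. This remains a check on the textual host only: a name that resolves to a loopback or private address, or a redirect issued by the target, is not covered here, so the fetch path (outside this hunk) is where the resolved address should be validated again. The enclosing function proxify_url begins before this hunk.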