Enhance getURLContent

Laurent Destailleur 2021-04-12 11:20:44 +02:00
parent a68378da3f
commit 86328462c7


@ -152,20 +152,31 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
$hosttocheck = $newUrlArray['host'];
$hosttocheck = str_replace(array('[', ']'), '', $hosttocheck); // Remove brackets of IPv6
// Deny some reserved host names
if (in_array($hosttocheck, array('metadata.google.internal'))) {
$info['http_code'] = 400;
$info['content'] = 'Error bad hostname (Used by Google metadata). This value for hostname is not allowed.';
break;
}
// Clean host name $hosttocheck to convert it into an IP $iptocheck
if (in_array($hosttocheck, array('localhost', 'localhost.domain'))) {
$iptocheck = '127.0.0.1';
} elseif (in_array($hosttocheck, array('ip6-localhost', 'ip6-loopback'))) {
$iptocheck = '::1';
} else {
// TODO Resolve $iptocheck to get an IP and set CURLOPT_CONNECT_TO to use this ip
// TODO Resolve $hosttocheck to get the IP $iptocheck and set CURLOPT_CONNECT_TO to use this ip
$iptocheck = $hosttocheck;
}
if (!filter_var($iptocheck, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6)) { // This is not an IP
$iptocheck = 0; //
$iptocheck = '0'; //
}
if ($iptocheck) {
if ($localurl == 0) { // Only external url allowed (dangerous, may allow to get malware)
if (!filter_var($iptocheck, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
// Deny ips like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 0.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8 et 240.0.0.0/4, ::1/128, ::/128, ::ffff:0:0/96, fe80::/10...
$info['http_code'] = 400;
$info['content'] = 'Error bad hostname IP (private or reserved range). Must be an external URL.';
break;