lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use MAIN_SECURITY_ANTI_SSRF_SERVER_IP as whitelist for local IP.

Browse Source
This commit is contained in:
Laurent Destailleur 2021-04-19 15:16:00 +02:00
parent 2cd9289de1
commit a8187af8ef
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
htdocs/core/lib/geturl.lib.php
View File

@ -204,6 +204,11 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
$info['content'] = 'Error bad hostname. Must be a local URL.';
break;
}
if (!empty($conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP) && !in_array($iptocheck, explode(',', '127.0.0.1,::1,'.$conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP))) {
$info['http_code'] = 400;
$info['content'] = 'Error bad hostname IP (IP is not a local IP defined into list MAIN_SECURITY_SERVER_IP). Must be a local URL in allowed list.';
break;
}
}
// Common check (local and external)
if (in_array($iptocheck, array('100.100.100.200'))) {