From a8187af8ef74a3f863f5127ea08157097b9f9461 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Mon, 19 Apr 2021 15:16:00 +0200
Subject: [PATCH] Use MAIN_SECURITY_ANTI_SSRF_SERVER_IP as whitelist for local
 IP.

---
 htdocs/core/lib/geturl.lib.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/htdocs/core/lib/geturl.lib.php b/htdocs/core/lib/geturl.lib.php
index d3f40418269..81ff51f00c7 100644
--- a/htdocs/core/lib/geturl.lib.php
+++ b/htdocs/core/lib/geturl.lib.php
@@ -204,6 +204,11 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
 					$info['content'] = 'Error bad hostname. Must be a local URL.';
 					break;
 				}
+				if (!empty($conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP) && !in_array($iptocheck, explode(',', '127.0.0.1,::1,'.$conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP))) {
+					$info['http_code'] = 400;
+					$info['content'] = 'Error bad hostname IP (IP is not a local IP defined into list MAIN_SECURITY_SERVER_IP). Must be a local URL in allowed list.';
+					break;
+				}
 			}
 			// Common check (local and external)
 			if (in_array($iptocheck, array('100.100.100.200'))) {