
Commit 72890f7

ildyriad7415
and authored
Mitigate small SSRF (#3861)
Co-authored-by: Martin Stone <[email protected]>
1 parent 8e1b669 commit 72890f7


2 files changed

+45
-1
lines changed


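--- a/app/Image/Files/DownloadedFile.php
+++ b/app/Image/Files/DownloadedFile.php
@@ -10,6 +10,7 @@
 
 use App\Exceptions\MediaFileOperationException;
 use App\Exceptions\MediaFileUnsupportedException;
+use App\Models\Configs;
 use Safe\Exceptions\PcreException;
 use function Safe\fclose;
 use function Safe\fopen;
@@ -41,7 +42,16 @@ public function __construct(string $url)
 $basename = pathinfo($path, PATHINFO_FILENAME);
 $extension = '.' . pathinfo($path, PATHINFO_EXTENSION);
 
-$download_stream = fopen($url, 'rb');
+$opts = [
+'http' => [
+'follow_location' => !Configs::getValueAsBool('import_via_url_block_redirect'),
+'max_redirects' => 3,
+'timeout' => 10.0,
+],
+];
+
+$context = stream_context_create($opts);
+$download_stream = fopen($url, 'rb', context: $context);
 $download_stream_data = stream_get_meta_data($download_stream);
 
 /** @var string|null $original_mime_type */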
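Review bot: Turning off `follow_location` only stops the second hop; the request on the last added line, `fopen($url, 'rb', context: $context)`, still goes wherever `$url` points, so a URL naming a loopback, link-local or private address reaches it directly and the SSRF mitigation is partial. Unless the constructor already validates the URL before the lines shown, the remaining hardening is to accept only the `http`/`https` schemes and to resolve the host and reject loopback, link-local and private ranges before calling `fopen`. Separately, with `follow_location` disabled PHP's HTTP wrapper still returns a stream for a 3xx reply, so if the `wrapper_data` in the `stream_get_meta_data` result on the next line is not checked for the status code, the redirect response body would be treated as the downloaded file; `ignore_errors` is unset, so 4xx/5xx replies do make `fopen` fail. `__construct` begins and ends outside the hunk.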
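--- /dev/null
+++ b/[new config migration: path not shown on page]
@@ -0,0 +1,34 @@
+<?php
+
+/**
+* SPDX-License-Identifier: MIT
+* Copyright (c) 2017-2018 Tobias Reich
+* Copyright (c) 2018-2025 LycheeOrg.
+*/
+
+use App\Models\Extensions\BaseConfigMigration;
+
+return new class() extends BaseConfigMigration {
+public const CONFIG = 'Admin';
+
+/**
+* @return array<int,array{key:string,value:string,is_secret:bool,cat:string,type_range:string,description:string,order?:int,not_on_docker?:bool,is_expert?:bool}>
+*/
+public function getConfigs(): array
+{
+return [
+[
+'key' => 'import_via_url_block_redirect',
+'value' => '1',
+'cat' => self::CONFIG,
+'type_range' => self::BOOL,
+'description' => 'Import via URL should not follow redirections',
+'details' => '<span class="pi pi-exclamation-triangle text-orange-500"></span> Disabling this exposes your localhost to the Import via URL functionality and could lead to Server-Side Request Forgery (SSRF).',
+'is_secret' => false,
+'is_expert' => true,
+'level' => 0,
+'order' => 24,
+],
+];
+}
+};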
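Review bot: The `@return` shape on the new file's line 15 omits the `details` and `level` keys that the returned entry actually carries, so the docblock and the data disagree and a static analyser that checks array shapes may report the return. Either extend the shape, e.g. `…description:string,details?:string,level?:int,order?:int,…`, or, if `BaseConfigMigration` already documents the full shape, inherit it rather than restating it here. The `details` string embeds raw HTML (`<span class="pi …">`), which presupposes the settings UI renders this field unescaped; that is presumably the existing convention for this field, but it is worth confirming since the rendering side is not visible here.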
