Block Private URLs at serverurl
API endpoint (#3295)
* Block Private URLs at `serverurl` API endpoint * Block Private URLs at `serverurl` with `net/netip`
parent
50c4c1a5c7
commit
062de79920
2 changed files with 19 additions and 0 deletions
|
@ -5,6 +5,7 @@ import (
|
|||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/netip"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"reflect"
|
||||
|
@ -406,6 +407,14 @@ func SetServerURL(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
// Block Private IP URLs
|
||||
ipAddr, ipErr := netip.ParseAddr(utils.GetHostnameWithoutPortFromURLString(rawValue))
|
||||
|
||||
if ipErr == nil && ipAddr.IsPrivate() {
|
||||
controllers.WriteSimpleResponse(w, false, "Server URL cannot be private")
|
||||
return
|
||||
}
|
||||
|
||||
// Trim any trailing slash
|
||||
serverURL := strings.TrimRight(rawValue, "/")
|
||||
|
||||
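Review bot: The new guard in SetServerURL rejects only IP literals for which `IsPrivate()` is true, meaning the RFC 1918 and RFC 4193 ranges. Loopback, link-local and unspecified addresses still pass, and any hostname skips the check entirely because `netip.ParseAddr` returns an error for it. If the intent is to keep the server URL off internal networks, widen the condition to `if ipErr == nil && (ipAddr.IsPrivate() || ipAddr.IsLoopback() || ipAddr.IsLinkLocalUnicast() || ipAddr.IsUnspecified()) {`. Names that resolve to internal addresses would need a check at resolution time wherever this URL is later dereferenced, which is not visible here. The body of SetServerURL starts and ends outside the hunk, so earlier validation of `rawValue` could not be confirmed.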
|
|
|
@ -379,6 +379,16 @@ func GetHostnameFromURLString(s string) string {
|
|||
return u.Host
|
||||
}
|
||||
|
||||
// GetHostnameWithoutPortFromURLString will return the hostname component without the port from a URL object.
|
||||
func GetHostnameWithoutPortFromURLString(s string) string {
|
||||
u, err := url.Parse(s)
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
|
||||
return u.Hostname()
|
||||
}
|
||||
|
||||
// GetHashtagsFromText returns all the #Hashtags from a string.
|
||||
func GetHashtagsFromText(text string) []string {
|
||||
re := regexp.MustCompile(`#[a-zA-Z0-9_]+`)
|
||||
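Review bot: The doc comment on GetHostnameWithoutPortFromURLString says it works on "a URL object", but the function takes a string and returns "" both when `url.Parse` fails and when the parsed value has no host, for example input without a scheme. The caller in SetServerURL feeds the result straight into `netip.ParseAddr`, so an empty result means the address check is skipped rather than failed. The comment should state that contract: `// GetHostnameWithoutPortFromURLString returns the host of the URL string s without its port, or "" if s cannot be parsed or has no host; callers making a security decision must treat "" as invalid.`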
|
|