Block Private URLs at serverurl
API endpoint (#3295)
* Block Private URLs at `serverurl` API endpoint * Block Private URLs at `serverurl` with `net/netip`
parent
50c4c1a5c7
commit
062de79920
2 changed files with 19 additions and 0 deletions
|
@ -5,6 +5,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"net/netip"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"reflect"
|
"reflect"
|
||||||
|
@ -406,6 +407,14 @@ func SetServerURL(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Block Private IP URLs
|
||||||
|
ipAddr, ipErr := netip.ParseAddr(utils.GetHostnameWithoutPortFromURLString(rawValue))
|
||||||
|
|
||||||
|
if ipErr == nil && ipAddr.IsPrivate() {
|
||||||
|
controllers.WriteSimpleResponse(w, false, "Server URL cannot be private")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// Trim any trailing slash
|
// Trim any trailing slash
|
||||||
serverURL := strings.TrimRight(rawValue, "/")
|
serverURL := strings.TrimRight(rawValue, "/")
|
||||||
|
|
||||||
|
|
|
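Review bot: The new guard in SetServerURL only rejects IP literals for which `IsPrivate()` is true, and that method covers the RFC 1918 and RFC 4193 ranges only. Loopback, link-local and unspecified addresses still pass, so the condition should be widened to `if ipErr == nil && (ipAddr.IsPrivate() || ipAddr.IsLoopback() || ipAddr.IsLinkLocalUnicast() || ipAddr.IsUnspecified()) {`. Any host that is a name rather than an IP literal makes `netip.ParseAddr` fail and skips the check entirely, so a name that resolves to an internal address is also accepted. Whether that matters depends on how the stored URL is used later, which is not visible here. SetServerURL starts and ends outside this hunk, so earlier validation of `rawValue` may already narrow the input.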
@ -379,6 +379,16 @@ func GetHostnameFromURLString(s string) string {
|
||||||
return u.Host
|
return u.Host
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetHostnameWithoutPortFromURLString will return the hostname component without the port from a URL object.
|
||||||
|
func GetHostnameWithoutPortFromURLString(s string) string {
|
||||||
|
u, err := url.Parse(s)
|
||||||
|
if err != nil {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
return u.Hostname()
|
||||||
|
}
|
||||||
|
|
||||||
// GetHashtagsFromText returns all the #Hashtags from a string.
|
// GetHashtagsFromText returns all the #Hashtags from a string.
|
||||||
func GetHashtagsFromText(text string) []string {
|
func GetHashtagsFromText(text string) []string {
|
||||||
re := regexp.MustCompile(`#[a-zA-Z0-9_]+`)
|
re := regexp.MustCompile(`#[a-zA-Z0-9_]+`)
|
||||||
|
|
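Review bot: The doc comment on GetHostnameWithoutPortFromURLString says it works on "a URL object", but the function takes a string and returns `""` when `url.Parse` fails. A string with no scheme probably also yields an empty host. The caller in SetServerURL treats that empty result as "not an IP" and skips the private-address check, so the contract should be stated explicitly: `// GetHostnameWithoutPortFromURLString returns the host of the URL string s without its port or IPv6 brackets, or "" if s cannot be parsed or has no host.` The commit changes only two files and adds no test. A small table-driven test covering a host with a port, a bracketed IPv6 literal and an unparsable string would pin this behaviour.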