fixed id param sneaking into urls

6e3c27b0 · Dominik Hebeler · 4ea33821 · 6e3c27b0 · 6e3c27b0 · 6e3c27b0
Commit 6e3c27b0 authored 4 years ago by Dominik Hebeler
--- a/app/Document.php
+++ b/app/Document.php
@@ -7,7 +7,6 @@ use URL;

 abstract class Document
 {
-
    protected $password;
    protected $baseUrl;

@@ -33,10 +32,10 @@ abstract class Document
        $urlToProxy = base64_encode(str_rot13($url));
        $urlToProxy = str_replace("/", "<<SLASH>>", $urlToProxy);
        $urlToProxy = urlencode($urlToProxy);
-
+        
        if ($topLevel) {
            $params = \Request::all();
-
+            
            # Password
            $pw         = md5(env('PROXY_PASSWORD') . $url);
            $urlToProxy = base64_encode(str_rot13($url));
@@ -51,9 +50,9 @@ abstract class Document
            $params             = \Request::all();
            $params['password'] = $this->password;
            $params['url']      = $urlToProxy;
+            $params["id"]       = \Request::route("id");

            $iframeUrl = action('ProxyController@proxy', $params);
-
        }

        return $iframeUrl;
@@ -124,7 +123,8 @@ abstract class Document
        }
        /* replace '//' or '/./' or '/foo/../' with '/' */
        $re = array('#(/\.?/)#', '#/(?!\.\.)[^/]+/\.\./#');
-        for ($n = 1; $n > 0; $abs = preg_replace($re, '/', $abs, -1, $n)) {}
+        for ($n = 1; $n > 0; $abs = preg_replace($re, '/', $abs, -1, $n)) {
+        }

        /* absolute URL is ready! */
        return ($scheme . '://' . $abs);

--- a/app/Http/Controllers/ProxyController.php
+++ b/app/Http/Controllers/ProxyController.php
@@ -126,12 +126,13 @@ class ProxyController extends Controller
            ->with('targetUrl', $targetUrl);
    }

-    public function proxy(Request $request, $password, $url)
+    public function proxy(Request $request, $password, $id, $url)
    {
        $supportedContentTypes = [
            'text/html',
        ];

+        
        $targetUrl = str_replace("<<SLASH>>", "/", $url);
        $targetUrl = str_rot13(base64_decode($targetUrl));

@@ -144,8 +145,8 @@ class ProxyController extends Controller
        if (!Cache::has($hash) || env("CACHE_ENABLED") === false) {
            // Inits the Curl connection for being able to preload multiple URLs while using a keep-alive connection
            $this->initCurl();
-            
-            $key = $request->input('id', '');
+
+            $key = $request->route('id', '');
            if (!preg_match("/^[a-f0-9]{32}$/", $key)) {
                abort(404);
            }
@@ -442,14 +443,14 @@ class ProxyController extends Controller
            # Params
            $params['password'] = $pw;
            $params['url'] = $urlToProxy;
-
+            
            $iframeUrl = action('ProxyController@proxyPage', $params);
        } else {
            $params = \Request::all();
            $params['password'] = $password;
            $params['url'] = $urlToProxy;
            $params["id"] = $key;
-
+            
            $iframeUrl = action('ProxyController@proxy', $params);
        }


--- a/app/Http/Middleware/Browserverification.php
+++ b/app/Http/Middleware/Browserverification.php
@@ -18,13 +18,13 @@ class Browserverification
    {
        $redis = Redis::connection("central");

-        $key = $request->input('id');
+        $key = $request->route('id');
        if (!preg_match("/^[a-f0-9]{32}$/", $key)) {
            abort(404);
        }

        $answer = $redis->brpoplpush($key, $key, 3);
-
+        
        if ($answer === null) {
            abort(404);
        }

--- a/routes/web.php
+++ b/routes/web.php
@@ -45,4 +45,4 @@ Route::post('/', function (Request $request) {

 Route::get('{password}/{url}', 'ProxyController@proxyPage')->middleware('throttle:60:1')->middleware('checkpw');

-Route::get('proxy/{password}/{url}', 'ProxyController@proxy')->middleware('browserverification')->middleware('checkpw:true');
+Route::get('proxy/{password}/{id}/{url}', 'ProxyController@proxy')->middleware('browserverification')->middleware('checkpw:true');