commit: a60dd0d92dae2471025827bc57d3cf3194003110
parent 843fcca5b4d022e4c088d4a60839b4a286500148
Author: Mark Felder <feld@feld.me>
Date: Mon, 29 May 2023 14:16:03 -0400
Validate Host header matches expected value before allowing access to Uploads
Diffstat:
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/lib/pleroma/web/plugs/uploaded_media.ex b/lib/pleroma/web/plugs/uploaded_media.ex
@@ -46,12 +46,21 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
config = Pleroma.Config.get(Pleroma.Upload)
- with uploader <- Keyword.fetch!(config, :uploader),
+ media_host = Pleroma.Upload.base_url() |> URI.parse() |> Map.get(:host)
+
+ with {:valid_host, true} <- {:valid_host, match?(^media_host, conn.host)},
+ uploader <- Keyword.fetch!(config, :uploader),
proxy_remote = Keyword.get(config, :proxy_remote, false),
{:ok, get_method} <- uploader.get_file(file),
false <- media_is_banned(conn, get_method) do
get_media(conn, get_method, proxy_remote, opts)
else
+ {:valid_host, false} ->
+ conn
+
+ send_resp(conn, 400, Plug.Conn.Status.reason_phrase(400))
+ |> halt()
+
_ ->
conn
|> send_resp(:internal_server_error, dgettext("errors", "Failed"))
diff --git a/test/pleroma/web/plugs/uploaded_media_plug_test.exs b/test/pleroma/web/plugs/uploaded_media_plug_test.exs
@@ -40,4 +40,18 @@ defmodule Pleroma.Web.Plugs.UploadedMediaPlugTest do
&(&1 == {"content-disposition", ~s[inline; filename="\\"cofe\\".gif"]})
)
end
+
+ test "denies access to media if wrong Host", %{
+ attachment_url: attachment_url
+ } do
+ conn = get(build_conn(), attachment_url)
+
+ assert conn.status == 200
+
+ clear_config([Pleroma.Upload, :base_url], "http://media.localhost/")
+
+ conn = get(build_conn(), attachment_url)
+
+ assert conn.status == 400
+ end
end