added check for private ip range

HaschekSolutions · Nov 2, 2023 · d349ee8 · d349ee8
1 parent 5c3ee9e
commit d349ee8
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/api/geturl.php b/api/geturl.php
@@ -30,6 +30,9 @@
 
 $url = trim($_REQUEST['url']);
 
+if(checkURLForPrivateIPRange($url))
+    exit(json_encode(array('status'=>'err','reason'=>'Private IP range')));
+
 if(!$url || !startsWith($url, 'http'))
     exit(json_encode(array('status'=>'err','reason'=>'Invalid URL')));
 

diff --git a/inc/core.php b/inc/core.php
@@ -928,3 +928,40 @@ function executeUploadPermission()
         }
     }
 }
+
+/**
+ * Checks if a URL is valid
+ * @param string $url
+ * @return boolean (true if valid, false if not)
+ */
+function checkURLForPrivateIPRange($url)
+{
+    $host = getHost($url);
+    $ip = gethostbyname($host);
+    if(is_public_ipv4($ip) || is_public_ipv6($ip)) return false;
+    return true;
+}
+
+function getHost($url){ 
+    $URIs = parse_url(trim($url)); 
+    $host = !empty($URIs['host'])? $URIs['host'] : explode('/', $URIs['path'])[0];
+    return $host;  
+} 
+
+function is_public_ipv4($ip=NULL)
+{
+    return filter_var(
+        $ip,
+        FILTER_VALIDATE_IP,
+        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
+    ) === $ip ? TRUE : FALSE;
+}
+
+function is_public_ipv6($ip=NULL)
+{
+    return filter_var(
+        $ip,
+        FILTER_VALIDATE_IP,
+        FILTER_FLAG_IPV6 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
+    ) === $ip ? TRUE : FALSE;
+}