Validate Host header matches expected value before allowing access to Uploads

This commit is contained in:
Mark Felder 2023-05-29 14:16:03 -04:00
parent 843fcca5b4
commit a60dd0d92d
2 changed files with 24 additions and 1 deletions

View File

@ -46,12 +46,21 @@ def call(%{request_path: <<"/", @path, "/", file::binary>>} = conn, opts) do
config = Pleroma.Config.get(Pleroma.Upload)
with uploader <- Keyword.fetch!(config, :uploader),
media_host = Pleroma.Upload.base_url() |> URI.parse() |> Map.get(:host)
with {:valid_host, true} <- {:valid_host, match?(^media_host, conn.host)},
uploader <- Keyword.fetch!(config, :uploader),
proxy_remote = Keyword.get(config, :proxy_remote, false),
{:ok, get_method} <- uploader.get_file(file),
false <- media_is_banned(conn, get_method) do
get_media(conn, get_method, proxy_remote, opts)
else
{:valid_host, false} ->
conn
send_resp(conn, 400, Plug.Conn.Status.reason_phrase(400))
|> halt()
_ ->
conn
|> send_resp(:internal_server_error, dgettext("errors", "Failed"))

View File

@ -40,4 +40,18 @@ test "sends Content-Disposition header when name param is set", %{
&(&1 == {"content-disposition", ~s[inline; filename="\\"cofe\\".gif"]})
)
end
test "denies access to media if wrong Host", %{
attachment_url: attachment_url
} do
conn = get(build_conn(), attachment_url)
assert conn.status == 200
clear_config([Pleroma.Upload, :base_url], "http://media.localhost/")
conn = get(build_conn(), attachment_url)
assert conn.status == 400
end
end