Validate Host header matches expected value before allowing access to Uploads

author: Mark Felder <feld@feld.me> 2023-05-29 14:16:03 -0400
committer: Mark Felder <feld@feld.me> 2023-05-29 14:16:03 -0400
commit: a60dd0d92dae2471025827bc57d3cf3194003110 (patch)
tree: e6987e6465a9aa9f61d2d57ed2cbf92578f54e14 /lib
parent: 843fcca5b4d022e4c088d4a60839b4a286500148 (diff)
download: pleroma-a60dd0d92dae2471025827bc57d3cf3194003110.tar.gz
pleroma-a60dd0d92dae2471025827bc57d3cf3194003110.zip
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/pleroma/web/plugs/uploaded_media.ex b/lib/pleroma/web/plugs/uploaded_media.ex
index 8b3bc9acb..49db9808f 100644
--- a/lib/pleroma/web/plugs/uploaded_media.ex
+++ b/lib/pleroma/web/plugs/uploaded_media.ex
@@ -46,12 +46,21 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
 
     config = Pleroma.Config.get(Pleroma.Upload)
 
-    with uploader <- Keyword.fetch!(config, :uploader),
+    media_host = Pleroma.Upload.base_url() |> URI.parse() |> Map.get(:host)
+
+    with {:valid_host, true} <- {:valid_host, match?(^media_host, conn.host)},
+         uploader <- Keyword.fetch!(config, :uploader),
          proxy_remote = Keyword.get(config, :proxy_remote, false),
          {:ok, get_method} <- uploader.get_file(file),
          false <- media_is_banned(conn, get_method) do
       get_media(conn, get_method, proxy_remote, opts)
     else
+      {:valid_host, false} ->
+        conn
+
+        send_resp(conn, 400, Plug.Conn.Status.reason_phrase(400))
+        |> halt()
+
       _ ->
         conn
         |> send_resp(:internal_server_error, dgettext("errors", "Failed"))
author	Mark Felder <feld@feld.me>	2023-05-29 14:16:03 -0400
committer	Mark Felder <feld@feld.me>	2023-05-29 14:16:03 -0400
commit	a60dd0d92dae2471025827bc57d3cf3194003110 (patch)
tree	e6987e6465a9aa9f61d2d57ed2cbf92578f54e14 /lib
parent	843fcca5b4d022e4c088d4a60839b4a286500148 (diff)
download	pleroma-a60dd0d92dae2471025827bc57d3cf3194003110.tar.gz pleroma-a60dd0d92dae2471025827bc57d3cf3194003110.zip