From: Eric Wong <e@80x24.org>
To: meta@public-inbox.org
Cc: Leah Neukirchen <leah@vuxu.org>
Subject: [PATCH v2] wwwattach: prevent deep-linking via Referer match
Date: Mon, 23 Nov 2020 14:15:35 +0000 [thread overview]
Message-ID: <20201123141535.GA15950@dcvr> (raw)
In-Reply-To: <20201108074917.GA29704@dcvr>
This prevents `<img src=' tags from being used to deep-link
image attachments from HTML outside of the current host and
reduces potential for abuse.
Some browsers (e.g. Firefox) favor content detection and will
display images irrespective of the Content-Type header being
"application/octet-stream", and "Content-Disposition: attachment"
doesn't stop them, either.
Tested with dillo and Firefox.
Reported-by: Leah Neukirchen <leah@vuxu.org>
---
Deployed on public-inbox.org (http://ou63pmih66umazou.onion/)
but not others.
lib/PublicInbox/WwwAttach.pm | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/lib/PublicInbox/WwwAttach.pm b/lib/PublicInbox/WwwAttach.pm
index 0b2cda90..09c66d02 100644
--- a/lib/PublicInbox/WwwAttach.pm
+++ b/lib/PublicInbox/WwwAttach.pm
@@ -9,6 +9,22 @@ use bytes (); # only for bytes::length
use PublicInbox::EmlContentFoo qw(parse_content_type);
use PublicInbox::Eml;
+sub referer_match ($) {
+ my ($ctx) = @_;
+ my $env = $ctx->{env};
+ my $referer = $env->{HTTP_REFERER} // '';
+ return 1 if $referer eq ''; # no referer is always OK for wget/curl
+
+ # prevent deep-linking from other domains on some browsers (Firefox)
+ # n.b.: $ctx->{-inbox}->base_url($env) with INBOX_URL won't work
+ # with dillo, we can only match "$url_scheme://$HTTP_HOST/" without
+ # path components
+ my $base_url = $env->{'psgi.url_scheme'} . '://' .
+ ($env->{HTTP_HOST} //
+ "$env->{SERVER_NAME}:$env->{SERVER_PORT}") . '/';
+ index($referer, $base_url) == 0;
+}
+
sub get_attach_i { # ->each_part callback
my ($part, $depth, $idx) = @{$_[0]};
my $ctx = $_[1];
@@ -28,8 +44,14 @@ sub get_attach_i { # ->each_part callback
$ctx->{env});
$part = $ctx->zflush($part->body);
} else { # TODO: allow user to configure safe types
- $res->[1]->[1] = 'application/octet-stream';
- $part = $part->body;
+ if (referer_match($ctx)) {
+ $res->[1]->[1] = 'application/octet-stream';
+ $part = $part->body;
+ } else {
+ $res->[0] = 403;
+ $res->[1]->[1] = 'text/plain';
+ $part = "Deep-linking prevented\n";
+ }
}
push @{$res->[1]}, 'Content-Length', bytes::length($part);
$res->[2]->[0] = $part;
prev parent reply other threads:[~2020-11-23 14:15 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-07 19:10 MIME types for image attachments Leah Neukirchen
2020-11-07 20:39 ` Eric Wong
2020-11-08 0:05 ` Leah Neukirchen
2020-11-08 7:49 ` [PATCH] wwwattach: set "Content-Disposition: attachment" Eric Wong
2020-11-23 14:15 ` Eric Wong [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://public-inbox.org/README
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201123141535.GA15950@dcvr \
--to=e@80x24.org \
--cc=leah@vuxu.org \
--cc=meta@public-inbox.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).