unofficial mirror of meta@public-inbox.org
 help / color / mirror / Atom feed
From: Eric Wong <e@80x24.org>
To: meta@public-inbox.org
Cc: Leah Neukirchen <leah@vuxu.org>
Subject: [PATCH v2] wwwattach: prevent deep-linking via Referer match
Date: Mon, 23 Nov 2020 14:15:35 +0000	[thread overview]
Message-ID: <20201123141535.GA15950@dcvr> (raw)
In-Reply-To: <20201108074917.GA29704@dcvr>

This prevents `<img src=' tags from being used to deep-link
image attachments from HTML outside of the current host and
reduces potential for abuse.

Some browsers (e.g. Firefox) favor content detection and will
display images irrespective of the Content-Type header being
"application/octet-stream", and "Content-Disposition: attachment"
doesn't stop them, either.

Tested with dillo and Firefox.

Reported-by: Leah Neukirchen <leah@vuxu.org>
---
  Deployed on public-inbox.org (http://ou63pmih66umazou.onion/)
  but not others.

 lib/PublicInbox/WwwAttach.pm | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/lib/PublicInbox/WwwAttach.pm b/lib/PublicInbox/WwwAttach.pm
index 0b2cda90..09c66d02 100644
--- a/lib/PublicInbox/WwwAttach.pm
+++ b/lib/PublicInbox/WwwAttach.pm
@@ -9,6 +9,22 @@ use bytes (); # only for bytes::length
 use PublicInbox::EmlContentFoo qw(parse_content_type);
 use PublicInbox::Eml;
 
+sub referer_match ($) {
+	my ($ctx) = @_;
+	my $env = $ctx->{env};
+	my $referer = $env->{HTTP_REFERER} // '';
+	return 1 if $referer eq ''; # no referer is always OK for wget/curl
+
+	# prevent deep-linking from other domains on some browsers (Firefox)
+	# n.b.: $ctx->{-inbox}->base_url($env) with INBOX_URL won't work
+	# with dillo, we can only match "$url_scheme://$HTTP_HOST/" without
+	# path components
+	my $base_url = $env->{'psgi.url_scheme'} . '://' .
+			($env->{HTTP_HOST} //
+			 "$env->{SERVER_NAME}:$env->{SERVER_PORT}") . '/';
+	index($referer, $base_url) == 0;
+}
+
 sub get_attach_i { # ->each_part callback
 	my ($part, $depth, $idx) = @{$_[0]};
 	my $ctx = $_[1];
@@ -28,8 +44,14 @@ sub get_attach_i { # ->each_part callback
 								$ctx->{env});
 		$part = $ctx->zflush($part->body);
 	} else { # TODO: allow user to configure safe types
-		$res->[1]->[1] = 'application/octet-stream';
-		$part = $part->body;
+		if (referer_match($ctx)) {
+			$res->[1]->[1] = 'application/octet-stream';
+			$part = $part->body;
+		} else {
+			$res->[0] = 403;
+			$res->[1]->[1] = 'text/plain';
+			$part = "Deep-linking prevented\n";
+		}
 	}
 	push @{$res->[1]}, 'Content-Length', bytes::length($part);
 	$res->[2]->[0] = $part;

      reply	other threads:[~2020-11-23 14:15 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-07 19:10 MIME types for image attachments Leah Neukirchen
2020-11-07 20:39 ` Eric Wong
2020-11-08  0:05   ` Leah Neukirchen
2020-11-08  7:49     ` [PATCH] wwwattach: set "Content-Disposition: attachment" Eric Wong
2020-11-23 14:15       ` Eric Wong [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://public-inbox.org/README

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201123141535.GA15950@dcvr \
    --to=e@80x24.org \
    --cc=leah@vuxu.org \
    --cc=meta@public-inbox.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).