genuineparts/alltube
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Prevent SSRF requests

Browse source 
By validating the provided URL before passing it to youtube-dl
This commit is contained in:
Pierre Rudloff 2022-02-27 10:54:56 +01:00
parent 2afbfb4bf2
commit 3a4f09dda0
7 changed files with 814 additions and 161 deletions
Download patch file Download diff file Expand all files Collapse all files

22
classes/Controller/FrontController.php
View file

@ -12,6 +12,7 @@ use Alltube\Library\Exception\WrongPasswordException;
use Alltube\Locale;
use Alltube\Middleware\CspMiddleware;
use Exception;
use Graby\HttpClient\Plugin\ServerSideRequestForgeryProtection\Exception\InvalidURLException;
use Slim\Http\StatusCode;
use Symfony\Component\ErrorHandler\ErrorRenderer\HtmlErrorRenderer;
use Throwable;
@ -198,24 +199,21 @@ class FrontController extends BaseController
*
* @return Response HTTP response
* @throws AlltubeLibraryException
* @throws InvalidURLException
*/
public function info(Request $request, Response $response): Response
{
$url = $request->getQueryParam('url') ?: $request->getQueryParam('v');
$url = $this->getVideoPageUrl($request);
if (isset($url) && !empty($url)) {
$this->video = $this->downloader->getVideo($url, $this->getFormat($request), $this->getPassword($request));
$this->video = $this->downloader->getVideo($url, $this->getFormat($request), $this->getPassword($request));
if ($this->config->convert && $request->getQueryParam('audio')) {
// We skip the info page and get directly to the download.
return $response->withRedirect(
$this->router->pathFor('download', [], $request->getQueryParams())
);
} else {
return $this->getInfoResponse($request, $response);
}
if ($this->config->convert && $request->getQueryParam('audio')) {
// We skip the info page and get directly to the download.
return $response->withRedirect(
$this->router->pathFor('download', [], $request->getQueryParams())
);
} else {
return $response->withRedirect($this->router->pathFor('index'));
return $this->getInfoResponse($request, $response);
}
}