pqina/filepond-boilerplate-php

Problem with fetch api

nomadinteractif opened this issue · 2 comments

Hello and thank you for sharing this great tool!

My client just had an audit on the server and one of the features is opening a lot of secure data on the server.
Type in your browser something like
your-api-endpoint/?fetch=file:///etc/passwd

And then you can see it all.

At first I thought of disabling the «fetch» feature since I was not aware of what it was used for... but then I read a bit and liked it right away! So I pushed a little more to see where the problem was, and from what I saw it's related to

// FilePond.class.php (#100)
// Accepts any syntactically valid URL, whatever its scheme (file://, php://, ...)
function is_url($str) {
    return filter_var($str, FILTER_VALIDATE_URL);
}

This looks a little too permissive since it allows plenty of schemes like «file://».

I have just restricted the function by allowing only a few schemes.

// FilePond.class.php (#100)
function is_url($str) {
    // Still require a syntactically valid URL...
    if (!filter_var($str, FILTER_VALIDATE_URL)) {
        return false;
    }
    // ...but only accept an allow-listed scheme, so file:// and friends are rejected
    return in_array(parse_url($str, PHP_URL_SCHEME), ['http', 'https', 'ftp']);
}

Cheers and keep up the good work
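As an added example (not FilePond's code and not from this issue), here is a stricter validator for the ?fetch= value that goes beyond the scheme allow-list above: it also refuses loopback, link-local and RFC 1918 targets after resolving the host, which is the usual next step against SSRF on a URL-fetching endpoint. It restricts to http and https by assumption, and the function, constant and resolver names are hypothetical.

```php
<?php
// Added example (not FilePond's own code): a stricter check for the ?fetch=
// value than a scheme allow-list alone. All names here are hypothetical.
const FETCH_SCHEMES = ['http', 'https'];
// $resolve injects DNS resolution (default gethostbynamel) so the check can run
// offline and so blocked ranges are tested on what the name actually resolves to.
function is_safe_fetch_url(string $str, ?callable $resolve = null): bool {
    $resolve = $resolve ?? fn(string $h) => gethostbynamel($h) ?: [];
    // filter_var only checks syntax: it accepts file://, php://, gopher:// too.
    if (filter_var($str, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $p = parse_url($str);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), FETCH_SCHEMES, true)) {
        return false;                 // rejects file:///etc/passwd, php://...
    }
    $host = trim($p['host'], '[]');   // strip IPv6 literal brackets
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        // Refuse loopback, link-local (169.254.x.x metadata) and RFC 1918 targets.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}
// Constructed resolver and inputs for an offline demonstration.
$fakeDns = fn(string $h) => ['cdn.example' => ['203.0.113.10'],
                             'intranet.example' => ['10.0.0.5']][$h] ?? [];
$cases = [
    'file:///etc/passwd'             => false,
    'http://127.0.0.1:8080/'         => false,
    'http://169.254.169.254/latest/' => false,
    'http://intranet.example/'       => false,
    'https://cdn.example/file.png'   => true,
];
foreach ($cases as $url => $expected) {
    if (is_safe_fetch_url($url, $fakeDns) !== $expected) {
        throw new RuntimeException("unexpected verdict for $url");
    }
}
// Also pin what curl may follow on redirect: curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
```

The validator runs before the download; the downloader must still re-apply the same limits on redirects, otherwise a permitted http URL can bounce the server to a forbidden target.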

Thanks for reporting! I'm fixing it now.

Fixed 👍