fix pingback's security issue
ref: https://joychou.org/web/typecho-ssrf-analysis-and-exploit.html
+62
-1
@@ -22,7 +22,7 @@ define('__TYPECHO_MB_SUPPORTED__', function_exists('mb_get_info') && function_ex
|
||||
class Typecho_Common
|
||||
{
|
||||
/** 程序版本 */
|
||||
const VERSION = '1.1/17.8.17';
|
||||
const VERSION = '1.1/17.10.13';
|
||||
|
||||
/**
|
||||
* 允许的属性
|
||||
@@ -1105,6 +1105,67 @@ EOF;
|
||||
return array($type, $header, $body);
|
||||
}
|
||||
|
||||
/**
|
||||
* 检查是否是一个安全的主机名
|
||||
*
|
||||
* @param $host
|
||||
* @return bool
|
||||
*/
|
||||
public static function checkSafeHost($host)
|
||||
{
|
||||
if ('localhost' == $host) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$address = gethostbyname($host);
|
||||
$inet = inet_pton($address);
|
||||
|
||||
if ($inet === false) {
|
||||
// 有可能是ipv6的地址
|
||||
$records = dns_get_record($host, DNS_AAAA);
|
||||
|
||||
if (empty($records)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$address = $records[0]['ipv6'];
|
||||
$inet = inet_pton($address);
|
||||
}
|
||||
|
||||
if (strpos($address, '.')) {
|
||||
// ipv4
|
||||
// 非公网地址
|
||||
$privateNetworks = array(
|
||||
'10.0.0.0|10.255.255.255',
|
||||
'172.16.0.0|172.31.255.255',
|
||||
'192.168.0.0|192.168.255.255',
|
||||
'169.254.0.0|169.254.255.255',
|
||||
'127.0.0.0|127.255.255.255'
|
||||
);
|
||||
|
||||
$long = ip2long($address);
|
||||
|
||||
foreach ($privateNetworks as $network) {
|
||||
list ($from, $to) = explode('|', $network);
|
||||
|
||||
if ($long >= ip2long($from) && $long <= ip2long($to)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// ipv6
|
||||
// https://en.wikipedia.org/wiki/Private_network
|
||||
$from = inet_pton('fd00::');
|
||||
$to = inet_pton('fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff');
|
||||
|
||||
if ($inet >= $from && $inet <= $to) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* 获取图片
|
||||
*
|
||||
|
||||
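Review bot: The IPv6 branch of checkSafeHost never rejects the loopback address `::1`, and an IPv4-mapped address such as `::ffff:127.0.0.1` (given literally or returned by the AAAA lookup) contains a dot, so `strpos($address, '.')` routes it to the IPv4 branch where `ip2long()` returns false and no range matches — both paths reach `return true`. The unique-local check also covers only fd00::/8 rather than the whole fc00::/7 block, and only `$records[0]` of the AAAA answer is examined. The rewrite below unwraps mapped addresses into their embedded IPv4 before branching, adds the loopback test and widens the unique-local range; checking every returned record, and the fact that the address validated here is presumably resolved again by whichever caller performs the request (so an answer that changes between the two lookups is not covered), are left as follow-ups. The enclosing class Typecho_Common starts outside this hunk.
```php
public static function checkSafeHost($host)
{
    if (0 === strcasecmp('localhost', $host)) {
        return false;
    }

    // … unchanged: gethostbyname() / AAAA fallback producing $address and $inet …

    // An IPv4-mapped IPv6 address (::ffff:a.b.c.d) must be judged by the embedded IPv4
    // address; left as-is it contains a dot and ip2long() on it returns false.
    if (16 === strlen($inet) && "\0\0\0\0\0\0\0\0\0\0\xff\xff" === substr($inet, 0, 12)) {
        $address = inet_ntop(substr($inet, 12));
        $inet = inet_pton($address);
    }

    if (false !== strpos($address, '.')) {
        // … unchanged: IPv4 private range table and loop …
    } else {
        // ipv6: loopback and the whole unique-local block (fc00::/7) are non-public
        if ($inet === inet_pton('::1')) {
            return false;
        }

        $from = inet_pton('fc00::');
        $to = inet_pton('fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff');

        // … unchanged: range comparison …
    }

    return true;
}
```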