Don't allow double dot in proxy url

2022-08-21 20:06:59 -05:00 · 2022-08-21 20:06:59 -05:00 · f3818a8474
parent 010846bfcf
commit f3818a8474
1 changed files with 5 additions and 0 deletions
--- a/proxy.php
+++ b/proxy.php
@ -6,6 +6,11 @@ if (!isset($_GET['url'])) {

 $url = urldecode($_GET['url']);

+if (strpos($url, '/..') !== false) {
+  header('HTTP/1.0 403 Forbidden');
+  die();
+}
+
 if (
  strpos($url, 'http://', 0) !== 0 && 
  strpos($url, 'https://', 0) !== 0 &&