* Add SSRF mitigations using `filter_var` and `CURLOPT_RESOLVE`
The idea is to prevent FreshRSS from sending any HTTP requests to internal services, except for the ones that are explicitly allowed in the config.
Based on 6e82b46a48/lib/filelib.php (L3818) and https://github.com/symfony/symfony/blob/8.1/src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.phphttps://github.com/FreshRSS/simplepie/pull/76https://github.com/FreshRSS/simplepie/pull/78
* Add allowlist setting in Web UI
* make readme
* Update app/i18n/fr/admin.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* make readme again
* make readme
* Further work
Still WIP and needs testing etc.
* Readd previous if check for domain combination allowlist
* Turn POST to GET after redirect
* Improve
* Update config.default.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* make readme
* Skip SSRF check if `CURLOPT_PROXY` is set
* make readme
* Fix `!empty()` mistake
* Respect max redirects feed option when fetching with `httpGet()`
* Respect max redirects during SimplePie fetching + fix bypass
bypass fix: `CURLOPT_FOLLOWLOCATION` was moved below so that emulated redirects are enforced.
* Avoid FreshRSS and Minz code in SimplePie
https://github.com/FreshRSS/FreshRSS/pull/8400#discussion_r2935375980
* Corrected hook code
* phpdoc wrong return type
* Add CIDR support in allowlist
* Implement simple DNS caching
* Suppress `dns_get_record()` warnings
* A bit of proof-reading
* Minor typo
* Fix proxy logic
* Fix HTTP POST redirect logic
* Proofread checkCIDR
Add fixes for several situations
* Remove credentials from URL in logs
* Ensure `CURLOPT_FOLLOWLOCATION` is `false` by setting it at the end
* Fix codesniffer long line
* Fix potential bypass due to wrong return value
If there were no records returned by `dns_get_record()`, no overrides to `CURLOPT_RESOLVE` would get passed,
and a potential bypass could occur, when cURL would try to resolve the domain by itself.
* Put the URL at the end in logs
* Add documentation and environment variable support
* make readme
* Fix wrong behavior in case of IP
* Fix duplicate selector in CSS
* Minor type check change
* i18n fr, en
* Minor type check change
* Fix whitespace i18n fr
* make fix-all
* Fix `$ips_ok` not being returned after domain records were cached
* make readme
* PHPStan fix
* make readme
* Minor syntax in SimplePie
* Only return `null` if no allowed IPs were found
* Add wildcard *, help message
* Consistent docs with help message
* i18n: pl
* SimplePie compatibility PHP 7.2
* make fix-all
* Sync SimplePie
* https://github.com/FreshRSS/simplepie/pull/76
* 💥 Breaking change in the Changelog
* Document `INTERNAL_HOST_ALLOWLIST` in Docker docs
* Remove `Cookie` and `Authorization` headers in `httpGet()` during cross-origin redirect
* Minor whitespace
And same comment convention than below
* Remove authentication headers and change POST to GET on redirect in SimplePie
* Remove .local in Docker example
* Fill in default ports when comparing URL origins
* Remove .local from other places than the Docker example
* Rewrite WebSub subscribe to use `httpGet()`
* make fix-all
* Also unset `CURLOPT_USERPWD` during redirects
* phpcs fix
* Always unset `CURLOPT_FOLLOWLOCATION`
* Bump SimplePie
https://github.com/FreshRSS/simplepie/pull/78
* Update logic for CURLOPT_FOLLOWLOCATION
* Fix PHPStan
* Changelog fix security section
* Update most common RSS Bridge case
https://hub.docker.com/r/rssbridge/rss-bridge
* Replace misleading 127.0.0.1:8080 example for Docker
This does not make sense for a Docker container
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Add closed msg field
i18n
fix
* Display based on registration type
* Save as FreshRSS_Context::systemConf()->closed_registration_message instead
* Improve messages
* Revert unrelated changes
* make fix-all
* Minor whitespace
* Simplify logic
* Fix invalid use of empty() and sympler syntax
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
The compatibility does support only a minimum version of FreshRSS. If we need
something a bit more clever in the future, it is possible to handle a rule
with a bit more complexity.
See https://github.com/FreshRSS/FreshRSS/issues/5903
* Update app/Controllers/extensionController.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Update app/i18n/pl/admin.php
Co-authored-by: Inverle <inverle@proton.me>
* Minor move phpstan-type
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Co-authored-by: Inverle <inverle@proton.me>
* Add Persian (fa) translations for FreshRSS
* Fix Persian translation and syntax issues
* Apply fix-all for Persian translation2
* Fix syntax errors and update Persian translations
* Mark untranslated strings as IGNORE and fix remaining TODOs
* make fix-all
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* New stats box layout
* repartition: table overview improved with links and icons
* Show selected feed name in title
* i18n string: overview
* fix
* fix
* fix
* delete unused stat in frss
* Update app/i18n/fr/admin.php
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Add privacy settings on extension list retrieval
There is a new privacy page to handle all configuration related to privacy. At
the moment, only privacy related to extensions can be configured.
The new settings allow to change the location of the extension list file and to
choose if the selected file is cached for a day or retrieved for each request.
Fix#4570
* Update code to pass PHPStan
* make fix-all
---------
Co-authored-by: maTh <math-home@web.de>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* New feature: shareable user query
Share the output of a user query by RSS / HTML / OPML with other people through unique URLs.
Replaces the global admin token, which was the only option (but unsafe) to share RSS outputs with other people.
Also add a new HTML output for people without an RSS reader.
fix https://github.com/FreshRSS/FreshRSS/issues/3066#issuecomment-648977890
fix https://github.com/FreshRSS/FreshRSS/issues/3178#issuecomment-769435504
* Remove unused method
* Fix token saving
* Implement HTML view
* Update i18n for master token
* Revert i18n get_favorite
* Fix missing i18n for user queries from before this PR
* Remove irrelevant tests
* Add link to RSS version
* Fix getGet
* Fix getState
* Fix getSearch
* Alternative getSearch
* Default getOrder
* Explicit default state
* Fix test
* Add OPML sharing
* Remove many redundant SQL queries from original implementation of user queries
* Fix article tags
* Use default user settings
* Prepare public search
* Fixes
* Allow user search on article tags
* Implement user search
* Revert filter bug
* Revert wrong SQL left outer join change
* Implement checkboxes
* Safe check of OPML
* Fix label
* Remove RSS button to favour new sharing method
That sharing button was using a global admin token
* First version of HTTP 304
* Disallow some recusrivity
fix https://github.com/FreshRSS/FreshRSS/issues/6086
* Draft of nav
* Minor httpConditional
* Add support for offset for pagination
* Fix offset pagination
* Fix explicit order ASC
* Add documentation
* Help links i18n
* Note about deprecated master token
* Typo
* Doc about format
* More WebSub doc
* UI for WebSub + more documentation
And spellcheck Frech
* Links to WebSub doc from readme
* Add link to WebSub doc in admin interface
* Fix checkbox
* Plural
* Add Persian/فارسی Language
* Fix i18n
* make fix-all
And several manual fixes
* Exclude Persian from English typo check
* Update CREDITS.md
I added myself to the list
* Credits alphabetic order
---------
Co-authored-by: AmirHossein <marjani@outlook.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>