Commit Graph

15 Commits

Author SHA1 Message Date
Inverle
dcec27c69d Add SSRF mitigations using filter_var and CURLOPT_RESOLVE (#8400)
* Add SSRF mitigations using `filter_var` and `CURLOPT_RESOLVE`
The idea is to prevent FreshRSS from sending any HTTP requests to internal services, except for the ones that are explicitly allowed in the config.

Based on 6e82b46a48/lib/filelib.php (L3818) and https://github.com/symfony/symfony/blob/8.1/src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php

https://github.com/FreshRSS/simplepie/pull/76
https://github.com/FreshRSS/simplepie/pull/78

* Add allowlist setting in Web UI

* make readme

* Update app/i18n/fr/admin.php

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

* make readme again

* make readme

* Further work

Still WIP and needs testing etc.

* Readd previous if check for domain combination allowlist

* Turn POST to GET after redirect

* Improve

* Update config.default.php

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

* make readme

* Skip SSRF check if `CURLOPT_PROXY` is set

* make readme

* Fix `!empty()` mistake

* Respect max redirects feed option when fetching with `httpGet()`

* Respect max redirects during SimplePie fetching + fix bypass

bypass fix: `CURLOPT_FOLLOWLOCATION` was moved below so that emulated redirects are enforced.

* Avoid FreshRSS and Minz code in SimplePie
https://github.com/FreshRSS/FreshRSS/pull/8400#discussion_r2935375980

* Corrected hook code

* phpdoc wrong return type

* Add CIDR support in allowlist

* Implement simple DNS caching

* Suppress `dns_get_record()` warnings

* A bit of proof-reading

* Minor typo

* Fix proxy logic

* Fix HTTP POST redirect logic

* Proofread checkCIDR
Add fixes for several situations

* Remove credentials from URL in logs

* Ensure `CURLOPT_FOLLOWLOCATION` is `false` by setting it at the end

* Fix codesniffer long line

* Fix potential bypass due to wrong return value

If there were no records returned by `dns_get_record()`, no overrides to `CURLOPT_RESOLVE` would get passed,
and a potential bypass could occur, when cURL would try to resolve the domain by itself.

* Put the URL at the end in logs

* Add documentation and environment variable support

* make readme

* Fix wrong behavior in case of IP

* Fix duplicate selector in CSS

* Minor type check change

* i18n fr, en

* Minor type check change

* Fix whitespace i18n fr

* make fix-all

* Fix `$ips_ok` not being returned after domain records were cached

* make readme

* PHPStan fix

* make readme

* Minor syntax in SimplePie

* Only return `null` if no allowed IPs were found

* Add wildcard *, help message

* Consistent docs with help message

* i18n: pl

* SimplePie compatibility PHP 7.2

* make fix-all

* Sync SimplePie
* https://github.com/FreshRSS/simplepie/pull/76

* 💥 Breaking change in the Changelog

* Document `INTERNAL_HOST_ALLOWLIST` in Docker docs

* Remove `Cookie` and `Authorization` headers in `httpGet()` during cross-origin redirect

* Minor whitespace
And same comment convention than below

* Remove authentication headers and change POST to GET on redirect in SimplePie

* Remove .local in Docker example

* Fill in default ports when comparing URL origins

* Remove .local from other places than the Docker example

* Rewrite WebSub subscribe to use `httpGet()`

* make fix-all

* Also unset `CURLOPT_USERPWD` during redirects

* phpcs fix

* Always unset `CURLOPT_FOLLOWLOCATION`

* Bump SimplePie
https://github.com/FreshRSS/simplepie/pull/78

* Update logic for CURLOPT_FOLLOWLOCATION

* Fix PHPStan

* Changelog fix security section

* Update most common RSS Bridge case
https://hub.docker.com/r/rssbridge/rss-bridge

* Replace misleading 127.0.0.1:8080 example for Docker
This does not make sense for a Docker container

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-06-28 18:51:04 +02:00
polybjorn
b08c4ef243 docs: standardise English heading style and surface hidden pages (#8766)
Apply sentence case to all H1s in docs/en/ and remove redundant "FreshRSS"
from titles where the docs site context already implies it. Align the three
section index titles to "Administrator/Developer/User manual", matching
the existing root H1 "FreshRSS manual (English)".

Add missing H1s to two pages that were silently dropped from the sidebar:
the user FAQ and the Caddy reverse proxy page. The sidebar template uses
page.title (derived from H1 by jekyll-titles-from-headings), so pages
without an H1 had title=nil and were skipped.

Update sidebar parent labels in docs_nav.html and the chapter list in
en/index.md to use the new "* manual" naming. Update link text in section
indexes that referenced the old H1s. Bundle two grammar fixes encountered
along the way: "an User Interface" -> "a user interface", and drop the
awkward "the" in "Configuring the email address validation".

EN only. No filenames, URLs, or anchor targets changed (anchors come from
H2 and below, which are untouched). FR is generated from EN via po4a and
will be regenerated separately.

Co-authored-by: Bjørn A. Andersen <polybjorn@users.noreply.github.com>
2026-05-02 22:23:35 +02:00
Inverle
63c8fe1285 docs: Fix broken or dead links (#8548)
* docs: Fix broken or dead links
Used the following commands to find broken links:
1. `lychee -E --dump https://freshrss.github.io/FreshRSS/en/ --include freshrss.github.io --output links.txt`
2. `lychee -v --suggest --archive wayback --timeout 5 -u "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0" --files-from links.txt --output output.txt`
3. `cat output.txt`

Then did the same for https://freshrss.github.io/FreshRSS/fr/

We could look into using lychee in CI:
https://github.com/lycheeverse/lychee?tab=readme-ov-file#github-action-usage

* Replace PostgreSQL 16 link with current version

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

* Remove paragraph about bug message format

* Update README with official app website links

* Replace broken French images with English versions

* Fix broken Fever API docs link in French docs

* Replace GNU Social link with new one in `shares.php`

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-03-02 08:21:23 +01:00
triatic
56df7f826a Should be REMOTE_USER not Remote-User (#7828)
For fastcgi, REMOTE_USER is the correct variable.
2025-08-15 12:15:54 +02:00
Alexandre Alapetite
aa45bcbe5a Fix Markdown 78a4256 (#7678)
Fix for 78a4256362
2025-06-18 22:15:54 +02:00
ghostvirus
78a4256362 Merge commit from fork 2025-06-18 21:11:41 +02:00
Shane Redman
8e3bfa1a47 Docs: fix minor typo in 09_AccessControl.md (#6465) (#6466)
chose -> choose
2024-05-15 21:38:39 +02:00
Joe Stump
641b891972 Fix trusted cidrs check (#5853)
* Fix ignored TRUSTED_PROXY issue

* Add a sub-section to the docs no property mappings for Authentik

* Typo

* Fix typing

* A few changes to the doc

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2023-11-11 08:40:51 +01:00
Mossroy
5374df384a Use RemoteIPInternalProxy directive of remoteip Apache module (#5740)
* Use RemoteIPInternalProxy directive of remoteip Apache module

instead of RemoteIPTrustedProxy directive

To allow internal IPs to be trusted: for internal clients,
and also for the case of chained internal reverse-proxies

Fixes #5726

* One last reference forgotten

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2023-10-25 16:23:03 +02:00
Alexandre Alapetite
e7689459f2 Rework trusted proxies (#5549)
* Rework trusted proxies
Fix https://github.com/FreshRSS/FreshRSS/issues/5502
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226

New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy

New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip.

Current working setups should not observe any significant change.

* Minor whitespace

* Safer trusted sources during install
Rework of https://github.com/FreshRSS/FreshRSS/pull/5358
https://github.com/FreshRSS/FreshRSS/issues/5357

* Minor readme
2023-07-30 12:59:18 +02:00
Aaron Schif
58b254f9cb Add OpenID Connect (#5351)
* Add OIDC

* Update documentation.

* Update apache conf adding IfModule

* Use IfDefine for OIDC in apache conf

* Fix non-oidc support

* Fix typing

* Use IfDefine to enable OIDC

* Add OIDC support to all dockerfiles

* Re add apache Require option

* Fixes and documentation

* A few more fixes

* A bit more doc

* Change type of environment variable

* Update readme

* Correct apache config for OIDC support.

* Fix README formatting

* Update oidc control path

* Fix oidc endpoint being cached

* A bit more review

* Simplify ExpiresActive

* Add session refresh and improve caching

* Allow more different setups

* A bit more documentation

* A bit more readme

---------

Co-authored-by: Aaron Schif <aschif@netdevgroup.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Co-authored-by: maTh <math-home@web.de>
2023-06-12 10:22:46 +02:00
drosoCode
2aba861bc9 Add HTTP_REMOTE_USER header for auth (#4063)
* add HTTP_REMOTE_USER header for auth

* add ip whitelist for HTTP_REMOTE_USER header

* add IPv6 support for header auth

* fix formatting

* A few fixes

* Add some default trusted sources

* Fix IPv6 doc

* More standard header names

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2022-04-02 21:40:30 +02:00
Alexandre Alapetite
acbba9adb2 Improved markdownlint (#3918)
* Improved markdownlint
* Relaxed rules slighlty
* `npm run markdownlint` for automatic tests
* `npm run markdownlint_fix` for automatic syntax fixing
* Applied the fixes on all our Markdown files
2021-10-23 13:43:24 +02:00
bpatath
5c9d6a5396 Add auto-registration when using http_auth (#3003)
* Add auto-registration when using http_auth

* Document HTTP auth auto-registration

* Check email variable for HTTP auth auto-registration

* Auto-create HTTP users by default

* Fix Context init

(I will provide in another PR a better fix requiring a bit of global refactoring)

* Init language

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2020-06-19 23:01:19 +02:00
Patrick
d7f8883926 Docs update (#2164)
* Update Readme.conf

Add information in Readme.conf to hopefully stop bug reports about intended behavior.

* Update README.md

Co-Authored-By: pattems <patrick@crandol.com>

* Update README.md

Co-Authored-By: pattems <patrick@crandol.com>

* Update README.md

Co-Authored-By: pattems <patrick@crandol.com>

* Update README.md

Co-Authored-By: pattems <patrick@crandol.com>

* Update Readme

* Update Documentation Section

* Add main Documentation link near top of Document

* Make Documentation header a link

* Fix spelling mistake I didn't catch

* Apply suggestions from code review

Co-Authored-By: pattems <patrick@crandol.com>

* Changes per Frenzie comments

* Move non-disclaiming disclaimer

* English Admin Documentation Update

* Add Backup section

* Update wording in Index

* Move Footnotes to End

* Move Footnote

* Add content for todos

* Fix typos

* Fix a bunch of typos

* Remove a duplicated file (forgotten during dev merge)

* Improve the documentation a bit
2019-10-22 11:17:12 +02:00