* Add SSRF mitigations using `filter_var` and `CURLOPT_RESOLVE`
The idea is to prevent FreshRSS from sending any HTTP requests to internal services, except for the ones that are explicitly allowed in the config.
Based on 6e82b46a48/lib/filelib.php (L3818) and https://github.com/symfony/symfony/blob/8.1/src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.phphttps://github.com/FreshRSS/simplepie/pull/76https://github.com/FreshRSS/simplepie/pull/78
* Add allowlist setting in Web UI
* make readme
* Update app/i18n/fr/admin.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* make readme again
* make readme
* Further work
Still WIP and needs testing etc.
* Readd previous if check for domain combination allowlist
* Turn POST to GET after redirect
* Improve
* Update config.default.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* make readme
* Skip SSRF check if `CURLOPT_PROXY` is set
* make readme
* Fix `!empty()` mistake
* Respect max redirects feed option when fetching with `httpGet()`
* Respect max redirects during SimplePie fetching + fix bypass
bypass fix: `CURLOPT_FOLLOWLOCATION` was moved below so that emulated redirects are enforced.
* Avoid FreshRSS and Minz code in SimplePie
https://github.com/FreshRSS/FreshRSS/pull/8400#discussion_r2935375980
* Corrected hook code
* phpdoc wrong return type
* Add CIDR support in allowlist
* Implement simple DNS caching
* Suppress `dns_get_record()` warnings
* A bit of proof-reading
* Minor typo
* Fix proxy logic
* Fix HTTP POST redirect logic
* Proofread checkCIDR
Add fixes for several situations
* Remove credentials from URL in logs
* Ensure `CURLOPT_FOLLOWLOCATION` is `false` by setting it at the end
* Fix codesniffer long line
* Fix potential bypass due to wrong return value
If there were no records returned by `dns_get_record()`, no overrides to `CURLOPT_RESOLVE` would get passed,
and a potential bypass could occur, when cURL would try to resolve the domain by itself.
* Put the URL at the end in logs
* Add documentation and environment variable support
* make readme
* Fix wrong behavior in case of IP
* Fix duplicate selector in CSS
* Minor type check change
* i18n fr, en
* Minor type check change
* Fix whitespace i18n fr
* make fix-all
* Fix `$ips_ok` not being returned after domain records were cached
* make readme
* PHPStan fix
* make readme
* Minor syntax in SimplePie
* Only return `null` if no allowed IPs were found
* Add wildcard *, help message
* Consistent docs with help message
* i18n: pl
* SimplePie compatibility PHP 7.2
* make fix-all
* Sync SimplePie
* https://github.com/FreshRSS/simplepie/pull/76
* 💥 Breaking change in the Changelog
* Document `INTERNAL_HOST_ALLOWLIST` in Docker docs
* Remove `Cookie` and `Authorization` headers in `httpGet()` during cross-origin redirect
* Minor whitespace
And same comment convention than below
* Remove authentication headers and change POST to GET on redirect in SimplePie
* Remove .local in Docker example
* Fill in default ports when comparing URL origins
* Remove .local from other places than the Docker example
* Rewrite WebSub subscribe to use `httpGet()`
* make fix-all
* Also unset `CURLOPT_USERPWD` during redirects
* phpcs fix
* Always unset `CURLOPT_FOLLOWLOCATION`
* Bump SimplePie
https://github.com/FreshRSS/simplepie/pull/78
* Update logic for CURLOPT_FOLLOWLOCATION
* Fix PHPStan
* Changelog fix security section
* Update most common RSS Bridge case
https://hub.docker.com/r/rssbridge/rss-bridge
* Replace misleading 127.0.0.1:8080 example for Docker
This does not make sense for a Docker container
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Apply sentence case to all H1s in docs/en/ and remove redundant "FreshRSS"
from titles where the docs site context already implies it. Align the three
section index titles to "Administrator/Developer/User manual", matching
the existing root H1 "FreshRSS manual (English)".
Add missing H1s to two pages that were silently dropped from the sidebar:
the user FAQ and the Caddy reverse proxy page. The sidebar template uses
page.title (derived from H1 by jekyll-titles-from-headings), so pages
without an H1 had title=nil and were skipped.
Update sidebar parent labels in docs_nav.html and the chapter list in
en/index.md to use the new "* manual" naming. Update link text in section
indexes that referenced the old H1s. Bundle two grammar fixes encountered
along the way: "an User Interface" -> "a user interface", and drop the
awkward "the" in "Configuring the email address validation".
EN only. No filenames, URLs, or anchor targets changed (anchors come from
H2 and below, which are untouched). FR is generated from EN via po4a and
will be regenerated separately.
Co-authored-by: Bjørn A. Andersen <polybjorn@users.noreply.github.com>
* docs: Fix broken or dead links
Used the following commands to find broken links:
1. `lychee -E --dump https://freshrss.github.io/FreshRSS/en/ --include freshrss.github.io --output links.txt`
2. `lychee -v --suggest --archive wayback --timeout 5 -u "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0" --files-from links.txt --output output.txt`
3. `cat output.txt`
Then did the same for https://freshrss.github.io/FreshRSS/fr/
We could look into using lychee in CI:
https://github.com/lycheeverse/lychee?tab=readme-ov-file#github-action-usage
* Replace PostgreSQL 16 link with current version
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Remove paragraph about bug message format
* Update README with official app website links
* Replace broken French images with English versions
* Fix broken Fever API docs link in French docs
* Replace GNU Social link with new one in `shares.php`
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Fix ignored TRUSTED_PROXY issue
* Add a sub-section to the docs no property mappings for Authentik
* Typo
* Fix typing
* A few changes to the doc
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Use RemoteIPInternalProxy directive of remoteip Apache module
instead of RemoteIPTrustedProxy directive
To allow internal IPs to be trusted: for internal clients,
and also for the case of chained internal reverse-proxies
Fixes#5726
* One last reference forgotten
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Add OIDC
* Update documentation.
* Update apache conf adding IfModule
* Use IfDefine for OIDC in apache conf
* Fix non-oidc support
* Fix typing
* Use IfDefine to enable OIDC
* Add OIDC support to all dockerfiles
* Re add apache Require option
* Fixes and documentation
* A few more fixes
* A bit more doc
* Change type of environment variable
* Update readme
* Correct apache config for OIDC support.
* Fix README formatting
* Update oidc control path
* Fix oidc endpoint being cached
* A bit more review
* Simplify ExpiresActive
* Add session refresh and improve caching
* Allow more different setups
* A bit more documentation
* A bit more readme
---------
Co-authored-by: Aaron Schif <aschif@netdevgroup.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Co-authored-by: maTh <math-home@web.de>
* add HTTP_REMOTE_USER header for auth
* add ip whitelist for HTTP_REMOTE_USER header
* add IPv6 support for header auth
* fix formatting
* A few fixes
* Add some default trusted sources
* Fix IPv6 doc
* More standard header names
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Improved markdownlint
* Relaxed rules slighlty
* `npm run markdownlint` for automatic tests
* `npm run markdownlint_fix` for automatic syntax fixing
* Applied the fixes on all our Markdown files
* Add auto-registration when using http_auth
* Document HTTP auth auto-registration
* Check email variable for HTTP auth auto-registration
* Auto-create HTTP users by default
* Fix Context init
(I will provide in another PR a better fix requiring a bit of global refactoring)
* Init language
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Update Readme.conf
Add information in Readme.conf to hopefully stop bug reports about intended behavior.
* Update README.md
Co-Authored-By: pattems <patrick@crandol.com>
* Update README.md
Co-Authored-By: pattems <patrick@crandol.com>
* Update README.md
Co-Authored-By: pattems <patrick@crandol.com>
* Update README.md
Co-Authored-By: pattems <patrick@crandol.com>
* Update Readme
* Update Documentation Section
* Add main Documentation link near top of Document
* Make Documentation header a link
* Fix spelling mistake I didn't catch
* Apply suggestions from code review
Co-Authored-By: pattems <patrick@crandol.com>
* Changes per Frenzie comments
* Move non-disclaiming disclaimer
* English Admin Documentation Update
* Add Backup section
* Update wording in Index
* Move Footnotes to End
* Move Footnote
* Add content for todos
* Fix typos
* Fix a bunch of typos
* Remove a duplicated file (forgotten during dev merge)
* Improve the documentation a bit