update: don't match . with * using whitelisted image domain syntax

It's too easy for sysops to add `https://*imgur.com/**` instead of properly adding `https://*.imgur.com/**` or even better, `https://i.imgur.com/**`. This makes it easier to spot errors in the syntax errored since the intended whitelisted domain won't work. Add some more documentation to encourage safe practices and add example evil URLs that are permitted by the bypass for visual feedback of what is allowed.
2026-05-08 04:00:14 -05:00 · 2024-07-03 06:26:14 +00:00
parent ddea582f1f
commit b73f1d5a6f
2 changed files with 20 additions and 1 deletions
@@ -505,7 +505,7 @@ class Bbcode
            );

            $isWhitelisted = $whitelistedImageUrls->contains(function (string $pattern) use ($url) {
-                $pattern = str_replace(['\*\*', '\*'], ['.*', '[^\/]*'], preg_quote($pattern, '/'));
+                $pattern = str_replace(['\*\*', '\*'], ['.*', '[^\/.]*'], preg_quote($pattern, '/'));

                return preg_match('/^'.$pattern.'$/i', $url);
            });
@@ -64,6 +64,7 @@
                <thead>
                    <th>ID</th>
                    <th>URL Pattern</th>
+                    <th>Example bypassed URL</th>
                    <th>{{ __('common.created_at') }}</th>
                    <th>{{ __('forum.updated-at') }}</th>
                    <th>{{ __('common.actions') }}</th>
@@ -73,6 +74,9 @@
                        <tr>
                            <td>{{ $whitelistedImageUrl->id }}</td>
                            <td>{{ $whitelistedImageUrl->pattern }}</td>
+                            <td>
+                                {{ str_replace(['**', '*'], ['my.evil.example/evil', '_evil_'], $whitelistedImageUrl->pattern) }}
+                            </td>
                            <td>
                                <time
                                    datetime="{{ $whitelistedImageUrl->created_at }}"
@@ -197,6 +201,8 @@
                <code>*</code>
                wildcard will match everything except for
                <code>/</code>
+                and
+                <code>.</code>
                in the URL. You can also use
                <code>**</code>
                to match any character. You must never use
@@ -205,6 +211,19 @@
                <code>https://evil.example/subdomain.whitelisted-domain.example/image.png</code>
                to bypass the proxy.
            </p>
+            <p>
+                To match a url with a variable subdomain, make sure to manually specify the
+                <code>.</code>
+                otherwise a user can register
+                <code>https://evilimgur.com</code>
+                if you use
+                <code>https://*imgur.com/**</code>
+                (bad) instead of
+                <code>https://*.imgur.com/**</code>
+                (good) or
+                <code>https://i.imgur.com/**</code>
+                (best).
+            </p>
        </div>
    </section>
@endsection