Changeset 3269:da4849c1ad84 for inc/core/class.dc.core.php

Timestamp:

07/17/16 10:09:33 (9 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Message:

Prevents SSRF/XSPA on Feed import, thanks wiswat for reporting this.

File:

• inc/core/class.dc.core.php (modified) (1 diff)

inc/core/class.dc.core.php

@@ -1455 +1455 @@
                     'Include sub-categories in category page and category posts feed'),
                     array('wiki_comments','boolean',false,
-                    'Allow commenters to use a subset of wiki syntax')
+                    'Allow commenters to use a subset of wiki syntax'),
+                    array('import_feed_url_control','boolean',true,
+                    'Control feed URL before import'),
+                    array('import_feed_no_private_ip','boolean',true,
+                    'Prevent import feed from private IP'),
+                    array('import_feed_ip_regexp','string','',
+                    'Authorize import feed only from this IP regexp'),
+                    array('import_feed_port_regexp','string','/^(80|443)$/',
+                    'Authorize import feed only from this port regexp')
                );
           }