From 3433f88dcccf69d57af6fb8434f848a0556d5a9e Mon Sep 17 00:00:00 2001
From: tastytea
Date: Fri, 26 Nov 2021 04:35:09 +0100
Subject: [PATCH] Don't allow redirections to external websites.
See .
---
 README.md | 5 ++++-
 src/libravatarserv.cpp | 6 ++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index b66b587..8431eb3 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ specification for hosting profile images tied to email or OpenID addresses.
 * MD5 hashes
 * SHA256 hashes
 * Variable image size (`s` or `size`)
-* Default fallbacks (`d` or `default`): 404, URL, mp/mm, identicon, retro
+* Default fallbacks (`d` or `default`): 404, URL (only on the same server), mp/mm, identicon, retro
 The API is explained in greater detail at the
 [Libravar wiki](https://wiki.libravatar.org/api/).
@@ -24,6 +24,9 @@ The API is explained in greater detail at the
 * The default fallbacks monsterid, wavatar, robohash and pagan
 * Patches welcome
 * forcedefault
+* Fallback URLs for to external sites (due to [CWE-601](https://cwe.mitre.org/data/definitions/601.html))
+ * We have a server setting (`LIBRAVATARSERV_REDIRECT_*`) to redirect to
+ libravatar.org.
 ## Usage
diff --git a/src/libravatarserv.cpp b/src/libravatarserv.cpp
index ba22de2..74d3511 100644
--- a/src/libravatarserv.cpp
+++ b/src/libravatarserv.cpp
@@ -1,5 +1,5 @@
 /* This file is part of libravatarserv.
- * Copyright © 2018, 2019, 2020 tastytea
+ * Copyright © 2018, 2019, 2020, 2021 tastytea
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -15,10 +15,12 @@
 */
 #include "libravatarserv.hpp"
+
 #include "version.hpp"
 #include
 #include
+
 #include
 using namespace libravatarserv;
@@ -81,7 +83,7 @@ int main() { cout << "Status: 404 Not Found\n\n"; } - else if (avatar.fallback.substr(0, 4) == "http") + else if (avatar.fallback[0] == '/') { cout << "Status: 307 Temporary Redirect\n"; cout << "Location: " << avatar.fallback << endl << endl;
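Review bot: The new check `avatar.fallback[0] == '/'` still permits an off-site redirect, because a scheme-relative value such as `//attacker.example/x` (and, in browsers that fold backslashes, `/\attacker.example`) starts with `/` yet is written verbatim into the `Location:` header, so the CWE-601 issue the commit targets is only half closed. The value also reaches a response header without any check for CR/LF, which would let a caller inject further headers through the fallback parameter unless the CGI gateway filters it — I cannot tell from this hunk whether it does. I would move the test into a small helper that requires a leading `/`, rejects a second `/` or `\`, and refuses control characters, and call it from the `else if`. `main()` starts and ends outside this hunk; the helper would go above it, and it needs `<string>`, which the include hunk presumably already covers.
```cpp
// Accept only an absolute path on this server: "//host" and "/\host" are
// scheme-relative URLs and would still redirect off-site (CWE-601), and a
// CR or LF in the value would let the caller inject response headers.
static bool is_local_path(const std::string &url)
{
    if (url.empty() || url[0] != '/')
        return false;
    if (url.size() > 1 && (url[1] == '/' || url[1] == '\\'))
        return false;
    return url.find_first_of("\r\n") == std::string::npos;
}

// … unchanged: main() up to the 404 branch …
    else if (is_local_path(avatar.fallback))
```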