author饺子w (Yumechi) <35571479+eternal-flame-AD@users.noreply.github.com>2024-10-22 04:17:56 -0500
committerGitHub <noreply@github.com>2024-10-22 18:17:56 +0900
commit48d1539f3be895b7aa8ecdd6c581e47a55cc9264 (patch)
tree74666ebcf95a7487b1a46cd8bf3d114b25a442e0
parentBump version to 2024.10.2-alpha.0 (diff)
Merge commit from fork
[ghsa-gq5q-c77c-v236](https://github.com/misskey-dev/misskey/security/advisories/ghsa-gq5q-c77c-v236) Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
-rw-r--r--CHANGELOG.md4
-rw-r--r--packages/backend/src/server/FileServerService.ts6
2 files changed, 8 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fde4901241..7e25ef3355 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,8 +15,8 @@
- Fix: デッキのタイムラインカラムで「センシティブなファイルを含むノートを表示」設定が使用できなかった問題を修正
### Server
--
-
+- Fix: Nested proxy requestsを検出した際にブロックするように
+ [ghsa-gq5q-c77c-v236](https://github.com/misskey-dev/misskey/security/advisories/ghsa-gq5q-c77c-v236)
## 2024.10.1
diff --git a/packages/backend/src/server/FileServerService.ts b/packages/backend/src/server/FileServerService.ts
index 41b6d2e83d..bf0a011699 100644
--- a/packages/backend/src/server/FileServerService.ts
+++ b/packages/backend/src/server/FileServerService.ts
@@ -319,6 +319,12 @@ export class FileServerService {
);
}
+ if (!request.headers['user-agent']) {
+ throw new StatusError('User-Agent is required', 400, 'User-Agent is required');
+ } else if (request.headers['user-agent'].toLowerCase().indexOf('misskey/') !== -1) {
+ throw new StatusError('Refusing to proxy a request from another proxy', 403, 'Proxy is recursive');
+ }
+
// Create temp file
const file = await this.getStreamAndTypeFromUrl(url);
if (file === '404') {