
Commit d20aecf

1 parent 70f3d60 commit d20aecf

2 files changed

+12
-0
lines changed

2 files changed

+12
-0
lines changed

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -6,6 +6,7 @@
66
- Fixed a bug where `users/suspend-user` and `users/unsuspend-user` actions required that the logged-in user have control panel access. ([#18485](https://github.com/craftcms/cms/issues/18485))
77
- Fixed a bug where flipping an image within the Image Editor didn’t always work. ([#18486](https://github.com/craftcms/cms/issues/18486))
88
- Fixed a bug where SVG files missing their `width` and `height` attributes weren’t getting them set as expected.
9+
- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SSRF vulnerability. (GHSA-3m9m-24vh-39wx)
910

1011
## 4.17.8 - 2026-02-25
1112
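Review bot: the added changelog line names the advisory only as bare text, GHSA-3m9m-24vh-39wx, while the three entries above it link their issue references; linking the advisory and naming the affected surface (URL-based asset uploads through the GraphQL `Asset` mutation resolver, per the second file in this commit) would let operators judge exposure from the changelog alone, e.g. "Fixed a moderate-severity SSRF vulnerability in GraphQL asset uploads from a URL."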

src/gql/resolvers/mutations/Asset.php

Lines changed: 11 additions & 0 deletions
@@ -251,6 +251,10 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
251251
} elseif (!empty($fileInformation['url'])) {
252252
$url = $fileInformation['url'];
253253

254+
if (!$this->validateScheme($url)) {
255+
throw new UserError("$url contains an invalid scheme.");
256+
}
257+
254258
if (!$this->validateHostname($url)) {
255259
throw new UserError("$url contains an invalid hostname.");
256260
}
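Review bot: the new `validateScheme` check at the top of this hunk, like the existing `validateHostname` check below it, validates only the URL as supplied; the download itself is not in this hunk, so confirm that the client used later in `handleUpload` either does not follow redirects or re-runs both checks on each redirect target, otherwise a URL that passes here can still resolve to a different scheme or host before the fetch completes. Minor: the raw `$url` is interpolated into the `UserError` message on the second added line; trimming or length-limiting it keeps the GraphQL error payload tidy.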
@@ -297,6 +301,13 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
297301
return true;
298302
}
299303

304+
private function validateScheme(string $url): bool
305+
{
306+
// block Gopher/File/FTP Smuggling
307+
$scheme = parse_url($url, PHP_URL_SCHEME);
308+
return in_array(strtolower($scheme), ['http', 'https'], true);
309+
}
310+
300311
private function validateHostname(string $url): bool
301312
{
302313
$hostname = parse_url($url, PHP_URL_HOST);
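Review bot: `parse_url($url, PHP_URL_SCHEME)` in the added `validateScheme` returns `null` when the URL has no scheme and `false` when it cannot be parsed, and both values are passed straight to `strtolower()`; on PHP 8.1+ the `null` case emits a deprecation notice (a `TypeError` if the file declares strict types). Guarding the value before lowering it keeps the allowlist intent and rejects scheme-less or unparsable input cleanly, e.g. `$scheme = parse_url($url, PHP_URL_SCHEME);` followed by `return is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true);`. The allowlist is the right approach; the `// block Gopher/File/FTP Smuggling` comment would read more accurately as "allow only http and https" so the intent is not mistaken for a blocklist of three schemes. Since `validateHostname` below calls `parse_url()` again on the same string, parsing once and handing the components to both checks would also avoid the two calls disagreeing on an odd input.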
