From 283d41ec80ad410d68634245cf56114bc19331ee Mon Sep 17 00:00:00 2001
From: David Benson
Date: Fri, 13 May 2022 17:39:58 +0100
Subject: [PATCH] 18.0.3 release
---
 .../java/com/mxgraph/online/ProxyServlet.java | 66 +++++++++++--------
 1 file changed, 38 insertions(+), 28 deletions(-)
diff --git a/src/main/java/com/mxgraph/online/ProxyServlet.java b/src/main/java/com/mxgraph/online/ProxyServlet.java
index d7ea3c629b..99a88937f9 100644
--- a/src/main/java/com/mxgraph/online/ProxyServlet.java
+++ b/src/main/java/com/mxgraph/online/ProxyServlet.java
@@ -15,6 +15,7 @@
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.UnknownHostException;
+import java.net.InetAddress;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -245,42 +246,51 @@ public boolean checkUrlParameter(String url)
 {
 URL parsedUrl = new URL(url);
 String protocol = parsedUrl.getProtocol();
- String host = parsedUrl.getHost().toLowerCase();
+ String host = parsedUrl.getHost();
+ InetAddress address = InetAddress.getByName(host);
+ String hostAddress = address.getHostAddress();
+ host = host.toLowerCase();
 return (protocol.equals("http") || protocol.equals("https"))
- && !host.endsWith(".internal")
- && !host.endsWith(".local")
- && !host.contains("localhost")
- && !host.startsWith("0.") // 0.0.0.0/8
- && !host.startsWith("10.") // 10.0.0.0/8
- && !host.startsWith("127.") // 127.0.0.0/8
- && !host.startsWith("169.254.") // 169.254.0.0/16
- && !host.startsWith("172.16.") // 172.16.0.0/12
- && !host.startsWith("172.17.") // 172.16.0.0/12
- && !host.startsWith("172.18.") // 172.16.0.0/12
- && !host.startsWith("172.19.") // 172.16.0.0/12
- && !host.startsWith("172.20.") // 172.16.0.0/12
- && !host.startsWith("172.21.") // 172.16.0.0/12
- && !host.startsWith("172.22.") // 172.16.0.0/12
- && !host.startsWith("172.23.") // 172.16.0.0/12
- && !host.startsWith("172.24.") // 172.16.0.0/12
- && !host.startsWith("172.25.") // 172.16.0.0/12
- && !host.startsWith("172.26.") // 172.16.0.0/12
- && !host.startsWith("172.27.") // 172.16.0.0/12
- && !host.startsWith("172.28.") // 172.16.0.0/12
- && !host.startsWith("172.29.") // 172.16.0.0/12
- && !host.startsWith("172.30.") // 172.16.0.0/12
- && !host.startsWith("172.31.") // 172.16.0.0/12
- && !host.startsWith("192.0.0.") // 192.0.0.0/24
- && !host.startsWith("192.168.") // 192.168.0.0/16
- && !host.startsWith("198.18.") // 198.18.0.0/15
- && !host.startsWith("198.19.") // 198.18.0.0/15
+ && !address.isAnyLocalAddress()
+ && !address.isLoopbackAddress()
+ && !host.endsWith(".internal") // Redundant
+ && !host.endsWith(".local") // Redundant
+ && !host.contains("localhost") // Redundant
+ && !hostAddress.startsWith("0.") // 0.0.0.0/8
+ && !hostAddress.startsWith("10.") // 10.0.0.0/8
+ && !hostAddress.startsWith("127.") // 127.0.0.0/8
+ && !hostAddress.startsWith("169.254.") // 169.254.0.0/16
+ && !hostAddress.startsWith("172.16.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.17.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.18.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.19.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.20.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.21.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.22.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.23.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.24.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.25.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.26.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.27.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.28.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.29.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.30.") // 172.16.0.0/12
+ && !hostAddress.startsWith("172.31.") // 172.16.0.0/12
+ && !hostAddress.startsWith("192.0.0.") // 192.0.0.0/24
+ && !hostAddress.startsWith("192.168.") // 192.168.0.0/16
+ && !hostAddress.startsWith("198.18.") // 198.18.0.0/15
+ && !hostAddress.startsWith("198.19.") // 198.18.0.0/15
 && !host.endsWith(".arpa"); // reverse domain (needed?)
 }
 catch (MalformedURLException e)
 {
 return false;
 }
+ catch (UnknownHostException e)
+ {
+ return false;
+ }
 }
 else
 {
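Review bot: The resolution-based check still lets IPv6 private targets through: `InetAddress.getByName` accepts a bracketed literal such as `http://[fd00::1]/` or `http://[fe80::1]/`, and neither `isAnyLocalAddress()`/`isLoopbackAddress()` nor the dotted-decimal `hostAddress.startsWith(...)` prefixes match a unique-local (fc00::/7) or link-local (fe80::/10) address, so the URL is accepted. `getByName` also returns only the first record, so a name with one public and one private A/AAAA record passes when the private one is not listed first, and because `address` is discarded after the check, a later `openConnection()` on the URL (outside this hunk) presumably resolves the name a second time, which leaves a DNS-rebinding window — connecting to the validated `address` would close it. I would add `isLinkLocalAddress()` and `isSiteLocalAddress()`, a raw-byte test for fc00::/7, and a loop over `getAllByName(host)` as sketched below; the enclosing checkUrlParameter starts before the hunk and its `else` branch continues past it.

```java
String host = parsedUrl.getHost();
// Check every record the name resolves to; getByName() only returns the first one
InetAddress[] addresses = InetAddress.getAllByName(host);
host = host.toLowerCase();

if (!(protocol.equals("http") || protocol.equals("https")))
{
	return false;
}

for (InetAddress address : addresses)
{
	byte[] raw = address.getAddress();
	String hostAddress = address.getHostAddress();

	if (address.isAnyLocalAddress()
		|| address.isLoopbackAddress()
		|| address.isLinkLocalAddress() // 169.254.0.0/16, fe80::/10
		|| address.isSiteLocalAddress() // 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fec0::/10
		|| (raw.length == 16 && (raw[0] & 0xfe) == 0xfc) // fc00::/7 (IPv6 unique-local)
		|| hostAddress.startsWith("0.") // 0.0.0.0/8
		|| hostAddress.startsWith("127.") // 127.0.0.0/8
		|| hostAddress.startsWith("192.0.0.") // 192.0.0.0/24
		|| hostAddress.startsWith("198.18.") // 198.18.0.0/15
		|| hostAddress.startsWith("198.19.")) // 198.18.0.0/15
	{
		return false;
	}
}

return !host.endsWith(".internal")
	&& !host.endsWith(".local")
	&& !host.contains("localhost")
	&& !host.endsWith(".arpa");
// … unchanged: MalformedURLException / UnknownHostException handlers …
```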