43 changes: 33 additions & 10 deletions proxy-xml.php
@@ -1,15 +1,38 @@
<?php
if (isset($_GET['url'])) {
$url = $_GET['url'];
<?php
$whitelist = [
'blog.freecad.org'
];

if (filter_var($url, FILTER_VALIDATE_URL)) {
$response = file_get_contents($url);
function is_url_safe($url, $whitelist) {
$parsed = parse_url($url);
if (!$parsed || !isset($parsed['host'])) {
return false;
}

$host = strtolower($parsed['host']);

header('Content-Type: application/xml');
echo $response;
} else {
header("HTTP/1.1 400 Bad Request");
if (in_array($host, $whitelist)) {
return true;
}

$ip = gethostbyname($host);
Copilot AI Aug 25, 2025

The gethostbyname() function can be exploited for DNS rebinding attacks and may resolve to internal IP addresses. Consider using a more secure approach that validates against private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and blocks localhost resolution.

if ($ip === $host) {
return false;
}

if (in_array($ip, $whitelist)) {
return true;
}

return false;
}

$url = $_GET['url'] ?? '';
if (is_url_safe($url, $whitelist)) {
alanEG marked this conversation as resolved.
$response = file_get_contents($url);
header('Content-Type: application/xml');
echo $response;
Copilot AI Aug 25, 2025

Using file_get_contents() without timeout or context options can lead to denial of service attacks through slow responses or large file downloads. Consider adding a stream context with timeout and size limits, or use cURL with proper configuration.

Suggested change
echo $response;
// Set a timeout of 5 seconds
$context = stream_context_create([
'http' => [
'timeout' => 5
]
]);
// Limit response size to 2MB
$maxSize = 2 * 1024 * 1024; // 2MB
$response = '';
$handle = @fopen($url, 'r', false, $context);
if ($handle) {
while (!feof($handle) && strlen($response) < $maxSize) {
$response .= fread($handle, 8192);
}
fclose($handle);
if (strlen($response) >= $maxSize) {
header('HTTP/1.1 413 Payload Too Large');
echo "Response too large";
} else {
header('Content-Type: application/xml');
echo $response;
}
} else {
header('HTTP/1.1 502 Bad Gateway');
echo "Failed to fetch URL";
}

} else {
header("HTTP/1.1 400 Bad Request");
echo "URL not allowed";
alanEG marked this conversation as resolved.
}
?>
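Review bot: is_url_safe() never checks the URL scheme, and its IP branch is dead code with the whitelist as written. parse_url() accepts any scheme, so restrict to http/https before the host check, e.g. `if (!in_array(strtolower($parsed['scheme'] ?? ''), ['http', 'https'], true)) return false;`. Because $whitelist holds only a hostname, `in_array($ip, $whitelist)` can never be true, so `$ip = gethostbyname($host);` is an outbound DNS query on caller-supplied input that cannot change the result; either drop it or add the intended addresses to the whitelist (noting that gethostbyname() resolves IPv4 only and `$ip === $host` only detects lookup failure). Both in_array() calls should pass `true` as the strict flag. In the fetch branch, file_get_contents() follows HTTP redirects by default, so a whitelisted host can redirect the proxy to a non-whitelisted destination; pass a stream context with 'follow_location' => 0 (the same context can carry the timeout the other thread asks for). Minor: the trailing `?>` in a pure-PHP file is best removed so stray whitespace after it cannot break the headers.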
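As an added example (not the PR's code, nor the Copilot suggestion) covering both review threads above: a hardened variant of proxy-xml.php that restricts the scheme, requires a whitelisted host whose DNS answers are all public addresses, and fetches with a timeout, no redirect following and a size cap. The function names is_public_ip and is_url_allowed are hypothetical; the whitelist entry is the one the PR uses.

```php
<?php
// Added example, not the PR's own code: a hardened variant of the proxy-xml.php
// check. Function names are hypothetical; the whitelist entry is the PR's.
$whitelist = ['blog.freecad.org'];

// True only for a public address: the filter flags reject loopback, RFC1918,
// link-local and other reserved ranges for both IPv4 and IPv6.
function is_public_ip(string $ip): bool {
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}
// Allow only http(s) URLs whose host is whitelisted and whose every A/AAAA
// answer is public (gethostbyname() is IPv4-only, hence dns_get_record()).
function is_url_allowed(string $url, array $whitelist): bool {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    $scheme = strtolower($p['scheme']);
    $host = strtolower($p['host']);
    if (!in_array($scheme, ['http', 'https'], true) || !in_array($host, $whitelist, true)) {
        return false;
    }
    $records = dns_get_record($host, DNS_A | DNS_AAAA);
    if (empty($records)) {
        return false;
    }
    foreach ($records as $r) {
        if (!is_public_ip($r['ip'] ?? $r['ipv6'] ?? '')) {
            return false;
        }
    }
    return true;
}

$url = $_GET['url'] ?? '';
if (!is_url_allowed($url, $whitelist)) {
    header('HTTP/1.1 400 Bad Request');
    exit('URL not allowed');
}
// 5 s timeout, no redirect following, and read 2 MB + 1 byte to detect oversize.
$ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
$max = 2 * 1024 * 1024;
$body = @file_get_contents($url, false, $ctx, 0, $max + 1);
if ($body === false || strlen($body) > $max) {
    header('HTTP/1.1 502 Bad Gateway');
    exit('Fetch failed or response too large');
}
header('Content-Type: application/xml');
echo $body;
```

Because file_get_contents() resolves the name a second time, a DNS rebinding window remains between the check and the fetch; pinning the validated address (for instance with cURL's CURLOPT_RESOLVE) closes it.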