httpUtil.php 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785
  1. <?php
  2. declare(strict_types=1);
  3. final class FreshRSS_http_Util {
  4. private const RETRY_AFTER_PATH = DATA_PATH . '/Retry-After/';
  5. private const PRIVATE_SUBNETS = [
  6. '127.0.0.0/8', // RFC1700 (Loopback)
  7. '10.0.0.0/8', // RFC1918
  8. '192.168.0.0/16', // RFC1918
  9. '172.16.0.0/12', // RFC1918
  10. '169.254.0.0/16', // RFC3927
  11. '0.0.0.0/8', // RFC5735
  12. '240.0.0.0/4', // RFC1112
  13. '::1/128', // Loopback
  14. 'fc00::/7', // Unique Local Address
  15. 'fe80::/10', // Link Local Address
  16. '::ffff:0:0/96', // IPv4 translations
  17. '::/128', // Unspecified address
  18. ];
  19. /** @var array<string, string[]> $resolve_ok */
  20. private static array $resolve_ok = [];
  21. private static function getRetryAfterFile(string $url, string $proxy): string {
  22. $domain = parse_url($url, PHP_URL_HOST);
  23. if (!is_string($domain) || $domain === '') {
  24. return '';
  25. }
  26. $domainWide = Minz_Request::serverIsPublic($domain);
  27. $port = parse_url($url, PHP_URL_PORT);
  28. if (is_int($port)) {
  29. $domain .= ':' . $port;
  30. }
  31. return self::RETRY_AFTER_PATH . urlencode($domain) .
  32. ($domainWide ? '' : '_' . hash('sha256', $url)) .
  33. (empty($proxy) ? '' : '_' . urlencode($proxy)) . '.txt';
  34. }
  35. /**
  36. * Clean up old Retry-After files
  37. */
  38. private static function cleanRetryAfters(): void {
  39. if (!is_dir(self::RETRY_AFTER_PATH)) {
  40. return;
  41. }
  42. $files = glob(self::RETRY_AFTER_PATH . '*.txt', GLOB_NOSORT);
  43. if ($files === false) {
  44. return;
  45. }
  46. foreach ($files as $file) {
  47. if (@filemtime($file) < time()) {
  48. @unlink($file);
  49. }
  50. }
  51. }
  52. /**
  53. * Check whether the URL needs to wait for a Retry-After period.
  54. * @return int The timestamp of when the Retry-After expires, or 0 if not set.
  55. */
  56. public static function getRetryAfter(string $url, string $proxy): int {
  57. if (rand(0, 30) === 1) { // Remove old files once in a while
  58. self::cleanRetryAfters();
  59. }
  60. $txt = self::getRetryAfterFile($url, $proxy);
  61. if ($txt === '') {
  62. return 0;
  63. }
  64. $retryAfter = @filemtime($txt) ?: 0;
  65. if ($retryAfter <= 0) {
  66. return 0;
  67. }
  68. if ($retryAfter < time()) {
  69. @unlink($txt);
  70. return 0;
  71. }
  72. return $retryAfter;
  73. }
  74. /**
  75. * Store the HTTP Retry-After header value of an HTTP `429 Too Many Requests` or `503 Service Unavailable` response.
  76. */
  77. public static function setRetryAfter(string $url, string $proxy, string $retryAfter): int {
  78. $txt = self::getRetryAfterFile($url, $proxy);
  79. if ($txt === '') {
  80. return 0;
  81. }
  82. $limits = FreshRSS_Context::systemConf()->limits;
  83. if (ctype_digit($retryAfter)) {
  84. $retryAfter = time() + (int)$retryAfter;
  85. } else {
  86. $retryAfter = \SimplePie\Misc::parse_date($retryAfter) ?:
  87. (time() + max(600, $limits['retry_after_default'] ?? 0));
  88. }
  89. $retryAfter = min($retryAfter, time() + max(3600, $limits['retry_after_max'] ?? 0));
  90. @mkdir(self::RETRY_AFTER_PATH);
  91. if (!touch($txt, $retryAfter)) {
  92. Minz_Log::error('Failed to set Retry-After for ' . $url);
  93. return 0;
  94. }
  95. return $retryAfter;
  96. }
  97. /**
  98. * @param array<mixed> $curl_params
  99. * @return array<mixed>
  100. */
  101. public static function sanitizeCurlParams(array $curl_params): array {
  102. $safe_params = [
  103. CURLOPT_COOKIE,
  104. CURLOPT_COOKIEFILE,
  105. CURLOPT_FOLLOWLOCATION, // We filter this value later, only allowing `false`
  106. CURLOPT_HTTPHEADER,
  107. CURLOPT_MAXREDIRS,
  108. CURLOPT_POST,
  109. CURLOPT_POSTFIELDS,
  110. CURLOPT_PROXY,
  111. CURLOPT_PROXYTYPE,
  112. CURLOPT_USERAGENT,
  113. ];
  114. foreach ($curl_params as $k => $_) {
  115. if (!in_array($k, $safe_params, true)) {
  116. unset($curl_params[$k]);
  117. continue;
  118. }
  119. // Allow only an empty value just to enable the libcurl cookie engine
  120. if ($k === CURLOPT_COOKIEFILE) {
  121. $curl_params[$k] = '';
  122. }
  123. // Remove HTTP authentication headers problematic for security
  124. if ($k === CURLOPT_HTTPHEADER && is_array($curl_params[$k])) {
  125. $curl_params[$k] = array_filter($curl_params[$k],
  126. fn($header) => is_string($header) && !preg_match('/^(Remote[-_\s]*User|X[-_\s]*WebAuth[-_\s]*User)\\s*:/i', $header));
  127. }
  128. }
  129. return $curl_params;
  130. }
  131. private static function idn_to_puny(string $url): string {
  132. if (function_exists('idn_to_ascii')) {
  133. $idn = parse_url($url, PHP_URL_HOST);
  134. if (is_string($idn) && $idn != '') {
  135. $puny = idn_to_ascii($idn);
  136. $pos = strpos($url, $idn);
  137. if ($puny != false && $pos !== false) {
  138. $url = substr_replace($url, $puny, $pos, strlen($idn));
  139. }
  140. }
  141. }
  142. return $url;
  143. }
  144. public static function checkUrl(string $url, bool $fixScheme = true): string|false {
  145. $url = trim($url);
  146. if ($url == '') {
  147. return '';
  148. }
  149. if ($fixScheme && preg_match('#^https?://#i', $url) !== 1) {
  150. $url = 'https://' . ltrim($url, '/');
  151. }
  152. $url = self::idn_to_puny($url); // https://bugs.php.net/bug.php?id=53474
  153. $urlRelaxed = str_replace('_', 'z', $url); //PHP discussion #64948 Underscore
  154. if (is_string(filter_var($urlRelaxed, FILTER_VALIDATE_URL))) {
  155. return $url;
  156. } else {
  157. return false;
  158. }
  159. }
  160. /**
  161. * Remove the charset meta information of an HTML document, e.g.:
  162. * `<meta charset="..." />`
  163. * `<meta http-equiv="Content-Type" content="text/html; charset=...">`
  164. */
  165. private static function stripHtmlMetaCharset(string $html): string {
  166. return preg_replace('/<meta\s[^>]*charset\s*=\s*[^>]+>/i', '', $html, 1) ?? '';
  167. }
  168. /**
  169. * Set an XML preamble to enforce the HTML content type charset received by HTTP.
  170. * @param string $html the raw downloaded HTML content
  171. * @param string $contentType an HTTP Content-Type such as 'text/html; charset=utf-8'
  172. * @return string an HTML string with XML encoding information for DOMDocument::loadHTML()
  173. */
  174. private static function enforceHttpEncoding(string $html, string $contentType = ''): string {
  175. $httpCharset = preg_match('/\bcharset=([0-9a-z_-]{2,12})$/i', $contentType, $matches) === 1 ? $matches[1] : '';
  176. if ($httpCharset == '') {
  177. // No charset defined by HTTP
  178. if (preg_match('/<meta\s[^>]*charset\s*=[\s\'"]*UTF-?8\b/i', substr($html, 0, 2048))) {
  179. // Detect UTF-8 even if declared too deep in HTML for DOMDocument
  180. $httpCharset = 'UTF-8';
  181. } else {
  182. // Do nothing
  183. return $html;
  184. }
  185. }
  186. $httpCharsetNormalized = \SimplePie\Misc::encoding($httpCharset);
  187. if (in_array($httpCharsetNormalized, ['windows-1252', 'US-ASCII'], true)) {
  188. // Default charset for HTTP, do nothing
  189. return $html;
  190. }
  191. if (substr($html, 0, 3) === "\xEF\xBB\xBF" || // UTF-8 BOM
  192. substr($html, 0, 2) === "\xFF\xFE" || // UTF-16 Little Endian BOM
  193. substr($html, 0, 2) === "\xFE\xFF" || // UTF-16 Big Endian BOM
  194. substr($html, 0, 4) === "\xFF\xFE\x00\x00" || // UTF-32 Little Endian BOM
  195. substr($html, 0, 4) === "\x00\x00\xFE\xFF") { // UTF-32 Big Endian BOM
  196. // Existing byte order mark, do nothing
  197. return $html;
  198. }
  199. if (preg_match('/^<[?]xml[^>]+encoding\b/', substr($html, 0, 64))) {
  200. // Existing XML declaration, do nothing
  201. return $html;
  202. }
  203. if ($httpCharsetNormalized !== 'UTF-8') {
  204. // Try to change encoding to UTF-8 using mbstring or iconv or intl
  205. $utf8 = \SimplePie\Misc::change_encoding($html, $httpCharsetNormalized, 'UTF-8');
  206. if (is_string($utf8)) {
  207. $html = self::stripHtmlMetaCharset($utf8);
  208. $httpCharsetNormalized = 'UTF-8';
  209. }
  210. }
  211. if ($httpCharsetNormalized === 'UTF-8') {
  212. // Save encoding information as Unicode BOM
  213. return "\xEF\xBB\xBF" . $html;
  214. }
  215. // Give up
  216. return $html;
  217. }
  218. /**
  219. * Set an HTML base URL to the HTML content if there is none.
  220. * @param string $html the raw downloaded HTML content
  221. * @param string $href the HTML base URL
  222. * @return string an HTML string
  223. */
  224. private static function enforceHtmlBase(string $html, string $href): string {
  225. $doc = new DOMDocument();
  226. $doc->loadHTML($html, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING);
  227. if ($doc->documentElement === null) {
  228. return '';
  229. }
  230. $xpath = new DOMXPath($doc);
  231. $bases = $xpath->evaluate('//base');
  232. if (!($bases instanceof DOMNodeList) || $bases->length === 0) {
  233. $base = $doc->createElement('base');
  234. if ($base === false) {
  235. return $html;
  236. }
  237. $base->setAttribute('href', $href);
  238. $head = null;
  239. $heads = $xpath->evaluate('//head');
  240. if ($heads instanceof DOMNodeList && $heads->length > 0) {
  241. $head = $heads->item(0);
  242. }
  243. if ($head instanceof DOMElement) {
  244. $head->insertBefore($base, $head->firstChild);
  245. } else {
  246. $doc->documentElement->insertBefore($base, $doc->documentElement->firstChild);
  247. }
  248. }
  249. // Save the start of HTML because libxml2 saveHTML() risks scrambling it
  250. $htmlPos = stripos($html, '<html');
  251. $htmlStart = $htmlPos === false || $htmlPos > 512 ? '' : substr($html, 0, $htmlPos);
  252. $html = $doc->saveHTML() ?: $html;
  253. if ($htmlStart !== '' && !str_starts_with($html, $htmlStart)) {
  254. // libxml2 saveHTML() risks removing Unicode BOM and XML declaration,
  255. // which affects future detection of charset encoding, so manually restore it
  256. $htmlPos = stripos($html, '<html');
  257. $html = $htmlPos === false || $htmlPos > 512 ? $html : $htmlStart . substr($html, $htmlPos);
  258. }
  259. return $html;
  260. }
  261. public static function compareURLOrigins(string $url1, string $url2): bool {
  262. $url1 = parse_url(strtolower($url1));
  263. $url2 = parse_url(strtolower($url2));
  264. if ($url1 === false || $url2 === false) {
  265. return false;
  266. }
  267. foreach ([&$url1, &$url2] as &$url) {
  268. $url['port'] ??= match ($url['scheme']) {
  269. 'http' => 80,
  270. 'https' => 443,
  271. default => 0,
  272. };
  273. }
  274. return ($url1['scheme'] ?? '') === ($url2['scheme'] ?? '') &&
  275. ($url1['host'] ?? '') === ($url2['host'] ?? '') &&
  276. ($url1['port'] ?? '') === ($url2['port'] ?? '');
  277. }
  278. /**
  279. * Returns a value for CURLOPT_RESOLVE as an array, null if no allowed IPs were found, false if the domain failed to resolve.
  280. *
  281. * @return array<string>|null|false
  282. */
  283. public static function getCurlResolveInfo(string $url): array|null|false {
  284. $url = strtolower($url);
  285. $parsed = parse_url($url);
  286. if ($parsed === false) {
  287. return false;
  288. }
  289. $host = $parsed['host'] ?? null;
  290. $scheme = $parsed['scheme'] ?? null;
  291. if ($host === null || $scheme === null) {
  292. return false;
  293. }
  294. if (str_starts_with($host, '[') && str_ends_with($host, ']')) {
  295. if (strlen($host) === 2) {
  296. return false;
  297. }
  298. $host = substr($host, 1, strlen($host) - 2);
  299. }
  300. $internal_host_allowlist = getenv('INTERNAL_HOST_ALLOWLIST');
  301. if (is_string($internal_host_allowlist) && $internal_host_allowlist !== '') {
  302. $internal_host_allowlist = preg_split('/\s+/', $internal_host_allowlist, -1, PREG_SPLIT_NO_EMPTY);
  303. }
  304. if (!is_array($internal_host_allowlist) || empty($internal_host_allowlist)) {
  305. $internal_host_allowlist = FreshRSS_Context::systemConf()->internal_host_allowlist;
  306. }
  307. if (in_array('*', $internal_host_allowlist, true)) {
  308. return []; // Disables SSRF checks entirely (unsafe)
  309. }
  310. $port = parse_url($url)['port'] ?? match ($scheme) {
  311. 'http' => 80,
  312. 'https' => 443,
  313. default => 0,
  314. };
  315. $resolve_str = "$host:$port:";
  316. $ips_ok = [];
  317. $ips = [];
  318. $records = [];
  319. if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
  320. $ips[] = $host;
  321. } elseif (isset(self::$resolve_ok[$host])) {
  322. $ips = self::$resolve_ok[$host];
  323. } else {
  324. $records = @dns_get_record($host, DNS_A + DNS_AAAA);
  325. if ($records === false) {
  326. return false;
  327. }
  328. foreach ($records as $record) {
  329. $ip = $record['ip'] ?? $record['ipv6'];
  330. if (is_string($ip)) {
  331. $ips[] = $ip;
  332. }
  333. }
  334. self::$resolve_ok[$host] = $ips;
  335. }
  336. $cidr_allowlist = array_filter($internal_host_allowlist, fn($v, $_) => str_contains($v, '/'), ARRAY_FILTER_USE_BOTH);
  337. foreach ($ips as $ip) {
  338. $allowlist_str = "$ip:$port";
  339. $add_ip = $ip;
  340. if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
  341. $allowlist_str = "[$ip]:$port";
  342. $add_ip = "[$ip]";
  343. }
  344. foreach ($cidr_allowlist as $cidr) {
  345. if (self::checkCIDR($ip, $cidr)) {
  346. $ips_ok[] = $add_ip;
  347. continue 2;
  348. }
  349. }
  350. if (in_array($allowlist_str, $internal_host_allowlist, true) ||
  351. in_array("$host:$port", $internal_host_allowlist, true)) {
  352. $ips_ok[] = $add_ip;
  353. continue;
  354. }
  355. if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
  356. continue;
  357. }
  358. // Extra check because the above one might not be enough: https://github.com/php/php-src/issues/16944
  359. // Workaround is available by using `FILTER_FLAG_GLOBAL_RANGE` instead, but that was only added in PHP 8.2, and we need to support PHP 8.1+
  360. foreach (self::PRIVATE_SUBNETS as $cidr) {
  361. if (self::checkCIDR($ip, $cidr)) {
  362. continue 2;
  363. }
  364. }
  365. $ips_ok[] = $add_ip;
  366. }
  367. if (count($ips_ok) > 0) {
  368. if (count($records) > 0 || isset(self::$resolve_ok[$host])) {
  369. $resolve_str .= implode(',', $ips_ok);
  370. return [$resolve_str];
  371. }
  372. if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
  373. // No resolve overrides since the URL only contained an IP, not a domain
  374. return [];
  375. }
  376. }
  377. if (count($ips) === 0) {
  378. return false;
  379. }
  380. return null;
  381. }
  382. /**
  383. * @param non-empty-string $url
  384. * @param string|null $cachePath path to cache file, or `null` to disable caching
  385. * @param string $type {html,ico,json,opml,xml}
  386. * @param array<string,mixed> $attributes May contain user-defined cURL options in `$attributes['curl_params']`
  387. * @param array<int,mixed> $curl_options Internal overrides of cURL options
  388. * @return array{body:string,effective_url:string,redirect_count:int,fail:bool,status:int,error:string}
  389. * `status` is the HTTP response code (e.g. 200, 404), or a custom negative value:
  390. * * `-200` served from local cache;
  391. * * `-429` blocked by active `Retry-After` period;
  392. * * `-500` `curl_init()` failure.
  393. */
  394. public static function httpGet(string $url, ?string $cachePath = null, string $type = 'html', array $attributes = [], array $curl_options = []): array {
  395. $limits = FreshRSS_Context::systemConf()->limits;
  396. $feed_timeout = empty($attributes['timeout']) || !is_numeric($attributes['timeout']) ? 0 : intval($attributes['timeout']);
  397. if ($cachePath !== null) {
  398. $cacheMtime = @filemtime($cachePath);
  399. if ($cacheMtime !== false && $cacheMtime > time() - intval($limits['cache_duration'])) {
  400. $body = @file_get_contents($cachePath);
  401. if ($body != false) {
  402. if (FreshRSS_Context::systemConf()->simplepie_syslog_enabled) {
  403. syslog(LOG_DEBUG, 'FreshRSS uses cache for ' . \SimplePie\Misc::url_remove_credentials($url));
  404. }
  405. return ['body' => $body, 'effective_url' => $url, 'redirect_count' => 0, 'fail' => false, 'status' => -200, 'error' => ''];
  406. }
  407. }
  408. }
  409. if (rand(0, 30) === 1) { // Remove old cache once in a while
  410. cleanCache(CLEANCACHE_HOURS);
  411. }
  412. $accept = '';
  413. $proxy = is_string(FreshRSS_Context::systemConf()->curl_options[CURLOPT_PROXY] ?? null) ? FreshRSS_Context::systemConf()->curl_options[CURLOPT_PROXY] : '';
  414. $options = []; // User-defined cURL options
  415. if (is_array($attributes['curl_params'] ?? null)) {
  416. $options = self::sanitizeCurlParams($attributes['curl_params']);
  417. $proxy = is_string($options[CURLOPT_PROXY] ?? null) ? $options[CURLOPT_PROXY] : $proxy;
  418. if (is_array($options[CURLOPT_HTTPHEADER] ?? null)) {
  419. // Add Accept header if it is not set
  420. if (preg_grep('/^Accept\\s*:/i', $options[CURLOPT_HTTPHEADER]) === false) {
  421. $options[CURLOPT_HTTPHEADER][] = 'Accept: ' . $accept;
  422. }
  423. }
  424. }
  425. $proxy = is_string($curl_options[CURLOPT_PROXY] ?? null) ? $curl_options[CURLOPT_PROXY] : $proxy;
  426. if (($retryAfter = FreshRSS_http_Util::getRetryAfter($url, $proxy)) > 0) {
  427. Minz_Log::warning('For that domain, will first retry after ' . date('c', $retryAfter) . '. ' . \SimplePie\Misc::url_remove_credentials($url));
  428. return ['body' => '', 'effective_url' => $url, 'redirect_count' => 0, 'fail' => true, 'status' => -429, 'error' => ''];
  429. }
  430. if (FreshRSS_Context::systemConf()->simplepie_syslog_enabled) {
  431. syslog(LOG_INFO, 'FreshRSS GET ' . $type . ' ' . \SimplePie\Misc::url_remove_credentials($url));
  432. }
  433. switch ($type) {
  434. case 'json':
  435. $accept = 'application/json,application/feed+json,application/javascript;q=0.9,text/javascript;q=0.8,*/*;q=0.7';
  436. break;
  437. case 'opml':
  438. $accept = 'text/x-opml,text/xml;q=0.9,application/xml;q=0.9,*/*;q=0.8';
  439. break;
  440. case 'xml':
  441. $accept = 'application/xml,application/xhtml+xml,text/xml;q=0.9,*/*;q=0.8';
  442. break;
  443. case 'ico':
  444. $accept = 'image/x-icon,image/vnd.microsoft.icon,image/ico,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.1';
  445. break;
  446. case 'html':
  447. default:
  448. $accept = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
  449. break;
  450. }
  451. $original_url = $url;
  452. $fail = false;
  453. $redirs = 0;
  454. $max_redirs = $curl_options[CURLOPT_MAXREDIRS] ?? $options[CURLOPT_MAXREDIRS] ?? FreshRSS_Context::systemConf()->curl_options[CURLOPT_MAXREDIRS] ?? null;
  455. if (!is_int($max_redirs)) {
  456. $max_redirs = 4;
  457. }
  458. while (true) {
  459. $url = is_string($url) ? $url : '';
  460. $resolve = [];
  461. if ($proxy === '') {
  462. $resolve = self::getCurlResolveInfo($url);
  463. if ($resolve === null) {
  464. Minz_Log::warning('Fetching this URL is not allowed, because the host’s IP is not in the allowlist [' .
  465. \SimplePie\Misc::url_remove_credentials($url) . ']');
  466. return ['body' => '', 'effective_url' => '', 'redirect_count' => 0, 'fail' => true, 'status' => -500, 'error' => ''];
  467. } elseif ($resolve === false) {
  468. return ['body' => '', 'effective_url' => '', 'redirect_count' => 0, 'fail' => true, 'status' => -500, 'error' => ''];
  469. }
  470. if (!empty($resolve)) {
  471. $curl_options[CURLOPT_RESOLVE] = $resolve; // Prevent DNS rebinding
  472. }
  473. }
  474. // TODO: Implement HTTP 1.1 conditional GET If-Modified-Since
  475. $ch = curl_init();
  476. if ($ch === false || $url === '') {
  477. return ['body' => '', 'effective_url' => '', 'redirect_count' => 0, 'fail' => true, 'status' => -500, 'error' => ''];
  478. }
  479. curl_setopt_array($ch, [
  480. CURLOPT_URL => $url,
  481. CURLOPT_HTTPHEADER => ['Accept: ' . $accept],
  482. CURLOPT_USERAGENT => FRESHRSS_USERAGENT,
  483. CURLOPT_CONNECTTIMEOUT => $feed_timeout > 0 ? $feed_timeout : $limits['timeout'],
  484. CURLOPT_TIMEOUT => $feed_timeout > 0 ? $feed_timeout : $limits['timeout'],
  485. CURLOPT_RETURNTRANSFER => true,
  486. CURLOPT_ACCEPT_ENCODING => '', //Enable all encodings
  487. //CURLOPT_VERBOSE => 1, // To debug sent HTTP headers
  488. ]);
  489. curl_setopt_array($ch, $options);
  490. curl_setopt_array($ch, FreshRSS_Context::systemConf()->curl_options);
  491. $responseHeaders = '';
  492. curl_setopt($ch, CURLOPT_HEADERFUNCTION, function (\CurlHandle $ch, string $header) use (&$responseHeaders) {
  493. if (trim($header) !== '') { // Skip e.g. separation with trailer headers
  494. $responseHeaders .= $header;
  495. }
  496. return strlen($header);
  497. });
  498. if (isset($attributes['ssl_verify'])) {
  499. curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, empty($attributes['ssl_verify']) ? 0 : 2);
  500. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (bool)$attributes['ssl_verify']);
  501. if (empty($attributes['ssl_verify'])) {
  502. curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT@SECLEVEL=1');
  503. }
  504. }
  505. if (defined('CURLOPT_PROTOCOLS_STR') && is_int(CURLOPT_PROTOCOLS_STR)) {
  506. $curl_options[CURLOPT_PROTOCOLS_STR] = 'http,https';
  507. if (defined('CURLOPT_REDIR_PROTOCOLS_STR') && is_int(CURLOPT_REDIR_PROTOCOLS_STR)) {
  508. $curl_options[CURLOPT_REDIR_PROTOCOLS_STR] = 'http,https';
  509. }
  510. } elseif (defined('CURLPROTO_HTTP') && defined('CURLPROTO_HTTPS')) {
  511. // Legacy PHP 8.2-
  512. if (defined('CURLOPT_PROTOCOLS')) {
  513. $curl_options[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
  514. }
  515. if (defined('CURLOPT_REDIR_PROTOCOLS')) {
  516. $curl_options[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
  517. }
  518. }
  519. curl_setopt_array($ch, $curl_options);
  520. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // We handle HTTP redirections manually for security
  521. $body = curl_exec($ch);
  522. $c_status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  523. $c_content_type = '' . curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
  524. $c_effective_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
  525. $c_error = curl_error($ch);
  526. $headers = [];
  527. if ($body !== false) {
  528. $responseHeaders .= "\r\n";
  529. $responseHeaders = \SimplePie\HTTP\Parser::prepareHeaders($responseHeaders);
  530. $parser = new \SimplePie\HTTP\Parser($responseHeaders);
  531. if ($parser->parse()) {
  532. $headers = $parser->headers;
  533. }
  534. }
  535. if (in_array($c_status, [301, 302, 303, 307, 308], true)) {
  536. // Handle the redirect by making another request
  537. $location = \SimplePie\Misc::absolutize_url($headers['location'] ?? $url, $url);
  538. if ($location === false) {
  539. $location = $url;
  540. }
  541. if (!self::compareURLOrigins($url, $location)) {
  542. unset($curl_options[CURLOPT_COOKIE]);
  543. unset($curl_options[CURLOPT_USERPWD]);
  544. unset($options[CURLOPT_COOKIE]);
  545. unset($options[CURLOPT_USERPWD]);
  546. if (is_array($options[CURLOPT_HTTPHEADER] ?? null)) {
  547. $options[CURLOPT_HTTPHEADER] = array_filter($options[CURLOPT_HTTPHEADER], fn(mixed $header): bool =>
  548. is_string($header) && !preg_match('/^(Cookie|Authorization)\\s*:/i', $header));
  549. }
  550. if (is_array($curl_options[CURLOPT_HTTPHEADER] ?? null)) {
  551. $curl_options[CURLOPT_HTTPHEADER] = array_filter($curl_options[CURLOPT_HTTPHEADER], fn(mixed $header): bool =>
  552. is_string($header) && !preg_match('/^(Cookie|Authorization)\\s*:/i', $header));
  553. }
  554. }
  555. if ($max_redirs >= 0) {
  556. $redirs++;
  557. }
  558. if ($redirs > $max_redirs) {
  559. Minz_Log::warning('Error fetching content: Too many redirects were hit [' . \SimplePie\Misc::url_remove_credentials($original_url) . ']');
  560. break;
  561. }
  562. if ((isset($options[CURLOPT_POST]) || isset($curl_options[CURLOPT_POST])) &&
  563. in_array($c_status, [301, 302, 303], true)) { // Not for 307 and 308, which must not change the HTTP method
  564. unset($curl_options[CURLOPT_POST]);
  565. unset($curl_options[CURLOPT_POSTFIELDS]);
  566. unset($options[CURLOPT_POST]);
  567. unset($options[CURLOPT_POSTFIELDS]);
  568. if (is_array($options[CURLOPT_HTTPHEADER] ?? null)) {
  569. $options[CURLOPT_HTTPHEADER] = array_filter($options[CURLOPT_HTTPHEADER], fn(mixed $header): bool =>
  570. is_string($header) && !str_starts_with(strtolower(trim($header)), 'content-type:'));
  571. }
  572. if (is_array($curl_options[CURLOPT_HTTPHEADER] ?? null)) {
  573. $curl_options[CURLOPT_HTTPHEADER] = array_filter($curl_options[CURLOPT_HTTPHEADER], fn(mixed $header): bool =>
  574. is_string($header) && !str_starts_with(strtolower(trim($header)), 'content-type:'));
  575. }
  576. }
  577. $url = $location;
  578. continue;
  579. }
  580. $fail = $c_status != 200 || $c_error != '' || $body === false;
  581. if ($fail) {
  582. $body = '';
  583. Minz_Log::warning('Error fetching content: HTTP code ' . $c_status . ': ' . $c_error . ' ' . $url);
  584. if (in_array($c_status, [429, 503], true)) {
  585. $retryAfter = FreshRSS_http_Util::setRetryAfter($url, $proxy, $headers['retry-after'] ?? '');
  586. if ($c_status === 429) {
  587. $errorMessage = 'HTTP 429 Too Many Requests! [' . \SimplePie\Misc::url_remove_credentials($url) . ']';
  588. } elseif ($c_status === 503) {
  589. $errorMessage = 'HTTP 503 Service Unavailable! [' . \SimplePie\Misc::url_remove_credentials($url) . ']';
  590. }
  591. if ($retryAfter > 0) {
  592. $errorMessage .= ' We may retry after ' . date('c', $retryAfter);
  593. }
  594. }
  595. } elseif (!is_string($body) || strlen($body) === 0) { // TODO: Implement HTTP 410 Gone
  596. $body = '';
  597. } else {
  598. if (in_array($type, ['html', 'json', 'opml', 'xml'], true)) {
  599. $body = trim($body, " \n\r\t\v"); // Do not trim \x00 to avoid breaking a BOM
  600. }
  601. if (in_array($type, ['html', 'xml', 'opml'], true)) {
  602. $body = self::enforceHttpEncoding($body, $c_content_type);
  603. }
  604. if (in_array($type, ['html'], true)) {
  605. if (stripos($c_content_type, 'text/plain') !== false) {
  606. // Plain text to be displayed as preformatted text. Prefixed with UTF-8 BOM
  607. $body = "\xEF\xBB\xBF" . '<pre class="text-plain">' . htmlspecialchars($body, ENT_NOQUOTES, 'UTF-8') . '</pre>';
  608. } else {
  609. $body = self::enforceHtmlBase($body, $c_effective_url);
  610. }
  611. }
  612. }
  613. break;
  614. }
  615. if ($cachePath !== null && file_put_contents($cachePath, $body) === false) {
  616. Minz_Log::warning("Error saving cache $cachePath for $url");
  617. }
  618. return ['body' => is_string($body) ? $body : '', 'effective_url' => $c_effective_url, 'redirect_count' => $redirs,
  619. 'fail' => $fail, 'status' => $c_status, 'error' => $c_error];
  620. }
  621. /**
  622. * Converts an IP (v4 or v6) to a binary representation using inet_pton
  623. *
  624. * @param string $ip the IP to convert
  625. * @return string a binary representation of the specified IP
  626. */
  627. private static function ipToBits(string $ip): string {
  628. $binaryip = '';
  629. foreach (str_split(inet_pton($ip) ?: '') as $char) {
  630. $binaryip .= str_pad(decbin(ord($char)), 8, '0', STR_PAD_LEFT);
  631. }
  632. return $binaryip;
  633. }
  634. /**
  635. * Check if an ip belongs to the provided range (in CIDR format)
  636. *
  637. * @param string $ip the IP that we want to verify (ex: 192.168.16.1)
  638. * @param string $range the range to check against (ex: 192.168.16.0/24)
  639. * @return bool true if the IP is in the range, otherwise false
  640. */
  641. private static function checkCIDR(string $ip, string $range): bool {
  642. $binary_ip = self::ipToBits($ip);
  643. if ($binary_ip === '') {
  644. return false;
  645. }
  646. $split = explode('/', $range);
  647. $subnet = $split[0] ?? '';
  648. if ($subnet == '') {
  649. return false;
  650. }
  651. $binary_subnet = self::ipToBits($subnet);
  652. if ($binary_subnet === '') {
  653. return false;
  654. }
  655. if (strlen($binary_ip) !== strlen($binary_subnet)) {
  656. return false; // Do not mix IPv4 and IPv6
  657. }
  658. $mask_bits_str = $split[1] ?? '';
  659. if (!ctype_digit($mask_bits_str)) {
  660. return false;
  661. }
  662. $mask_bits = (int)$mask_bits_str;
  663. $max_mask_bits = str_contains($ip, ':') ? 128 : 32;
  664. if ($mask_bits < 0 || $mask_bits > $max_mask_bits) {
  665. return false; // Reject invalid mask bits lengths
  666. }
  667. if ($mask_bits === 0) {
  668. return true;
  669. }
  670. $ip_net_bits = substr($binary_ip, 0, $mask_bits);
  671. $subnet_bits = substr($binary_subnet, 0, $mask_bits);
  672. return $ip_net_bits === $subnet_bits;
  673. }
  674. /**
  675. * Check if the client (e.g. last proxy) is allowed to send unsafe headers.
  676. * This uses the `TRUSTED_PROXY` environment variable or the `trusted_sources` configuration option to get an array of the authorized ranges,
  677. * The connection IP is obtained from the `CONN_REMOTE_ADDR`
  678. * (if available, to be robust even when using Apache mod_remoteip) or `REMOTE_ADDR` environment variables.
  679. * @return bool true if the sender’s IP is in one of the ranges defined in the configuration, else false
  680. */
  681. public static function checkTrustedIP(): bool {
  682. if (!FreshRSS_Context::hasSystemConf()) {
  683. return false;
  684. }
  685. $remoteIp = Minz_Request::connectionRemoteAddress();
  686. if ($remoteIp === '') {
  687. return false;
  688. }
  689. $trusted = getenv('TRUSTED_PROXY');
  690. if ($trusted != 0 && is_string($trusted)) {
  691. $trusted = preg_split('/\s+/', $trusted, -1, PREG_SPLIT_NO_EMPTY);
  692. }
  693. if (!is_array($trusted) || empty($trusted)) {
  694. $trusted = FreshRSS_Context::systemConf()->trusted_sources;
  695. }
  696. foreach ($trusted as $cidr) {
  697. if (self::checkCIDR($remoteIp, $cidr)) {
  698. return true;
  699. }
  700. }
  701. return false;
  702. }
  703. public static function httpAuthUser(bool $onlyTrusted = true): string {
  704. $auths = array_unique(array_filter(
  705. array_intersect_key($_SERVER, ['REMOTE_USER' => '', 'REDIRECT_REMOTE_USER' => '', 'HTTP_REMOTE_USER' => '', 'HTTP_X_WEBAUTH_USER' => '']),
  706. fn($value) => is_string($value) && $value !== ''
  707. ));
  708. if (count($auths) > 1) {
  709. Minz_Log::warning('Multiple HTTP authentication headers!');
  710. return '';
  711. }
  712. if (!empty($_SERVER['REMOTE_USER']) && is_string($_SERVER['REMOTE_USER'])) {
  713. return $_SERVER['REMOTE_USER'];
  714. }
  715. if (!empty($_SERVER['REDIRECT_REMOTE_USER']) && is_string($_SERVER['REDIRECT_REMOTE_USER'])) {
  716. return $_SERVER['REDIRECT_REMOTE_USER'];
  717. }
  718. if (!$onlyTrusted || self::checkTrustedIP()) {
  719. if (!empty($_SERVER['HTTP_REMOTE_USER']) && is_string($_SERVER['HTTP_REMOTE_USER'])) {
  720. return $_SERVER['HTTP_REMOTE_USER'];
  721. }
  722. if (!empty($_SERVER['HTTP_X_WEBAUTH_USER']) && is_string($_SERVER['HTTP_X_WEBAUTH_USER'])) {
  723. return $_SERVER['HTTP_X_WEBAUTH_USER'];
  724. }
  725. }
  726. return '';
  727. }
  728. }