| author | 2025-04-07 08:33:13 +0200 | |
|---|---|---|
| committer | 2025-04-07 08:33:13 +0200 | |
| commit | d3d9acca9f905fc03d6151f6ad75567256310831 (patch) | |
| tree | 51061d6c242f16734b0abac53db05dca100f07ca /app/views | |
| parent | 54e2f9107d03c5b3bb260f38fdb2736bce449fd4 (diff) | |
Web scraping forbid security headers in cURL (#7496)
Prevent using `Remote-User`, `X-WebAuth-User` during Web scraping.
Diffstat (limited to 'app/views')
| -rw-r--r-- | app/views/helpers/feed/update.phtml | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/app/views/helpers/feed/update.phtml b/app/views/helpers/feed/update.phtml
index 41d879843..6a04edd07 100644
--- a/app/views/helpers/feed/update.phtml
+++ b/app/views/helpers/feed/update.phtml
@@ -823,6 +823,9 @@
 $httpHeaders = [];
 }
 $httpHeaders = array_filter($httpHeaders, 'is_string');
+ // Remove headers problematic for security
+ $httpHeaders = array_filter($httpHeaders,
+ fn(string $header) => !preg_match('/^(Remote-User|X-WebAuth-User)\\s*:/i', $header));
 ?>
 <textarea class="valid-json" id="http_headers" name="http_headers" rows="3" cols="64" spellcheck="false"><?php
 foreach ($httpHeaders as $header) { |
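Review bot: The deny pattern on the added `preg_match` line is anchored at `^` and matches only the exact hyphenated names, so a stored header line with leading whitespace is kept. The same holds for an underscore spelling, which CGI-style backends may fold into the same server variable (an assumption about the receiving server). A more tolerant form would be `fn(string $header) => !preg_match('/^\\s*(Remote[-_]User|X[-_]WebAuth[-_]User)\\s*:/i', $header));`. This hunk sits in the view and only governs what is rendered back into the `http_headers` textarea. The diffstat is limited to `app/views`, so the filter applied when the cURL request is built is not visible here; it would be worth confirming both places share one pattern, ideally through a single helper. The surrounding PHP block starts and ends outside the hunk.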
