authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2025-04-07 08:33:13 +0200
committerGravatar GitHub <noreply@github.com> 2025-04-07 08:33:13 +0200
commitd3d9acca9f905fc03d6151f6ad75567256310831 (patch)
tree51061d6c242f16734b0abac53db05dca100f07ca /lib/lib_rss.php
parent54e2f9107d03c5b3bb260f38fdb2736bce449fd4 (diff)
Web scraping forbid security headers in cURL (#7496)
Prevent the `Remote-User` and `X-WebAuth-User` headers from being sent via user-supplied cURL parameters during Web scraping.
Diffstat (limited to 'lib/lib_rss.php')
-rw-r--r--lib/lib_rss.php13
1 files changed, 12 insertions, 1 deletions
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 7e7dd4790..4fb4fdef9 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -567,7 +567,18 @@ function httpGet(string $url, string $cachePath, string $type = 'html', array $a
curl_setopt_array($ch, FreshRSS_Context::systemConf()->curl_options);
- if (isset($attributes['curl_params']) && is_array($attributes['curl_params'])) {
+ if (is_array($attributes['curl_params'] ?? null)) {
+ $options = $attributes['curl_params'];
+ if (is_array($options[CURLOPT_HTTPHEADER] ?? null)) {
+ // Remove headers problematic for security
+ $options[CURLOPT_HTTPHEADER] = array_filter($options[CURLOPT_HTTPHEADER],
+ fn($header) => is_string($header) && !preg_match('/^(Remote-User|X-WebAuth-User)\\s*:/i', $header));
+ // Add Accept header if it is not set
+ if (preg_grep('/^Accept\\s*:/i', $options[CURLOPT_HTTPHEADER]) === false) {
+ $options[CURLOPT_HTTPHEADER][] = 'Accept: ' . $accept;
+ }
+ $attributes['curl_params'] = $options;
+ }
curl_setopt_array($ch, $attributes['curl_params']);
}
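Review bot: The Accept fallback guarded by `preg_grep(...) === false` never fires when the header is merely absent, because `preg_grep` returns an empty array in that case and `false` only on a PCRE error; it should read `if (preg_grep('/^Accept\\s*:/i', $options[CURLOPT_HTTPHEADER]) === []) {` (or `empty(...)`). The deny-list callback in the `array_filter` call also fails open: `!preg_match(...)` keeps the header if `preg_match` returns `false` on an engine error, so `preg_match(...) === 0` is the safer test. The pattern matches only the hyphenated spellings; whether an underscore variant such as `Remote_User` is mapped by the web server to the same `HTTP_REMOTE_USER` variable depends on the server configuration, so widening it to `/^(Remote[-_]User|X[-_]WebAuth[-_]User)\s*:/i` costs nothing and removes that dependency. The enclosing `httpGet` starts before and continues after this hunk, so the origin of `$accept` and what is sent after `curl_setopt_array` are not visible here.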