|
9 | 9 | * Updated at: 2024-11-26 |
10 | 10 | */ |
11 | 11 |
|
12 | | -define("PHP_HTTPPROXY_VERSION", "0.1.6.4"); |
| 12 | +define("PHP_HTTPPROXY_VERSION", "0.1.6.5"); |
13 | 13 | define("DEFAULT_SOCKET_TIMEOUT", 1); |
14 | 14 | define("STATEFUL_SOCKET_TIMEOUT", 30); |
15 | 15 | define("MAX_EXECUTION_TIME", 0); |
| 16 | +define("ALLOW_INVOKE_INSECURE_METHOD", false); |
| 17 | +define("ALLOW_LOAD_INSECURE_SCRIPT", true); |
16 | 18 | define( "DEFAULT_USER_AGENT", 'php-httpproxy/' . PHP_HTTPPROXY_VERSION . ' (Server; PHP ' . phpversion() . '; Caterpillar; [email protected])'); |
17 | 19 |
|
18 | 20 | error_reporting(E_ALL); |
@@ -88,6 +90,10 @@ function fatal_handler() { |
88 | 90 |
|
89 | 91 | function load_script($data) { |
90 | 92 | $loaded_script = false; |
| 93 | + |
| 94 | + if (!ALLOW_LOAD_INSECURE_SCRIPT) { |
| 95 | + return $loaded_script; |
| 96 | + } |
91 | 97 |
|
92 | 98 | $fh = tmpfile(); |
93 | 99 | if ($fh !== false) { |
@@ -514,7 +520,21 @@ function relay_invoke_method($params) { |
514 | 520 | $callback = $params['callback']; |
515 | 521 | $requires = jsonrpc2_cast_to_array($params['requires']); |
516 | 522 | $args = jsonrpc2_cast_to_array($params['args']); |
517 | | - |
| 523 | + |
| 524 | + if (!ALLOW_INVOKE_INSECURE_METHOD) { |
| 525 | + $allow_callbacks = array("idn_to_ascii", "idn_to_utf8", "load_script"); |
| 526 | + if (!in_array($callback, $allow_callbacks)) { |
| 527 | + return array( |
| 528 | + "success" => false, |
| 529 | + "error" => array( |
| 530 | + "status" => 403, |
| 531 | + "code" => -1, |
| 532 | + "message" => $callback . " is not allowed" |
| 533 | + ) |
| 534 | + ); |
| 535 | + } |
| 536 | + } |
| 537 | + |
518 | 538 | foreach($requires as $required_url) { |
519 | 539 | try { |
520 | 540 | $result = relay_fetch_url(array( |
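Review bot: The allowlist check at new line 526 uses a loose `in_array`, so a non-string `callback` in the JSON-RPC params (e.g. `true`) satisfies the filter and reaches whatever invocation follows outside this hunk; make it `if (!is_string($callback) || !in_array($callback, $allow_callbacks, true)) {`. The list itself still contains `load_script`, which writes caller-supplied `$data` to a `tmpfile()` (hunk at lines 89-99) and presumably loads it, while `ALLOW_LOAD_INSECURE_SCRIPT` defaults to `true` at new line 17 — with the shipped defaults a client can therefore still hand arbitrary script content to `load_script` via `args`, and only the generic callback path is closed. Consider defaulting `ALLOW_LOAD_INSECURE_SCRIPT` to `false` or dropping `load_script` from the default list, and document the intent above the array with something like `// Default-deny: only these callbacks may be invoked over JSON-RPC unless ALLOW_INVOKE_INSECURE_METHOD is set`. `relay_invoke_method` begins before and continues after this hunk, so the actual invocation of `$callback` is not visible here.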
|