
Fix referrer check

This commit is contained in:
AviKav 2020-07-05 12:56:15 -04:00
parent 5f005e61e9
commit 27bac2ef48
No known key found for this signature in database
GPG Key ID: 7BC4B96BC8A7167D


@ -135,9 +135,10 @@ class ImageServer(
} }
} }
if (request.header("Referer")?.startsWith("https://mangadex.org") == false) { if (!request.referrerMatches(ALLOWED_REFERER_DOMAINS)) {
snapshot?.close() snapshot?.close()
Response(Status.FORBIDDEN) LOGGER.info { "Request for $sanitizedUri rejected due to non-allowed referrer ${request.header("Referer")}" }
return@then Response(Status.FORBIDDEN)
} else if (snapshot != null && imageDatum != null) { } else if (snapshot != null && imageDatum != null) {
request.handleCacheHit(sanitizedUri, getRc4(rc4Bytes), snapshot, imageDatum) request.handleCacheHit(sanitizedUri, getRc4(rc4Bytes), snapshot, imageDatum)
} else { } else {
@ -152,6 +153,21 @@ class ImageServer(
} }
} }
/**
* Filters referrers based on passed (sub)domains. Ignores `scheme` (protocol) in URL
*/
private fun Request.referrerMatches(allowedDomains: List<String>, permitBlank: Boolean = true): Boolean {
val referer = this.header("Referer") ?: return permitBlank // Referrer was misspelled as "Referer" and now we're stuck with it -_-
if (referer == "") return permitBlank
return allowedDomains.any {
referer.substringAfter("//") // Ignore scheme
.substringBefore("/") // Ignore path
.endsWith(it)
}
}
private fun Request.handleCacheHit(sanitizedUri: String, cipher: Cipher, snapshot: DiskLruCache.Snapshot, imageDatum: ImageDatum): Response { private fun Request.handleCacheHit(sanitizedUri: String, cipher: Cipher, snapshot: DiskLruCache.Snapshot, imageDatum: ImageDatum): Response {
// our files never change, so it's safe to use the browser cache // our files never change, so it's safe to use the browser cache
return if (this.header("If-Modified-Since") != null) { return if (this.header("If-Modified-Since") != null) {
@ -274,6 +290,7 @@ class ImageServer(
private val JACKSON: ObjectMapper = jacksonObjectMapper() private val JACKSON: ObjectMapper = jacksonObjectMapper()
.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false) .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
.registerModule(JavaTimeModule()) .registerModule(JavaTimeModule())
private val ALLOWED_REFERER_DOMAINS = listOf("mangadex.org", "mangadex.network") // TODO: Factor out hardcoded domains?
private fun baseHandler(): Filter = private fun baseHandler(): Filter =
CachingFilters.Response.MaxAge(Clock.systemUTC(), Constants.MAX_AGE_CACHE) CachingFilters.Response.MaxAge(Clock.systemUTC(), Constants.MAX_AGE_CACHE)
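Review bot: `referrerMatches` in the second hunk compares the extracted host with a bare `endsWith(it)`, so any host whose name merely ends in an allowed domain (a lookalike registrable name, not only a true subdomain) satisfies the check; the comparison needs a label boundary. Hoist the host extraction out of the lambda as `val host = referer.substringAfter("//").substringBefore("/")` and make the predicate `host == it || host.endsWith(".$it")`. The extracted host still carries any `:port` suffix, so an origin with an explicit port would then be rejected by the exact-match branch unless it is stripped with `.substringBefore(":")`. Since the Referer header is client-supplied this remains a hotlinking deterrent rather than an access control, and the new log line in the first hunk writes that raw header value into the log unescaped. The enclosing `class ImageServer` begins and ends outside the visible hunks, and the third hunk runs past the end of the page.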