Disable access to unsafe.php for blacklisted hosts.

mrjoelkemp · mrjoelkemp · commit a5ca8fa94a8e · 2014-12-30T16:26:19.000-05:00
A better fix that uses an env var is coming in #23. This is a temporary fix to close the hole. Fixes #22
diff --git a/src/eval/unsafe.php b/src/eval/unsafe.php
@@ -1,38 +1,68 @@
 <?php
-        // Turn off errors since eval will throw them on invalid syntax
-        $inString       = @ini_set('log_errors', false);
-        $token          = @ini_set('display_errors', true);
+  // Turn off errors since eval will throw them on invalid syntax
+  $inString = @ini_set('log_errors', false);
+  $token = @ini_set('display_errors', true);
 
-        // CORS support
-        header("Access-Control-Allow-Origin: *");
-        header("Content-type: application/json");
+  // CORS support
+  header("Access-Control-Allow-Origin: *");
+  header("Content-type: application/json");
 
-        $code = $_POST['code'];
+  if (isRequestFromBlacklistedHost()) {
+    echo getJsonOutput(array(
+      'result' => 'Tried to access unsafe eval from a blacklisted host',
+      'error' => ''
+    ));
+    exit();
+  }
 
-        // Remove error prone snippets
-        $toRemove = array("<?php", "?>", "<?");
+  $code = $_POST['code'];
 
-        $code = str_replace($toRemove, "", $code);
+  // Remove error prone snippets
+  $toRemove = array("<?php", "?>", "<?");
 
-        // Simple output buffering to capture
-        // error messages and send them to the user
-        ob_start();
+  $code = str_replace($toRemove, "", $code);
 
-        eval($code);
-        $result = ob_get_clean();
-        $error = error_get_last();
+  // Simple output buffering to capture
+  // error messages and send them to the user
+  ob_start();
 
-        echo getJsonOutput(array(
-                'result' => $result,
-                'error' => $error
-        ));
+  eval($code);
+  $result = ob_get_clean();
+  $error = error_get_last();
 
-        @ini_set('display_errors', $token);
-        @ini_set('log_errors', $inString);
+  echo getJsonOutput(array(
+    'result' => $result,
+    'error' => $error
+  ));
 
-        function getJsonOutput($options) {
-                $result = $options['result'];
-                $error  = $options['error'];
-                return json_encode(array("result" => $result, "error" => $error));
+  @ini_set('display_errors', $token);
+  @ini_set('log_errors', $inString);
+
+  function getJsonOutput($options) {
+    $result = $options['result'];
+    $error  = $options['error'];
+    return json_encode(array("result" => $result, "error" => $error));
+  }
+
+  function isRequestFromBlacklistedHost() {
+    // Prevents unsafe access on hosting providers (#22)
+    $blacklistedHosts = array(
+      'cloudcontrolled',
+      'herokuapp'
+    );
+
+    $isFromBlacklistedHost = false;
+
+    if (isset($_SERVER['HTTP_ORIGIN'])) {
+      $origin = $_SERVER['HTTP_ORIGIN'];
+
+      foreach ($blacklistedHosts as $host) {
+        if (strpos($origin, $host) !== false) {
+          $isFromBlacklistedHost = true;
         }
+      }
+    }
+
+    return $isFromBlacklistedHost;
+  }
 ?>
