Current Behavior
By tampering with the REST API requests, users can save any favicon URL in the database, and it doesn't even have to be a DuckDuckGo favicon URL.
It's also possible to save a favicon URL even when the admin setting for favicons is disabled.
Expected Behavior
Ideally, the DuckDuckGo URL should be computed entirely server-side, and the frontend should just send whether it wants to use the favicon service or not. Not storing the URL in the database would be even better, as it would allow switching the favicon service without updating every user record.
But as a compromise to simplify the fix, the validator could also just validate that the URL matches the DuckDuckGo favicon endpoint, and optionally that the hostname matches. I don't see how you could abuse changing just the hostname in the favicon URL, because if you want to fake a favicon appearance you can already link to a domain you own with the favicon of your choice.
Environment
Flarum version: 1.3.1
Extension version: dev-master as of 2022-06-13
Possible solution(s)
As described in expected behavior.
The simple solution can probably be done with a regular expression in the validator instead of allowing any value for favicon. But the regexp needs to change depending on the value of the favicon setting in the admin.
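One way to implement the compromise described above (an anchored check that the stored value is exactly the DuckDuckGo endpoint URL, optionally tied to the expected hostname, and refusing any URL at all when the admin setting is off), as an added example in plain PHP with no Flarum dependencies. This is not the extension's own validator code; it assumes the endpoint shape https://icons.duckduckgo.com/ip3/<host>.ico and hypothetical setting values 'duckduckgo' (enabled) and 'none' (disabled), since the real setting keys and attribute names are not given in this report.

```php
<?php
// Added example, not the extension's own code. Plain PHP, no framework calls.
// Assumption: the DuckDuckGo favicon endpoint has the shape below.
const DDG_FAVICON_PREFIX = 'https://icons.duckduckgo.com/ip3/';

/**
 * Build the favicon URL server-side from a bare hostname, so the client only
 * says whether it wants the service and never chooses the stored URL.
 * Returns null when $host is not a plain DNS hostname (no scheme, path,
 * port, userinfo or query), which also rules out path-traversal tricks.
 */
function duckduckgoFaviconUrl(string $host): ?string
{
    $hostPattern = '/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
    if (!preg_match($hostPattern, $host)) {
        return null;
    }
    return DDG_FAVICON_PREFIX . strtolower($host) . '.ico';
}

/**
 * Validate a favicon URL submitted by the client.
 *   $url          value from the (tampered or not) REST request, null if absent
 *   $setting      hypothetical admin setting: 'none' = disabled, 'duckduckgo' = enabled
 *   $expectedHost hostname the favicon must belong to; null skips that check
 * Accepts only an empty value or the exact URL the server itself would build,
 * so the accepted set changes with the admin setting as the report asks.
 */
function isValidFaviconUrl(?string $url, string $setting, ?string $expectedHost = null): bool
{
    $empty = ($url === null || $url === '');

    // Favicons disabled: nothing may be stored, whatever the request contains.
    if ($setting !== 'duckduckgo') {
        return $empty;
    }

    // Opting out of the favicon is always allowed.
    if ($empty) {
        return true;
    }

    // Anchored match: scheme, host and path prefix are fixed; only the host
    // segment varies, and it may not contain '/', '?', '#', '@' or ':'.
    if (!preg_match('#^https://icons\.duckduckgo\.com/ip3/([a-z0-9.-]+)\.ico$#', $url, $m)) {
        return false;
    }
    $host = $m[1];

    // Re-derive the URL from the captured host; anything else (double dots,
    // leading hyphens, bare words) fails here.
    if (duckduckgoFaviconUrl($host) !== $url) {
        return false;
    }

    // Optional tie to the hostname the user is actually linking.
    if ($expectedHost !== null && strtolower($expectedHost) !== $host) {
        return false;
    }

    return true;
}

// Constructed sample requests, as a tampering client might send them.
$samples = [
    ['https://icons.duckduckgo.com/ip3/example.com.ico', 'duckduckgo', 'example.com'],
    ['https://icons.duckduckgo.com/ip3/example.com.ico', 'duckduckgo', 'other.org'],
    ['https://attacker.example/tracker.png',             'duckduckgo', null],
    ['https://icons.duckduckgo.com/ip3/a.com/../b.ico',  'duckduckgo', null],
    ['https://icons.duckduckgo.com/ip3/example.com.ico', 'none',       'example.com'],
    ['',                                                 'none',       null],
];
foreach ($samples as [$url, $setting, $host]) {
    printf("%-52s setting=%-10s -> %s\n", $url === '' ? '(empty)' : $url, $setting,
        isValidFaviconUrl($url, $setting, $host) ? 'accept' : 'reject');
}
```

Of the constructed samples, only the first and the last are accepted: a foreign URL, a mismatched hostname, a traversal attempt inside the host segment, and any URL while the setting is off are all rejected. The host check is strict (no port, no bare single-label names), which matches what a link favicon needs; if the extension later allows a different provider, only DDG_FAVICON_PREFIX and the anchored pattern change, while stored records still need no rewrite because the client never supplied the URL.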