alvarcarto / url-to-pdf-api

Web page PDF/PNG rendering done right. Self-hosted service for rendering receipts, invoices, or any content.
MIT License

Insufficient URL checking #7

Closed phfalk closed 6 years ago

phfalk commented 6 years ago

I think it might be a good idea to restrict URLs to http:// and https:// protocols. The current demo allows file:// type URLs and can therefore be used to read information from the file system.

Try for example https://url-to-pdf-api.herokuapp.com/api/render?url=file:///etc/passwd

There might be issues with other protocols as well. I only tested file:// URLs.
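An added example, not the project's code and not the fix in the linked commit: an allowlist check on the render endpoint's `url` parameter that accepts only http: and https:, using Node's WHATWG URL parser so that scheme case and surrounding whitespace do not slip past it. The `requireHttpUrl` middleware and its route shape are assumptions.

```javascript
// Added example (not url-to-pdf-api's code): allowlist the scheme of the
// `url` query parameter before it is handed to the headless browser.
// Anything that is not http: or https: (file:, data:, javascript:, ftp:, ...)
// is rejected, which closes the file:///etc/passwd read described above.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns { ok: true, href } for an acceptable URL, or { ok: false, reason }.
function checkRenderUrl(input) {
  if (typeof input !== 'string' || input.trim() === '') {
    return { ok: false, reason: 'url parameter missing' };
  }
  let parsed;
  try {
    // WHATWG parsing strips surrounding whitespace and lower-cases the scheme,
    // so "FILE:///etc/passwd" and " file:///etc/passwd " both become file:.
    parsed = new URL(input);
  } catch (err) {
    // Relative paths, bare hostnames and garbage are not absolute URLs.
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `protocol ${parsed.protocol} not allowed` };
  }
  return { ok: true, href: parsed.href };
}

// Hypothetical Express-style middleware for GET /api/render?url=...
// (the real handler differs): reject with 400 before any rendering happens.
function requireHttpUrl(req, res, next) {
  const result = checkRenderUrl(req.query.url);
  if (!result.ok) {
    return res.status(400).json({ error: result.reason });
  }
  req.renderUrl = result.href; // normalized URL for the renderer to use
  return next();
}
```

Note that this only restricts the scheme; a deployment that must not reach internal hosts still needs a separate check on the resolved destination.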

phfalk commented 6 years ago

See also #6

kimmobrunfeldt commented 6 years ago

Thank you for opening the issue! Fixed in https://github.com/alvarcarto/url-to-pdf-api/commit/af5f96cc06fda90ea1dab5756e508aa11e139080