Merge pull request #9181 from Sesquipedalian/3.0/attachments_and_proxy

[3.0] Fixes a couple things with attachments and the image proxy

Author: Sesquipedalian

Sources/Actions/AttachmentApprove.php

@@ -100,7 +100,7 @@ public function execute(): void
 
 		while ($row = Db::$db->fetch_assoc($request)) {
 			// We can only add it if we can approve in this board!
-			if ($allowed_boards = [0] || \in_array($row['id_board'], $allowed_boards)) {
+			if ($allowed_boards === [0] || \in_array($row['id_board'], $allowed_boards)) {
 				$attachments[] = $row['id_attach'];
 
 				// Also come up with the redirection URL.

Sources/ProxyServer.php

@@ -139,6 +139,15 @@ public function checkRequest(): bool
 			return false;
 		}
 
+		// Just in case...
+		if (
+			filter_var($request->host, FILTER_VALIDATE_IP) !== false
+			|| $request->host === 'localhost'
+			|| $request->host === Url::create(Config::$boardurl)->host
+		) {
+			return false;
+		}
+
 		// Ensure any non-ASCII characters in the URL are encoded correctly
 		$request = \strval($request->toAscii());
 

Sources/Url.php

@@ -488,8 +488,16 @@ public function proxied(): self
 			return $proxied;
 		}
 
-		// Don't bother with HTTPS URLs, schemeless URLs, or obviously invalid URLs.
-		if (empty($proxied->scheme) || empty($proxied->host) || empty($proxied->path) || $proxied->scheme === 'https') {
+		if (
+			// Don't bother with HTTPS URLs, schemeless URLs, or obviously invalid URLs.
+			empty($proxied->scheme)
+			|| $proxied->scheme === 'https'
+			|| empty($proxied->host)
+			|| empty($proxied->path)
+			// Don't proxy localhost or IP addresses.
+			|| $proxied->host === 'localhost'
+			|| filter_var($proxied->host, FILTER_VALIDATE_IP) !== false
+		) {
 			return $proxied;
 		}