Add APP_REMOTE_HOST_WHITE_LIST .env parameter

freescout-help-desk · freescout-help-desk · commit fc127d7dd421 · 2025-12-01T09:49:29.000-08:00
diff --git a/app/Misc/Helper.php b/app/Misc/Helper.php
@@ -1802,7 +1802,7 @@ public static function getRemoteFileContents($url, $follow_redirects = true)
         }
     }
 
-    public static function sanitizeRemoteUrl($url)
+    public static function sanitizeRemoteUrl($url, $throw_exception = false)
     {
         $parts = parse_url($url ?? '');
 
@@ -1815,6 +1815,11 @@ public static function sanitizeRemoteUrl($url)
         if (empty($parts['host'])) {
             return '';
         }
+
+        $host_white_list_str = str_replace(' ', '', mb_strtolower(config('app.remote_host_white_list')));
+        $host_white_list = explode(',', $host_white_list_str);
+
+        // Sanitize host name.
         $parts['host'] = mb_strtolower($parts['host']);
         $hostname = gethostname();
         $host_ip = gethostbyname($hostname);
@@ -1830,13 +1835,24 @@ public static function sanitizeRemoteUrl($url)
             $_SERVER['LOCAL_ADDR'] ?? ''
         ];
 
-        if (in_array($parts['host'], $restricted_hosts)) {
-            return '';
+        if (in_array($parts['host'], $restricted_hosts) && !in_array($parts['host'], $host_white_list)) {
+            if ($throw_exception) {
+                throw new \Exception(__('Domain or IP address is not allowed: :%host%. Whitelist it via APP_REMOTE_HOST_WHITE_LIST .env parameter.', ['%host%' => $parts['host']]), 1);
+            } else {
+                return '';
+            }
         }
 
+        // Sanitize host IP address.
         $remote_host_ip = gethostbyname($parts['host']);
-        if (in_array($remote_host_ip, ['0.0.0.0', '127.0.0.1', $host_ip, $_SERVER['SERVER_ADDR'] ?? '', $_SERVER['LOCAL_ADDR'] ?? ''])) {
-            return '';
+        if (in_array($remote_host_ip, ['0.0.0.0', '127.0.0.1', $host_ip, $_SERVER['SERVER_ADDR'] ?? '', $_SERVER['LOCAL_ADDR'] ?? ''])
+            && !in_array($remote_host_ip, $host_white_list)
+        ) {
+            if ($throw_exception) {
+                throw new \Exception(__('Domain or IP address is not allowed: :%host%. Whitelist it via APP_REMOTE_HOST_WHITE_LIST .env parameter.', ['%host%' => $remote_host_ip]), 1);
+            } else {
+                return '';
+            }
         }
 
         return $url;
diff --git a/config/app.php b/config/app.php
@@ -521,6 +521,15 @@
     */
     'alternative_reply_separation'    => env('APP_ALTERNATIVE_REPLY_SEPARATION', false),
 
+    /*
+    |--------------------------------------------------------------------------
+    | Comma separated list of white listed hosts.
+    | If some input containing URL becomes blank after saving it - add its host or IP here.
+    | Example: example.org,test.example.org,192.168.1.97
+    |-------------------------------------------------------------------------
+    */
+    'remote_host_white_list'    => env('APP_REMOTE_HOST_WHITE_LIST', ''),
+
     /*
     |--------------------------------------------------------------------------
     | Autoloaded Service Providers
