video_playback: Check "host" parameter validity

author: Samantaz Fox <coding@samantaz.fr> 2022-02-11 01:36:53 +0100
committer: Samantaz Fox <coding@samantaz.fr> 2022-02-11 02:04:05 +0100
commit: 01135db80a0272b3a6b0bc733b883d90ac414337 (patch)
tree: e7b694c4bbd089b80a1958977fea41ff42eb7ca8 /src
parent: 955e3de56d1c5f323bc3b3a2ffc1fe22f52b3088 (diff)
download: invidious-01135db80a0272b3a6b0bc733b883d90ac414337.tar.gz
invidious-01135db80a0272b3a6b0bc733b883d90ac414337.tar.bz2
invidious-01135db80a0272b3a6b0bc733b883d90ac414337.zip
1 files changed, 8 insertions, 2 deletions
diff --git a/src/invidious/routes/video_playback.cr b/src/invidious/routes/video_playback.cr
index f6340c57..6ac1e780 100644
--- a/src/invidious/routes/video_playback.cr
+++ b/src/invidious/routes/video_playback.cr
@@ -14,12 +14,18 @@ module Invidious::Routes::VideoPlayback
     end
 
     if query_params["host"]? && !query_params["host"].empty?
-      host = "https://#{query_params["host"]}"
+      host = query_params["host"]
       query_params.delete("host")
     else
-      host = "https://r#{fvip}---#{mns.pop}.googlevideo.com"
+      host = "r#{fvip}---#{mns.pop}.googlevideo.com"
     end
 
+    # Sanity check, to avoid being used as an open proxy
+    if !host.matches?(/[\w-]+.googlevideo.com/)
+      return error_template(400, "Invalid \"host\" parameter.")
+    end
+
+    host = "https://#{host}"
     url = "/videoplayback?#{query_params}"
 
     headers = HTTP::Headers.new
author	Samantaz Fox <coding@samantaz.fr>	2022-02-11 01:36:53 +0100
committer	Samantaz Fox <coding@samantaz.fr>	2022-02-11 02:04:05 +0100
commit	01135db80a0272b3a6b0bc733b883d90ac414337 (patch)
tree	e7b694c4bbd089b80a1958977fea41ff42eb7ca8 /src
parent	955e3de56d1c5f323bc3b3a2ffc1fe22f52b3088 (diff)
download	invidious-01135db80a0272b3a6b0bc733b883d90ac414337.tar.gz invidious-01135db80a0272b3a6b0bc733b883d90ac414337.tar.bz2 invidious-01135db80a0272b3a6b0bc733b883d90ac414337.zip