36degrees
Member
Affected version: v2.2.16, but also reproduced in XenForo test forum
This issue occurs when unfurling a URL like https://www.birdwatching.com/optics/2014travelscopes/review.html, which includes the favicon using <link rel="shortcut icon" href="../../images_icons/favicon.ico">

proxy.php tries to load the URL https://www.birdwatching.com/optics/2014travelscopes/review.html/../../images_icons/favicon.ico which resolves incorrectly to https://www.birdwatching.com/optics/images_icons/favicon.ico (it should be

It looks like XF::convertToAbsoluteUrl does not correctly take relative paths into account (or at least assumes that base paths will be directories).

Additionally, the inclusion of ../../ triggers ModSecurity rule 930100: Path Traversal Attack (/../) from the OWASP Core Rule Set, which on our server results in the request being blocked.

It also looks like Symfony now includes a Symfony\Component\DomCrawler\UriResolver class which does seem to resolve things correctly, so may be worth exploring:
Code:
php > echo Symfony\Component\DomCrawler\UriResolver::resolve('../../images_icons/favicon.ico', 'https://www.birdwatching.com/optics/2014travelscopes/review.html');
https://www.birdwatching.com/images_icons/favicon.ico
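The resolution rule the report is getting at, as an added Python example that is not part of the report, of XenForo, or of Symfony: it applies the RFC 3986 relative-reference algorithm to the two URLs quoted above, reproduces the wrong result by switching on a base_is_dir flag (the "base path is a directory" assumption), shows that the un-normalised join is what still carries the /../ that rule 930100 matches on, and cross-checks against urllib. All function names are assumptions for this example.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Sample values constructed from the URLs quoted in the report above.
BASE = "https://www.birdwatching.com/optics/2014travelscopes/review.html"
HREF = "../../images_icons/favicon.ico"

def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 for an absolute path: collapse '.' and '..'."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:  # never pop the leading empty root segment
                out.pop()
        elif seg != ".":
            out.append(seg)
    if path.endswith(("/.", "/..")):
        out.append("")  # keep the trailing slash of 'dir/..'
    return "/".join(out)

def merge_paths(base_path: str, rel: str, base_is_dir: bool) -> str:
    """Join rel onto base_path. base_is_dir=False is RFC 3986 section 5.2.3
    (drop the 'review.html' part after the last '/'); base_is_dir=True keeps
    'review.html' as a directory segment, reproducing the report's wrong result."""
    if rel.startswith("/"):
        return rel
    if base_is_dir:
        return base_path.rstrip("/") + "/" + rel
    return base_path[: base_path.rfind("/") + 1] + rel

def resolve(base: str, href: str, base_is_dir: bool = False) -> str:
    """Resolve href against base into an absolute URL with no dot segments."""
    b, h = urlsplit(base), urlsplit(href)
    scheme, netloc = (h.scheme or b.scheme), (h.netloc or b.netloc)
    if h.scheme or h.netloc:  # absolute or scheme-relative href: ignore base path
        path = h.path
    else:
        path = merge_paths(b.path or "/", h.path, base_is_dir)
    return urlunsplit((scheme, netloc, remove_dot_segments(path), h.query, h.fragment))

def unresolved_join(base: str, href: str) -> str:
    """The literal URL a fetcher sends if it appends href without normalising."""
    return base.rstrip("/") + "/" + href

def agrees_with_stdlib(base: str, href: str) -> bool:
    """Cross-check against urllib's RFC 3986 implementation."""
    return resolve(base, href) == urljoin(base, href)
```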