From 774c8e0112c9006b723f8440bf5fa5bed309ce68 Mon Sep 17 00:00:00 2001
From: Chris
Date: Thu, 2 Nov 2023 20:23:01 +0100
Subject: [PATCH] disable follow to avoid CVEs
---
 api/geturl.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/api/geturl.php b/api/geturl.php
index 5fa89bb..3e224e5 100644
--- a/api/geturl.php
+++ b/api/geturl.php
@@ -42,7 +42,15 @@ else if(remote_filesize($url)*0.000001 > 20)
 $name = basename($url);
 $tmpfile = ROOT.DS.'tmp'.DS.$name;
-file_put_contents($tmpfile,file_get_contents($url));
+
+$context = stream_context_create(
+ array(
+ "http" => array(
+ "follow_location" => false,
+ ),
+ )
+);
+file_put_contents($tmpfile,file_get_contents($url, false, $context));
 $type = getTypeOfFile($tmpfile);
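Review bot: The result of `file_get_contents($url, false, $context)` is passed straight to `file_put_contents()`, so a failed fetch writes an empty `$tmpfile`, and with redirects now disabled a 3xx reply is likely stored as if it were the requested file before `getTypeOfFile()` runs. Fetch into a variable first, reject `false`, and check the status line in `$http_response_header` so that only a 2xx response is saved. The `"http"` context options apply only to the http/https stream wrappers, so the fix relies on the scheme of `$url` being restricted earlier in the script, which is outside this hunk; a `"timeout"` entry in the same array would also bound how long the request can hang. The download is a separate request from the `remote_filesize($url)` call in the hunk header, so the 20 MB check does not by itself limit what is written to `tmp`.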