Fix multiple security issues in legacy endpoints

application/components/search/engines/ElasticConnection.php

@@ -36,20 +36,35 @@ private function getHeaders()
             'Authorization: Basic ' . base64_encode($this->username.':'.$this->password),
         );
 
-        $clientIp = $this->getClientIp();
+        $clientIp = $this->sanitizeHeaderValue($this->getClientIp());
         if (!empty($clientIp)) {
             $headers[] = 'X-Forwarded-For: ' . $clientIp;
             $headers[] = 'X-Real-IP: ' . $clientIp;
         }
 
-        $userAgent = Yii::$app->getRequest()->getUserAgent();
+        $userAgent = $this->sanitizeHeaderValue(Yii::$app->getRequest()->getUserAgent());
         if (!empty($userAgent)) {
             $headers[] = 'User-Agent: ' . $userAgent;
         }
 
         return $headers;
     }
 
+    /**
+     * Strip CR/LF and other control characters from a value before placing it
+     * in an outbound HTTP header. Prevents header / request smuggling via
+     * client-controlled headers like User-Agent and X-Forwarded-For.
+     */
+    private function sanitizeHeaderValue($value)
+    {
+        if ($value === null) {
+            return '';
+        }
+        // Drop anything that could terminate a header line or inject control chars.
+        $clean = preg_replace('/[\x00-\x1F\x7F]/', '', (string)$value);
+        return trim($clean);
+    }
+
     private function getClientIp()
     {
         $request = Yii::$app->getRequest();

application/modules/front/controllers/IndexController.php

@@ -146,12 +146,21 @@ public function actionContact() {
     }
 
 	public function actionFlushCache($key = NULL) {
+		// Restrict cache management to loopback callers (server-local maintenance scripts).
+		// Without this guard any anonymous visitor could repeatedly flush the cache
+		// and cause a stampede on the origin database.
+		$remoteIp = Yii::$app->getRequest()->getUserIP();
+		$allowedIps = ['127.0.0.1', '::1'];
+		if (!in_array($remoteIp, $allowedIps, true)) {
+			throw new \yii\web\ForbiddenHttpException('Forbidden.');
+		}
+		if (!Yii::$app->getRequest()->getIsPost()) {
+			throw new \yii\web\MethodNotAllowedHttpException('POST required.');
+		}
 		if (is_null($key)) $success = Yii::$app->cache->flush();
 		else {
 			$key = rawurldecode($key);
 			$success = Yii::$app->cache->delete($key);
-			//Yii::log("Attempting to delete key $key", 'info', 'system.web.CController');
-			//$success = $key;
 		}
 		$this->view->params['success'] = $success;
 		echo $this->renderPartial('flushcache');

public/processer.php

@@ -24,8 +24,14 @@ function getIP() {
 
 		$errortype = $_POST['type']." ".$_POST['othererror'];
 		$errortext = $_POST['re_additional'];
-		$email = $_POST['email'];
-		if (strlen($email) <= 3) $email = $parameters['adminEmail'];
+		$email = isset($_POST['email']) ? trim((string)$_POST['email']) : '';
+		// Reject anything that doesn't look like a valid email address or that
+		// contains CR/LF (mail header injection). Fall back to adminEmail.
+		if (strlen($email) <= 3
+			|| !filter_var($email, FILTER_VALIDATE_EMAIL)
+			|| preg_match('/[\r\n]/', $email)) {
+			$email = $parameters['adminEmail'];
+		}
 
 		$resp = recaptcha_check_answer(
 				$privatekey,

public/share.php

@@ -1,6 +1,17 @@
 <?php
-	$hadithText = $_POST['hadithText'];
+	$hadithText = isset($_POST['hadithText']) ? (string)$_POST['hadithText'] : '';
 	$hadithPreviewText = nl2br(htmlspecialchars($hadithText));
+
+	$rawLink = isset($_POST['link']) ? (string)$_POST['link'] : '';
+	// Only allow a site-relative path, e.g. /bukhari/1. Reject anything that
+	// doesn't start with a single '/' or contains characters that could break
+	// out of the href attribute or change the host.
+	$link = '';
+	if (preg_match('#^/[A-Za-z0-9_\-./:?=&%]*$#', $rawLink) && strpos($rawLink, '//') !== 0) {
+		$link = $rawLink;
+	}
+	$linkAttr = htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
+	$hadithTextUrl = rawurlencode($hadithText);
 ?>
 
 <h1> SHARE THIS HADITH </h1>
@@ -15,7 +26,7 @@
 <!-- Share buttons -->
 <div class="share_buttons">
 	<div class="share_button">
-		<a href="https://www.facebook.com/sharer.php?u=https://sunnah.com<?php echo $_POST['link']; ?>"
+		<a href="https://www.facebook.com/sharer.php?u=https://sunnah.com<?php echo $linkAttr; ?>"
 			target="blank"
 			rel="noopener noreferrer"
 			title="Share Hadith on Facebook"
@@ -24,7 +35,7 @@ class="icn-fb">
 	</div>
 
 	<div class="share_button">
-		<a href="https://twitter.com/intent/tweet?text=<?php echo urlencode($_POST['hadithText']); ?>&hashtags=SunnahCom,hadith"
+		<a href="https://twitter.com/intent/tweet?text=<?php echo $hadithTextUrl; ?>&hashtags=SunnahCom,hadith"
 			target="blank"
 			rel="noopener noreferrer"
 			title="Share Hadith on Twitter"
@@ -34,7 +45,7 @@ class="icn-twitter">
 
     <!-- WhatsApp -->
 	<div class="share_button">
-		<a href="https://api.whatsapp.com/send?url=https://sunnah.com<?php echo $_POST['link']; ?>&text=<?php echo urlencode($_POST['hadithText']); ?>" 
+		<a href="https://api.whatsapp.com/send?url=https://sunnah.com<?php echo $linkAttr; ?>&text=<?php echo $hadithTextUrl; ?>" 
 			target="_blank"
 			rel="noopener noreferrer"
 			title="Share Hadith on WhatsApp"
@@ -45,7 +56,7 @@ class="icn-whatsapp"
 
 	<!-- Telegram -->
 	<div class="share_button">
-		<a href="https://t.me/share/url?url=https://sunnah.com<?php echo $_POST['link']; ?>" 
+		<a href="https://t.me/share/url?url=https://sunnah.com<?php echo $linkAttr; ?>" 
 			target="_blank"
 			rel="noopener noreferrer"
 			title="Share Hadith on Telegram"