Make vm-ping more resilient, closes #289

basic/srv/vm/mgr/tools.py

@@ -67,7 +67,7 @@ def resolve_ip(domain, type):
 
 def ping_url(url):
     try:
-        return requests.post('https://tools.dasm.cz/vm-ping.php', data = {'url': url}, timeout=5).text == 'vm-pong'
+        return requests.get('https://tools.dasm.cz/vm-ping.php', params = {'url': url}, timeout=5).text == 'vm-pong'
     except requests.exceptions.Timeout:
         raise
     except:

basic/srv/vm/mgr/wsgiapp.py

@@ -163,7 +163,7 @@ class WSGIApp(object):
         try:
             domain = request.form['domain']
             port = request.form['port']
-            self.vmmgr.update_host(domain, port, False)
+            self.vmmgr.update_host(domain, port)
             server_name = request.environ['HTTP_X_FORWARDED_SERVER_NAME']
             url = '{}/setup-host'.format(tools.compile_url(server_name, port))
             response = self.render_json({'ok': request.session.lang.host_updated(url, url)})

zz-extra/vm-ping.php

@@ -1,14 +1,18 @@
 <?php
-$url = (string)filter_input(INPUT_POST, 'url');
+// Extract URL from 'url' GET field
+$url = (string)filter_input(INPUT_GET, 'url');
 if (empty($url)) {
     exit;
 }
 
-if(substr($url, -1) == '/') {
-    $url = substr($url, 0, -1);
+// Strip endpoint to scheme://host:port/vm-ping to prevent abuse
+$url = parse_url($url);
+if (!$url) {
+    exit;
 }
-$url .= '/vm-ping';
+$url = $url['scheme'].'://'.$url['host'].(!empty($url['port']) ? ':'.$url['port'] : '').'/vm-ping';
 
+// Ping the remote endpoint
 $ch = curl_init($url);
 curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => TRUE, CURLOPT_HEADER => FALSE, CURLOPT_SSL_VERIFYHOST => FALSE, CURLOPT_SSL_VERIFYPEER => FALSE, CURLOPT_TIMEOUT => 4]);
 $content = curl_exec($ch);