summaryrefslogtreecommitdiffstats
path: root/api4/system.go
diff options
context:
space:
mode:
Diffstat (limited to 'api4/system.go')
-rw-r--r--api4/system.go32
1 files changed, 32 insertions, 0 deletions
diff --git a/api4/system.go b/api4/system.go
index 9177b8940..65d3b424b 100644
--- a/api4/system.go
+++ b/api4/system.go
@@ -40,6 +40,8 @@ func (api *API) InitSystem() {
api.BaseRoutes.ApiRoot.Handle("/logs", api.ApiHandler(postLog)).Methods("POST")
api.BaseRoutes.ApiRoot.Handle("/analytics/old", api.ApiSessionRequired(getAnalytics)).Methods("GET")
+
+ api.BaseRoutes.ApiRoot.Handle("/redirect_location", api.ApiSessionRequiredTrustRequester(getRedirectLocation)).Methods("GET")
}
func getSystemPing(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -447,3 +449,33 @@ func testS3(c *Context, w http.ResponseWriter, r *http.Request) {
ReturnStatusOK(w)
}
+
+func getRedirectLocation(c *Context, w http.ResponseWriter, r *http.Request) {
+ url := r.URL.Query().Get("url")
+ if len(url) == 0 {
+ c.SetInvalidParam("url")
+ return
+ }
+
+ client := &http.Client{
+ CheckRedirect: func(req *http.Request, via []*http.Request) error {
+ return http.ErrUseLastResponse
+ },
+ }
+
+ m := make(map[string]string)
+ m["location"] = ""
+
+ res, err := client.Head(url)
+ if err != nil {
+ // Always return a success status and a JSON string to limit the amount of information returned to a
+ // hacker attempting to use Mattermost to probe a private network.
+ w.Write([]byte(model.MapToJson(m)))
+ return
+ }
+
+ m["location"] = res.Header.Get("Location")
+
+ w.Write([]byte(model.MapToJson(m)))
+ return
+}
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-05-09 04:12:33 +0000