author | Alexandre Alapetite <alexandre@alapetite.fr> | 2025-04-07 08:33:13 +0200 |
committer | GitHub <noreply@github.com> | 2025-04-07 08:33:13 +0200 |
commit | d3d9acca9f905fc03d6151f6ad75567256310831 (patch) | |
tree | 51061d6c242f16734b0abac53db05dca100f07ca | |
parent | 54e2f9107d03c5b3bb260f38fdb2736bce449fd4 (diff) | |
Web scraping forbid security headers in cURL (#7496)
Prevent using the `Remote-User` and `X-WebAuth-User` headers during Web scraping.
-rw-r--r-- | app/views/helpers/feed/update.phtml | 3 | ||||
-rw-r--r-- | lib/lib_rss.php | 13 |
2 files changed, 15 insertions, 1 deletions
diff --git a/app/views/helpers/feed/update.phtml b/app/views/helpers/feed/update.phtml
index 41d879843..6a04edd07 100644
--- a/app/views/helpers/feed/update.phtml
+++ b/app/views/helpers/feed/update.phtml
@@ -823,6 +823,9 @@ $httpHeaders = [];
 }
 $httpHeaders = array_filter($httpHeaders, 'is_string');
+ // Remove headers problematic for security
+ $httpHeaders = array_filter($httpHeaders,
+ fn(string $header) => !preg_match('/^(Remote-User|X-WebAuth-User)\\s*:/i', $header));
 ?>
 <textarea class="valid-json" id="http_headers" name="http_headers" rows="3" cols="64" spellcheck="false"><?php
 foreach ($httpHeaders as $header) {
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 7e7dd4790..4fb4fdef9 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -567,7 +567,18 @@ function httpGet(string $url, string $cachePath, string $type = 'html', array $a
 curl_setopt_array($ch, FreshRSS_Context::systemConf()->curl_options);
- if (isset($attributes['curl_params']) && is_array($attributes['curl_params'])) {
+ if (is_array($attributes['curl_params'] ?? null)) {
+ $options = $attributes['curl_params'];
+ if (is_array($options[CURLOPT_HTTPHEADER] ?? null)) {
+ // Remove headers problematic for security
+ $options[CURLOPT_HTTPHEADER] = array_filter($options[CURLOPT_HTTPHEADER],
+ fn($header) => is_string($header) && !preg_match('/^(Remote-User|X-WebAuth-User)\\s*:/i', $header));
+ // Add Accept header if it is not set
+ if (preg_grep('/^Accept\\s*:/i', $options[CURLOPT_HTTPHEADER]) === false) {
+ $options[CURLOPT_HTTPHEADER][] = 'Accept: ' . $accept;
+ }
+ $attributes['curl_params'] = $options;
+ }
 curl_setopt_array($ch, $attributes['curl_params']);
 }
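Review bot: The denylist regex added to the `$httpHeaders` filter here is the same pattern that appears verbatim in `httpGet()` in lib/lib_rss.php, and this copy only decides what is pre-filled into the textarea while the other one is the actual enforcement point. Two hand-maintained copies will drift the first time another trusted-proxy header name is added to one and not the other. I would keep the pattern in one shared helper in lib_rss.php, e.g. `function isForbiddenHttpHeader(string $header): bool { return preg_match('/^(Remote-User|X-WebAuth-User)\\s*:/i', $header) === 1; }`, and call it from both places with `fn(string $header) => !isForbiddenHttpHeader($header)`. The enclosing PHP block of the template opens before this hunk.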
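Review bot: The `preg_grep(...) === false` test on the Accept line never fires for the case its comment describes, because `preg_grep()` returns an empty array when nothing matches and `false` only on a PCRE error, so a `curl_params` header list that lacks an `Accept:` entry is sent without one. The check should be `if (preg_grep('/^Accept\\s*:/i', $options[CURLOPT_HTTPHEADER]) === []) {`. Separately, the `^` anchor in the security filter assumes each array element is a single header line; unless the libcurl build in use rejects embedded CR/LF (which has varied across versions), a value such as `X-Foo: a\r\nRemote-User: admin` passes the filter, so additionally dropping any element that matches `/[\r\n]/` would close that path and is worth confirming against the curl version FreshRSS requires. `httpGet()` and the `$accept` variable it uses are defined outside this hunk.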