Paragon Initiative Enterprises: Incorrect detection of onion URLs

ID H1:181210
Type hackerone
Reporter e3amn2l
Modified 2016-11-13T00:43:42


Several places contain incorrect code for detecting whether a URL points to a .onion domain (a Tor hidden service):

The following regexes:

  1. #^https://([^/:]+)\.onion:(?:([0-9]+))#
  2. #^https?://([^/]+)\.onion#

which is used in:

will match the following URLs, which have as their domain and are valid for curl in PHP (tested via curl_setopt($ch, CURLOPT_URL, $url)): 1 => 1 => 2 => 2 ->

which is problematic because:

  1. The code in: will not force HTTPS if the URL passed the above regex (so the incorrect check means HTTPS is not forced for a non-.onion domain):

        // Don't force HTTPS
        unset($defaults['curl'][CURLOPT_SSLVERSION]);

  2. The second regex allows http:// URLs (so the incorrect check means plain HTTP is used for a non-.onion domain, which is vulnerable to MITM).
  3. Potential for code reuse by people who read the code and assume it is safe.

The following code just searches for .onion anywhere in $url, so, for example, will pass the check even though it is not a .onion website.


    if (\strpos($url, '.onion') !== false) {
        // ... treated as a .onion URL
    }

Fix:

  1. Implement a function such as isUrlOnion($url), which returns true only if the URL's host is a .onion domain, use it consistently across the codebase, and give it a secure implementation. For example, consider something like:

        function isUrlOnion($url)
        {
            // Decide on the parsed host only; that is what curl connects to.
            $host = parse_url($url, PHP_URL_HOST);
            if (is_string($host) && $host !== '') {
                // Compare the suffix of $host, not of the whole $url, so a
                // ".onion" in the path, query or fragment cannot satisfy it.
                return substr_compare($host, '.onion', -strlen('.onion')) === 0;
            }
            return false;
        }
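As an added illustration (not code from the report or from the project), the two flawed checks from the report beside a host-based isUrlOnion(), run over constructed URLs; the sample URLs and the flawed* function names are assumptions of this example, and the expected values follow from parse_url() returning the host curl would actually connect to.

```php
<?php
declare(strict_types=1);

// Flawed checks quoted from the report: the regex lets any non-slash run
// precede ".onion" (so "?" and "#" sneak in), and strpos matches anywhere.
function flawedRegexCheck(string $url): bool
{
    return preg_match('#^https?://([^/]+)\.onion#', $url) === 1;
}

function flawedStrposCheck(string $url): bool
{
    return \strpos($url, '.onion') !== false;
}

// Hardened check: decide on the parsed host only, never on the raw URL.
function isUrlOnion(string $url): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    $host = strtolower($host);   // hostnames are case-insensitive
    $suffix = '.onion';
    // Require at least one label before the suffix so a bare ".onion" fails.
    return strlen($host) > strlen($suffix)
        && substr_compare($host, $suffix, -strlen($suffix)) === 0;
}

// Constructed sample URLs (not taken from the report) with the expected verdict.
$cases = [
    'https://example.onion'            => true,
    'https://EXAMPLE.ONION:8443/path'  => true,
    'https://example.com?redir=.onion' => false, // ".onion" only in the query
    'https://example.com#foo.onion'    => false, // ".onion" only in the fragment
    'https://example.com/dir.onion/'   => false, // ".onion" only in the path
    'http://example.com:80?x=.onion'   => false, // plain http, non-onion host
    'https://onion.example.com/'       => false, // "onion" is not the TLD
];

foreach ($cases as $url => $expected) {
    printf("%-34s regex=%d strpos=%d isUrlOnion=%d expected=%d\n",
        $url, flawedRegexCheck($url), flawedStrposCheck($url),
        isUrlOnion($url), $expected);
    assert(isUrlOnion($url) === $expected);
}
```

Running it shows the regex accepting the query and fragment cases and strpos accepting every URL containing ".onion", while isUrlOnion() agrees with the expected column throughout.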