Support relative path for Spark and RTL external url, check in server settings if we are using a secure protocol

2025-03-03 09:29:10 +01:00 · 2019-02-28 22:20:14 +09:00 · 2019-02-28 22:20:14 +09:00 · ebef085a9c
commit ebef085a9c
parent 2c1f159d72
2 changed files with 26 additions and 8 deletions
--- a/BTCPayServer/Configuration/SparkConnectionString.cs
+++ b/BTCPayServer/Configuration/SparkConnectionString.cs
@ -29,17 +29,12 @@ namespace BTCPayServer.Configuration
                            error = "Duplicated server attribute";
                            return false;
                        }
-                        if (!Uri.IsWellFormedUriString(kv[1], UriKind.Absolute))
+                        if (!Uri.IsWellFormedUriString(kv[1], UriKind.RelativeOrAbsolute))
                        {
                            error = "Invalid URI";
                            return false;
                        }
-                        resultTemp.Server = new Uri(kv[1], UriKind.Absolute);
-                        if(resultTemp.Server.Scheme == "http")
-                        {
-                            error = "Insecure transport protocol (http)";
-                            return false;
-                        }
+                        resultTemp.Server = new Uri(kv[1], UriKind.RelativeOrAbsolute);
                        break;
                    case "cookiefile":
                    case "cookiefilepath":
--- a/BTCPayServer/Controllers/ServerController.cs
+++ b/BTCPayServer/Controllers/ServerController.cs
@ -586,7 +586,19 @@ namespace BTCPayServer.Controllers
            vm.WalletName = walletName;
            try
            {
-                vm.ServiceLink = $"{external.ConnectionString.Server.AbsoluteUri}?access-key={await external.ExtractAccessKey()}";
+                string serviceUri = null;
+
+                if (external.ConnectionString.Server.IsAbsoluteUri)
+                {
+                    serviceUri = external.ConnectionString.Server.AbsoluteUri;
+                    AssertSecure(serviceUri);
+                }
+                else
+                {
+                    AssertSecure(this.Request.GetCurrentUrl());
+                    serviceUri = this.Request.GetRelativePathOrAbsolute(external.ConnectionString.Server.ToString());
+                }
+                vm.ServiceLink = $"{serviceUri}?access-key={await external.ExtractAccessKey()}";
            }
            catch (Exception ex)
            {
@ -596,6 +608,17 @@ namespace BTCPayServer.Controllers
            return View("LightningWalletServices", vm);
        }

+        private void AssertSecure(string serviceUri)
+        {
+            if (!Uri.TryCreate(serviceUri, UriKind.Absolute, out var uri))
+                throw new System.Security.SecurityException("Invalid serviceUri");
+            if(!uri.Scheme.Equals("https", StringComparison.OrdinalIgnoreCase) && 
+               !uri.DnsSafeHost.EndsWith(".onion", StringComparison.OrdinalIgnoreCase))
+            {
+                throw new System.Security.SecurityException("You can only access this service through https or Tor");
+            }
+        }
+
        [Route("server/services/lnd/{cryptoCode}/{index}")]
        public async Task<IActionResult> LndServices(string cryptoCode, int index, uint? nonce)
        {