Convert hex hostname segments to decimals

brandonkelly · brandonkelly · commit d49e93e5ba0c · 2026-01-05T15:41:46.000-08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,7 @@
 - The `utils/fix-field-layout-uids` command now checks for duplicate top-level field layout UUIDs. ([#18193](https://github.com/craftcms/cms/pull/18193))
 - Fixed a bug where all plugin settings were being saved to the project config, rather than just posted settings. ([craftcms/commerce#4006](https://github.com/craftcms/commerce/issues/4006))
 - Fixed a bug where custom selects could be positioned incorrectly after the window was resized. ([#18179](https://github.com/craftcms/cms/issues/18179))
-- Fixed an SSRF vulnerability. (GHSA-96pq-hxpw-rgh8)
+- Fixed SSRF vulnerabilities. (GHSA-96pq-hxpw-rgh8, GHSA-m5r2-8p9x-hp5m)
 - Fixed a SQL injection vulnerability. (GHSA-2453-mppf-46cj)
 
 ## 4.16.17 - 2025-12-0421
diff --git a/src/gql/resolvers/mutations/Asset.php b/src/gql/resolvers/mutations/Asset.php
@@ -24,6 +24,7 @@
 use GraphQL\Error\UserError;
 use GraphQL\Type\Definition\ResolveInfo;
 use GuzzleHttp\Client;
+use Illuminate\Support\Collection;
 use Throwable;
 use yii\base\Exception;
 use yii\base\InvalidArgumentException;
@@ -280,8 +281,20 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
 
     private function validateHostname(string $url): bool
     {
-        // make sure the hostname is alphanumeric and not an IP address
         $hostname = parse_url($url, PHP_URL_HOST);
+
+        // convert hex segments to decimal
+        $hostname = Collection::make(explode('.', $hostname))
+            ->map(function(string $chunk) {
+                if (str_starts_with($chunk, '0x')) {
+                    $octets = str_split(substr($chunk, 2), 2);
+                    return implode('.', array_map('hexdec', $octets));
+                }
+                return $chunk;
+            })
+            ->join('.');
+
+        // make sure the hostname is alphanumeric and not an IP address
         if (
             !filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) ||
             filter_var($hostname, FILTER_VALIDATE_IP)
