Merge pull request #12583 from owncloud/trim-port
Trim port from domain
This commit is contained in:
Morris Jobke
commit
4ec1da3014
3 changed files with 42 additions and 10 deletions
|
|
@ -65,24 +65,34 @@ class OC_Request {
|
|||
or ($type !== 'protocol' and OC_Config::getValue('forcessl', false));
|
||||
}
|
||||
|
||||
/**
|
||||
* Strips a potential port from a domain (in format domain:port)
|
||||
* @param $host
|
||||
* @return string $host without appended port
|
||||
*/
|
||||
public static function getDomainWithoutPort($host) {
|
||||
$pos = strrpos($host, ':');
|
||||
if ($pos !== false) {
|
||||
$port = substr($host, $pos + 1);
|
||||
if (is_numeric($port)) {
|
||||
$host = substr($host, 0, $pos);
|
||||
}
|
||||
}
|
||||
return $host;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks whether a domain is considered as trusted from the list
|
||||
* of trusted domains. If no trusted domains have been configured, returns
|
||||
* true.
|
||||
* This is used to prevent Host Header Poisoning.
|
||||
* @param string $domain
|
||||
* @param string $domainWithPort
|
||||
* @return bool true if the given domain is trusted or if no trusted domains
|
||||
* have been configured
|
||||
*/
|
||||
public static function isTrustedDomain($domain) {
|
||||
public static function isTrustedDomain($domainWithPort) {
|
||||
// Extract port from domain if needed
|
||||
$pos = strrpos($domain, ':');
|
||||
if ($pos !== false) {
|
||||
$port = substr($domain, $pos + 1);
|
||||
if (is_numeric($port)) {
|
||||
$domain = substr($domain, 0, $pos);
|
||||
}
|
||||
}
|
||||
$domain = self::getDomainWithoutPort($domainWithPort);
|
||||
|
||||
// FIXME: Empty config array defaults to true for now. - Deprecate this behaviour with ownCloud 8.
|
||||
$trustedList = \OC::$server->getConfig()->getSystemValue('trusted_domains', array());
|
||||
|
|
@ -90,6 +100,11 @@ class OC_Request {
|
|||
return true;
|
||||
}
|
||||
|
||||
// FIXME: Workaround for older instances still with port applied. Remove for ownCloud 9.
|
||||
if(in_array($domainWithPort, $trustedList)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Always allow access from localhost
|
||||
if (preg_match(self::REGEX_LOCALHOST, $domain) === 1) {
|
||||
return true;
|
||||
|
|
|
|||
|
|
@ -162,7 +162,7 @@ class OC_Setup {
|
|||
&& is_array($options['trusted_domains'])) {
|
||||
$trustedDomains = $options['trusted_domains'];
|
||||
} else {
|
||||
$trustedDomains = array(OC_Request::serverHost());
|
||||
$trustedDomains = array(\OC_Request::getDomainWithoutPort(\OC_Request::serverHost()));
|
||||
}
|
||||
|
||||
if (OC_Util::runningOnWindows()) {
|
||||
|
|
|
|||
|
|
@ -228,6 +228,23 @@ class Test_Request extends \Test\TestCase {
|
|||
OC_Config::deleteKey('overwritehost');
|
||||
}
|
||||
|
||||
public function hostWithPortProvider() {
|
||||
return array(
|
||||
array('localhost:500', 'localhost'),
|
||||
array('foo.com', 'foo.com'),
|
||||
array('[1fff:0:a88:85a3::ac1f]:801', '[1fff:0:a88:85a3::ac1f]'),
|
||||
array('[1fff:0:a88:85a3::ac1f]', '[1fff:0:a88:85a3::ac1f]')
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider hostWithPortProvider
|
||||
*/
|
||||
public function testGetDomainWithoutPort($hostWithPort, $host) {
|
||||
$this->assertEquals($host, OC_Request::getDomainWithoutPort($hostWithPort));
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider trustedDomainDataProvider
|
||||
*/
|
||||
|
|
|
|||
Loading…
Reference in a new issue