nextcloud /
server
@@ -33,68 +33,68 @@ |
||
| 33 | 33 | * @package OC\Security |
| 34 | 34 | */ |
| 35 | 35 | class TrustedDomainHelper { |
| 36 | - /** @var IConfig */ |
|
| 37 | - private $config; |
|
| 36 | + /** @var IConfig */ |
|
| 37 | + private $config; |
|
| 38 | 38 | |
| 39 | - /** |
|
| 40 | - * @param IConfig $config |
|
| 41 | - */ |
|
| 42 | - public function __construct(IConfig $config) { |
|
| 43 | - $this->config = $config; |
|
| 44 | - } |
|
| 39 | + /** |
|
| 40 | + * @param IConfig $config |
|
| 41 | + */ |
|
| 42 | + public function __construct(IConfig $config) { |
|
| 43 | + $this->config = $config; |
|
| 44 | + } |
|
| 45 | 45 | |
| 46 | - /** |
|
| 47 | - * Strips a potential port from a domain (in format domain:port) |
|
| 48 | - * @param string $host |
|
| 49 | - * @return string $host without appended port |
|
| 50 | - */ |
|
| 51 | - private function getDomainWithoutPort($host) { |
|
| 52 | - $pos = strrpos($host, ':'); |
|
| 53 | - if ($pos !== false) { |
|
| 54 | - $port = substr($host, $pos + 1); |
|
| 55 | - if (is_numeric($port)) { |
|
| 56 | - $host = substr($host, 0, $pos); |
|
| 57 | - } |
|
| 58 | - } |
|
| 59 | - return $host; |
|
| 60 | - } |
|
| 46 | + /** |
|
| 47 | + * Strips a potential port from a domain (in format domain:port) |
|
| 48 | + * @param string $host |
|
| 49 | + * @return string $host without appended port |
|
| 50 | + */ |
|
| 51 | + private function getDomainWithoutPort($host) { |
|
| 52 | + $pos = strrpos($host, ':'); |
|
| 53 | + if ($pos !== false) { |
|
| 54 | + $port = substr($host, $pos + 1); |
|
| 55 | + if (is_numeric($port)) { |
|
| 56 | + $host = substr($host, 0, $pos); |
|
| 57 | + } |
|
| 58 | + } |
|
| 59 | + return $host; |
|
| 60 | + } |
|
| 61 | 61 | |
| 62 | - /** |
|
| 63 | - * Checks whether a domain is considered as trusted from the list |
|
| 64 | - * of trusted domains. If no trusted domains have been configured, returns |
|
| 65 | - * true. |
|
| 66 | - * This is used to prevent Host Header Poisoning. |
|
| 67 | - * @param string $domainWithPort |
|
| 68 | - * @return bool true if the given domain is trusted or if no trusted domains |
|
| 69 | - * have been configured |
|
| 70 | - */ |
|
| 71 | - public function isTrustedDomain($domainWithPort) { |
|
| 72 | - $domain = $this->getDomainWithoutPort($domainWithPort); |
|
| 62 | + /** |
|
| 63 | + * Checks whether a domain is considered as trusted from the list |
|
| 64 | + * of trusted domains. If no trusted domains have been configured, returns |
|
| 65 | + * true. |
|
| 66 | + * This is used to prevent Host Header Poisoning. |
|
| 67 | + * @param string $domainWithPort |
|
| 68 | + * @return bool true if the given domain is trusted or if no trusted domains |
|
| 69 | + * have been configured |
|
| 70 | + */ |
|
| 71 | + public function isTrustedDomain($domainWithPort) { |
|
| 72 | + $domain = $this->getDomainWithoutPort($domainWithPort); |
|
| 73 | 73 | |
| 74 | - // Read trusted domains from config |
|
| 75 | - $trustedList = $this->config->getSystemValue('trusted_domains', []); |
|
| 76 | - if (!is_array($trustedList)) { |
|
| 77 | - return false; |
|
| 78 | - } |
|
| 74 | + // Read trusted domains from config |
|
| 75 | + $trustedList = $this->config->getSystemValue('trusted_domains', []); |
|
| 76 | + if (!is_array($trustedList)) { |
|
| 77 | + return false; |
|
| 78 | + } |
|
| 79 | 79 | |
| 80 | - // Always allow access from localhost |
|
| 81 | - if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) { |
|
| 82 | - return true; |
|
| 83 | - } |
|
| 84 | - // Reject misformed domains in any case |
|
| 85 | - if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) { |
|
| 86 | - return false; |
|
| 87 | - } |
|
| 88 | - // Match, allowing for * wildcards |
|
| 89 | - foreach ($trustedList as $trusted) { |
|
| 90 | - if (gettype($trusted) !== 'string') { |
|
| 91 | - break; |
|
| 92 | - } |
|
| 93 | - $regex = '/^' . implode('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/i'; |
|
| 94 | - if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) { |
|
| 95 | - return true; |
|
| 96 | - } |
|
| 97 | - } |
|
| 98 | - return false; |
|
| 99 | - } |
|
| 80 | + // Always allow access from localhost |
|
| 81 | + if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) { |
|
| 82 | + return true; |
|
| 83 | + } |
|
| 84 | + // Reject misformed domains in any case |
|
| 85 | + if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) { |
|
| 86 | + return false; |
|
| 87 | + } |
|
| 88 | + // Match, allowing for * wildcards |
|
| 89 | + foreach ($trustedList as $trusted) { |
|
| 90 | + if (gettype($trusted) !== 'string') { |
|
| 91 | + break; |
|
| 92 | + } |
|
| 93 | + $regex = '/^' . implode('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/i'; |
|
| 94 | + if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) { |
|
| 95 | + return true; |
|
| 96 | + } |
|
| 97 | + } |
|
| 98 | + return false; |
|
| 99 | + } |
|
| 100 | 100 | } |
@@ -82,7 +82,7 @@ discard block |
||
| 82 | 82 | return true; |
| 83 | 83 | } |
| 84 | 84 | // Reject misformed domains in any case |
| 85 | - if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) { |
|
| 85 | + if (strpos($domain, '-') === 0 || strpos($domain, '..') !== false) { |
|
| 86 | 86 | return false; |
| 87 | 87 | } |
| 88 | 88 | // Match, allowing for * wildcards |
@@ -90,7 +90,7 @@ discard block |
||
| 90 | 90 | if (gettype($trusted) !== 'string') { |
| 91 | 91 | break; |
| 92 | 92 | } |
| 93 | - $regex = '/^' . implode('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/i'; |
|
| 93 | + $regex = '/^'.implode('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))).'$/i'; |
|
| 94 | 94 | if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) { |
| 95 | 95 | return true; |
| 96 | 96 | } |
