@@ -33,68 +33,68 @@ |
||
33 | 33 | * @package OC\Security |
34 | 34 | */ |
35 | 35 | class TrustedDomainHelper { |
36 | - /** @var IConfig */ |
|
37 | - private $config; |
|
36 | + /** @var IConfig */ |
|
37 | + private $config; |
|
38 | 38 | |
39 | - /** |
|
40 | - * @param IConfig $config |
|
41 | - */ |
|
42 | - public function __construct(IConfig $config) { |
|
43 | - $this->config = $config; |
|
44 | - } |
|
39 | + /** |
|
40 | + * @param IConfig $config |
|
41 | + */ |
|
42 | + public function __construct(IConfig $config) { |
|
43 | + $this->config = $config; |
|
44 | + } |
|
45 | 45 | |
46 | - /** |
|
47 | - * Strips a potential port from a domain (in format domain:port) |
|
48 | - * @param string $host |
|
49 | - * @return string $host without appended port |
|
50 | - */ |
|
51 | - private function getDomainWithoutPort($host) { |
|
52 | - $pos = strrpos($host, ':'); |
|
53 | - if ($pos !== false) { |
|
54 | - $port = substr($host, $pos + 1); |
|
55 | - if (is_numeric($port)) { |
|
56 | - $host = substr($host, 0, $pos); |
|
57 | - } |
|
58 | - } |
|
59 | - return $host; |
|
60 | - } |
|
46 | + /** |
|
47 | + * Strips a potential port from a domain (in format domain:port) |
|
48 | + * @param string $host |
|
49 | + * @return string $host without appended port |
|
50 | + */ |
|
51 | + private function getDomainWithoutPort($host) { |
|
52 | + $pos = strrpos($host, ':'); |
|
53 | + if ($pos !== false) { |
|
54 | + $port = substr($host, $pos + 1); |
|
55 | + if (is_numeric($port)) { |
|
56 | + $host = substr($host, 0, $pos); |
|
57 | + } |
|
58 | + } |
|
59 | + return $host; |
|
60 | + } |
|
61 | 61 | |
62 | - /** |
|
63 | - * Checks whether a domain is considered as trusted from the list |
|
64 | - * of trusted domains. If no trusted domains have been configured, returns |
|
65 | - * true. |
|
66 | - * This is used to prevent Host Header Poisoning. |
|
67 | - * @param string $domainWithPort |
|
68 | - * @return bool true if the given domain is trusted or if no trusted domains |
|
69 | - * have been configured |
|
70 | - */ |
|
71 | - public function isTrustedDomain($domainWithPort) { |
|
72 | - $domain = $this->getDomainWithoutPort($domainWithPort); |
|
62 | + /** |
|
63 | + * Checks whether a domain is considered as trusted from the list |
|
64 | + * of trusted domains. If no trusted domains have been configured, returns |
|
65 | + * true. |
|
66 | + * This is used to prevent Host Header Poisoning. |
|
67 | + * @param string $domainWithPort |
|
68 | + * @return bool true if the given domain is trusted or if no trusted domains |
|
69 | + * have been configured |
|
70 | + */ |
|
71 | + public function isTrustedDomain($domainWithPort) { |
|
72 | + $domain = $this->getDomainWithoutPort($domainWithPort); |
|
73 | 73 | |
74 | - // Read trusted domains from config |
|
75 | - $trustedList = $this->config->getSystemValue('trusted_domains', []); |
|
76 | - if (!is_array($trustedList)) { |
|
77 | - return false; |
|
78 | - } |
|
74 | + // Read trusted domains from config |
|
75 | + $trustedList = $this->config->getSystemValue('trusted_domains', []); |
|
76 | + if (!is_array($trustedList)) { |
|
77 | + return false; |
|
78 | + } |
|
79 | 79 | |
80 | - // Always allow access from localhost |
|
81 | - if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) { |
|
82 | - return true; |
|
83 | - } |
|
84 | - // Reject misformed domains in any case |
|
85 | - if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) { |
|
86 | - return false; |
|
87 | - } |
|
88 | - // Match, allowing for * wildcards |
|
89 | - foreach ($trustedList as $trusted) { |
|
90 | - if (gettype($trusted) !== 'string') { |
|
91 | - break; |
|
92 | - } |
|
93 | - $regex = '/^' . implode('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/i'; |
|
94 | - if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) { |
|
95 | - return true; |
|
96 | - } |
|
97 | - } |
|
98 | - return false; |
|
99 | - } |
|
80 | + // Always allow access from localhost |
|
81 | + if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) { |
|
82 | + return true; |
|
83 | + } |
|
84 | + // Reject misformed domains in any case |
|
85 | + if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) { |
|
86 | + return false; |
|
87 | + } |
|
88 | + // Match, allowing for * wildcards |
|
89 | + foreach ($trustedList as $trusted) { |
|
90 | + if (gettype($trusted) !== 'string') { |
|
91 | + break; |
|
92 | + } |
|
93 | + $regex = '/^' . implode('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/i'; |
|
94 | + if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) { |
|
95 | + return true; |
|
96 | + } |
|
97 | + } |
|
98 | + return false; |
|
99 | + } |
|
100 | 100 | } |
@@ -82,7 +82,7 @@ discard block |
||
82 | 82 | return true; |
83 | 83 | } |
84 | 84 | // Reject misformed domains in any case |
85 | - if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) { |
|
85 | + if (strpos($domain, '-') === 0 || strpos($domain, '..') !== false) { |
|
86 | 86 | return false; |
87 | 87 | } |
88 | 88 | // Match, allowing for * wildcards |
@@ -90,7 +90,7 @@ discard block |
||
90 | 90 | if (gettype($trusted) !== 'string') { |
91 | 91 | break; |
92 | 92 | } |
93 | - $regex = '/^' . implode('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/i'; |
|
93 | + $regex = '/^'.implode('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))).'$/i'; |
|
94 | 94 | if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) { |
95 | 95 | return true; |
96 | 96 | } |