@@ -28,108 +28,108 @@ |
| 28 | 28 | use Psr\Http\Message\RequestInterface; |
| 29 | 29 | |
| 30 | 30 | class DnsPinMiddleware { |
| 31 | - /** @var NegativeDnsCache */ |
|
| 32 | - private $negativeDnsCache; |
|
| 33 | - /** @var LocalAddressChecker */ |
|
| 34 | - private $localAddressChecker; |
|
| 35 | - |
|
| 36 | - public function __construct( |
|
| 37 | - NegativeDnsCache $negativeDnsCache, |
|
| 38 | - LocalAddressChecker $localAddressChecker |
|
| 39 | - ) { |
|
| 40 | - $this->negativeDnsCache = $negativeDnsCache; |
|
| 41 | - $this->localAddressChecker = $localAddressChecker; |
|
| 42 | - } |
|
| 43 | - |
|
| 44 | - private function dnsResolve(string $target, int $recursionCount) : array { |
|
| 45 | - if ($recursionCount >= 10) { |
|
| 46 | - return []; |
|
| 47 | - } |
|
| 48 | - |
|
| 49 | - $recursionCount = $recursionCount++; |
|
| 50 | - $targetIps = []; |
|
| 51 | - |
|
| 52 | - $soaDnsEntry = dns_get_record($target, DNS_SOA); |
|
| 53 | - if (isset($soaDnsEntry[0]) && isset($soaDnsEntry[0]['minimum-ttl'])) { |
|
| 54 | - $dnsNegativeTtl = $soaDnsEntry[0]['minimum-ttl']; |
|
| 55 | - } else { |
|
| 56 | - $dnsNegativeTtl = null; |
|
| 57 | - } |
|
| 58 | - |
|
| 59 | - $dnsTypes = [DNS_A, DNS_AAAA, DNS_CNAME]; |
|
| 60 | - foreach ($dnsTypes as $key => $dnsType) { |
|
| 61 | - if ($this->negativeDnsCache->isNegativeCached($target, $dnsType)) { |
|
| 62 | - unset($dnsTypes[$key]); |
|
| 63 | - continue; |
|
| 64 | - } |
|
| 65 | - |
|
| 66 | - $dnsResponses = dns_get_record($target, $dnsType); |
|
| 67 | - $canHaveCnameRecord = true; |
|
| 68 | - if (count($dnsResponses) > 0) { |
|
| 69 | - foreach ($dnsResponses as $key => $dnsResponse) { |
|
| 70 | - if (isset($dnsResponse['ip'])) { |
|
| 71 | - $targetIps[] = $dnsResponse['ip']; |
|
| 72 | - $canHaveCnameRecord = false; |
|
| 73 | - } elseif (isset($dnsResponse['ipv6'])) { |
|
| 74 | - $targetIps[] = $dnsResponse['ipv6']; |
|
| 75 | - $canHaveCnameRecord = false; |
|
| 76 | - } elseif (isset($dnsResponse['target']) && $canHaveCnameRecord) { |
|
| 77 | - $targetIps = array_merge($targetIps, $this->dnsResolve($dnsResponse['target'], $recursionCount)); |
|
| 78 | - $canHaveCnameRecord = true; |
|
| 79 | - } |
|
| 80 | - } |
|
| 81 | - } else { |
|
| 82 | - if ($dnsNegativeTtl !== null) { |
|
| 83 | - $this->negativeDnsCache->setNegativeCacheForDnsType($target, $dnsType, $dnsNegativeTtl); |
|
| 84 | - } |
|
| 85 | - } |
|
| 86 | - } |
|
| 87 | - |
|
| 88 | - return $targetIps; |
|
| 89 | - } |
|
| 90 | - |
|
| 91 | - public function addDnsPinning() { |
|
| 92 | - return function (callable $handler) { |
|
| 93 | - return function ( |
|
| 94 | - RequestInterface $request, |
|
| 95 | - array $options |
|
| 96 | - ) use ($handler) { |
|
| 97 | - if ($options['nextcloud']['allow_local_address'] === true) { |
|
| 98 | - return $handler($request, $options); |
|
| 99 | - } |
|
| 100 | - |
|
| 101 | - $hostName = (string)$request->getUri()->getHost(); |
|
| 102 | - $port = $request->getUri()->getPort(); |
|
| 103 | - |
|
| 104 | - $ports = [ |
|
| 105 | - '80', |
|
| 106 | - '443', |
|
| 107 | - ]; |
|
| 108 | - |
|
| 109 | - if ($port !== null) { |
|
| 110 | - $ports[] = (string)$port; |
|
| 111 | - } |
|
| 112 | - |
|
| 113 | - $targetIps = $this->dnsResolve($hostName, 0); |
|
| 114 | - |
|
| 115 | - $curlResolves = []; |
|
| 116 | - |
|
| 117 | - foreach ($ports as $port) { |
|
| 118 | - $curlResolves["$hostName:$port"] = []; |
|
| 119 | - |
|
| 120 | - foreach ($targetIps as $ip) { |
|
| 121 | - $this->localAddressChecker->ThrowIfLocalIp($ip); |
|
| 122 | - $curlResolves["$hostName:$port"][] = $ip; |
|
| 123 | - } |
|
| 124 | - } |
|
| 125 | - |
|
| 126 | - // Coalesce the per-host:port ips back into a comma separated list |
|
| 127 | - foreach ($curlResolves as $hostport => $ips) { |
|
| 128 | - $options['curl'][CURLOPT_RESOLVE][] = "$hostport:" . implode(',', $ips); |
|
| 129 | - } |
|
| 130 | - |
|
| 131 | - return $handler($request, $options); |
|
| 132 | - }; |
|
| 133 | - }; |
|
| 134 | - } |
|
| 31 | + /** @var NegativeDnsCache */ |
|
| 32 | + private $negativeDnsCache; |
|
| 33 | + /** @var LocalAddressChecker */ |
|
| 34 | + private $localAddressChecker; |
|
| 35 | + |
|
| 36 | + public function __construct( |
|
| 37 | + NegativeDnsCache $negativeDnsCache, |
|
| 38 | + LocalAddressChecker $localAddressChecker |
|
| 39 | + ) { |
|
| 40 | + $this->negativeDnsCache = $negativeDnsCache; |
|
| 41 | + $this->localAddressChecker = $localAddressChecker; |
|
| 42 | + } |
|
| 43 | + |
|
| 44 | + private function dnsResolve(string $target, int $recursionCount) : array { |
|
| 45 | + if ($recursionCount >= 10) { |
|
| 46 | + return []; |
|
| 47 | + } |
|
| 48 | + |
|
| 49 | + $recursionCount = $recursionCount++; |
|
| 50 | + $targetIps = []; |
|
| 51 | + |
|
| 52 | + $soaDnsEntry = dns_get_record($target, DNS_SOA); |
|
| 53 | + if (isset($soaDnsEntry[0]) && isset($soaDnsEntry[0]['minimum-ttl'])) { |
|
| 54 | + $dnsNegativeTtl = $soaDnsEntry[0]['minimum-ttl']; |
|
| 55 | + } else { |
|
| 56 | + $dnsNegativeTtl = null; |
|
| 57 | + } |
|
| 58 | + |
|
| 59 | + $dnsTypes = [DNS_A, DNS_AAAA, DNS_CNAME]; |
|
| 60 | + foreach ($dnsTypes as $key => $dnsType) { |
|
| 61 | + if ($this->negativeDnsCache->isNegativeCached($target, $dnsType)) { |
|
| 62 | + unset($dnsTypes[$key]); |
|
| 63 | + continue; |
|
| 64 | + } |
|
| 65 | + |
|
| 66 | + $dnsResponses = dns_get_record($target, $dnsType); |
|
| 67 | + $canHaveCnameRecord = true; |
|
| 68 | + if (count($dnsResponses) > 0) { |
|
| 69 | + foreach ($dnsResponses as $key => $dnsResponse) { |
|
| 70 | + if (isset($dnsResponse['ip'])) { |
|
| 71 | + $targetIps[] = $dnsResponse['ip']; |
|
| 72 | + $canHaveCnameRecord = false; |
|
| 73 | + } elseif (isset($dnsResponse['ipv6'])) { |
|
| 74 | + $targetIps[] = $dnsResponse['ipv6']; |
|
| 75 | + $canHaveCnameRecord = false; |
|
| 76 | + } elseif (isset($dnsResponse['target']) && $canHaveCnameRecord) { |
|
| 77 | + $targetIps = array_merge($targetIps, $this->dnsResolve($dnsResponse['target'], $recursionCount)); |
|
| 78 | + $canHaveCnameRecord = true; |
|
| 79 | + } |
|
| 80 | + } |
|
| 81 | + } else { |
|
| 82 | + if ($dnsNegativeTtl !== null) { |
|
| 83 | + $this->negativeDnsCache->setNegativeCacheForDnsType($target, $dnsType, $dnsNegativeTtl); |
|
| 84 | + } |
|
| 85 | + } |
|
| 86 | + } |
|
| 87 | + |
|
| 88 | + return $targetIps; |
|
| 89 | + } |
|
| 90 | + |
|
| 91 | + public function addDnsPinning() { |
|
| 92 | + return function (callable $handler) { |
|
| 93 | + return function ( |
|
| 94 | + RequestInterface $request, |
|
| 95 | + array $options |
|
| 96 | + ) use ($handler) { |
|
| 97 | + if ($options['nextcloud']['allow_local_address'] === true) { |
|
| 98 | + return $handler($request, $options); |
|
| 99 | + } |
|
| 100 | + |
|
| 101 | + $hostName = (string)$request->getUri()->getHost(); |
|
| 102 | + $port = $request->getUri()->getPort(); |
|
| 103 | + |
|
| 104 | + $ports = [ |
|
| 105 | + '80', |
|
| 106 | + '443', |
|
| 107 | + ]; |
|
| 108 | + |
|
| 109 | + if ($port !== null) { |
|
| 110 | + $ports[] = (string)$port; |
|
| 111 | + } |
|
| 112 | + |
|
| 113 | + $targetIps = $this->dnsResolve($hostName, 0); |
|
| 114 | + |
|
| 115 | + $curlResolves = []; |
|
| 116 | + |
|
| 117 | + foreach ($ports as $port) { |
|
| 118 | + $curlResolves["$hostName:$port"] = []; |
|
| 119 | + |
|
| 120 | + foreach ($targetIps as $ip) { |
|
| 121 | + $this->localAddressChecker->ThrowIfLocalIp($ip); |
|
| 122 | + $curlResolves["$hostName:$port"][] = $ip; |
|
| 123 | + } |
|
| 124 | + } |
|
| 125 | + |
|
| 126 | + // Coalesce the per-host:port ips back into a comma separated list |
|
| 127 | + foreach ($curlResolves as $hostport => $ips) { |
|
| 128 | + $options['curl'][CURLOPT_RESOLVE][] = "$hostport:" . implode(',', $ips); |
|
| 129 | + } |
|
| 130 | + |
|
| 131 | + return $handler($request, $options); |
|
| 132 | + }; |
|
| 133 | + }; |
|
| 134 | + } |
|
| 135 | 135 | } |
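Review bot: The recursion guard in dnsResolve never advances, because `$recursionCount = $recursionCount++;` (new-side line 49) assigns the pre-increment value back to the variable, so the `>= 10` check on line 45 only ever sees 0 and a CNAME chain that loops back on itself would recurse without bound; this hunk looks like a re-indentation only, so the defect predates it, but it is the code on the new side. Replace the line with `$recursionCount++;`, or pass `$recursionCount + 1` in the recursive call on line 77, so the depth limit actually applies. The inner `foreach ($dnsResponses as $key => $dnsResponse)` on line 69 also reuses the outer loop's `$key`; renaming it (for example `$idx`) removes the shadowing, although behaviour is unchanged here since the outer `unset($dnsTypes[$key])` runs before the inner loop starts.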
@@ -89,8 +89,8 @@ discard block |
| 89 | 89 | } |
| 90 | 90 | |
| 91 | 91 | public function addDnsPinning() { |
| 92 | - return function (callable $handler) { |
|
| 93 | - return function ( |
|
| 92 | + return function(callable $handler) { |
|
| 93 | + return function( |
|
| 94 | 94 | RequestInterface $request, |
| 95 | 95 | array $options |
| 96 | 96 | ) use ($handler) { |
@@ -98,7 +98,7 @@ discard block |
| 98 | 98 | return $handler($request, $options); |
| 99 | 99 | } |
| 100 | 100 | |
| 101 | - $hostName = (string)$request->getUri()->getHost(); |
|
| 101 | + $hostName = (string) $request->getUri()->getHost(); |
|
| 102 | 102 | $port = $request->getUri()->getPort(); |
| 103 | 103 | |
| 104 | 104 | $ports = [ |
@@ -107,7 +107,7 @@ discard block |
| 107 | 107 | ]; |
| 108 | 108 | |
| 109 | 109 | if ($port !== null) { |
| 110 | - $ports[] = (string)$port; |
|
| 110 | + $ports[] = (string) $port; |
|
| 111 | 111 | } |
| 112 | 112 | |
| 113 | 113 | $targetIps = $this->dnsResolve($hostName, 0); |
@@ -125,7 +125,7 @@ discard block |
| 125 | 125 | |
| 126 | 126 | // Coalesce the per-host:port ips back into a comma separated list |
| 127 | 127 | foreach ($curlResolves as $hostport => $ips) { |
| 128 | - $options['curl'][CURLOPT_RESOLVE][] = "$hostport:" . implode(',', $ips); |
|
| 128 | + $options['curl'][CURLOPT_RESOLVE][] = "$hostport:".implode(',', $ips); |
|
| 129 | 129 | } |
| 130 | 130 | |
| 131 | 131 | return $handler($request, $options); |