Backport #7259 to stable5
authorLukas Reschke <lukas@statuscode.ch>
Sat, 22 Feb 2014 07:07:57 +0000 (08:07 +0100)
committerLukas Reschke <lukas@statuscode.ch>
Sat, 22 Feb 2014 07:07:57 +0000 (08:07 +0100)
config/config.sample.php
lib/request.php
lib/setup.php
lib/updater.php

index 092480d4f5d698db377cd339821b5c28a1bd082b..77987a574e387dcf6d1c7d7763a29908516745f4 100755 (executable)
@@ -53,6 +53,9 @@ $CONFIG = array(
 /* The optional authentication for the proxy to use to connect to the internet. The format is: [username]:[password] */
 "proxyuserpwd" => "",
 
+/* List of trusted domains, to prevent host header poisoning ownCloud is only using these Host headers */
+'trusted_domains' => array('demo.owncloud.org'),
+
 /* Theme to use for ownCloud */
 "theme" => "",
 
index d0b2feab311683df3e08f4ded340e3406a05bbdd..2a7101efbe1d56c7aa9853ecaa7ec25ab5d6bc1d 100755 (executable)
@@ -17,6 +17,16 @@ class OC_Request {
                        or ($type !== 'protocol' and OC_Config::getValue('forcessl', false));
        }
 
+       /**
+       * @brief Checks whether a domain is considered as trusted. This is used to prevent Host Header Poisoning.
+       * @param string $host
+       * @return bool
+        */
+       public static function isTrustedDomain($domain) {
+               $trustedList = \OC_Config::getValue('trusted_domains', array(''));
+               return in_array($domain, $trustedList);
+       }
+
        /**
         * @brief Returns the server host
         * @returns string the server host
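Review bot: `isTrustedDomain()` checks the allowlist with a loose `in_array($domain, $trustedList)`, so numeric-looking strings are matched by PHP's type-juggling rules rather than exactly; for a security allowlist this should be `in_array($domain, $trustedList, true)`. The default `array('')` also means an empty host counts as trusted when `trusted_domains` is unset, which should either be documented or replaced with `array()`. The docblock names the parameter `$host` while the signature uses `$domain`; `@param string $domain` would match. Because the match is exact, a Host value carrying a port or different letter case will not match an entry, and a sentence in the docblock saying so would help administrators.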
@@ -36,21 +46,27 @@ class OC_Request {
                                $host = trim(array_pop(explode(",", $_SERVER['HTTP_X_FORWARDED_HOST'])));
                        }
                        else{
-                               $host=$_SERVER['HTTP_X_FORWARDED_HOST'];
+                               $host = $_SERVER['HTTP_X_FORWARDED_HOST'];
                        }
-               }
-               else{
+               } else {
                        if (isset($_SERVER['HTTP_HOST'])) {
-                               return $_SERVER['HTTP_HOST'];
+                               $host = $_SERVER['HTTP_HOST'];
                        }
                        if (isset($_SERVER['SERVER_NAME'])) {
-                               return $_SERVER['SERVER_NAME'];
+                               $host = $_SERVER['SERVER_NAME'];
                        }
-                       return 'localhost';
                }
-               return $host;
-       }
 
+               // Verify that the host is a trusted domain if the trusted domains
+               // are defined
+               // If no trusted domain is provided the first trusted domain is returned
+               if(self::isTrustedDomain($host) || \OC_Config::getValue('trusted_domains', "") === "") {
+                       return $host;
+               } else {
+                       $trustedList = \OC_Config::getValue('trusted_domains', array(''));
+                       return $trustedList[0];
+               }
+       }
 
        /**
        * @brief Returns the server protocol
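Review bot: In the `else` branch the two `return`s became two independent assignments, so when both are set `$_SERVER['SERVER_NAME']` now overwrites `$_SERVER['HTTP_HOST']`, and with neither set `$host` is undefined because the `'localhost'` fallback was dropped. Restoring the old precedence needs `} elseif (isset($_SERVER['SERVER_NAME'])) {` for the second test plus `} else { $host = 'localhost'; }`. The bypass condition `\OC_Config::getValue('trusted_domains', "") === ""` only covers an unset key, so an empty array in the config would reach `$trustedList[0]` on a missing index. The comment above the check contradicts the code and could read `// If the host is not trusted, fall back to the first configured trusted domain`. The start of `serverHost()` lies outside this hunk.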
@@ -64,14 +80,14 @@ class OC_Request {
                }
                if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
                        $proto = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']);
-               }else{
-                       if(isset($_SERVER['HTTPS']) and !empty($_SERVER['HTTPS']) and ($_SERVER['HTTPS']!='off')) {
-                               $proto = 'https';
-                       }else{
-                               $proto = 'http';
-                       }
+                       // Verify that the protocol is always HTTP or HTTPS
+                       // default to http if an invalid value is provided
+                       return $proto === 'https' ? 'https' : 'http';
+               }
+               if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
+                       return 'https';
                }
-               return $proto;
+               return 'http';
        }
 
        /**
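Review bot: The `X-Forwarded-Proto` branch compares the whole header value with `'https'`, so a comma-separated value from a proxy chain would be reported as `http`, whereas the host code in this file already splits `HTTP_X_FORWARDED_HOST` on `,`. If that case can occur in supported deployments, one element should be selected and trimmed before the comparison; which element is authoritative depends on the proxy setup and needs confirming. In the fallback test, `isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS'])` is redundant, since `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'` covers both. The method's opening lines are outside the hunk.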
index 2a43f7b4475c32ace57187d8ef5cde67e4747ffd..d00e860434d4e654969c02194de7d7dd32d21e81 100644 (file)
@@ -84,6 +84,7 @@ class OC_Setup {
                        OC_Config::setValue('passwordsalt', $salt);
 
                        //write the config file
+                       OC_Config::setValue('trusted_domains', array(OC_Request::serverHost())); 
                        OC_Config::setValue('datadirectory', $datadir);
                        OC_Config::setValue('dbtype', $dbtype);
                        OC_Config::setValue('version', implode('.', OC_Util::getVersion()));
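Review bot: The value written to `trusted_domains` comes from `OC_Request::serverHost()`, which at install time has no list to check against and so returns the Host or X-Forwarded-Host of whichever request ran the installer; that string then becomes the allowlist. A comment such as `// seeded from the installing request's host; administrators should review trusted_domains afterwards` would make this visible, and a format check on the value before storing it would be a reasonable hardening step. The same request-derived seeding is used as the default in the `lib/updater.php` hunk. The added line also ends in trailing whitespace, and the enclosing install method starts and ends outside the hunk.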
index d0ae1fb471590ea097fa265dbd117189b2264a57..ec10377a4b9197658f0fe17222f5f4ace18fc670 100644 (file)
@@ -97,6 +97,19 @@ class OC_Updater extends BasicEmitter {
                $currentVersion = implode('.', \OC_Util::getVersion());
                \OC_Log::write('core', 'starting upgrade from ' . $installedVersion . ' to ' . $currentVersion, \OC_Log::WARN);
                $this->emit('\OC_Updater', 'maintenanceStart');
+
+               /*
+                * START CONFIG CHANGES FOR OLDER VERSIONS
+                */
+               if (version_compare($currentVersion, '5.00.29', '<')) {
+                       // Add the overwriteHost config if it is not existant
+                       // This is added to prevent host header poisoning
+                       \OC_Config::setValue('trusted_domains', \OC_Config::getValue('trusted_domains', array(\OC_Request::serverHost()))); 
+               }
+               /*
+                * STOP CONFIG CHANGES FOR OLDER VERSIONS
+                */
+
                try {
                        \OC_DB::updateDbFromStructure(\OC::$SERVERROOT . '/db_structure.xml');
                        $this->emit('\OC_Updater', 'dbUpgrade');
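Review bot: The comment inside the new block says it adds the `overwriteHost` config, but the code sets `trusted_domains`; it should read `// Add the trusted_domains config if it does not exist yet`. The gate tests `$currentVersion`, which is built from `\OC_Util::getVersion()`, while the log line above treats `$installedVersion` as the version being upgraded from, so the condition may have been meant to test `$installedVersion`; this is worth confirming. The enclosing upgrade method begins and ends outside the hunk.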
@@ -157,4 +170,4 @@ class OC_Updater extends BasicEmitter {
                }
                $this->emit('\OC_Updater', 'filecacheDone');
        }
-}
\ No newline at end of file
+}