}
if ($allowLocalAccess !== 'yes') {
- $host = parse_url($url, PHP_URL_HOST);
+ $host = strtolower(parse_url($url, PHP_URL_HOST));
// remove brackets from IPv6 addresses
if (strpos($host, '[') === 0 && substr($host, -1) === ']') {
$host = substr($host, 1, -1);
}
- if ($host === 'localhost' || substr($host, -6) === '.local' || substr($host, -10) === '.localhost' ||
- preg_match('/(^127\.)|(^192\.168\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^::1$)|(^[fF][cCdD])/', $host)) {
+ // Disallow localhost and local network
+ if ($host === 'localhost' || substr($host, -6) === '.local' || substr($host, -10) === '.localhost') {
+ $this->logger->warning("Subscription $subscriptionId was not refreshed because it violates local access rules");
+ return null;
+ }
+
+ // Disallow hostname only
+ if (substr_count($host, '.') === 0) {
+ $this->logger->warning("Subscription $subscriptionId was not refreshed because it violates local access rules");
+ return null;
+ }
+
+ if ((bool)filter_var($host, FILTER_VALIDATE_IP) && !filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
$this->logger->warning("Subscription $subscriptionId was not refreshed because it violates local access rules");
return null;
}
public function runLocalURLDataProvider():array {
return [
['localhost/foo.bar'],
+ ['localHost/foo.bar'],
+ ['random-host/foo.bar'],
['[::1]/bla.blub'],
+ ['[::]/bla.blub'],
['192.168.0.1'],
+ ['172.16.42.1'],
+ ['[fdf8:f53b:82e4::53]/secret.ics'],
+ ['[fe80::200:5aee:feaa:20a2]/secret.ics'],
['10.0.0.1'],
['another-host.local'],
['service.localhost'],
projects / nextcloud-server.git / commitdiff