* of trusted domains. If no trusted domains have been configured, returns
* true.
* This is used to prevent Host Header Poisoning.
- * @param string $domain
+ * @param string $domainWithPort
* @return bool true if the given domain is trusted or if no trusted domains
* have been configured
*/
- public static function isTrustedDomain($domain) {
+ public static function isTrustedDomain($domainWithPort) {
// Extract port from domain if needed
- $domain = self::getDomainWithoutPort($domain);
+ $domain = self::getDomainWithoutPort($domainWithPort);
// FIXME: Empty config array defaults to true for now. - Deprecate this behaviour with ownCloud 8.
$trustedList = \OC::$server->getConfig()->getSystemValue('trusted_domains', array());
return true;
}
+ // FIXME: Workaround for older instances still with port applied. Remove for ownCloud 9.
+ if(in_array($domainWithPort, $trustedList)) {
+ return true;
+ }
+
// Always allow access from localhost
if (preg_match(self::REGEX_LOCALHOST, $domain) === 1) {
return true;