fix(security): Handle idn_to_utf8 returning false 41999/head
authorJoas Schilling <coding@schilljs.com>
Mon, 4 Dec 2023 09:38:46 +0000 (10:38 +0100)
committerJoas Schilling <coding@schilljs.com>
Mon, 4 Dec 2023 09:38:46 +0000 (10:38 +0100)
Signed-off-by: Joas Schilling <coding@schilljs.com>
lib/private/Security/RemoteHostValidator.php
tests/lib/Http/Client/ClientTest.php
tests/lib/Security/RemoteHostValidatorTest.php

index 385b38cff983d13c52762cf95b800f8209dacb49..9cc69594c327303cbd1c1dd2186f41bed1c2da32 100644 (file)
@@ -52,6 +52,10 @@ final class RemoteHostValidator implements IRemoteHostValidator {
                }
 
                $host = idn_to_utf8(strtolower(urldecode($host)));
+               if ($host === false) {
+                       return false;
+               }
+
                // Remove brackets from IPv6 addresses
                if (str_starts_with($host, '[') && str_ends_with($host, ']')) {
                        $host = substr($host, 1, -1);
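Review bot: The new `if ($host === false)` branch rejects the host with no comment and no log entry, so a refused request cannot be traced back to a failed IDN conversion. Failing closed is the right outcome, because `false` would otherwise reach `str_starts_with()` and the checks after it. I would add above the check `// idn_to_utf8() returns false when the host cannot be converted; treat that as not valid instead of passing false on`. If the class has a logger (not visible in this hunk), a warning on this path would match how other rejections are presumably reported. The method body starts before and continues past the hunk.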
index 3cef9d7598656c7ad2ff6f1d3526c8fb5db5ecfa..0e6e265584ec16f24d96e1a849495005f5605d5d 100644 (file)
@@ -149,6 +149,7 @@ class ClientTest extends \Test\TestCase {
                        ['https://service.localhost'],
                        ['!@#$', true], // test invalid url
                        ['https://normal.host.com'],
+                       ['https://com.one-.nextcloud-one.com'],
                ];
        }
 
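Review bot: The added row `['https://com.one-.nextcloud-one.com']` gives no hint of why this host is in the list, unlike the `// test invalid url` row two lines above it. A trailing comment such as `// idn_to_utf8() returns false for this host` would keep the regression case from later being pruned as a duplicate of `https://normal.host.com`. The provider's name and the test that consumes it are outside the hunk, so what a row without a second element is expected to produce is inferred from its neighbours.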
index 030a75b1e79ecabf83ba0cc5944590fa74bf0820..b1371d9343c393e078214d87d214c2167d1ce037 100644 (file)
@@ -60,8 +60,17 @@ class RemoteHostValidatorTest extends TestCase {
                );
        }
 
-       public function testValid(): void {
-               $host = 'nextcloud.com';
+       public function dataValid(): array {
+               return [
+                       ['nextcloud.com', true],
+                       ['com.one-.nextcloud-one.com', false],
+               ];
+       }
+
+       /**
+        * @dataProvider dataValid
+        */
+       public function testValid(string $host, bool $expected): void {
                $this->hostnameClassifier
                        ->method('isLocalHostname')
                        ->with($host)
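Review bot: The `false` row in `dataValid()` goes through the same classifier mock setup as the valid host, so `testValid` cannot tell a host rejected at the IDN conversion from one rejected by a classifier. A dedicated test for the malformed host that sets `$this->hostnameClassifier->expects(self::never())->method('isLocalHostname')` would pin that the rejection happens before classification. The mock configuration between this hunk and the next is not visible, so check what else is stubbed there. Naming the rows, e.g. `'idn conversion fails' => ['com.one-.nextcloud-one.com', false]`, would also make a failing data set readable in the PHPUnit output.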
@@ -73,7 +82,7 @@ class RemoteHostValidatorTest extends TestCase {
 
                $valid = $this->validator->isValid($host);
 
-               self::assertTrue($valid);
+               self::assertSame($expected, $valid);
        }
 
        public function testLocalHostname(): void {