Disallow certain malformed domain names even if they match the trusted domain expression

Stricter checking for valid domain names

lib/private/Security/TrustedDomainHelper.php

@@ -78,13 +78,16 @@ class TrustedDomainHelper {
 		if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) {
 			return true;
 		}
-
-		// match, allowing for * wildcards
+		// Reject misformed domains in any case
+		if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) {
+			return false;
+		}
+		// Match, allowing for * wildcards
 		foreach ($trustedList as $trusted) {
 			if (gettype($trusted) !== 'string') {
 				break;
 			}
-			$regex = '/^' . join('.*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/';
+			$regex = '/^' . join('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/';
 			if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) {
  				return true;
  			}

tests/lib/Security/TrustedDomainHelperTest.php

@@ -102,6 +102,10 @@ class TrustedDomainHelperTest extends \Test\TestCase {
 			[$trustedHostTestList, 'abc.leadingwith.port:1234', false],
 			[$trustedHostTestList, 'trailingwith.port.abc:456', true],
 			[$trustedHostTestList, 'trailingwith.port.abc:123', false],
+			// bad hostname
+			[$trustedHostTestList, '-bad', false],
+			[$trustedHostTestList, '-bad.leading.host', false],
+			[$trustedHostTestList, 'bad..der.leading.host', false],
 		];
 	}
 }