Disallow certain malformed domain names even if they match the trusted domain expression
Stricter checking for valid domain names
This commit is contained in:
parent
2b4ceae620
commit
66a134e69e
@ -78,13 +78,16 @@ class TrustedDomainHelper {
|
|||||||
if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) {
|
if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
// Reject misformed domains in any case
|
||||||
// match, allowing for * wildcards
|
if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
// Match, allowing for * wildcards
|
||||||
foreach ($trustedList as $trusted) {
|
foreach ($trustedList as $trusted) {
|
||||||
if (gettype($trusted) !== 'string') {
|
if (gettype($trusted) !== 'string') {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
$regex = '/^' . join('.*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/';
|
$regex = '/^' . join('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/';
|
||||||
if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) {
|
if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
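Review bot: The new guard `if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false)` only rejects a hyphen at the very start of the host and a doubled dot, while the narrowed wildcard class `[-\.a-zA-Z0-9]*` on the `$regex` line still permits `-` and `.` in any position, so a host such as `a.-b.example` or `a-.b.example` passes the guard and, if a trusted entry's wildcard covers that label, is accepted. Tightening the guard to label boundaries keeps the rest of the logic intact: `if (preg_match('/(^|\.)-|-(\.|$)|\.\./', $domain) === 1) {`. I deliberately do not propose a full hostname-shape regex, because this page does not show whether bracketed IPv6 literals reach this point and such a pattern would reject them. The comment above the guard should read `// Reject malformed domains in any case`. The enclosing method begins and ends outside the hunk.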
@ -102,6 +102,10 @@ class TrustedDomainHelperTest extends \Test\TestCase {
|
|||||||
[$trustedHostTestList, 'abc.leadingwith.port:1234', false],
|
[$trustedHostTestList, 'abc.leadingwith.port:1234', false],
|
||||||
[$trustedHostTestList, 'trailingwith.port.abc:456', true],
|
[$trustedHostTestList, 'trailingwith.port.abc:456', true],
|
||||||
[$trustedHostTestList, 'trailingwith.port.abc:123', false],
|
[$trustedHostTestList, 'trailingwith.port.abc:123', false],
|
||||||
|
// bad hostname
|
||||||
|
[$trustedHostTestList, '-bad', false],
|
||||||
|
[$trustedHostTestList, '-bad.leading.host', false],
|
||||||
|
[$trustedHostTestList, 'bad..der.leading.host', false],
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
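Review bot: The three added cases (`'-bad'`, `'-bad.leading.host'`, `'bad..der.leading.host'`) all exercise the new early-reject branch, but none covers the other half of the commit, the wildcard class changing from `.*` to `[-\.a-zA-Z0-9]*`; reverting that part alone would leave this test green. A case whose host has a character outside that class (for example `:` or `/`) in the wildcard position of a matching trusted entry, expected `false`, would pin it. I can't name the exact entry because `$trustedHostTestList` is defined outside the hunk, and the data-provider method itself starts before the hunk.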