mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1008 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17349 Commits
434 Branches
Tree: 3d0661a1e7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3d0661a1e7'
${ noResults }
nextcloud/lib/private/request.php

request.php 8.0KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273 
  1. <?php

  2. /**

  3.  * Copyright (c) 2012 Bart Visscher <bartv@thisnet.nl>

  4.  * This file is licensed under the Affero General Public License version 3 or

  5.  * later.

  6.  * See the COPYING-README file.

  7.  */

  8. 

  9. class OC_Request {

  10. 

  11. 	const USER_AGENT_IE = '/MSIE/';

  12. 	// Android Chrome user agent: https://developers.google.com/chrome/mobile/docs/user-agent

  13. 	const USER_AGENT_ANDROID_MOBILE_CHROME = '#Android.*Chrome/[.0-9]*#';

  14. 	const USER_AGENT_FREEBOX = '#^Mozilla/5\.0$#';

  15. 

  16. 	const REGEX_LOCALHOST = '/^(127\.0\.0\.1|localhost)(:[0-9]+|)$/';

  17. 

  18. 	/**

  19. 	 * @brief Check overwrite condition

  20. 	 * @param string $type

  21. 	 * @returns bool

  22. 	 */

  23. 	private static function isOverwriteCondition($type = '') {

  24. 		$regex = '/' . OC_Config::getValue('overwritecondaddr', '')  . '/';

  25. 		return $regex === '//' or preg_match($regex, $_SERVER['REMOTE_ADDR']) === 1

  26. 			or ($type !== 'protocol' and OC_Config::getValue('forcessl', false));

  27. 	}

  28. 

  29. 	/**

  30. 	 * @brief Checks whether a domain is considered as trusted from the list

  31. 	 * of trusted domains. If no trusted domains have been configured, returns

  32. 	 * true.

  33. 	 * This is used to prevent Host Header Poisoning.

  34. 	 * @param string $domain

  35. 	 * @return bool true if the given domain is trusted or if no trusted domains

  36. 	 * have been configured

  37. 	 */

  38. 	public static function isTrustedDomain($domain) {

  39. 		$trustedList = \OC_Config::getValue('trusted_domains', array());

  40. 		if (empty($trustedList)) {

  41. 			return true;

  42. 		}

  43. 		if (preg_match(self::REGEX_LOCALHOST, $domain) === 1) {

  44. 			return true;

  45. 		}

  46. 		return in_array($domain, $trustedList);

  47. 	}

  48. 

  49. 	/**

  50. 	 * @brief Returns the unverified server host from the headers without checking

  51. 	 * whether it is a trusted domain

  52. 	 * @returns string the server host

  53. 	 *

  54. 	 * Returns the server host, even if the website uses one or more

  55. 	 * reverse proxies

  56. 	 */

  57. 	public static function insecureServerHost() {

  58. 		$host = null;

  59. 		if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {

  60. 			if (strpos($_SERVER['HTTP_X_FORWARDED_HOST'], ",") !== false) {

  61. 				$parts = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);

  62. 				$host = trim(current($parts));

  63. 			} else {

  64. 				$host = $_SERVER['HTTP_X_FORWARDED_HOST'];

  65. 			}

  66. 		} else {

  67. 			if (isset($_SERVER['HTTP_HOST'])) {

  68. 				$host = $_SERVER['HTTP_HOST'];

  69. 			} else if (isset($_SERVER['SERVER_NAME'])) {

  70. 				$host = $_SERVER['SERVER_NAME'];

  71. 			}

  72. 		}

  73. 		return $host;

  74. 	}

  75. 

  76. 	/**

  77. 	 * Returns the overwritehost setting from the config if set and

  78. 	 * if the overwrite condition is met

  79. 	 * @return string|null overwritehost value or null if not defined or the defined condition

  80. 	 * isn't met

  81. 	 */

  82. 	public static function getOverwriteHost() {

  83. 		if(OC_Config::getValue('overwritehost', '') !== '' and self::isOverwriteCondition()) {

  84. 			return OC_Config::getValue('overwritehost');

  85. 		}

  86. 		return null;

  87. 	}

  88. 

  89. 	/**

  90. 	 * @brief Returns the server host from the headers, or the first configured

  91. 	 * trusted domain if the host isn't in the trusted list

  92. 	 * @returns string the server host

  93. 	 *

  94. 	 * Returns the server host, even if the website uses one or more

  95. 	 * reverse proxies

  96. 	 */

  97. 	public static function serverHost() {

  98. 		if(OC::$CLI) {

  99. 			return 'localhost';

  100. 		}

  101. 

  102. 		// overwritehost is always trusted

  103. 		$host = self::getOverwriteHost();

  104. 		if ($host !== null) {

  105. 			return $host;

  106. 		}

  107. 

  108. 		// get the host from the headers

  109. 		$host = self::insecureServerHost();

  110. 

  111. 		// Verify that the host is a trusted domain if the trusted domains

  112. 		// are defined

  113. 		// If no trusted domain is provided the first trusted domain is returned

  114. 		if (self::isTrustedDomain($host)) {

  115. 			return $host;

  116. 		} else {

  117. 			$trustedList = \OC_Config::getValue('trusted_domains', array(''));

  118. 			return $trustedList[0];

  119. 		}

  120. 	}

  121. 

  122. 	/**

  123. 	* @brief Returns the server protocol

  124. 	* @returns string the server protocol

  125. 	*

  126. 	* Returns the server protocol. It respects reverse proxy servers and load balancers

  127. 	*/

  128. 	public static function serverProtocol() {

  129. 		if(OC_Config::getValue('overwriteprotocol', '') !== '' and self::isOverwriteCondition('protocol')) {

  130. 			return OC_Config::getValue('overwriteprotocol');

  131. 		}

  132. 		if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {

  133. 			$proto = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']);

  134. 			// Verify that the protocol is always HTTP or HTTPS

  135. 			// default to http if an invalid value is provided

  136. 			return $proto === 'https' ? 'https' : 'http';

  137. 		}

  138. 		if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {

  139. 			return 'https';

  140. 		}

  141. 		return 'http';

  142. 	}

  143. 

  144. 	/**

  145. 	 * @brief Returns the request uri

  146. 	 * @returns string the request uri

  147. 	 *

  148. 	 * Returns the request uri, even if the website uses one or more

  149. 	 * reverse proxies

  150. 	 * @return string

  151. 	 */

  152. 	public static function requestUri() {

  153. 		$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

  154. 		if (OC_Config::getValue('overwritewebroot', '') !== '' and self::isOverwriteCondition()) {

  155. 			$uri = self::scriptName() . substr($uri, strlen($_SERVER['SCRIPT_NAME']));

  156. 		}

  157. 		return $uri;

  158. 	}

  159. 

  160. 	/**

  161. 	 * @brief Returns the script name

  162. 	 * @return string the script name

  163. 	 *

  164. 	 * Returns the script name, even if the website uses one or more

  165. 	 * reverse proxies

  166. 	 */

  167. 	public static function scriptName() {

  168. 		$name = $_SERVER['SCRIPT_NAME'];

  169. 		$overwriteWebRoot = OC_Config::getValue('overwritewebroot', '');

  170. 		if ($overwriteWebRoot !== '' and self::isOverwriteCondition()) {

  171. 			$serverroot = str_replace("\\", '/', substr(__DIR__, 0, -strlen('lib/private/')));

  172. 			$suburi = str_replace("\\", "/", substr(realpath($_SERVER["SCRIPT_FILENAME"]), strlen($serverroot)));

  173. 			$name = '/' . ltrim($overwriteWebRoot . $suburi, '/');

  174. 		}

  175. 		return $name;

  176. 	}

  177. 

  178. 	/**

  179. 	 * @brief get Path info from request

  180. 	 * @return string Path info or false when not found

  181. 	 */

  182. 	public static function getPathInfo() {

  183. 		if (array_key_exists('PATH_INFO', $_SERVER)) {

  184. 			$path_info = $_SERVER['PATH_INFO'];

  185. 		}else{

  186. 			$path_info = self::getRawPathInfo();

  187. 			// following is taken from Sabre_DAV_URLUtil::decodePathSegment

  188. 			$path_info = rawurldecode($path_info);

  189. 			$encoding = mb_detect_encoding($path_info, array('UTF-8', 'ISO-8859-1'));

  190. 

  191. 			switch($encoding) {

  192. 

  193. 				case 'ISO-8859-1' :

  194. 					$path_info = utf8_encode($path_info);

  195. 

  196. 			}

  197. 			// end copy

  198. 		}

  199. 		return $path_info;

  200. 	}

  201. 

  202. 	/**

  203. 	 * @brief get Path info from request, not urldecoded

  204. 	 * @throws Exception

  205. 	 * @return string Path info or false when not found

  206. 	 */

  207. 	public static function getRawPathInfo() {

  208. 		$requestUri = $_SERVER['REQUEST_URI'];

  209. 		// remove too many leading slashes - can be caused by reverse proxy configuration

  210. 		if (strpos($requestUri, '/') === 0) {

  211. 			$requestUri = '/' . ltrim($requestUri, '/');

  212. 		}

  213. 

  214. 		// Remove the query string from REQUEST_URI

  215. 		if ($pos = strpos($requestUri, '?')) {

  216. 			$requestUri = substr($requestUri, 0, $pos);

  217. 		}

  218. 

  219. 		$scriptName = $_SERVER['SCRIPT_NAME'];

  220. 		$path_info = $requestUri;

  221. 

  222. 		// strip off the script name's dir and file name

  223. 		list($path, $name) = \Sabre_DAV_URLUtil::splitPath($scriptName);

  224. 		if (!empty($path)) {

  225. 			if( $path === $path_info || strpos($path_info, $path.'/') === 0) {

  226. 				$path_info = substr($path_info, strlen($path));

  227. 			} else {

  228. 				throw new Exception("The requested uri($requestUri) cannot be processed by the script '$scriptName')");

  229. 			}

  230. 		}

  231. 		if (strpos($path_info, '/'.$name) === 0) {

  232. 			$path_info = substr($path_info, strlen($name) + 1);

  233. 		}

  234. 		if (strpos($path_info, $name) === 0) {

  235. 			$path_info = substr($path_info, strlen($name));

  236. 		}

  237. 		if($path_info === '/'){

  238. 			return '';

  239. 		} else {

  240. 			return $path_info;

  241. 		}

  242. 	}

  243. 

  244. 	/**

  245. 	 * @brief Check if the requester sent along an mtime

  246. 	 * @return false or an mtime

  247. 	 */

  248. 	static public function hasModificationTime () {

  249. 		if (isset($_SERVER['HTTP_X_OC_MTIME'])) {

  250. 			return $_SERVER['HTTP_X_OC_MTIME'];

  251. 		} else {

  252. 			return false;

  253. 		}

  254. 	}

  255. 

  256. 	/**

  257. 	 * Checks whether the user agent matches a given regex

  258. 	 * @param string|array $agent agent name or array of agent names

  259. 	 * @return boolean true if at least one of the given agent matches,

  260. 	 * false otherwise

  261. 	 */

  262. 	static public function isUserAgent($agent) {

  263. 		if (!is_array($agent)) {

  264. 			$agent = array($agent);

  265. 		}

  266. 		foreach ($agent as $regex) {

  267. 			if (preg_match($regex, $_SERVER['HTTP_USER_AGENT'])) {

  268. 				return true;

  269. 			}

  270. 		}

  271. 		return false;

  272. 	}

  273. }