diff options
| author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2020-01-20 14:22:18 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-01-20 14:22:18 +0100 |
| commit | ddf6942d90097b909edac07513bb95c7107b9f4c (patch) | |
| tree | 0d6ad373f24f7a4fff06c405dcfc40c2ba631166 | |
| parent | be9b279f9809d4c6b12d7a1cd0b2c7d92cac57ec (diff) | |
| parent | 8331d8296b1972224cf6e1e391bba1c9380799a5 (diff) | |
| download | nextcloud-server-ddf6942d90097b909edac07513bb95c7107b9f4c.tar.gz nextcloud-server-ddf6942d90097b909edac07513bb95c7107b9f4c.zip | |
Merge pull request #18924 from nextcloud/fix/18848/array-index
Make getServerHost more robust to faulty user input
| -rw-r--r-- | lib/private/AppFramework/Http/Request.php | 14 | ||||
| -rw-r--r-- | tests/lib/AppFramework/Http/RequestTest.php | 46 |
2 files changed, 53 insertions, 7 deletions
diff --git a/lib/private/AppFramework/Http/Request.php b/lib/private/AppFramework/Http/Request.php index 3563ce3a200..6554250902d 100644 --- a/lib/private/AppFramework/Http/Request.php +++ b/lib/private/AppFramework/Http/Request.php @@ -904,14 +904,14 @@ class Request implements \ArrayAccess, \Countable, IRequest { $trustedDomainHelper = new TrustedDomainHelper($this->config); if ($trustedDomainHelper->isTrustedDomain($host)) { return $host; - } else { - $trustedList = $this->config->getSystemValue('trusted_domains', []); - if(!empty($trustedList)) { - return $trustedList[0]; - } else { - return ''; - } } + + $trustedList = (array)$this->config->getSystemValue('trusted_domains', []); + if (count($trustedList) > 0) { + return reset($trustedList); + } + + return ''; } /** diff --git a/tests/lib/AppFramework/Http/RequestTest.php b/tests/lib/AppFramework/Http/RequestTest.php index 56982aaf511..be019050e1b 100644 --- a/tests/lib/AppFramework/Http/RequestTest.php +++ b/tests/lib/AppFramework/Http/RequestTest.php @@ -1222,6 +1222,52 @@ class RequestTest extends \Test\TestCase { $this->assertSame('', $request->getServerHost()); } + /** + * @return array + */ + public function dataGetServerHostTrustedDomain() { + return [ + 'is array' => ['my.trusted.host', ['my.trusted.host']], + 'is array but undefined index 0' => ['my.trusted.host', [2 => 'my.trusted.host']], + 'is string' => ['my.trusted.host', 'my.trusted.host'], + 'is null' => ['', null], + ]; + } + + /** + * @dataProvider dataGetServerHostTrustedDomain + * @param $expected + * @param $trustedDomain + */ + public function testGetServerHostTrustedDomain($expected, $trustedDomain) { + $this->config + ->method('getSystemValue') + ->willReturnCallback(function ($key, $default) use ($trustedDomain) { + if ($key === 'trusted_proxies') { + return ['1.2.3.4']; + } + if ($key === 'trusted_domains') { + return $trustedDomain; + } + return $default; + }); + + $request = new Request( + [ + 'server' => [ + 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host', + 'REMOTE_ADDR' => '1.2.3.4', + ], + ], + $this->secureRandom, + $this->config, + $this->csrfTokenManager, + $this->stream + ); + + $this->assertSame($expected, $request->getServerHost()); + } + public function testGetOverwriteHostDefaultNull() { $this->config ->expects($this->once()) |