diff options
| author | Björn Schießle <schiessle@owncloud.com> | 2014-02-24 11:23:20 +0100 |
|---|---|---|
| committer | Björn Schießle <schiessle@owncloud.com> | 2014-02-24 11:23:20 +0100 |
| commit | 195393e3241dd549676337d9ec02072373b99e50 (patch) | |
| tree | 43db25ad9b4913e57591fd8bedd77095ae754e77 | |
| parent | b88654561dc639637a5ac56832023b33dc85e284 (diff) | |
| parent | e9671c9c24e28a4baa96e0447f1d878a112b528b (diff) | |
| download | nextcloud-server-195393e3241dd549676337d9ec02072373b99e50.tar.gz nextcloud-server-195393e3241dd549676337d9ec02072373b99e50.zip | |
Merge pull request #7362 from owncloud/fix-7259-5
Backport #7259 to stable5
| -rwxr-xr-x | config/config.sample.php | 3 | ||||
| -rwxr-xr-x | lib/request.php | 46 | ||||
| -rw-r--r-- | lib/setup.php | 1 | ||||
| -rw-r--r-- | lib/updater.php | 15 |
4 files changed, 49 insertions, 16 deletions
diff --git a/config/config.sample.php b/config/config.sample.php index 092480d4f5d..77987a574e3 100755 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -53,6 +53,9 @@ $CONFIG = array( /* The optional authentication for the proxy to use to connect to the internet. The format is: [username]:[password] */ "proxyuserpwd" => "", +/* List of trusted domains, to prevent host header poisoning ownCloud is only using these Host headers */ +'trusted_domains' => array('demo.owncloud.org'), + /* Theme to use for ownCloud */ "theme" => "", diff --git a/lib/request.php b/lib/request.php index d0b2feab311..2a7101efbe1 100755 --- a/lib/request.php +++ b/lib/request.php @@ -18,6 +18,16 @@ class OC_Request { } /** + * @brief Checks whether a domain is considered as trusted. This is used to prevent Host Header Poisoning. + * @param string $host + * @return bool + */ + public static function isTrustedDomain($domain) { + $trustedList = \OC_Config::getValue('trusted_domains', array('')); + return in_array($domain, $trustedList); + } + + /** * @brief Returns the server host * @returns string the server host * @@ -36,21 +46,27 @@ class OC_Request { $host = trim(array_pop(explode(",", $_SERVER['HTTP_X_FORWARDED_HOST']))); } else{ - $host=$_SERVER['HTTP_X_FORWARDED_HOST']; + $host = $_SERVER['HTTP_X_FORWARDED_HOST']; } - } - else{ + } else { if (isset($_SERVER['HTTP_HOST'])) { - return $_SERVER['HTTP_HOST']; + $host = $_SERVER['HTTP_HOST']; } if (isset($_SERVER['SERVER_NAME'])) { - return $_SERVER['SERVER_NAME']; + $host = $_SERVER['SERVER_NAME']; } - return 'localhost'; } - return $host; - } + // Verify that the host is a trusted domain if the trusted domains + // are defined + // If no trusted domain is provided the first trusted domain is returned + if(self::isTrustedDomain($host) || \OC_Config::getValue('trusted_domains', "") === "") { + return $host; + } else { + $trustedList = \OC_Config::getValue('trusted_domains', array('')); + return $trustedList[0]; + } + } /** * @brief Returns the server protocol @@ -64,14 +80,14 @@ class OC_Request { } if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { $proto = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']); - }else{ - if(isset($_SERVER['HTTPS']) and !empty($_SERVER['HTTPS']) and ($_SERVER['HTTPS']!='off')) { - $proto = 'https'; - }else{ - $proto = 'http'; - } + // Verify that the protocol is always HTTP or HTTPS + // default to http if an invalid value is provided + return $proto === 'https' ? 'https' : 'http'; + } + if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') { + return 'https'; } - return $proto; + return 'http'; } /** diff --git a/lib/setup.php b/lib/setup.php index 2a43f7b4475..d00e860434d 100644 --- a/lib/setup.php +++ b/lib/setup.php @@ -84,6 +84,7 @@ class OC_Setup { OC_Config::setValue('passwordsalt', $salt); //write the config file + OC_Config::setValue('trusted_domains', array(OC_Request::serverHost())); OC_Config::setValue('datadirectory', $datadir); OC_Config::setValue('dbtype', $dbtype); OC_Config::setValue('version', implode('.', OC_Util::getVersion())); diff --git a/lib/updater.php b/lib/updater.php index d0ae1fb4715..ec10377a4b9 100644 --- a/lib/updater.php +++ b/lib/updater.php @@ -97,6 +97,19 @@ class OC_Updater extends BasicEmitter { $currentVersion = implode('.', \OC_Util::getVersion()); \OC_Log::write('core', 'starting upgrade from ' . $installedVersion . ' to ' . $currentVersion, \OC_Log::WARN); $this->emit('\OC_Updater', 'maintenanceStart'); + + /* + * START CONFIG CHANGES FOR OLDER VERSIONS + */ + if (version_compare($currentVersion, '5.00.29', '<')) { + // Add the overwriteHost config if it is not existant + // This is added to prevent host header poisoning + \OC_Config::setValue('trusted_domains', \OC_Config::getValue('trusted_domains', array(\OC_Request::serverHost()))); + } + /* + * STOP CONFIG CHANGES FOR OLDER VERSIONS + */ + try { \OC_DB::updateDbFromStructure(\OC::$SERVERROOT . '/db_structure.xml'); $this->emit('\OC_Updater', 'dbUpgrade'); @@ -157,4 +170,4 @@ class OC_Updater extends BasicEmitter { } $this->emit('\OC_Updater', 'filecacheDone'); } -}
\ No newline at end of file +} |