Merge pull request #7584 from owncloud/stable5-trusteddomainerrorpage

[stable5] Show warning page when accessing server from an untrusted domain

3 files changed, 215 insertions, 19 deletions

diff --git a/lib/base.php b/lib/base.php
index e8f67db8881..3c3c13c8c47 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -612,6 +612,22 @@ class OC {
 			exit();
 		}
 
+		$host = OC_Request::insecureServerHost();
+		// if the host passed in headers isn't trusted
+		if (!OC::$CLI
+			// overwritehost is always trusted
+			&& OC_Request::getOverwriteHost() === null
+			&& !OC_Request::isTrustedDomain($host)) {
+
+			header('HTTP/1.1 400 Bad Request');
+			header('Status: 400 Bad Request');
+			OC_Template::printErrorPage(
+				'You are accessing the server from an untrusted domain.',
+				'Please contact your administrator'
+			);
+			return;
+		}
+
 		$request = OC_Request::getPathInfo();
 		if(substr($request, -3) !== '.js') {// we need these files during the upgrade
 			self::checkMaintenanceMode();
diff --git a/lib/request.php b/lib/request.php
index d83e432866c..4c627db3e6f 100755
--- a/lib/request.php
+++ b/lib/request.php
@@ -7,6 +7,8 @@
  */
 
 class OC_Request {
+	const REGEX_LOCALHOST = '/^(127\.0\.0\.1|localhost)(:[0-9]+|)$/';
+
 	/**
 	 * @brief Check overwrite condition
 	 * @returns bool
@@ -18,49 +20,91 @@ class OC_Request {
 	}
 
 	/**
-	* @brief Checks whether a domain is considered as trusted. This is used to prevent Host Header Poisoning.
-	* @param string $host
-	* @return bool
+	 * @brief Checks whether a domain is considered as trusted from the list
+	 * of trusted domains. If no trusted domains have been configured, returns
+	 * true.
+	 * This is used to prevent Host Header Poisoning.
+	 * @param string $host
+	 * @return bool true if the given domain is trusted or if no trusted domains
+	 * have been configured
 	 */
 	public static function isTrustedDomain($domain) {
-		$trustedList = \OC_Config::getValue('trusted_domains', array(''));
- 		return in_array($domain, $trustedList);
+		$trustedList = \OC_Config::getValue('trusted_domains', array());
+		if (empty($trustedList)) {
+			return true;
+		}
+		if (preg_match(self::REGEX_LOCALHOST, $domain) === 1) {
+			return true;
+		}
+		return in_array($domain, $trustedList);
 	}
 
 	/**
-	 * @brief Returns the server host
+	 * @brief Returns the unverified server host from the headers without checking
+	 * whether it is a trusted domain
 	 * @returns string the server host
 	 *
 	 * Returns the server host, even if the website uses one or more
 	 * reverse proxies
 	 */
-	public static function serverHost() {
-		if(OC::$CLI) {
-			return 'localhost';
-		}
-		if(OC_Config::getValue('overwritehost', '') !== '' and self::isOverwriteCondition()) {
-			return OC_Config::getValue('overwritehost');
-		}
+	public static function insecureServerHost() {
+		$host = null;
 		if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
 			if (strpos($_SERVER['HTTP_X_FORWARDED_HOST'], ",") !== false) {
-				$host = trim(array_pop(explode(",", $_SERVER['HTTP_X_FORWARDED_HOST'])));
-			}
-			else{
+				$parts = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
+				$host = trim(current($parts));
+			} else {
 				$host = $_SERVER['HTTP_X_FORWARDED_HOST'];
 			}
 		} else {
 			if (isset($_SERVER['HTTP_HOST'])) {
 				$host = $_SERVER['HTTP_HOST'];
-			}
-			else if (isset($_SERVER['SERVER_NAME'])) {
+			} else if (isset($_SERVER['SERVER_NAME'])) {
 				$host = $_SERVER['SERVER_NAME'];
 			}
 		}
+		return $host;
+	}
+
+	/**
+	 * Returns the overwritehost setting from the config if set and
+	 * if the overwrite condition is met
+	 * @return overwritehost value or null if not defined or the defined condition
+	 * isn't met
+	 */
+	public static function getOverwriteHost() {
+		if(OC_Config::getValue('overwritehost', '') !== '' and self::isOverwriteCondition()) {
+			return OC_Config::getValue('overwritehost');
+		}
+		return null;
+	}
+
+	/**
+	 * @brief Returns the server host from the headers, or the first configured
+	 * trusted domain if the host isn't in the trusted list
+	 * @returns string the server host
+	 *
+	 * Returns the server host, even if the website uses one or more
+	 * reverse proxies
+	 */
+	public static function serverHost() {
+		if(OC::$CLI) {
+			return 'localhost';
+		}
+
+		// overwritehost is always trusted
+		$host = self::getOverwriteHost();
+		if ($host !== null) {
+			return $host;
+		}
+
+		// get the host from the headers
+		$host = self::insecureServerHost();
 
 		// Verify that the host is a trusted domain if the trusted domains
 		// are defined
 		// If no trusted domain is provided the first trusted domain is returned
-		if(self::isTrustedDomain($host) || \OC_Config::getValue('trusted_domains', "") === "") {
+		if (self::isTrustedDomain($host)) {
 			return $host;
 		} else {
 			$trustedList = \OC_Config::getValue('trusted_domains', array(''));
diff --git a/tests/lib/request.php b/tests/lib/request.php
index 090cebc9231..2c4cee445be 100644
--- a/tests/lib/request.php
+++ b/tests/lib/request.php
@@ -70,4 +70,140 @@ class Test_Request extends PHPUnit_Framework_TestCase {
 			array('/oc/core1', '/oc/core/index.php'),
 		);
 	}
+	public function testInsecureServerHost() {
+		unset($_SERVER['HTTP_X_FORWARDED_HOST']);
+		unset($_SERVER['HTTP_HOST']);
+		unset($_SERVER['SERVER_NAME']);
+		$_SERVER['SERVER_NAME'] = 'from.server.name:8080';
+		$host = OC_Request::insecureServerHost();
+		$this->assertEquals('from.server.name:8080', $host);
+
+		$_SERVER['HTTP_HOST'] = 'from.host.header:8080';
+		$host = OC_Request::insecureServerHost();
+		$this->assertEquals('from.host.header:8080', $host);
+
+		$_SERVER['HTTP_X_FORWARDED_HOST'] = 'from.forwarded.host:8080';
+		$host = OC_Request::insecureServerHost();
+		$this->assertEquals('from.forwarded.host:8080', $host);
+
+		$_SERVER['HTTP_X_FORWARDED_HOST'] = 'from.forwarded.host2:8080,another.one:9000';
+		$host = OC_Request::insecureServerHost();
+		$this->assertEquals('from.forwarded.host2:8080', $host);
+
+		// clean up
+		unset($_SERVER['HTTP_X_FORWARDED_HOST']);
+		unset($_SERVER['HTTP_HOST']);
+		unset($_SERVER['SERVER_NAME']);
+	}
+
+	public function testGetOverwriteHost() {
+		unset($_SERVER['REMOTE_ADDR']);
+		OC_Config::deleteKey('overwritecondaddr');
+		OC_Config::deleteKey('overwritehost');
+		$host = OC_Request::getOverwriteHost();
+		$this->assertNull($host);
+
+		OC_Config::setValue('overwritehost', '');
+		$host = OC_Request::getOverwriteHost();
+		$this->assertNull($host);
+
+		OC_Config::setValue('overwritehost', 'host.one.test:8080');
+		$host = OC_Request::getOverwriteHost();
+		$this->assertEquals('host.one.test:8080', $host);
+
+		$_SERVER['REMOTE_ADDR'] = 'somehost.test:8080';
+		OC_Config::setValue('overwritecondaddr', '^somehost\..*$');
+		$host = OC_Request::getOverwriteHost();
+		$this->assertEquals('host.one.test:8080', $host);
+
+		OC_Config::setValue('overwritecondaddr', '^somethingelse.*$');
+		$host = OC_Request::getOverwriteHost();
+		$this->assertNull($host);
+
+		// clean up
+		unset($_SERVER['REMOTE_ADDR']);
+		OC_Config::deleteKey('overwritecondaddr');
+		OC_Config::deleteKey('overwritehost');
+	}
+
+	/**
+	 * @dataProvider trustedDomainDataProvider
+	 */
+	public function testIsTrustedDomain($trustedDomains, $testDomain, $result) {
+		OC_Config::deleteKey('trusted_domains');
+		if ($trustedDomains !== null) {
+			OC_Config::setValue('trusted_domains', $trustedDomains);
+		}
+
+		$this->assertEquals($result, OC_Request::isTrustedDomain($testDomain));
+
+		// clean up
+		OC_Config::deleteKey('trusted_domains');
+	}
+
+	public function trustedDomainDataProvider() {
+		$trustedHostTestList = array('host.one.test:8080', 'host.two.test:8080');
+		return array(
+			// empty defaults to true
+			array(null, 'host.one.test:8080', true),
+			array('', 'host.one.test:8080', true),
+			array(array(), 'host.one.test:8080', true),
+
+			// trust list when defined
+			array($trustedHostTestList, 'host.two.test:8080', true),
+			array($trustedHostTestList, 'host.two.test:9999', false),
+			array($trustedHostTestList, 'host.three.test:8080', false),
+
+			// trust localhost regardless of trust list
+			array($trustedHostTestList, 'localhost', true),
+			array($trustedHostTestList, 'localhost:8080', true),
+			array($trustedHostTestList, '127.0.0.1', true),
+			array($trustedHostTestList, '127.0.0.1:8080', true),
+
+			// do not trust invalid localhosts
+			array($trustedHostTestList, 'localhost:1:2', false),
+			array($trustedHostTestList, 'localhost: evil.host', false),
+		);
+	}
+
+	public function testServerHost() {
+		OC_Config::deleteKey('overwritecondaddr');
+		OC_Config::setValue('overwritehost', 'overwritten.host:8080');
+		OC_Config::setValue(
+			'trusted_domains',
+			array(
+				'trusted.host:8080',
+				'second.trusted.host:8080'
+			)
+		);
+		$_SERVER['HTTP_HOST'] = 'trusted.host:8080';
+
+		// CLI always gives localhost
+		$oldCLI = OC::$CLI;
+		OC::$CLI = true;
+		$host = OC_Request::serverHost();
+		$this->assertEquals('localhost', $host);
+		OC::$CLI = false;
+
+		// overwritehost overrides trusted domain
+		$host = OC_Request::serverHost();
+		$this->assertEquals('overwritten.host:8080', $host);
+
+		// trusted domain returned when used
+		OC_Config::deleteKey('overwritehost');
+		$host = OC_Request::serverHost();
+		$this->assertEquals('trusted.host:8080', $host);
+
+		// trusted domain returned when untrusted one in header
+		$_SERVER['HTTP_HOST'] = 'untrusted.host:8080';
+		OC_Config::deleteKey('overwritehost');
+		$host = OC_Request::serverHost();
+		$this->assertEquals('trusted.host:8080', $host);
+
+		// clean up
+		OC_Config::deleteKey('overwritecondaddr');
+		OC_Config::deleteKey('overwritehost');
+		unset($_SERVER['HTTP_HOST']);
+		OC::$CLI = $oldCLI;
+	}
 }