authorVincent Petry <pvince81@owncloud.com>2014-03-05 15:02:05 +0100
committerVincent Petry <pvince81@owncloud.com>2014-03-06 11:51:08 +0100
commit421cff00bdb6441b1639c83ed68dc1cbe196e333 (patch)
tree1ba3654cbae36056fc948d4ad9381805437be13f /lib/base.php
parent1785c0c9b9fcdc6e9a8e58f13f45e5b53364882a (diff)
downloadnextcloud-server-421cff00bdb6441b1639c83ed68dc1cbe196e333.tar.gz
nextcloud-server-421cff00bdb6441b1639c83ed68dc1cbe196e333.zip
Show warning page when accessing server from an untrusted domain
Added an early check of the requested host; a warning page is shown if the domain is not trusted.
Diffstat (limited to 'lib/base.php')
-rw-r--r--lib/base.php16
1 files changed, 16 insertions, 0 deletions
diff --git a/lib/base.php b/lib/base.php
index 351b91b7dfa..82612a18771 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -694,6 +694,22 @@ class OC {
exit();
}
+ $host = OC_Request::insecureServerHost();
+ // if the host passed in headers isn't trusted
+ if (!OC::$CLI
+ // overwritehost is always trusted
+ && OC_Request::getOverwriteHost() === null
+ && !OC_Request::isTrustedDomain($host)) {
+
+ header('HTTP/1.1 400 Bad Request');
+ header('Status: 400 Bad Request');
+ OC_Template::printErrorPage(
+ 'You are accessing the server from an untrusted domain.',
+ 'Please contact your administrator'
+ );
+ return;
+ }
+
$request = OC_Request::getPathInfo();
if (substr($request, -3) !== '.js') { // we need these files during the upgrade
self::checkMaintenanceMode();
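Review bot: The rejection branch ends with `return;` while the block just above it ends with `exit();`, so whether anything else runs for a request carrying an untrusted Host header depends on what the caller does after this method returns and on whether `OC_Template::printErrorPage()` terminates on its own, neither of which is visible here; ending the branch with `exit();` would make the stop explicit. The branch also rejects silently: a warning-level log entry before the headers are sent, e.g. `OC_Log::write('core', 'Request rejected: untrusted host header', OC_Log::WARN);`, would let an administrator tell a misconfigured trusted-domain list from Host-header probing. If the host value is added to that message it should be sanitised first, since it comes straight from request headers. The enclosing method starts and ends outside the hunk, so any earlier use of the host in it could not be checked.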