Do only follow HTTP and HTTPS redirects

We do not want to follow redirects to other protocols since they might allow an adversary to bypass network restrictions. (i.e. a redirect to ftp:// might be used to access files of a FTP server which might be in a secure zone and not be reachable from the net but from the ownCloud server)

Get final redirect manually using get_headers()

Migrate to HTTPHelper class and add unit tests

1 files changed, 12 insertions, 0 deletions

diff --git a/lib/private/server.php b/lib/private/server.php
index 912d5c4f635..7fa06298b29 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -212,6 +212,10 @@ class Server extends SimpleContainer implements IServerContainer {
 		$this->registerService('Db', function ($c) {
 			return new Db();
 		});
+		$this->registerService('HTTPHelper', function (SimpleContainer $c) {
+			$config = $c->query('AllConfig');
+			return new HTTPHelper($config);
+		});
 	}
 
 	/**
@@ -503,6 +507,14 @@ class Server extends SimpleContainer implements IServerContainer {
 	}
 
 	/**
+	 * Returns an instance of the HTTP helper class
+	 * @return \OC\HTTPHelper
+	 */
+	function getHTTPHelper() {
+		return $this->query('HTTPHelper');
+	}
+
+	/**
 	 * Get the certificate manager for the user
 	 *
 	 * @param \OCP\IUser $user (optional) if not specified the current loggedin user is used