author | Lukas Reschke <lukas@statuscode.ch> | 2016-07-07 19:34:11 +0200 |
committer | GitHub <noreply@github.com> | 2016-07-07 19:34:11 +0200 |
commit | c8ba8f637eb04f70cde45c5051e7e78c0ab24026 (patch) | |
tree | 598d46eec148647d4d609b19a974c9b3d18d304e /lib/private | |
parent | 2a1a3957b65e847d51c4c735acf033f7df29cba6 (diff) | |
parent | c2309f1bcd5469e44fb5902bc62b55f439deba52 (diff) | |
Merge pull request #314 from jernst/master
Allow wildcard * to be used in trusted domains
Diffstat (limited to 'lib/private')
-rw-r--r-- | lib/private/Security/TrustedDomainHelper.php | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/lib/private/Security/TrustedDomainHelper.php b/lib/private/Security/TrustedDomainHelper.php
index 75407ae3939..cf4def63dd3 100644
--- a/lib/private/Security/TrustedDomainHelper.php
+++ b/lib/private/Security/TrustedDomainHelper.php
@@ -70,7 +70,7 @@ class TrustedDomainHelper {
 		// Read trusted domains from config
 		$trustedList = $this->config->getSystemValue('trusted_domains', []);
-		if(!is_array($trustedList)) {
+		if (!is_array($trustedList)) {
 			return false;
 		}
 
@@ -78,13 +78,20 @@ class TrustedDomainHelper {
 		if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) {
 			return true;
 		}
-
-		// Compare with port appended
-		if(in_array($domainWithPort, $trustedList, true)) {
-			return true;
+		// Reject misformed domains in any case
+		if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) {
+			return false;
 		}
-
-		return in_array($domain, $trustedList, true);
+		// Match, allowing for * wildcards
+		foreach ($trustedList as $trusted) {
+			if (gettype($trusted) !== 'string') {
+				break;
+			}
+			$regex = '/^' . join('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/';
+			if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) {
+				return true;
+			}
+		}
+		return false;
 	}
-
 }
|
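Review bot: In the second hunk, `break` on a non-string entry stops the scan of `trusted_domains` entirely, so a single malformed entry (an int, or a nested array) silently disables every exact or wildcard entry listed after it; skipping only that entry is what the surrounding code suggests: `if (!is_string($trusted)) { continue; }`. The wildcard class `[-\.a-zA-Z0-9]*` contains the dot, so `*.example.com` also matches `a.b.example.com` and the bare `.example.com`; if multi-level matching is intended it should be stated next to the regex, e.g. `// '*' spans any run of label characters including dots, so it may cover several subdomain levels`, and in the config documentation so admins do not assume single-label semantics. Entries without `*` still reduce to `^` . preg_quote(entry) . `$` and therefore remain exact matches, which is worth a one-line comment since the exact `in_array` lookup is gone; for consistency with the localhost check above, the match would also read better as `preg_match($regex, $domain) === 1 || preg_match($regex, $domainWithPort) === 1`, which additionally keeps a `false` error return from being treated as a match. The enclosing method starts above this hunk.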