-rw-r--r--apps/dav/lib/BackgroundJob/RefreshWebcalJob.php17
-rw-r--r--apps/dav/tests/unit/BackgroundJob/RefreshWebcalJobTest.php6
2 files changed, 20 insertions, 3 deletions
diff --git a/apps/dav/lib/BackgroundJob/RefreshWebcalJob.php b/apps/dav/lib/BackgroundJob/RefreshWebcalJob.php
index 871734aab55..e99cd7038f6 100644
--- a/apps/dav/lib/BackgroundJob/RefreshWebcalJob.php
+++ b/apps/dav/lib/BackgroundJob/RefreshWebcalJob.php
@@ -225,14 +225,25 @@ class RefreshWebcalJob extends Job {
}
if ($allowLocalAccess !== 'yes') {
- $host = parse_url($url, PHP_URL_HOST);
+ $host = strtolower(parse_url($url, PHP_URL_HOST));
// remove brackets from IPv6 addresses
if (strpos($host, '[') === 0 && substr($host, -1) === ']') {
$host = substr($host, 1, -1);
}
- if ($host === 'localhost' || substr($host, -6) === '.local' || substr($host, -10) === '.localhost' ||
- preg_match('/(^127\.)|(^192\.168\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^::1$)|(^[fF][cCdD])/', $host)) {
+ // Disallow localhost and local network
+ if ($host === 'localhost' || substr($host, -6) === '.local' || substr($host, -10) === '.localhost') {
+ $this->logger->warning("Subscription $subscriptionId was not refreshed because it violates local access rules");
+ return null;
+ }
+
+ // Disallow hostname only
+ if (substr_count($host, '.') === 0) {
+ $this->logger->warning("Subscription $subscriptionId was not refreshed because it violates local access rules");
+ return null;
+ }
+
+ if ((bool)filter_var($host, FILTER_VALIDATE_IP) && !filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
$this->logger->warning("Subscription $subscriptionId was not refreshed because it violates local access rules");
return null;
}
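Review bot: The "hostname only" guard `substr_count($host, '.') === 0` also matches every IPv6 literal, because the bracket-stripped form contains no dot. Public IPv6 hosts are therefore refused, and the `filter_var` range check below is reached only by IPv4 literals and IPv6 forms with an embedded dotted quad. Letting IP literals fall through, `if (substr_count($host, '.') === 0 && !filter_var($host, FILTER_VALIDATE_IP)) {`, would leave the decision to the range flags; the loopback, unique-local and link-local rows in the test provider should still be rejected by them, which is worth confirming on the supported PHP versions. Separately, the name checks compare the host as written, so a fully qualified form with a trailing dot is not normalised before the `localhost`/`.local` comparisons; `rtrim($host, '.')` after the `strtolower` would cover it. All of this validates only the literal host in the URL; whether the resolved address or a redirect target is checked cannot be seen here, since the method continues outside the hunk.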
diff --git a/apps/dav/tests/unit/BackgroundJob/RefreshWebcalJobTest.php b/apps/dav/tests/unit/BackgroundJob/RefreshWebcalJobTest.php
index b7cee2c884d..8e24fb1f638 100644
--- a/apps/dav/tests/unit/BackgroundJob/RefreshWebcalJobTest.php
+++ b/apps/dav/tests/unit/BackgroundJob/RefreshWebcalJobTest.php
@@ -231,8 +231,14 @@ class RefreshWebcalJobTest extends TestCase {
public function runLocalURLDataProvider():array {
return [
['localhost/foo.bar'],
+ ['localHost/foo.bar'],
+ ['random-host/foo.bar'],
['[::1]/bla.blub'],
+ ['[::]/bla.blub'],
['192.168.0.1'],
+ ['172.16.42.1'],
+ ['[fdf8:f53b:82e4::53]/secret.ics'],
+ ['[fe80::200:5aee:feaa:20a2]/secret.ics'],
['10.0.0.1'],
['another-host.local'],
['service.localhost'],
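Review bot: The three IPv6 rows added here (`[::]`, `[fdf8:f53b:82e4::53]`, `[fe80::200:5aee:feaa:20a2]`) have no dot once the brackets are stripped, so they are rejected by the hostname-only check in RefreshWebcalJob and do not exercise the `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` branch for IPv6. A short comment above each group naming the rule it is meant to hit, e.g. `// rejected by the IP range check`, would make that intent checkable when the guards change. The provider also lists only URLs that must be refused; if no companion case exists elsewhere in the class, one with a public host that must still be refreshed would catch over-blocking. The array and method continue outside the hunk.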