diff options
Diffstat (limited to 'apps')
-rw-r--r-- | apps/dav/lib/BackgroundJob/RefreshWebcalJob.php | 17 | ||||
-rw-r--r-- | apps/dav/tests/unit/BackgroundJob/RefreshWebcalJobTest.php | 6 |
2 files changed, 20 insertions, 3 deletions
diff --git a/apps/dav/lib/BackgroundJob/RefreshWebcalJob.php b/apps/dav/lib/BackgroundJob/RefreshWebcalJob.php index 871734aab55..e99cd7038f6 100644 --- a/apps/dav/lib/BackgroundJob/RefreshWebcalJob.php +++ b/apps/dav/lib/BackgroundJob/RefreshWebcalJob.php @@ -225,14 +225,25 @@ class RefreshWebcalJob extends Job { } if ($allowLocalAccess !== 'yes') { - $host = parse_url($url, PHP_URL_HOST); + $host = strtolower(parse_url($url, PHP_URL_HOST)); // remove brackets from IPv6 addresses if (strpos($host, '[') === 0 && substr($host, -1) === ']') { $host = substr($host, 1, -1); } - if ($host === 'localhost' || substr($host, -6) === '.local' || substr($host, -10) === '.localhost' || - preg_match('/(^127\.)|(^192\.168\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^::1$)|(^[fF][cCdD])/', $host)) { + // Disallow localhost and local network + if ($host === 'localhost' || substr($host, -6) === '.local' || substr($host, -10) === '.localhost') { + $this->logger->warning("Subscription $subscriptionId was not refreshed because it violates local access rules"); + return null; + } + + // Disallow hostname only + if (substr_count($host, '.') === 0) { + $this->logger->warning("Subscription $subscriptionId was not refreshed because it violates local access rules"); + return null; + } + + if ((bool)filter_var($host, FILTER_VALIDATE_IP) && !filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { $this->logger->warning("Subscription $subscriptionId was not refreshed because it violates local access rules"); return null; } diff --git a/apps/dav/tests/unit/BackgroundJob/RefreshWebcalJobTest.php b/apps/dav/tests/unit/BackgroundJob/RefreshWebcalJobTest.php index b7cee2c884d..8e24fb1f638 100644 --- a/apps/dav/tests/unit/BackgroundJob/RefreshWebcalJobTest.php +++ b/apps/dav/tests/unit/BackgroundJob/RefreshWebcalJobTest.php @@ -231,8 +231,14 @@ class RefreshWebcalJobTest extends TestCase { public function runLocalURLDataProvider():array { return [ ['localhost/foo.bar'], + ['localHost/foo.bar'], + ['random-host/foo.bar'], ['[::1]/bla.blub'], + ['[::]/bla.blub'], ['192.168.0.1'], + ['172.16.42.1'], + ['[fdf8:f53b:82e4::53]/secret.ics'], + ['[fe80::200:5aee:feaa:20a2]/secret.ics'], ['10.0.0.1'], ['another-host.local'], ['service.localhost'], |