aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/AppFramework/Http/Request.php
diff options
context:
space:
mode:
Diffstat (limited to 'lib/private/AppFramework/Http/Request.php')
-rw-r--r--lib/private/AppFramework/Http/Request.php200
1 files changed, 102 insertions, 98 deletions
diff --git a/lib/private/AppFramework/Http/Request.php b/lib/private/AppFramework/Http/Request.php
index b09737a6fc6..7cc7467675c 100644
--- a/lib/private/AppFramework/Http/Request.php
+++ b/lib/private/AppFramework/Http/Request.php
@@ -1,47 +1,10 @@
<?php
declare(strict_types=1);
-
/**
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- *
- * @author b108@volgograd "b108@volgograd"
- * @author Bart Visscher <bartv@thisnet.nl>
- * @author Bernhard Posselt <dev@bernhard-posselt.com>
- * @author Christoph Wurst <christoph@winzerhof-wurst.at>
- * @author Daniel Kesselberg <mail@danielkesselberg.de>
- * @author Georg Ehrke <oc.list@georgehrke.com>
- * @author J0WI <J0WI@users.noreply.github.com>
- * @author Joas Schilling <coding@schilljs.com>
- * @author Juan Pablo Villafáñez <jvillafanez@solidgear.es>
- * @author Julius Härtl <jus@bitgrid.net>
- * @author Lukas Reschke <lukas@statuscode.ch>
- * @author Mitar <mitar.git@tnode.com>
- * @author Morris Jobke <hey@morrisjobke.de>
- * @author Oliver Wegner <void1976@gmail.com>
- * @author Robin Appelman <robin@icewind.nl>
- * @author Robin McCorkell <robin@mccorkell.me.uk>
- * @author Roeland Jago Douma <roeland@famdouma.nl>
- * @author Thomas Müller <thomas.mueller@tmit.eu>
- * @author Thomas Tanghus <thomas@tanghus.net>
- * @author Vincent Petry <vincent@nextcloud.com>
- * @author Simon Leiner <simon@leiner.me>
- * @author Stanimir Bozhilov <stanimir@audriga.com>
- *
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
+ * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
+ * SPDX-License-Identifier: AGPL-3.0-only
*/
namespace OC\AppFramework\Http;
@@ -51,36 +14,39 @@ use OC\Security\TrustedDomainHelper;
use OCP\IConfig;
use OCP\IRequest;
use OCP\IRequestId;
+use Psr\Log\LoggerInterface;
use Symfony\Component\HttpFoundation\IpUtils;
/**
* Class for accessing variables in the request.
* This class provides an immutable object with request variables.
*
- * @property mixed[] cookies
- * @property mixed[] env
- * @property mixed[] files
- * @property string method
- * @property mixed[] parameters
- * @property mixed[] server
+ * @property mixed[] $cookies
+ * @property mixed[] $env
+ * @property mixed[] $files
+ * @property string $method
+ * @property mixed[] $parameters
+ * @property mixed[] $server
+ * @template-implements \ArrayAccess<string,mixed>
*/
class Request implements \ArrayAccess, \Countable, IRequest {
public const USER_AGENT_IE = '/(MSIE)|(Trident)/';
// Microsoft Edge User Agent from https://msdn.microsoft.com/en-us/library/hh869301(v=vs.85).aspx
- public const USER_AGENT_MS_EDGE = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+ Edge\/[0-9.]+$/';
+ public const USER_AGENT_MS_EDGE = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+ Edge?\/[0-9.]+$/';
// Firefox User Agent from https://developer.mozilla.org/en-US/docs/Web/HTTP/Gecko_user_agent_string_reference
public const USER_AGENT_FIREFOX = '/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/[0-9.]+$/';
// Chrome User Agent from https://developer.chrome.com/multidevice/user-agent
public const USER_AGENT_CHROME = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\)( Ubuntu Chromium\/[0-9.]+|) Chrome\/[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+( (Vivaldi|Brave|OPR)\/[0-9.]+|)$/';
// Safari User Agent from http://www.useragentstring.com/pages/Safari/
public const USER_AGENT_SAFARI = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/[0-9.]+ Safari\/[0-9.A-Z]+$/';
+ public const USER_AGENT_SAFARI_MOBILE = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/[0-9.]+ (Mobile\/[0-9.A-Z]+) Safari\/[0-9.A-Z]+$/';
// Android Chrome user agent: https://developers.google.com/chrome/mobile/docs/user-agent
public const USER_AGENT_ANDROID_MOBILE_CHROME = '#Android.*Chrome/[.0-9]*#';
public const USER_AGENT_FREEBOX = '#^Mozilla/5\.0$#';
public const REGEX_LOCALHOST = '/^(127\.0\.0\.1|localhost|\[::1\])$/';
protected string $inputStream;
- protected $content;
+ private bool $isPutStreamContentAlreadySent = false;
protected array $items = [];
protected array $allowedKeys = [
'get',
@@ -99,18 +65,19 @@ class Request implements \ArrayAccess, \Countable, IRequest {
protected ?CsrfTokenManager $csrfTokenManager;
protected bool $contentDecoded = false;
+ private ?\JsonException $decodingException = null;
/**
* @param array $vars An associative array with the following optional values:
- * - array 'urlParams' the parameters which were matched from the URL
- * - array 'get' the $_GET array
- * - array|string 'post' the $_POST array or JSON string
- * - array 'files' the $_FILES array
- * - array 'server' the $_SERVER array
- * - array 'env' the $_ENV array
- * - array 'cookies' the $_COOKIE array
- * - string 'method' the request method (GET, POST etc)
- * - string|false 'requesttoken' the requesttoken or false when not available
+ * - array 'urlParams' the parameters which were matched from the URL
+ * - array 'get' the $_GET array
+ * - array|string 'post' the $_POST array or JSON string
+ * - array 'files' the $_FILES array
+ * - array 'server' the $_SERVER array
+ * - array 'env' the $_ENV array
+ * - array 'cookies' the $_COOKIE array
+ * - string 'method' the request method (GET, POST etc)
+ * - string|false 'requesttoken' the requesttoken or false when not available
* @param IRequestId $requestId
* @param IConfig $config
* @param CsrfTokenManager|null $csrfTokenManager
@@ -120,7 +87,7 @@ class Request implements \ArrayAccess, \Countable, IRequest {
public function __construct(array $vars,
IRequestId $requestId,
IConfig $config,
- CsrfTokenManager $csrfTokenManager = null,
+ ?CsrfTokenManager $csrfTokenManager = null,
string $stream = 'php://input') {
$this->inputStream = $stream;
$this->items['params'] = [];
@@ -319,11 +286,11 @@ class Request implements \ArrayAccess, \Countable, IRequest {
* In case of json requests the encoded json body is accessed
*
* @param string $key the key which you want to access in the URL Parameter
- * placeholder, $_POST or $_GET array.
- * The priority how they're returned is the following:
- * 1. URL parameters
- * 2. POST parameters
- * 3. GET parameters
+ * placeholder, $_POST or $_GET array.
+ * The priority how they're returned is the following:
+ * 1. URL parameters
+ * 2. POST parameters
+ * 3. GET parameters
* @param mixed $default If the key is not found, this value will be returned
* @return mixed the content of the array
*/
@@ -391,13 +358,13 @@ class Request implements \ArrayAccess, \Countable, IRequest {
protected function getContent() {
// If the content can't be parsed into an array then return a stream resource.
if ($this->isPutStreamContent()) {
- if ($this->content === false) {
+ if ($this->isPutStreamContentAlreadySent) {
throw new \LogicException(
'"put" can only be accessed once if not '
. 'application/x-www-form-urlencoded or application/json.'
);
}
- $this->content = false;
+ $this->isPutStreamContentAlreadySent = true;
return fopen($this->inputStream, 'rb');
} else {
$this->decodeContent();
@@ -424,15 +391,22 @@ class Request implements \ArrayAccess, \Countable, IRequest {
// 'application/json' and other JSON-related content types must be decoded manually.
if (preg_match(self::JSON_CONTENT_TYPE_REGEX, $this->getHeader('Content-Type')) === 1) {
- $params = json_decode(file_get_contents($this->inputStream), true);
+ $content = file_get_contents($this->inputStream);
+ if ($content !== '') {
+ try {
+ $params = json_decode($content, true, flags:JSON_THROW_ON_ERROR);
+ } catch (\JsonException $e) {
+ $this->decodingException = $e;
+ }
+ }
if (\is_array($params) && \count($params) > 0) {
$this->items['params'] = $params;
if ($this->method === 'POST') {
$this->items['post'] = $params;
}
}
- // Handle application/x-www-form-urlencoded for methods other than GET
- // or post correctly
+ // Handle application/x-www-form-urlencoded for methods other than GET
+ // or post correctly
} elseif ($this->method !== 'GET'
&& $this->method !== 'POST'
&& str_contains($this->getHeader('Content-Type'), 'application/x-www-form-urlencoded')) {
@@ -448,6 +422,12 @@ class Request implements \ArrayAccess, \Countable, IRequest {
$this->contentDecoded = true;
}
+ public function throwDecodingExceptionIfAny(): void {
+ if ($this->decodingException !== null) {
+ throw $this->decodingException;
+ }
+ }
+
/**
* Checks if the CSRF check was correct
@@ -462,6 +442,10 @@ class Request implements \ArrayAccess, \Countable, IRequest {
return false;
}
+ if ($this->getHeader('OCS-APIRequest') !== '') {
+ return true;
+ }
+
if (isset($this->items['get']['requesttoken'])) {
$token = $this->items['get']['requesttoken'];
} elseif (isset($this->items['post']['requesttoken'])) {
@@ -515,7 +499,7 @@ class Request implements \ArrayAccess, \Countable, IRequest {
$prefix = '__Host-';
}
- return $prefix.$name;
+ return $prefix . $name;
}
/**
@@ -573,7 +557,14 @@ class Request implements \ArrayAccess, \Countable, IRequest {
* @return boolean true if $remoteAddress matches any entry in $trustedProxies, false otherwise
*/
protected function isTrustedProxy($trustedProxies, $remoteAddress) {
- return IpUtils::checkIp($remoteAddress, $trustedProxies);
+ try {
+ return IpUtils::checkIp($remoteAddress, $trustedProxies);
+ } catch (\Throwable) {
+ // We can not log to our log here as the logger is using `getRemoteAddress` which uses the function, so we would have a cyclic dependency
+ // Reaching this line means `trustedProxies` is in invalid format.
+ error_log('Nextcloud trustedProxies has malformed entries');
+ return false;
+ }
}
/**
@@ -599,10 +590,15 @@ class Request implements \ArrayAccess, \Countable, IRequest {
if (isset($this->server[$header])) {
foreach (array_reverse(explode(',', $this->server[$header])) as $IP) {
$IP = trim($IP);
-
- // remove brackets from IPv6 addresses
- if (str_starts_with($IP, '[') && str_ends_with($IP, ']')) {
- $IP = substr($IP, 1, -1);
+ $colons = substr_count($IP, ':');
+ if ($colons > 1) {
+ // Extract IP from string with brackets and optional port
+ if (preg_match('/^\[(.+?)\](?::\d+)?$/', $IP, $matches) && isset($matches[1])) {
+ $IP = $matches[1];
+ }
+ } elseif ($colons === 1) {
+ // IPv4 with port
+ $IP = substr($IP, 0, strpos($IP, ':'));
}
if ($this->isTrustedProxy($trustedProxies, $IP)) {
@@ -622,48 +618,56 @@ class Request implements \ArrayAccess, \Countable, IRequest {
/**
* Check overwrite condition
- * @param string $type
* @return bool
*/
- private function isOverwriteCondition(string $type = ''): bool {
- $regex = '/' . $this->config->getSystemValueString('overwritecondaddr', '') . '/';
+ private function isOverwriteCondition(): bool {
+ $regex = '/' . $this->config->getSystemValueString('overwritecondaddr', '') . '/';
$remoteAddr = isset($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] : '';
- return $regex === '//' || preg_match($regex, $remoteAddr) === 1
- || $type !== 'protocol';
+ return $regex === '//' || preg_match($regex, $remoteAddr) === 1;
}
/**
* Returns the server protocol. It respects one or more reverse proxies servers
- * and load balancers
+ * and load balancers. Precedence:
+ * 1. `overwriteprotocol` config value
+ * 2. `X-Forwarded-Proto` header value
+ * 3. $_SERVER['HTTPS'] value
+ * If an invalid protocol is provided, defaults to http, continues, but logs as an error.
+ *
* @return string Server protocol (http or https)
*/
public function getServerProtocol(): string {
- if ($this->config->getSystemValueString('overwriteprotocol') !== ''
- && $this->isOverwriteCondition('protocol')) {
- return $this->config->getSystemValueString('overwriteprotocol');
- }
+ $proto = 'http';
- if ($this->fromTrustedProxy() && isset($this->server['HTTP_X_FORWARDED_PROTO'])) {
+ if ($this->config->getSystemValueString('overwriteprotocol') !== ''
+ && $this->isOverwriteCondition()
+ ) {
+ $proto = strtolower($this->config->getSystemValueString('overwriteprotocol'));
+ } elseif ($this->fromTrustedProxy()
+ && isset($this->server['HTTP_X_FORWARDED_PROTO'])
+ ) {
if (str_contains($this->server['HTTP_X_FORWARDED_PROTO'], ',')) {
$parts = explode(',', $this->server['HTTP_X_FORWARDED_PROTO']);
$proto = strtolower(trim($parts[0]));
} else {
$proto = strtolower($this->server['HTTP_X_FORWARDED_PROTO']);
}
-
- // Verify that the protocol is always HTTP or HTTPS
- // default to http if an invalid value is provided
- return $proto === 'https' ? 'https' : 'http';
+ } elseif (!empty($this->server['HTTPS'])
+ && $this->server['HTTPS'] !== 'off'
+ ) {
+ $proto = 'https';
}
- if (isset($this->server['HTTPS'])
- && $this->server['HTTPS'] !== null
- && $this->server['HTTPS'] !== 'off'
- && $this->server['HTTPS'] !== '') {
- return 'https';
+ if ($proto !== 'https' && $proto !== 'http') {
+ // log unrecognized value so admin has a chance to fix it
+ \OCP\Server::get(LoggerInterface::class)->critical(
+ 'Server protocol is malformed [falling back to http] (check overwriteprotocol and/or X-Forwarded-Proto to remedy): ' . $proto,
+ ['app' => 'core']
+ );
}
- return 'http';
+ // default to http if provided an invalid value
+ return $proto === 'https' ? 'https' : 'http';
}
/**
@@ -750,11 +754,11 @@ class Request implements \ArrayAccess, \Countable, IRequest {
}
/**
- * Get PathInfo from request
+ * Get PathInfo from request (rawurldecoded)
* @throws \Exception
* @return string|false Path info or false when not found
*/
- public function getPathInfo() {
+ public function getPathInfo(): string|false {
$pathInfo = $this->getRawPathInfo();
return \Sabre\HTTP\decodePath($pathInfo);
}
@@ -858,7 +862,7 @@ class Request implements \ArrayAccess, \Countable, IRequest {
* Returns the overwritehost setting from the config if set and
* if the overwrite condition is met
* @return string|null overwritehost value or null if not defined or the defined condition
- * isn't met
+ * isn't met
*/
private function getOverwriteHost() {
if ($this->config->getSystemValueString('overwritehost') !== '' && $this->isOverwriteCondition()) {
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-14 21:01:48 +0000