1 files changed, 24 insertions, 9 deletions

diff --git a/lib/private/request.php b/lib/private/request.php
index d079dc110d1..3c33dfc340a 100644
--- a/lib/private/request.php
+++ b/lib/private/request.php
@@ -66,23 +66,33 @@ class OC_Request {
 	}
 
 	/**
+	 * Strips a potential port from a domain (in format domain:port)
+	 * @param $host
+	 * @return string $host without appended port
+	 */
+	public static function getDomainWithoutPort($host) {
+		$pos = strrpos($host, ':');
+		if ($pos !== false) {
+			$port = substr($host, $pos + 1);
+			if (is_numeric($port)) {
+				$host = substr($host, 0, $pos);
+			}
+		}
+		return $host;
+	}
+
+	/**
 	 * Checks whether a domain is considered as trusted from the list
 	 * of trusted domains. If no trusted domains have been configured, returns
 	 * true.
 	 * This is used to prevent Host Header Poisoning.
-	 * @param string $domain
+	 * @param string $domainWithPort
 	 * @return bool true if the given domain is trusted or if no trusted domains
 	 * have been configured
 	 */
-	public static function isTrustedDomain($domain) {
+	public static function isTrustedDomain($domainWithPort) {
 		// Extract port from domain if needed
-		$pos = strrpos($domain, ':');
-		if ($pos !== false) {
-			$port = substr($domain, $pos + 1);
-			if (is_numeric($port)) {
-				$domain = substr($domain, 0, $pos);
-			}
-		}
+		$domain = self::getDomainWithoutPort($domainWithPort);
 
 		// FIXME: Empty config array defaults to true for now. - Deprecate this behaviour with ownCloud 8.
 		$trustedList = \OC::$server->getConfig()->getSystemValue('trusted_domains', array());
@@ -90,6 +100,11 @@ class OC_Request {
 			return true;
 		}
 
+		// FIXME: Workaround for older instances still with port applied. Remove for ownCloud 9.
+		if(in_array($domainWithPort, $trustedList)) {
+			return true;
+		}
+
 		// Always allow access from localhost
 		if (preg_match(self::REGEX_LOCALHOST, $domain) === 1) {
 			return true;