From a0e790227e2fe9c33930bfe4259a7ddfb3de585f Mon Sep 17 00:00:00 2001 From: Thomas Müller Date: Thu, 20 Feb 2014 14:10:09 +0100 Subject: remove unused functions - have been introduced with the old minimizer approach --- lib/private/request.php | 27 --------------------------- 1 file changed, 27 deletions(-) (limited to 'lib/private/request.php') diff --git a/lib/private/request.php b/lib/private/request.php index 0fd20b3cc1f..d0128f95d96 100755 --- a/lib/private/request.php +++ b/lib/private/request.php @@ -179,33 +179,6 @@ class OC_Request { } } - /** - * @brief Check if this is a no-cache request - * @return boolean true for no-cache - */ - static public function isNoCache() { - if (!isset($_SERVER['HTTP_CACHE_CONTROL'])) { - return false; - } - return $_SERVER['HTTP_CACHE_CONTROL'] == 'no-cache'; - } - - /** - * @brief Check if the requestor understands gzip - * @return false|string true for gzip encoding supported - */ - static public function acceptGZip() { - if (!isset($_SERVER['HTTP_ACCEPT_ENCODING'])) { - return false; - } - $HTTP_ACCEPT_ENCODING = $_SERVER["HTTP_ACCEPT_ENCODING"]; - if( strpos($HTTP_ACCEPT_ENCODING, 'x-gzip') !== false ) - return 'x-gzip'; - else if( strpos($HTTP_ACCEPT_ENCODING, 'gzip') !== false ) - return 'gzip'; - return false; - } - /** * @brief Check if the requester sent along an mtime * @return false or an mtime -- cgit v1.2.3 From fe44ac264bd8f636c1189d6ad6430ac991038ae6 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 18 Feb 2014 16:26:37 +0100 Subject: Add overwritehost config on setup and upgrade --- config/config.sample.php | 3 +++ lib/private/request.php | 46 +++++++++++++++++++++++++++++++--------------- lib/private/setup.php | 1 + lib/private/updater.php | 15 +++++++++++++++ 4 files changed, 50 insertions(+), 15 deletions(-) (limited to 'lib/private/request.php') diff --git a/config/config.sample.php b/config/config.sample.php index 0cd321d095d..ed37c60adf0 100755 --- a/config/config.sample.php 
+++ b/config/config.sample.php @@ -53,6 +53,9 @@ $CONFIG = array( /* The optional authentication for the proxy to use to connect to the internet. The format is: [username]:[password] */ "proxyuserpwd" => "", +/* List of trusted domains, to prevent host header poisoning ownCloud is only using these Host headers */ +'trusted_domains' => array('demo.owncloud.org'), + /* Theme to use for ownCloud */ "theme" => "", diff --git a/lib/private/request.php b/lib/private/request.php index 2c5b907846e..c3e28a9f08b 100755 --- a/lib/private/request.php +++ b/lib/private/request.php @@ -24,6 +24,16 @@ class OC_Request { or ($type !== 'protocol' and OC_Config::getValue('forcessl', false)); } + /** + * @brief Checks whether a domain is considered as trusted. This is used to prevent Host Header Poisoning. + * @param string $host + * @return bool + */ + public static function isTrustedDomain($domain) { + $trustedList = \OC_Config::getValue('trusted_domains', array('')); + return in_array($domain, $trustedList); + } + /** * @brief Returns the server host * @returns string the server host @@ -43,21 +53,27 @@ class OC_Request { $host = trim(array_pop(explode(",", $_SERVER['HTTP_X_FORWARDED_HOST']))); } else{ - $host=$_SERVER['HTTP_X_FORWARDED_HOST']; + $host = $_SERVER['HTTP_X_FORWARDED_HOST']; } - } - else{ + } else { if (isset($_SERVER['HTTP_HOST'])) { - return $_SERVER['HTTP_HOST']; + $host = $_SERVER['HTTP_HOST']; } if (isset($_SERVER['SERVER_NAME'])) { - return $_SERVER['SERVER_NAME']; + $host = $_SERVER['SERVER_NAME']; } - return 'localhost'; } - return $host; - } + // Verify that the host is a trusted domain if the trusted domains + // are defined + // If no trusted domain is provided the first trusted domain is returned + if(self::isTrustedDomain($host) || \OC_Config::getValue('trusted_domains', "") === "") { + return $host; + } else { + $trustedList = \OC_Config::getValue('trusted_domains', array('')); + return $trustedList[0]; + } + } /** * @brief Returns the server protocol 
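Review bot: The new sample entry does not tell an administrator what a matching entry looks like or what happens when the setting is absent, although both are fixed by serverHost() in the request.php hunk of this commit: the host is compared verbatim against the list (so a non-default port presumably has to be part of the entry, since HTTP_HOST carries it) and a missing setting skips the check entirely. A fuller comment would help, e.g. `/* List of trusted domains accepted in the Host header, to prevent host header poisoning. Entries must match the Host header exactly. If the list is missing, any Host header is accepted. */`. The entry also uses single quotes while the neighbouring keys use double quotes.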
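Review bot: The docblock on the new isTrustedDomain() names the parameter `$host` while the signature declares `$domain`, and the `in_array()` call is non-strict, so the comparison goes through PHP's loose `==` rules rather than an exact string match; for a security check use `return in_array($domain, $trustedList, true);` and fix the tag to `* @param string $domain`. The default `array('')` also differs from the `""` default that serverHost() (next hunk) uses for the same key, so the two call sites disagree on what "not configured" means; pick one default and, ideally, read the list in one place.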
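Review bot: In the else branch, when neither HTTP_HOST nor SERVER_NAME is set, `$host` is never assigned, whereas the removed `return 'localhost';` covered that case; isTrustedDomain() is then called with an undefined variable. Initialising `$host = 'localhost';` at the top of the else branch restores the fallback; the later hunk in 432a42d that turns the second check into `else if` leaves the same gap. The fallback `return $trustedList[0];` also assumes a non-empty list — a `trusted_domains` set to an empty array is not `=== ""` and then reads an undefined index — so guard it, e.g. `return empty($trustedList) ? 'localhost' : $trustedList[0];`. serverHost() begins before this hunk, so I cannot see whether `$host` is initialised earlier.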
@@ -71,14 +87,14 @@ class OC_Request { } if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { $proto = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']); - }else{ - if(isset($_SERVER['HTTPS']) and !empty($_SERVER['HTTPS']) and ($_SERVER['HTTPS']!='off')) { - $proto = 'https'; - }else{ - $proto = 'http'; - } + // Verify that the protocol is always HTTP or HTTPS + // default to http if an invalid value is provided + return $proto === 'https' ? 'https' : 'http'; + } + if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') { + return 'https'; } - return $proto; + return 'http'; } /** diff --git a/lib/private/setup.php b/lib/private/setup.php index 5232398d1d7..f3ef4df200d 100644 --- a/lib/private/setup.php +++ b/lib/private/setup.php @@ -65,6 +65,7 @@ class OC_Setup { OC_Config::setValue('passwordsalt', $salt); //write the config file + OC_Config::setValue('trusted_domains', array(OC_Request::serverHost())); OC_Config::setValue('datadirectory', $datadir); OC_Config::setValue('dbtype', $dbtype); OC_Config::setValue('version', implode('.', OC_Util::getVersion())); diff --git a/lib/private/updater.php b/lib/private/updater.php index 764a0f14120..f05d5038b76 100644 --- a/lib/private/updater.php +++ b/lib/private/updater.php 
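Review bot: In the X-Forwarded-Proto branch the intermediate `$proto` is assigned only to be tested on the next line, and the following `isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS'])` repeats itself, since `!empty()` already yields false for an unset index. A tighter form is `return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https' ? 'https' : 'http';` and `if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {`. serverProtocol() begins before this hunk.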
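Review bot: The value stored for `trusted_domains` is whatever serverHost() returns for the installer's own request, i.e. the Host header the setup page was reached through (with this series applied, serverHost() appears to return it unchecked because the setting does not exist yet). An installation reached via a different name than users will later use therefore ends up with a list that rejects the real hostname, which is worth a comment at the call site: `// Trust the host the installer was reached on; further hostnames must be added to trusted_domains by the admin`. The new line also sits between the `//write the config file` comment and the values it describes; placing it after `datadirectory` keeps the comment attached.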
@@ -102,6 +102,20 @@ class Updater extends BasicEmitter { $this->log->debug('starting upgrade from ' . $installedVersion . ' to ' . $currentVersion, array('app' => 'core')); } $this->emit('\OC\Updater', 'maintenanceStart'); + + /* + * START CONFIG CHANGES FOR OLDER VERSIONS + */ + if (version_compare($currentVersion, '6.90.1', '<')) { + // Add the overwriteHost config if it is not existant + // This is added to prevent host header poisoning + \OC_Config::setValue('trusted_domains', \OC_Config::getValue('trusted_domains', array(\OC_Request::serverHost()))); + } + /* + * STOP CONFIG CHANGES FOR OLDER VERSIONS + */ + + try { \OC_DB::updateDbFromStructure(\OC::$SERVERROOT . '/db_structure.xml'); $this->emit('\OC\Updater', 'dbUpgrade'); @@ -162,3 +176,4 @@ class Updater extends BasicEmitter { $this->emit('\OC\Updater', 'filecacheDone'); } } + -- cgit v1.2.3 From 432a42d846a7f180811fc9cd396c39175d5e5764 Mon Sep 17 00:00:00 2001 From: Vincent Petry Date: Tue, 25 Feb 2014 11:22:53 +0100 Subject: Fix case where port is missing Forward port of 6d3b5b24fd4f82c1cbfbc4cade5246a0335f8dda to master --- lib/private/request.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/private/request.php') diff --git a/lib/private/request.php b/lib/private/request.php index 14f3bf2cbb7..afd3fda4f2d 100755 --- a/lib/private/request.php +++ b/lib/private/request.php @@ -59,7 +59,7 @@ class OC_Request { if (isset($_SERVER['HTTP_HOST'])) { $host = $_SERVER['HTTP_HOST']; } - if (isset($_SERVER['SERVER_NAME'])) { + else if (isset($_SERVER['SERVER_NAME'])) { $host = $_SERVER['SERVER_NAME']; } } -- cgit v1.2.3
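Review bot: The new block in Updater tests `version_compare($currentVersion, '6.90.1', '<')`, but by the debug line just above, `$currentVersion` is the version being upgraded to and `$installedVersion` the one being upgraded from; if the intent is "migrate installations older than 6.90.1", the check presumably belongs on `$installedVersion`, otherwise the block never runs once the code ships in 6.90.1 or later. The comment `// Add the overwriteHost config if it is not existant` also describes a different key than the `trusted_domains` value the line below writes; suggest `// Seed trusted_domains from the current host if it is not set yet, to prevent host header poisoning`.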
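Review bot: Style only: the new `else if` is placed on its own line after the closing brace, which the PSR-2/PER-CS conventions the rest of the series moves towards write as `} elseif (isset($_SERVER['SERVER_NAME'])) {`. The change is otherwise correct in stopping SERVER_NAME from overriding an HTTP_HOST that was already picked up. serverHost() begins before this hunk.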