From d0a30b0e55799e8f5348ee558346d6ebf32cedda Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Thu, 13 Nov 2014 11:15:47 +0100 Subject: Ignore port for trusted domains This lead to a lot of confusion in the past and did not really offer any value. Let's remove the port check therefore. (it's anyways not really a part of the domain) Fixes https://github.com/owncloud/core/issues/12150 and https://github.com/owncloud/core/issues/12123 and also a problem reported by @DeepDiver1975. Conflicts: lib/private/request.php --- lib/base.php | 8 +------- lib/private/request.php | 18 +++++++++++++++--- 2 files changed, 16 insertions(+), 10 deletions(-) (limited to 'lib') diff --git a/lib/base.php b/lib/base.php index d365a4a306f..c97c158a1fb 100644 --- a/lib/base.php +++ b/lib/base.php @@ -613,14 +613,8 @@ class OC { header('HTTP/1.1 400 Bad Request'); header('Status: 400 Bad Request'); - $domain = $_SERVER['SERVER_NAME']; - // Append port to domain in case it is not - if($_SERVER['SERVER_PORT'] !== '80' && $_SERVER['SERVER_PORT'] !== '443') { - $domain .= ':'.$_SERVER['SERVER_PORT']; - } - $tmpl = new OCP\Template('core', 'untrustedDomain', 'guest'); - $tmpl->assign('domain', $domain); + $tmpl->assign('domain', $_SERVER['SERVER_NAME']); $tmpl->printPage(); exit(); diff --git a/lib/private/request.php b/lib/private/request.php index 1cfa4a150c5..d079dc110d1 100644 --- a/lib/private/request.php +++ b/lib/private/request.php @@ -12,8 +12,7 @@ class OC_Request { // Android Chrome user agent: https://developers.google.com/chrome/mobile/docs/user-agent const USER_AGENT_ANDROID_MOBILE_CHROME = '#Android.*Chrome/[.0-9]*#'; const USER_AGENT_FREEBOX = '#^Mozilla/5\.0$#'; - - const REGEX_LOCALHOST = '/^(127\.0\.0\.1|localhost)(:[0-9]+|)$/'; + const REGEX_LOCALHOST = '/^(127\.0\.0\.1|localhost)$/'; static protected $reqId; /** @@ -76,13 +75,26 @@ class OC_Request { * have been configured */ public static function isTrustedDomain($domain) { - $trustedList = \OC_Config::getValue('trusted_domains', array()); + // Extract port from domain if needed + $pos = strrpos($domain, ':'); + if ($pos !== false) { + $port = substr($domain, $pos + 1); + if (is_numeric($port)) { + $domain = substr($domain, 0, $pos); + } + } + + // FIXME: Empty config array defaults to true for now. - Deprecate this behaviour with ownCloud 8. + $trustedList = \OC::$server->getConfig()->getSystemValue('trusted_domains', array()); if (empty($trustedList)) { return true; } + + // Always allow access from localhost if (preg_match(self::REGEX_LOCALHOST, $domain) === 1) { return true; } + return in_array($domain, $trustedList); } -- cgit v1.2.3