2012-06-15 14:07:31 +04:00
|
|
|
<?php
|
|
|
|
/**
|
|
|
|
* Copyright (c) 2012 Bart Visscher <bartv@thisnet.nl>
|
|
|
|
* This file is licensed under the Affero General Public License version 3 or
|
|
|
|
* later.
|
|
|
|
* See the COPYING-README file.
|
|
|
|
*/
|
|
|
|
|
|
|
|
class OC_Request {
|
2013-12-12 14:32:56 +04:00
|
|
|
|
|
|
|
const USER_AGENT_IE = '/MSIE/';
|
|
|
|
// Android Chrome user agent: https://developers.google.com/chrome/mobile/docs/user-agent
|
|
|
|
const USER_AGENT_ANDROID_MOBILE_CHROME = '#Android.*Chrome/[.0-9]*#';
|
2014-01-29 13:58:34 +04:00
|
|
|
const USER_AGENT_FREEBOX = '#^Mozilla/5\.0$#';
|
2014-11-13 13:15:47 +03:00
|
|
|
const REGEX_LOCALHOST = '/^(127\.0\.0\.1|localhost)$/';
|
2014-09-11 16:14:02 +04:00
|
|
|
static protected $reqId;
|
2014-03-05 18:41:28 +04:00
|
|
|
|
2014-08-27 01:58:13 +04:00
|
|
|
/**
|
|
|
|
* Returns the remote address, if the connection came from a trusted proxy and `forwarded_for_headers` has been configured
|
|
|
|
* then the IP address specified in this header will be returned instead.
|
|
|
|
* Do always use this instead of $_SERVER['REMOTE_ADDR']
|
|
|
|
* @return string IP address
|
|
|
|
*/
|
|
|
|
public static function getRemoteAddress() {
|
2014-09-11 16:14:02 +04:00
|
|
|
$remoteAddress = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
|
2014-08-27 01:58:13 +04:00
|
|
|
$trustedProxies = \OC::$server->getConfig()->getSystemValue('trusted_proxies', array());
|
|
|
|
|
|
|
|
if(is_array($trustedProxies) && in_array($remoteAddress, $trustedProxies)) {
|
|
|
|
$forwardedForHeaders = \OC::$server->getConfig()->getSystemValue('forwarded_for_headers', array());
|
|
|
|
|
|
|
|
foreach($forwardedForHeaders as $header) {
|
|
|
|
if (array_key_exists($header, $_SERVER) === true) {
|
|
|
|
foreach (explode(',', $_SERVER[$header]) as $IP) {
|
|
|
|
$IP = trim($IP);
|
|
|
|
if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {
|
|
|
|
return $IP;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return $remoteAddress;
|
|
|
|
}
|
|
|
|
|
2014-09-11 16:14:02 +04:00
|
|
|
/**
|
|
|
|
* Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
public static function getRequestID() {
|
|
|
|
if(self::$reqId === null) {
|
|
|
|
self::$reqId = hash('md5', microtime().\OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate(20));
|
|
|
|
}
|
|
|
|
return self::$reqId;
|
|
|
|
}
|
|
|
|
|
2013-01-06 15:24:40 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Check overwrite condition
|
2013-11-25 00:18:14 +04:00
|
|
|
* @param string $type
|
2014-05-11 21:05:28 +04:00
|
|
|
* @return bool
|
2013-01-06 15:24:40 +04:00
|
|
|
*/
|
2013-02-23 15:58:06 +04:00
|
|
|
private static function isOverwriteCondition($type = '') {
|
2013-01-06 15:24:40 +04:00
|
|
|
$regex = '/' . OC_Config::getValue('overwritecondaddr', '') . '/';
|
2013-02-23 15:58:06 +04:00
|
|
|
return $regex === '//' or preg_match($regex, $_SERVER['REMOTE_ADDR']) === 1
|
2013-03-09 14:39:20 +04:00
|
|
|
or ($type !== 'protocol' and OC_Config::getValue('forcessl', false));
|
2013-01-06 15:24:40 +04:00
|
|
|
}
|
|
|
|
|
2014-12-03 21:54:48 +03:00
|
|
|
/**
|
|
|
|
* Strips a potential port from a domain (in format domain:port)
|
|
|
|
* @param $host
|
|
|
|
* @return string $host without appended port
|
|
|
|
*/
|
|
|
|
public static function getDomainWithoutPort($host) {
|
|
|
|
$pos = strrpos($host, ':');
|
|
|
|
if ($pos !== false) {
|
|
|
|
$port = substr($host, $pos + 1);
|
|
|
|
if (is_numeric($port)) {
|
|
|
|
$host = substr($host, 0, $pos);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return $host;
|
|
|
|
}
|
|
|
|
|
2014-02-18 19:26:37 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Checks whether a domain is considered as trusted from the list
|
2014-03-05 18:02:05 +04:00
|
|
|
* of trusted domains. If no trusted domains have been configured, returns
|
|
|
|
* true.
|
|
|
|
* This is used to prevent Host Header Poisoning.
|
2014-04-16 00:55:20 +04:00
|
|
|
* @param string $domain
|
2014-03-05 18:02:05 +04:00
|
|
|
* @return bool true if the given domain is trusted or if no trusted domains
|
|
|
|
* have been configured
|
2014-02-18 19:26:37 +04:00
|
|
|
*/
|
|
|
|
public static function isTrustedDomain($domain) {
|
2014-11-13 13:15:47 +03:00
|
|
|
// Extract port from domain if needed
|
2014-12-03 21:54:48 +03:00
|
|
|
$domain = self::getDomainWithoutPort($domain);
|
2014-11-13 13:15:47 +03:00
|
|
|
|
|
|
|
// FIXME: Empty config array defaults to true for now. - Deprecate this behaviour with ownCloud 8.
|
|
|
|
$trustedList = \OC::$server->getConfig()->getSystemValue('trusted_domains', array());
|
2014-03-05 18:02:05 +04:00
|
|
|
if (empty($trustedList)) {
|
|
|
|
return true;
|
|
|
|
}
|
2014-11-13 13:15:47 +03:00
|
|
|
|
|
|
|
// Always allow access from localhost
|
2014-03-05 18:41:28 +04:00
|
|
|
if (preg_match(self::REGEX_LOCALHOST, $domain) === 1) {
|
|
|
|
return true;
|
|
|
|
}
|
2014-11-13 13:15:47 +03:00
|
|
|
|
2014-02-18 19:26:37 +04:00
|
|
|
return in_array($domain, $trustedList);
|
|
|
|
}
|
|
|
|
|
2012-08-07 00:16:45 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Returns the unverified server host from the headers without checking
|
2014-03-05 18:02:05 +04:00
|
|
|
* whether it is a trusted domain
|
2014-05-11 21:05:28 +04:00
|
|
|
* @return string the server host
|
2012-08-07 00:16:45 +04:00
|
|
|
*
|
|
|
|
* Returns the server host, even if the website uses one or more
|
|
|
|
* reverse proxies
|
|
|
|
*/
|
2014-03-05 18:02:05 +04:00
|
|
|
public static function insecureServerHost() {
|
|
|
|
$host = null;
|
2012-08-07 00:16:45 +04:00
|
|
|
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
|
|
|
|
if (strpos($_SERVER['HTTP_X_FORWARDED_HOST'], ",") !== false) {
|
2014-03-05 20:04:45 +04:00
|
|
|
$parts = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
|
|
|
|
$host = trim(current($parts));
|
2014-03-05 18:02:05 +04:00
|
|
|
} else {
|
2014-02-18 19:26:37 +04:00
|
|
|
$host = $_SERVER['HTTP_X_FORWARDED_HOST'];
|
2012-08-07 00:16:45 +04:00
|
|
|
}
|
2014-02-18 19:26:37 +04:00
|
|
|
} else {
|
2013-07-02 01:51:43 +04:00
|
|
|
if (isset($_SERVER['HTTP_HOST'])) {
|
2014-02-18 19:26:37 +04:00
|
|
|
$host = $_SERVER['HTTP_HOST'];
|
2014-03-05 18:02:05 +04:00
|
|
|
} else if (isset($_SERVER['SERVER_NAME'])) {
|
2014-02-18 19:26:37 +04:00
|
|
|
$host = $_SERVER['SERVER_NAME'];
|
2013-07-02 01:51:43 +04:00
|
|
|
}
|
2012-08-07 00:16:45 +04:00
|
|
|
}
|
2014-03-05 18:02:05 +04:00
|
|
|
return $host;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Returns the overwritehost setting from the config if set and
|
|
|
|
* if the overwrite condition is met
|
2014-04-16 00:55:20 +04:00
|
|
|
* @return string|null overwritehost value or null if not defined or the defined condition
|
2014-03-05 18:02:05 +04:00
|
|
|
* isn't met
|
|
|
|
*/
|
|
|
|
public static function getOverwriteHost() {
|
|
|
|
if(OC_Config::getValue('overwritehost', '') !== '' and self::isOverwriteCondition()) {
|
|
|
|
return OC_Config::getValue('overwritehost');
|
|
|
|
}
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Returns the server host from the headers, or the first configured
|
2014-03-05 18:02:05 +04:00
|
|
|
* trusted domain if the host isn't in the trusted list
|
2014-05-11 21:05:28 +04:00
|
|
|
* @return string the server host
|
2014-03-05 18:02:05 +04:00
|
|
|
*
|
|
|
|
* Returns the server host, even if the website uses one or more
|
|
|
|
* reverse proxies
|
|
|
|
*/
|
|
|
|
public static function serverHost() {
|
2014-07-07 16:39:06 +04:00
|
|
|
if (OC::$CLI && defined('PHPUNIT_RUN')) {
|
2014-03-05 18:02:05 +04:00
|
|
|
return 'localhost';
|
|
|
|
}
|
|
|
|
|
|
|
|
// overwritehost is always trusted
|
|
|
|
$host = self::getOverwriteHost();
|
|
|
|
if ($host !== null) {
|
|
|
|
return $host;
|
|
|
|
}
|
|
|
|
|
|
|
|
// get the host from the headers
|
|
|
|
$host = self::insecureServerHost();
|
2012-08-07 00:16:45 +04:00
|
|
|
|
2014-02-18 19:26:37 +04:00
|
|
|
// Verify that the host is a trusted domain if the trusted domains
|
|
|
|
// are defined
|
|
|
|
// If no trusted domain is provided the first trusted domain is returned
|
2014-03-05 18:02:05 +04:00
|
|
|
if (self::isTrustedDomain($host)) {
|
2014-02-18 19:26:37 +04:00
|
|
|
return $host;
|
|
|
|
} else {
|
|
|
|
$trustedList = \OC_Config::getValue('trusted_domains', array(''));
|
|
|
|
return $trustedList[0];
|
|
|
|
}
|
|
|
|
}
|
2012-08-07 00:16:45 +04:00
|
|
|
|
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Returns the server protocol
|
2014-05-11 21:05:28 +04:00
|
|
|
* @return string the server protocol
|
2012-08-07 00:16:45 +04:00
|
|
|
*
|
|
|
|
* Returns the server protocol. It respects reverse proxy servers and load balancers
|
|
|
|
*/
|
|
|
|
public static function serverProtocol() {
|
2013-03-09 14:39:20 +04:00
|
|
|
if(OC_Config::getValue('overwriteprotocol', '') !== '' and self::isOverwriteCondition('protocol')) {
|
2013-01-14 23:30:39 +04:00
|
|
|
return OC_Config::getValue('overwriteprotocol');
|
2012-11-22 22:22:00 +04:00
|
|
|
}
|
2012-08-07 00:16:45 +04:00
|
|
|
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
|
|
|
|
$proto = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']);
|
2014-02-18 19:26:37 +04:00
|
|
|
// Verify that the protocol is always HTTP or HTTPS
|
|
|
|
// default to http if an invalid value is provided
|
|
|
|
return $proto === 'https' ? 'https' : 'http';
|
|
|
|
}
|
|
|
|
if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
|
|
|
|
return 'https';
|
2012-08-07 00:16:45 +04:00
|
|
|
}
|
2014-02-18 19:26:37 +04:00
|
|
|
return 'http';
|
2012-08-07 00:16:45 +04:00
|
|
|
}
|
|
|
|
|
2012-09-09 14:54:47 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Returns the request uri
|
2014-05-11 21:05:28 +04:00
|
|
|
* @return string the request uri
|
2012-09-09 14:54:47 +04:00
|
|
|
*
|
|
|
|
* Returns the request uri, even if the website uses one or more
|
|
|
|
* reverse proxies
|
2014-02-06 19:30:58 +04:00
|
|
|
* @return string
|
2012-09-09 14:54:47 +04:00
|
|
|
*/
|
|
|
|
public static function requestUri() {
|
|
|
|
$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
|
2013-03-09 14:39:20 +04:00
|
|
|
if (OC_Config::getValue('overwritewebroot', '') !== '' and self::isOverwriteCondition()) {
|
2012-09-09 14:54:47 +04:00
|
|
|
$uri = self::scriptName() . substr($uri, strlen($_SERVER['SCRIPT_NAME']));
|
|
|
|
}
|
|
|
|
return $uri;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Returns the script name
|
2014-02-08 14:47:55 +04:00
|
|
|
* @return string the script name
|
2012-09-09 14:54:47 +04:00
|
|
|
*
|
|
|
|
* Returns the script name, even if the website uses one or more
|
|
|
|
* reverse proxies
|
|
|
|
*/
|
|
|
|
public static function scriptName() {
|
|
|
|
$name = $_SERVER['SCRIPT_NAME'];
|
2014-03-31 17:30:44 +04:00
|
|
|
$overwriteWebRoot = OC_Config::getValue('overwritewebroot', '');
|
|
|
|
if ($overwriteWebRoot !== '' and self::isOverwriteCondition()) {
|
2013-11-24 15:41:09 +04:00
|
|
|
$serverroot = str_replace("\\", '/', substr(__DIR__, 0, -strlen('lib/private/')));
|
2012-09-09 14:54:47 +04:00
|
|
|
$suburi = str_replace("\\", "/", substr(realpath($_SERVER["SCRIPT_FILENAME"]), strlen($serverroot)));
|
2014-03-31 17:30:44 +04:00
|
|
|
$name = '/' . ltrim($overwriteWebRoot . $suburi, '/');
|
2012-09-09 14:54:47 +04:00
|
|
|
}
|
|
|
|
return $name;
|
|
|
|
}
|
|
|
|
|
2012-08-07 22:33:25 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* get Path info from request
|
2014-02-08 14:47:55 +04:00
|
|
|
* @return string Path info or false when not found
|
2012-08-07 22:33:25 +04:00
|
|
|
*/
|
|
|
|
public static function getPathInfo() {
|
2012-09-07 17:22:01 +04:00
|
|
|
if (array_key_exists('PATH_INFO', $_SERVER)) {
|
2012-08-07 22:33:25 +04:00
|
|
|
$path_info = $_SERVER['PATH_INFO'];
|
|
|
|
}else{
|
2013-02-28 00:38:58 +04:00
|
|
|
$path_info = self::getRawPathInfo();
|
2014-01-09 17:25:48 +04:00
|
|
|
// following is taken from \Sabre\DAV\URLUtil::decodePathSegment
|
2012-08-07 22:42:54 +04:00
|
|
|
$path_info = rawurldecode($path_info);
|
2012-11-04 14:10:46 +04:00
|
|
|
$encoding = mb_detect_encoding($path_info, array('UTF-8', 'ISO-8859-1'));
|
2012-08-07 22:42:54 +04:00
|
|
|
|
|
|
|
switch($encoding) {
|
|
|
|
|
2013-02-10 01:44:11 +04:00
|
|
|
case 'ISO-8859-1' :
|
|
|
|
$path_info = utf8_encode($path_info);
|
2012-08-07 22:42:54 +04:00
|
|
|
|
|
|
|
}
|
|
|
|
// end copy
|
2012-08-07 22:33:25 +04:00
|
|
|
}
|
|
|
|
return $path_info;
|
|
|
|
}
|
|
|
|
|
2013-02-28 00:38:58 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* get Path info from request, not urldecoded
|
2014-04-21 17:44:54 +04:00
|
|
|
* @throws Exception
|
2014-02-08 14:47:55 +04:00
|
|
|
* @return string Path info or false when not found
|
2013-02-28 00:38:58 +04:00
|
|
|
*/
|
|
|
|
public static function getRawPathInfo() {
|
2014-10-15 15:43:04 +04:00
|
|
|
$requestUri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
|
2013-11-25 17:21:51 +04:00
|
|
|
// remove too many leading slashes - can be caused by reverse proxy configuration
|
2013-11-25 17:42:34 +04:00
|
|
|
if (strpos($requestUri, '/') === 0) {
|
|
|
|
$requestUri = '/' . ltrim($requestUri, '/');
|
|
|
|
}
|
|
|
|
|
2013-11-26 17:13:33 +04:00
|
|
|
// Remove the query string from REQUEST_URI
|
|
|
|
if ($pos = strpos($requestUri, '?')) {
|
|
|
|
$requestUri = substr($requestUri, 0, $pos);
|
|
|
|
}
|
|
|
|
|
2013-11-25 17:42:34 +04:00
|
|
|
$scriptName = $_SERVER['SCRIPT_NAME'];
|
2013-11-26 17:13:33 +04:00
|
|
|
$path_info = $requestUri;
|
|
|
|
|
|
|
|
// strip off the script name's dir and file name
|
2014-01-09 17:25:48 +04:00
|
|
|
list($path, $name) = \Sabre\DAV\URLUtil::splitPath($scriptName);
|
2013-11-26 17:13:33 +04:00
|
|
|
if (!empty($path)) {
|
|
|
|
if( $path === $path_info || strpos($path_info, $path.'/') === 0) {
|
|
|
|
$path_info = substr($path_info, strlen($path));
|
|
|
|
} else {
|
|
|
|
throw new Exception("The requested uri($requestUri) cannot be processed by the script '$scriptName')");
|
|
|
|
}
|
2013-11-25 17:42:34 +04:00
|
|
|
}
|
2013-11-26 19:52:33 +04:00
|
|
|
if (strpos($path_info, '/'.$name) === 0) {
|
2013-11-26 17:13:33 +04:00
|
|
|
$path_info = substr($path_info, strlen($name) + 1);
|
2013-02-28 00:38:58 +04:00
|
|
|
}
|
2013-11-26 17:13:33 +04:00
|
|
|
if (strpos($path_info, $name) === 0) {
|
|
|
|
$path_info = substr($path_info, strlen($name));
|
|
|
|
}
|
2013-11-28 00:28:54 +04:00
|
|
|
if($path_info === '/'){
|
|
|
|
return '';
|
|
|
|
} else {
|
|
|
|
return $path_info;
|
|
|
|
}
|
2013-02-28 00:38:58 +04:00
|
|
|
}
|
|
|
|
|
2013-02-10 14:05:43 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Check if the requester sent along an mtime
|
2014-02-08 14:47:55 +04:00
|
|
|
* @return false or an mtime
|
2013-02-10 14:05:43 +04:00
|
|
|
*/
|
|
|
|
static public function hasModificationTime () {
|
|
|
|
if (isset($_SERVER['HTTP_X_OC_MTIME'])) {
|
|
|
|
return $_SERVER['HTTP_X_OC_MTIME'];
|
|
|
|
} else {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
2013-12-12 14:32:56 +04:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Checks whether the user agent matches a given regex
|
|
|
|
* @param string|array $agent agent name or array of agent names
|
|
|
|
* @return boolean true if at least one of the given agent matches,
|
|
|
|
* false otherwise
|
|
|
|
*/
|
|
|
|
static public function isUserAgent($agent) {
|
|
|
|
if (!is_array($agent)) {
|
|
|
|
$agent = array($agent);
|
|
|
|
}
|
|
|
|
foreach ($agent as $regex) {
|
|
|
|
if (preg_match($regex, $_SERVER['HTTP_USER_AGENT'])) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
2012-06-15 14:07:31 +04:00
|
|
|
}
|