diff --git a/lib/private/request.php b/lib/private/request.php index d079dc110d..3c33dfc340 100644 --- a/lib/private/request.php +++ b/lib/private/request.php @@ -65,24 +65,34 @@ class OC_Request { or ($type !== 'protocol' and OC_Config::getValue('forcessl', false)); } + /** + * Strips a potential port from a domain (in format domain:port) + * @param $host + * @return string $host without appended port + */ + public static function getDomainWithoutPort($host) { + $pos = strrpos($host, ':'); + if ($pos !== false) { + $port = substr($host, $pos + 1); + if (is_numeric($port)) { + $host = substr($host, 0, $pos); + } + } + return $host; + } + /** * Checks whether a domain is considered as trusted from the list * of trusted domains. If no trusted domains have been configured, returns * true. * This is used to prevent Host Header Poisoning. - * @param string $domain + * @param string $domainWithPort * @return bool true if the given domain is trusted or if no trusted domains * have been configured */ - public static function isTrustedDomain($domain) { + public static function isTrustedDomain($domainWithPort) { // Extract port from domain if needed - $pos = strrpos($domain, ':'); - if ($pos !== false) { - $port = substr($domain, $pos + 1); - if (is_numeric($port)) { - $domain = substr($domain, 0, $pos); - } - } + $domain = self::getDomainWithoutPort($domainWithPort); // FIXME: Empty config array defaults to true for now. - Deprecate this behaviour with ownCloud 8. $trustedList = \OC::$server->getConfig()->getSystemValue('trusted_domains', array()); @@ -90,6 +100,11 @@ class OC_Request { return true; } + // FIXME: Workaround for older instances still with port applied. Remove for ownCloud 9. + if(in_array($domainWithPort, $trustedList)) { + return true; + } + // Always allow access from localhost if (preg_match(self::REGEX_LOCALHOST, $domain) === 1) { return true; diff --git a/lib/private/setup.php b/lib/private/setup.php index 1443de1854..e5eb2bac19 100644 --- a/lib/private/setup.php +++ b/lib/private/setup.php @@ -162,7 +162,7 @@ class OC_Setup { && is_array($options['trusted_domains'])) { $trustedDomains = $options['trusted_domains']; } else { - $trustedDomains = array(OC_Request::serverHost()); + $trustedDomains = array(\OC_Request::getDomainWithoutPort(\OC_Request::serverHost())); } if (OC_Util::runningOnWindows()) { diff --git a/tests/lib/request.php b/tests/lib/request.php index 254048723e..ea3722b90a 100644 --- a/tests/lib/request.php +++ b/tests/lib/request.php @@ -228,6 +228,23 @@ class Test_Request extends \Test\TestCase { OC_Config::deleteKey('overwritehost'); } + public function hostWithPortProvider() { + return array( + array('localhost:500', 'localhost'), + array('foo.com', 'foo.com'), + array('[1fff:0:a88:85a3::ac1f]:801', '[1fff:0:a88:85a3::ac1f]'), + array('[1fff:0:a88:85a3::ac1f]', '[1fff:0:a88:85a3::ac1f]') + ); + } + + /** + * @dataProvider hostWithPortProvider + */ + public function testGetDomainWithoutPort($hostWithPort, $host) { + $this->assertEquals($host, OC_Request::getDomainWithoutPort($hostWithPort)); + + } + /** * @dataProvider trustedDomainDataProvider */