From 69f5f6649e05dd404aa67fab95c5bb34e9ce4d1f Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 3 Dec 2014 19:54:48 +0100 Subject: [PATCH 1/3] Trim port from domain Depending on the used environment the port might be appended to the host header resulting in an inaccessible instance when initially setting up on a system with a different HTTP or HTTPS port. (for example test:500) To test this setup ownCloud under a different port with and without this patch. (heads-up: localhost is always white-listed, so use a different domain) --- lib/private/request.php | 24 +++++++++++++++++------- lib/private/setup.php | 2 +- tests/lib/request.php | 16 ++++++++++++++++ 3 files changed, 34 insertions(+), 8 deletions(-) diff --git a/lib/private/request.php b/lib/private/request.php index d079dc110d..794b566ce5 100644 --- a/lib/private/request.php +++ b/lib/private/request.php @@ -65,6 +65,22 @@ class OC_Request { or ($type !== 'protocol' and OC_Config::getValue('forcessl', false)); } + /** + * Strips a potential port from a domain (in format domain:port) + * @param $host + * @return string $host without appended port + */ + public static function getDomainWithoutPort($host) { + $pos = strrpos($host, ':'); + if ($pos !== false) { + $port = substr($host, $pos + 1); + if (is_numeric($port)) { + $host = substr($host, 0, $pos); + } + } + return $host; + } + /** * Checks whether a domain is considered as trusted from the list * of trusted domains. If no trusted domains have been configured, returns @@ -76,13 +92,7 @@ class OC_Request { */ public static function isTrustedDomain($domain) { // Extract port from domain if needed - $pos = strrpos($domain, ':'); - if ($pos !== false) { - $port = substr($domain, $pos + 1); - if (is_numeric($port)) { - $domain = substr($domain, 0, $pos); - } - } + $domain = self::getDomainWithoutPort($domain); // FIXME: Empty config array defaults to true for now. - Deprecate this behaviour with ownCloud 8. $trustedList = \OC::$server->getConfig()->getSystemValue('trusted_domains', array()); diff --git a/lib/private/setup.php b/lib/private/setup.php index 1443de1854..e5eb2bac19 100644 --- a/lib/private/setup.php +++ b/lib/private/setup.php @@ -162,7 +162,7 @@ class OC_Setup { && is_array($options['trusted_domains'])) { $trustedDomains = $options['trusted_domains']; } else { - $trustedDomains = array(OC_Request::serverHost()); + $trustedDomains = array(\OC_Request::getDomainWithoutPort(\OC_Request::serverHost())); } if (OC_Util::runningOnWindows()) { diff --git a/tests/lib/request.php b/tests/lib/request.php index 254048723e..3b70ed0ba2 100644 --- a/tests/lib/request.php +++ b/tests/lib/request.php @@ -228,6 +228,22 @@ class Test_Request extends \Test\TestCase { OC_Config::deleteKey('overwritehost'); } + public function hostWithPortProvider() { + return array( + array('localhost:500', 'localhost'), + array('foo.com', 'foo.com'), + array('[1fff:0:a88:85a3::ac1f]:801', '[1fff:0:a88:85a3::ac1f]') + ); + } + + /** + * @dataProvider hostWithPortProvider + */ + public function testGetDomainWithoutPort($hostWithPort, $host) { + $this->assertEquals($host, OC_Request::getDomainWithoutPort($hostWithPort)); + + } + /** * @dataProvider trustedDomainDataProvider */ From b3515a98e98e1403a841f435cfcd5058053dd4e1 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 3 Dec 2014 21:13:27 +0100 Subject: [PATCH 2/3] Add workaround for older instances To be removed with oCAdd workaround for older instances To be removed with oC99 --- lib/private/request.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/lib/private/request.php b/lib/private/request.php index 794b566ce5..3c33dfc340 100644 --- a/lib/private/request.php +++ b/lib/private/request.php @@ -86,13 +86,13 @@ class OC_Request { * of trusted domains. If no trusted domains have been configured, returns * true. * This is used to prevent Host Header Poisoning. - * @param string $domain + * @param string $domainWithPort * @return bool true if the given domain is trusted or if no trusted domains * have been configured */ - public static function isTrustedDomain($domain) { + public static function isTrustedDomain($domainWithPort) { // Extract port from domain if needed - $domain = self::getDomainWithoutPort($domain); + $domain = self::getDomainWithoutPort($domainWithPort); // FIXME: Empty config array defaults to true for now. - Deprecate this behaviour with ownCloud 8. $trustedList = \OC::$server->getConfig()->getSystemValue('trusted_domains', array()); @@ -100,6 +100,11 @@ class OC_Request { return true; } + // FIXME: Workaround for older instances still with port applied. Remove for ownCloud 9. + if(in_array($domainWithPort, $trustedList)) { + return true; + } + // Always allow access from localhost if (preg_match(self::REGEX_LOCALHOST, $domain) === 1) { return true; From 81541c56b6e489c14287e99cff239a89d9553e49 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Thu, 4 Dec 2014 12:16:33 +0100 Subject: [PATCH 3/3] Add test for IPv6 without port --- tests/lib/request.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/lib/request.php b/tests/lib/request.php index 3b70ed0ba2..ea3722b90a 100644 --- a/tests/lib/request.php +++ b/tests/lib/request.php @@ -232,7 +232,8 @@ class Test_Request extends \Test\TestCase { return array( array('localhost:500', 'localhost'), array('foo.com', 'foo.com'), - array('[1fff:0:a88:85a3::ac1f]:801', '[1fff:0:a88:85a3::ac1f]') + array('[1fff:0:a88:85a3::ac1f]:801', '[1fff:0:a88:85a3::ac1f]'), + array('[1fff:0:a88:85a3::ac1f]', '[1fff:0:a88:85a3::ac1f]') ); }